SPAM frauds, fakes, and other MALWARE deliveries...

[AplusWebMaster]

SCAM and SPAM ...

FYI... multiple entries:

iPad SCAM ...
- http://www.gfi.com/blog/twitter-dm-lures-recipients-to-ipad-scam/
Oct 24, 2012 - "We have been reading reports of malware and phishing attacks by means of suspicious direct messages to get user systems infected or have user information and credentials stolen, a ploy that is fast becoming common in the Twittersphere now more than ever. One GFI Labs blog reader gave us the heads up on the latest DM currently making rounds on Twitter. The message says:
did you see your pics with her facebook(dot)com/45569965114786…
Users who click the embedded link are led to a Facebook app page, which then executes a PHP script—
> http://www.gfi.com/blog/wp-content/uploads/2012/10/05-background-traffic.png
... —before redirecting them to this:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/01-fake-facebook-event-page-300x181.jpg
It appears to be a genuine Facebook event page; however, the URL has made obvious that it’s not at all related to the said social networking site.
Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click - Click here.:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/02-ipad-survey-scam-300x222.jpg
...
> http://www.gfi.com/blog/wp-content/uploads/2012/10/03-phishing-page-300x285.png
... Others are redirected to this ad campaign page we’re probably familiar with:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/04-generic-ad-campaign-page-300x201.png
We have determined that more than 4,500 Internet users have visited the dodgy Facebook app page; however, it is unclear how many have fallen victim to these scams... quick reminder to our readers: think before you click..."
___

Contract SPAM / fidelocastroo .ru
- http://blog.dynamoo.com/2012/10/contract-spam-fidelocastrooru.html
24 Oct 2012 - "This fake contact spam leads to malware on fidelocastroo .ru:
Date: Tue, 23 Oct 2012 12:33:51 -0800
From: "Wilburn TIMMONS" [HIWilburn@hotmail.com]
Subject: Fw: Contract from Wilburn
Attachments: Contract_Scan_DS23656.htm
Hello,
In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.
Best regards,
Wilburn TIMMONS, secretary

The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo .ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:

202.3.245.13 (President of French Polynesia*)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

* http://blog.dynamoo.com/2012/10/president-of-french-polynesia.html ..."
___

Bogus Windows License SPAM - in the Wild
- http://www.gfi.com/blog/bogus-windows-license-spam-is-in-the-wild/
Oct 24, 2012 - "... Below is a screenshot of a new spam run in the wild... presents to recipients a very suspicious but very free license for Microsoft Windows that they can download. Sounds too good to be true? It probably is.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/01-MSWindowsLic_1022-300x124.png
From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:
Welcome,
You can download your Microsoft Windows License here -
Microsoft Corporation
Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/02-blackhole-300x83.png
This spam is a launchpad for a Blackhole-Cridex attack on user systems. This method is likewise being used by the most recent campaign of the “Copies of Policies” spam*, also in the wild..."
* http://gfisoftware.tumblr.com/tagged/Copies-of-Policies
___

Wire Transfer SPAM / ponowseniks .ru
- http://blog.dynamoo.com/2012/10/wire-transfer-spam-ponowseniksru.html
24 Oct 2012 - "This fake wire transfer spam leads to malware on ponowseniks .ru:
Date: Wed, 24 Oct 2012 04:26:12 -0500
From: FedEx [info@emails.fedex.com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
Attachments: Report_Trans99252.htm
Dear Bank Operator,
WIRE TRANSFER: FEDW-30126495944197210
STATUS: REJECTED
You can find details in the attached file. (Internet Explorer format)

The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks .ru:8080/forum/links/column.php hosted on some familar IP addresses:
202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)"
___

BBB SPAM / samplersmagnifyingglass .net
- http://blog.dynamoo.com/2012/10/bbb-spam-samplersmagnifyingglassnet.html
24 Oct 2012 - "This fake BBB spam leads to malware on samplersmagnifyingglass .net:
Date: Wed, 24 Oct 2012 22:10:18 +0430
From: "Better Business Bureau" [noreply@bbb.org]
Subject: Better Business Beareau Appeal #42790699
Attention: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.
Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.
On a website above please enter your complain id: 42790699 to review it.
We are looking forward to hearing from you.
-----------------------------------
Faithfully,
Rebecca Wilcox
Dispute advisor
Better Business Bureau

The malicious payload is on [donotclick]samplersmagnifyingglass .net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking."

 

[AplusWebMaster]

Fake UPS, Facebook, ADP emails lead to malware ...

FYI... multiple entries:

Fake UPS emails serve malware ...
- http://blog.webroot.com/2012/10/25/your-ups-invoice-is-ready-themed-emails-serve-malware/
Oct 25, 2012 - "... cybercriminals launched yet another massive spam campaign, impersonating the United Parcel Service (UPS), in an attempt to trick its current and prospective customers into downloading and executing the malicious attachment found in the email. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the victim’s host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/ups_spam_email_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw.
* https://www.virustotal.com/file/d9e...af9da5c6d0c1d295c3f07a5d/analysis/1350581761/
File name: UPS_Delivery_Confirmation.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___

Fake Facebook emails lead to malware
- https://www.net-security.org/malware_news.php?id=2302
25.10.2012 - "If you receive an email seemingly sent by Facebook, sharing an offensive comment that has seemingly been left on your Wall by an unknown user, please don't be tempted to follow the link.
> https://www.net-security.org/images/articles/fb-offensive-scam.jpg
... If you do, you'll be -redirected- to a -fake- Facebook page hosting a malicious iFrame script that triggers the infamous Blackhole exploit kit, and if it finds a vulnerability to exploit, you will be automatically saddled with some or other malicious software. The attackers will try to hide the fact by automatically redirecting you to another legitimate Facebook page, belonging to a Facebook users that, according to Sophos*, does not seem to be related to the attack."
* http://nakedsecurity.sophos.com/201...book-email-leads-to-blackhole-malware-attack/
___

ADP SPAM / openpolygons .net
- http://blog.dynamoo.com/2012/10/adp-spam-openpolygonsnet.html
25 Oct 2012 - "This fake ADP spam leads to malware on openpolygons .net:
From: warning @adp .com
Sent: Thu 25/10/2012 16:42
Subject: ADP Instant Message
ADP Pressing Communication
Reference No.: 27711
Respected ADP Client October, 25 2012
Your Transaction Report(s) have been uploaded to the web site:
Click Here to access
Please overview the following information:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This email was sent to existing users in your company that access ADP Netsecure.
As general, thank you for using ADP as your business affiliate!
Ref: 27711
> https://lh3.ggpht.com/-xEHpgbIAYcs/UIlsYnnqtcI/AAAAAAAAAwQ/CoQutqaRwmw/s1600/adp-spam.png

The malicious payload is at [donotclick]openpolygons .net/detects/lorrys_implication.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before. That IP also hosts the fake AV application win8ss .com and another malware site of legacywins .com...
Plain list for copy-and-pasting:
195.198.124.60
openpolygons .net
win8ss .com
legacywins .com ..."
___

"End of Aug. Statement required" SPAM / kiladopje .ru
- http://blog.dynamoo.com/2012/10/end-of-aug-statement-required-spam.html
25 Oct 2012 - "This spam leads to malware on kiladopje .ru:
From: ZaireLomay @mail .com
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required
Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards

In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje .ru:8080/forum/links/column.php hosted on:
79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domains are all related and should be blocked if you can:
68.67.42.41, 72.18.203.140, 79.98.27.9, 84.22.100.108, 85.143.166.170, 132.248.49.112, 190.10.14.196, 202.3.245.13, 203.80.16.81, 209.51.221.247
fidelocastroo .ru
finitolaco .ru
kennedyana .ru
kiladopje .ru
lemonadiom .ru
leprasmotra .ru
ponowseniks .ru
secondhand4u .ru
windowonu .ru ..."
___

Vast email -malware- outbreaks – efaxCorporate and Xerox copiers
- http://blog.commtouch.com/cafe/emai...-outbreaks-–-efaxcorporate-and-xerox-copiers/
Oct 25, 2012 - "... huge of amounts of email-attached malware distributed – all with an “office” theme. The attacks pushed the amount of email up by several hundred percent and totaled near five billion emails sent worldwide.
> http://blog.commtouch.com/cafe/wp-content/uploads/eFax-malware-levels-24-Oct-2012.jpg
The first part of the day saw emails describing an attachment as being the scan from a Xerox Workcenter... Yesterday’s file was a zipped executable. The second part of the attack moved on to eFaxCorporate, announcing the arrival of a (21 page) fax message. Once again the attachment was an executable file pretending to be a PDF. The file is detected as W32/Trojan2.NTLB... The malware scans the infected system for FTP programs – no doubt looking for FTP credentials that can be stolen to access and compromise Web servers (which can then be used to serve malware links).
> http://blog.commtouch.com/cafe/wp-content/uploads/eFax-message.jpg ..."

 

[AplusWebMaster]

Bogus Skype, ADP emails lead to malware ...

FYI... multiple entries:

Share of malicious email by country
- http://www.h-online.com/security/ne...-malicious-spam-1737717.html?view=zoom;zoom=1
26 Oct 2012
___

Bogus Skype emails lead to malware...
- http://blog.webroot.com/2012/10/26/...sfully-changed-notifications-lead-to-malware/
Oct 26, 2012 - "... millions of emails impersonating Skype, in an attempt to trick Skype users that their password has been successfully changed, and that in order to view their call history and change their account settings, they would need to execute the malicious attachment found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/skype_email_spam_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw. Upon execution, the malware opens a backdoor allowing the cybercriminals behind the campaign complete access to the affected user’s host..."
* https://www.virustotal.com/file/d9e...af9da5c6d0c1d295c3f07a5d/analysis/1350584221/
File name: Skype_Password_inscturtions.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___

apl.de.ap SPAM
- http://blog.dynamoo.com/2012/10/apldeap-spam.html
26 Oct 2012 - "I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap ( http://en.wikipedia.org/wiki/Apl.de.ap ) until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east. Although those look like tinyurl links, they're not... they go through a redirector at ykadl .net on 109.236.88.71, the same IP used to send the spam... here's the spam in case you really want to buy tickets from a shady bunch of spammers (NOT)...
From: DNA alex @ ykadl .net
Date: 26 October 2012 04:48
Subject: Black Eyed Peas/ APL DE AP in Dubai
Signed by: ykadl.net
BLACK EYE PEAS founding member APL DE AP heads to Dubai
BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.
Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.
APL DE AP and the other members of the Black Eyed Peas have been on a hiatus ..."
___

ADP SPAM / steamedboasting .info
- http://blog.dynamoo.com/2012/10/adp-spam-steamedboastinginfo.html
26 Oct 2012 - "This fake ADP spam leads to malware on steamedboasting.info:
From: ClientService @adp .com
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification
ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https ://www.flexdirect.adp .com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344

The malicious payload is at [donotclick]steamedboasting .info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting .info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).
This is an alternative variant with the same malicious payload:
Date: Fri, 26 Oct 2012 16:32:10 +0530
From: "noreply @adp .com"
Subject: ADP Prompt Communication
ADP Speedy Notification
Reference #: 27585
Dear ADP Client October, 25 2012
Your Transaction Statement(s) have been put onto the web site:
Web site link
Please see the following notes:
• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).
?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.
This message was sent to operating users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business partner!
Ref: 27585 [redacted] ..."
___

"Your Photos" SPAM / manekenppa .ru
- http://blog.dynamoo.com/2012/10/your-photos-spam-manekenpparu.html
26 Oct 2012 - "This fake "photos" spam leads to malware on manekenppa .ru:
From: Acacia @redacted .com
Sent: 26 October 2012 10:14
Subject: Your Photos
Hi,
I have attached your photos to the mail (Open with Internet Explorer).

In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa .ru:8080/forum/links/column.php hosted on some familiar looking IPs:
79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
We've seen these IPs before and they are well worth blocking."

 

[AplusWebMaster]

Fake BT-Business, Verizon emails lead to malware

FYI...

Fake BT-Business emails lead to malware ...
- http://blog.webroot.com/2012/10/28/...s-direct-order-themed-emails-lead-to-malware/
Oct 28, 2012 - "Over the past 24 hours, cybercriminals have been spamvertising millions of emails targeting customers of BT’s Business Direct in an attempt to trick its users into executing the malicious attachment found in the emails. Upon executing it, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/bt_business_direct_spam_email_malware.png
Detection rate for the malicious attachment: MD5: 8d0e220ce56ebd5a03c389bedd116ac5 * ... Trojan-Ransom.Win32.Gimemo.ashm ..."
* https://www.virustotal.com/file/8f4...7659639520ffa5199c8bea86c04710f7c48/analysis/
File name: 8D0E220CE56EBD5A03C389BEDD116AC5.fil
Detection ratio: 32/42
Analysis date: 2012-10-25
___

Fake Verizon Wireless emails serve client-side exploits and malware ...
- http://blog.webroot.com/2012/10/27/...eless-serve-client-side-exploits-and-malware/
Oct 27, 2012 - "... For over a week now, cybercriminals have been persistently spamvertising millions of emails impersonating the company, in an attempt to trick current and prospective customers into clicking on the client-side exploits and malware serving links found in the malicious email. Upon clicking on any of the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/verizon_wireless_spam_email_exploits_malware.png
Spamvertised malicious URLs:
hxxp ://coaseguros .com/components/com_ag_google_analytics2/notifiedvzn.html;
hxxp ://clinflows .com/components/com_ag_google_analytics2/vznnotifycheck.html
Client-side exploits serving URL: hxxp ://strangernaturallanguage .net/detects/notification-status_login.php?mzuilm=073707340a&awi=45&dawn=04083703023407370609&iwnjdt=0a000300040002
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: b8d6532dd17c3c6f91de5cc13266f374 * ... Trojan-Spy.Win32.Zbot.fkth
Once executed, the sample phones back to tuningmurcelagoglamour .ru, tuningfordmustangxtremee .ru - 146.185.220.28, AS58014 ..."
* https://www.virustotal.com/file/2d1...6f5a0df33846b8a5ca9f2cc0232e83561f4/analysis/
File name: b8d6532dd17c3c6f91de5cc13266f374.malware
Detection ratio: 26/44
Analysis date: 2012-10-09 ..."

 

[AplusWebMaster]

Fake British Airways emails serve malware

FYI...

Fake British Airways emails serve malware
- http://blog.webroot.com/2012/10/29/...rways-themed-e-ticket-receipts-serve-malware/
Oct 29, 2012 - "Cybercriminals are currently mass mailing millions of emails in an attempt to trick British Airways customers into executing the malicious attachment found in the spamvertised emails. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the infected host...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/british_airways_spam_email_malware.png
Detection rate for the malicious attachment: MD5: 4a3a345c24fda6987bbe5411269e26b7 * ... Trojan-Downloader.Win32.Andromeda.aey..."
* https://www.virustotal.com/file/39f...ad06fe653a938124e2bd9c462fb7caa5c21/analysis/
File name: BritishAirways-eticket.pdf.exe
Detection ratio: 30/43
Analysis date: 2012-10-23
___

.com malware pretends to be naughty .com website
- http://blog.commtouch.com/cafe/email-security-news/com-malware-pretends-to-be-naughty-com-website/
Oct 28, 2012 - "... The email doesn’t include much text – simply asking that you 'Pay attention at the attach':
Screenshot: http://blog.commtouch.com/cafe/wp-content/uploads/com-trick-blurred.jpg
... As shown in the screenshot it’s www .——-face .com. Those tempted to double-click the “link” in order to visit a porn site would find themselves attacked by malware."

 

[AplusWebMaster]

Bogus Facebook notifications serve malware

FYI...

Bogus Facebook notifications serve malware
- http://blog.webroot.com/2012/10/30/...f-bogus-facebook-notifications-serve-malware/
Oct 30, 2012 - "... cybercriminals spamvertised yet another massive email campaign, impersonating the world’s most popular social network – Facebook. It was similar to a previously profiled spam campaign imitating Facebook. However, in this case the cybercriminals behind it relied on attached malicious archives, compared to including exploits and malware serving links in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/facebook_spam_email_malware.png
Detection rate for the malicious archive: MD5: 0938302fbf8f7db161e46c558660ae0b * ... Trojan.Generic.KDV.753880; Trojan-Ransom.Win32.Gimemo.arsu. Upon execution, the sample opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain full access to the affected host..."
* https://www.virustotal.com/file/79f...5b7fb47025b9bfe373a7ded6/analysis/1350575670/
File name: FacebookPhoto_album.jpeg.exe
Detection ratio: 34/43
Analysis date: 2012-10-18
___

Blackhat SEO poisoning: Halloween tricks and holiday malware ...
- http://blogs.computerworld.com/cybe...alloween-tricks-and-holiday-malware-interview
Oct 29, 2012 - "... things like blackhat SEO poisoning to successfully infect devices. Blackhat SEO link poisoning, scams, tricks. Although the poisonous pranks and tainted tricks go far beyond Halloween, this seemed a great time to get insight into these trends as well as tips to avoid them. You might know about it, but how about your parents or other people who are not nearly so security-savvy? You might want to warn them that their simple searches could infect their computers... especially if you will be the one called upon to fix them for free ;-) ..."
(More detail at the URL above.)

 

[AplusWebMaster]

Twitter, Steam phish ...

FYI... multiple entries:

Twitter phish is selling drama
- http://www.gfi.com/blog/new-twitter-phish-is-selling-drama/
Oct 30, 2012 - "... new phish in Twitter... you won’t miss it once you visit your direct message (DM) inbox. The message content can be any of the following:
- A horrible rumor is spreading about you
- A nasty rumor is spreading about you
- A terrible rumor is spreading about you
- You see this video of someone taping you? [URL redacted] creep
- Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on [URL redacted] sNqp

Whatever the message, it carries a shortened URL that directs the recipient to the domain ivtwtter(dot)com once clicked. Fortunately, the domain is no longer active.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/02-twitter-phish.png
Web browsers have also flagged the URL as a phishing site. If you receive any of these messages (or similar), the best way to handle it is to simply delete it from your DM inbox and warn your followers. In warning them, don’t copy and paste the entire message you received with the live link still in it — as some are prone to do — because this just increases the possibility of the nefarious link getting clicked..."
___

"Your Apple ID has been disabled" phish
- http://blog.dynamoo.com/2012/10/your-apple-id-has-been-disabled-phish.html
31 Oct 2012 - "I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam emails...
From: Apple no_reply @ macapple .com
Reply-To: no_reply @ macapple .com
Date: 31 October 2012 06:08
Subject: Your Apple ID has been disabled
Apple ID Support
Dear [redacted] ,
This Apple ID has been disabled!
For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.
To verify your Apple ID, we recommend that you go to:
Verify Now >

The phish is hosted at [donotclick]app.apple .com.proiectmaxim .ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name... It just goes to show that the bad guys will try to phish -anything- these days."
___

HP ScanJet SPAM / donkihotik .ru
- http://blog.dynamoo.com/2012/10/hp-scanjet-spam-donkihotikru.html
31 Oct 2012 - "This fake printer message leads to malware on donkihotik .ru:
Date: Wed, 31 Oct 2012 05:06:42 +0300
From: LinkedIn Connections
Subject: Re: Fwd:Scan from a HP ScanJet #26531
Attachments: HP-Scan-44974.htm
Attached document was scanned and sent
to you using a Hewlett-Packard Officejet PRO.
Sent: by Bria
Image(s) : 6
Attachment: Internet Explorer file [.htm]
Hewlett-Packard Officejet Location: machine location not set

The malicious payload is at [donotclick]donkihotik .ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack* yesterday."
* http://blog.dynamoo.com/2012/10/craiglist-spam-fionadixru.html
"... some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)
Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)
Plain list for copy-and-pasting:
50.22.102.132
62.76.186.190
68.67.42.41
84.22.100.108
203.80.16.81
209.51.221.247
213.251.171.30
manekenppa.ru
kiladopje.ru
lemonadiom.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
windowonu.ru
panalkinew.ru
fionadix.ru ..."
___

Steam phish steals more than credentials
- http://www.gfi.com/blog/new-phish-steals-more-than-steam-credentials/
Oct 31, 2012 - "... targeting players of the popular gaming platform, Steam. More than a year ago, Valve launched Steam Trading. The objective is to “allows you [the Steam account owner] to exchange In-game items and Gifts with everybody in the Steam Community.” It is a good move to get people within their large gaming community to engage with one another and form a bond of camaraderie. Upon its launch, Steam can only cater to a number of gamers. In particular, those who play Team Fortress 2, Portal, Spiral Knights, and other games from Three Rings and SEGA... phishing page that mimics the look and feel of the actual news page announcing the launch. The -bogus- page -baits- unknowing users with one free game this “Steam Happy Day”... at this time of writing Chrome flags the site as a phish... If you play Team Fortress 2, Portal, Spiral Knights plus other SEGA games on Steam and regularly trades items with other players, please avoid and block days(dot)steamgamesgift(dot)yzi(dot)me ... Be wary of free games and offers that would cost you more than you want to bargain for, especially if they’re hosted on dubious sites that use familiar strings in URLs you’d normally see in legitimate sites. To be safe, visit Steam directly* to double-check if they indeed have free offers..."
* http://store.steampowered.com/

 

[AplusWebMaster]

Bogus BofA, Discover emails serve exploits and malware

FYI...

Bogus BofA ‘Online Banking Passcode Reset’ emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/01/...mails-serve-client-side-exploits-and-malware/
Nov 1, 2012 - "Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professionally looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible...
Screenshot of a sample spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/bank_of_america_spam_email_malware_exploits.png
... Client-side exploits serving URL: hxxp ://the-mesgate .net/detects/signOn_go.php – 183.81.133.121, AS38442 ... Also responding to the same IP are the following malicious domains:
stafffire .net – 183.81.133.121, AS38442
hotsecrete .net – Email: counseling1 @ yahoo .com
formexiting .net – suspended domain
navisiteseparation .net – suspended domain ...
Related malicious domains responding the these IPs:
change-hot .net
locksmack .net
Money mule recruitment domains using the same IP as a mailserver:
aurafinancialgroup .com
epscareers .com
As you can see, this campaign is great example of the very existence of the cybercrime ecosystem. Not only are they spamvertising millions of exploits and malware serving emails, they’re also multitasking on multiple fronts, as these two domains are recruiting money mules to process fraudulently obtained assets from the affected victims..."
___

Discover card SPAM / netgear-india.net
- http://blog.dynamoo.com/2012/11/discover-card-spam-netgear-indianet.html
1 Nov 2012 - "This fake Discover Card spam leads to malware on netgear-india .net:
From: Discover Account Notes [mailto:no-reply @ notify .discover .com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms
Account Services | Customer Care Services
Account ending in XXX1
An substantial communication regarding latest Declined Transfers is waiting for you.
Log In to Read Information
Honored Discover Client,
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.
To ensure optimal privacy, please log in to view your message at Discover.com.
Please click on this link if you have forgotten your UserID or Password.
Add information @ service .discover .com to your address book to ensure delivery of these notifications.
VITAL NOTE
This message was delivered to [redacted] for Discover debit card account number ending with XXX1.
You are receiving this e-mail because you have account at Discover.com.
Log in to change your e-mail address or overview your account e-mail options.
If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.
Please DO NOT reply to this message. auto informer system cannot accept incoming email.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]
========
From: Discover Account Notes [mailto:donotreply @service .discover .com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account
Account Center | Customer Center
Account ending in XXX9
An significant message regarding latest Approved Activity is waiting for you.
Log In to Overview Details
Respective Cardholder,
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.
To ensure optimal privacy, please sign in to read your data at Discover.com.
Please visit discover .com if you have forgotten your Login ID or Password.
Add discover @ information .discover .com to your trusted emails to ensure delivery of these messages.
VITAL NOTIFICATION
This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.
You are receiving this e-mail because you member of Discover.com.
Log in to change your e-mail address or view your account e-mail settings.
If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.
Please don't reply to this message. auto-notification system cannot accept incoming mail.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]

The malicious payload is at [donotclick]netgear-india .net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
itracrions .pl
radiovaweonearch .com
steamedboasting .info
solla .at
netgear-india .net
puzzledbased .net
stempare .net
questionscharges .net
bootingbluray .net ..."
___

Hurricane Sandy SPAMs lead to survey scams
- http://nakedsecurity.sophos.com/2012/11/01/hurricane-sandy-spams-lead-to-survey-scams/
Nov 1, 2012 - "... we began to see the first online criminals trying to cash in on the interest in Hurricane Sandy. The good news is they are not trying to spread malware (yet), but the bad news is they are trying to take advantage of a natural disaster affecting millions. The subject lines of the scam messages -- "Sandy Got you down? We've got you covered!", "Don't let the storm ruin your diner plans" and "Avoid the Storm, Eat at chilis!" -- appear to be targeting people who may need to file insurance claims related to damages from the "super storm" and other people who are simply hungry. The bodies of the emails aren't terribly interesting, but every place in the message is a link to a site called "remain watery." The domain was registered on October 15th, clearly in anticipation of creating more victims from this crisis... For those who are affected by the hurricane, stay safe, stay secure, and don't fall for it. The last thing you need right now is another thing to worry about cleaning up after."
___

Hurricane Sandy pump and dump SPAM
- http://blog.commtouch.com/cafe/anti-scam/pump-and-dump-spam-waits-for-hurricane-sandy/
Oct 31, 2012 - "... recipients are encouraged to buy into low-priced shares now that Hurricane Sandy has passed and trading has resumed.
> http://blog.commtouch.com/cafe/wp-content/uploads/Hurricane-Sandy-stock-spam.jpg
... we see less topical spam than we used to. In the past spammers would use current events in subjects and in the text of emails to create interest and generate visits to pharmacy and replica websites..."

 

[AplusWebMaster]

Fake ADP, inTuit SPAM emails lead to malware...

FYI...

Fake ADP SPAM emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/02/...themed-emails-lead-to-black-hole-exploit-kit/
Nov 2, 2012 - "... cybercriminals behind the recently profiled malicious campaign impersonating Bank of America, launched yet another massive spam campaign, this time targeting ADP customers. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/10/adp_email_spam_exploits_malware.png
... Client-side exploits serving URL: hxxp ://reasonedblitzing .net/detects/lorrys_implication.php – 195.198.124.60, AS3301 – Email: monteene_forbrich8029 @ mauritius.com; hxxp ://nfcmpaa .info/detects/burying_releases-degree.php – 195.198.124.60, AS3301 – Email: nevein_standrin35 @ kube93mail .com...
Responding to the same IP are also the following malicious domains:
win8ss .com – Email: fermetnolega @ hotmail .com
legacywins .com – Email: fermetnolega @hotmail .com
openpolygons .net – Email: cordey_yabe139 @ flashmail .net
steamedboasting .info – Email: mauro_borozny655 @ medical .net.au
Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
We’ve already seen the same name servers used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware” malicious campaign. Clearly, the cybercriminal or gang of cybercriminals behind the campaign continue rotating the impersonated brands, next to using the same malicious infrastructure to achieve their objectives..."
___

Fake "Payroll Account Cancelled by Intuit" email
- http://security.intuit.com/alert.php?a=67
11/2/2012 - "People are receiving emails with the title "Notification Only: Payroll Account Cancelled by Intuit." Below is a copy of the email people are receiving.

Direct Deposit Service Informer
Informational Only
We processed your payroll on November 1, 2012 at 365 PM Pacific Time.
Money would be revoked from the Checking account number ending in: XXX3 on November 2, 2012.
total to be left: $2 465.98
Paychecks would be deferred to your workforce' accounts on: November, 2, 2012
Sign In to Overview Details
Funds are typically departed before business banking hours so please be sure you have enough Cash on the account by 12 a.m. on the date Funds are to be withdrawn.
Intuit must process your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your personnel will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services

This is the end of the fake email..."

- http://blog.dynamoo.com/2012/11/intuit-spam-savedordercommunicatesinfo.html
2 Nov 2012 - "... fake Intuit spam leads to malware on savedordercommunicates .info:
... Subject: Notification Only: Transaction Received by Intuit"...
The malicious payload is at [donotclick]savedordercommunicates .info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich .org. Blocking this IP would be wise."
___

Wire Transfer SPAM / webmoniacs .ru
- http://blog.dynamoo.com/2012/11/wire-transfer-spam-webmoniacsru.html
2 Nov 2012 - "This fake wire transfer spam leads to malware on webmoniacs .ru:
Date: Fri, 2 Nov 2012 06:23:10 +0700
From: service @ paypal .com
Subject: RE: Wire Transfer cancelled
Dear Sirs,
The Wire transfer was canceled by the other bank.
Canceled transaction:
FED REFERENCE NUMBER: 628591160ACH34584
Transaction Report: View
The Federal Reserve Wire Network

The malicious payload is at [donotclick]webmoniacs .ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domain are all connected and should be blocked:
50.22.102.132
62.76.186.190
65.99.223.24
68.67.42.41
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
203.80.16.81
209.51.221.247
213.251.171.30
denegnashete .ru
dianadrau .ru
donkihotik .ru
fidelocastroo .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
kiladopje .ru
lemonadiom .ru
manekenppa .ru
panacealeon .ru
panalkinew .ru
pionierspokemon .ru
ponowseniks .ru
rumyniaonline .ru
webmoniacs .ru
windowonu .ru ..."

- https://www.ic3.gov/media/2012/121101.aspx
Nov 1, 2012

 

[AplusWebMaster]

Fake Vodafone msg / Something evil on 31.193.12.3 ...

FYI...

Malware... as a Vodafone MMS message
- http://h-online.com/-1743608
5 Nov 2012 - "The phone number from which the message was supposedly sent varies... Cyber criminals are currently spreading malware by sending a large number of email messages purporting to be from Vodafone's MMS gateway. These emails have the subject "You have received a new message" and claim that the recipient has been sent a picture message over MMS from a Vodafone customer. The Vodafone email address used and the supposed telephone number sending the messages varies*; even the country code is changed based on the location being targeted...
* http://www.h-online.com/security/ne...-an-MMS-message-1743608.html?view=zoom;zoom=1
The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched... VirusTotal*... To avoid accidentally opening such files and becoming infected with malware, Windows users should also make sure that file name extensions are always shown**..."
* https://www.virustotal.com/file/bb2...0d88c1d5cd90418a9a26e60e9248a65f9a7/analysis/
File name: Vodafone_MMS.zip
Detection ratio: 11/43
Analysis date: 2012-11-05

** https://en.wikipedia.org/wiki/Filename_extension#Security_issues
"... default behavior of Windows Explorer... is for filename extensions -not- to be shown... without alerting the user to the fact that (it may be) a harmful computer program..."
___

Wire Transfer & PayPal SPAM / forumibiza .ru
- http://blog.dynamoo.com/2012/11/wire-transfer-paypal-spam-forumibizaru.html
5 Nov 2012 - "These two spam campaigns lead to malware on forumibiza .ru:
Date: Mon, 5 Nov 2012 12:54:44 +0530
From: Declan Benjamin via LinkedIn ...
Subject: Wire Transfer Confirmation (FED 27845UL095)
Good afternoon,
Your Wire Transfer Amount: USD 85,714.01
Wire Transfer Report: View
ELOISA STRICKLAND,
The Federal Reserve Wire Network
==============
From: JoyceMillwee @ mail .com
Sent: 05 November 2012 01:48
Subject: Welcome to PayPal - Choose your way to pay
Welcome
Hello [redacted],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
5693-0930-8767-9350-6794
Transfer Information
Amount: 27380.54 $
Reciever: Gracia Cooley
E-mail: Gage97742 @[redacted] .com
Accept Decline
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP6118

The malicious payload in both cases is [donotclick]forumibiza .ru:8080/forum/links/column.php hosted on the following IPs:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia) ..."
___

Something evil on 31.193.12.3
- http://blog.dynamoo.com/2012/11/something-evil-on-31193123.html
4 Nov 2012 - "These are fake AVs and drive-by downloads mostly, some seem to promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK**) and suballocated to:
person: Olexii Kovalenko
address: Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone: +1 570 343 2200
fax-no: +1 570 343 9533
nic-hdl: OK2455-RIPE
source: RIPE # Filtered
mnt-by: mnt-burst-au
mnt-by: mnt-burst-mu
The registration for the .asia and .eu domains is consistent in the ones I have checked:
Registrant IDI_23063626
Registrant Name: Javier
Registrant Organization: n/a
Registrant Address: Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City: Belgorad
Registrant State/Province: Belgorodskaya oblast
Registrant Country/Economy: RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007 @mail .ru

... I've broken the list into three parts, it's a bit messy sorry... this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the most easy option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment. Many of these domains show as evil in Google's Safe Browsing Diagnostics (example*) and I can find -zero- legitimate domains on this IP..."
* https://www.google.com/safebrowsing/diagnostic?site=acutefile.asia

** https://www.google.com/safebrowsing/diagnostic?site=AS:29550

** https://www.google.com/safebrowsing/diagnostic?site=AS:51377
___

Fake statistics domains lead to malware
- http://blog.dynamoo.com/2012/11/fake-statistics-domains-lead-to-malware.html
5 Nov 2012 - "The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.

bilingstats .org
bombast-atse .org
bombastatse .org
ceastats .org
colinstats .org
expertstats .org
informazionestatistica .org
melestats .org
nonolite .org
statisticaeconomica .org
statspps .org
superbombastatse .org
topbombastatse .org
ufficiostatistica .org

Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands) ..."
___

Dynamic DNS sites you might want to block
- http://blog.dynamoo.com/2012/11/dynamic-dns-sites-you-might-want-to.html
5 Nov 2012 - "These domains belong to ChangeIP .com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. These will be used with some random subdomain unless it's a corporate site (like ChangeIP .com itself) pointing to a random IP address somewhere.. so blocking IPs won't work here.
There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them. The second one is a plain list of everything in case you want to block them completely. You might notice one of the domains is called b0tnet .com which is a peculiar name for a legitimate business to register..."
(More detail at the URL above.)

 

[AplusWebMaster]

Bogus USPS, SMS SPAM lead to malware

FYI...

Bogus USPS emails lead to malware
- http://blog.webroot.com/2012/11/06/usps-postal-notification-themed-emails-lead-to-malware/
Nov 6, 2012 - "... mass mailing millions of emails impersonating The United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/usps_email_spam_malware.jpg
Spamvertised compromised URL: hxxp ://www .unser-revier-bruchtorf-ost .de/FWUJKKOGMP.html
Actual malicious archive URL: hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip
Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 * ... UDSangerousObject.Multi.Generic
Upon execution, the sample phones back to the following URLs...
(See the 1st webroot URL above - long list of IPs.) ... 64.151.87.152, 66.7.209.185, 173.224.211.194, 46.105.121.86, 222.255.237.132, 64.151.87.152, 79.170.89.209, 217.160.236.108, 88.84.137.174, 46.105.112.99, 50.22.136.150, 130.88.105.45, 91.205.63.194, 95.173.180.42, 217.160.236.108 ..."
* https://www.virustotal.com/file/372...77d17877118647a04af6814e/analysis/1351876562/
File name: Shipping_Label_USPS.exe
Detection ratio: 5/44
Analysis date: 2012-11-02
___

SMS SPAM: "Records passed to us show you're entitled to a refund approximately £2130"
- http://blog.dynamoo.com/2012/11/sms-spam-records-passed-to-us-show.html
6 Nov 2012 - "More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.
Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints."
___

Fake Apple "Account Info Change" SPAM / welnessmedical .com
- http://blog.dynamoo.com/2012/11/apple-account-info-change-spam.html
6 Nov 2012 - "Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical .com.
From: Apple [ appleid @ id.arcadiadesign .it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change
Hello,
The following information for your Apple ID [redacted] was updated on 11/06/2012:
Date of birth
Security question(s) and answer(s)
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
To review and update your security settings, sign in to appleid.apple.com.
This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
Thanks,
Apple Customer Support
TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID

The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44... Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is.. our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia* if you want more information."
* http://en.wikipedia.org/wiki/CyberBunker
___

Fake "Scan from a Xerox WorkCentre Pro" / peneloipin .ru
- http://blog.dynamoo.com/2012/11/scan-from-xerox-workcentre-pro.html
6 Nov 2012 - "This fake printer spam leads to malware on peneloipin .ru:
From: Keshawn Burns - MaribelParchment @ hotmail .com
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830
Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]
Xerox WorkCentre Location: machine location not set

The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin .ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
The following malicious domains are also hosted on the same servers:
forumibiza .ru
kiladopje .ru
donkihotik .ru
lemonadiom .ru
peneloipin .ru
panacealeon .ru
finitolaco .ru
fidelocastroo .ru
ponowseniks .ru
dianadrau .ru
panalkinew .ru
fionadix .ru ..."

 

[AplusWebMaster]

Fake ‘Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit

FYI...

Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/07/...themed-emails-lead-to-black-hole-exploit-kit/
Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshots of the spamvertised emails:
> https://webrootblog.files.wordpress.com/2012/11/xerox_email_spam_exploits_malware.png
> https://webrootblog.files.wordpress.com/2012/11/xerox_email_spam_exploits_malware_01.png
... sample javascript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf * ... Mal/JSRedir-M
... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
panalkinew .ru responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276 ..."
* https://www.virustotal.com/file/c65...275c0ed50208640000a2c612be19471ea40/analysis/
File name: Scan_N13004.htm
Detection ratio: 24/44
Analysis date: 2012-11-05
** https://www.virustotal.com/file/f8a...205c984089aea6a8eae992ebaccc5275ed8/analysis/
File name: d34c2e80562a36fb762be72e490b7793887c3192
Detection ratio: 25/43
Analysis date: 2012-11-01
___

Fake Intercompany Invoice SPAM / controlleramo .ru
- http://blog.dynamoo.com/2012/11/intercompany-invoice-spam.html
7 Nov 2012 - "This fake invoice spam leads to malware on controlleramo .ru:
Date: Wed, 7 Nov 2012 07:29:44 -0500
From: LinkedIn [welcome@linkedin.com]
Subject: Re: Intercompany inv. from Beazer Homes USA Corp.
Attachments: Invoice_e49580.htm
Hi
Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)
Thanks a lot for supporting this process
Rihanna PEASE
Beazer Homes USA Corp.

The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo .ru:8080/forum/links/column.php hosted on:
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
These IP addresses have been used in several attacks recently, and you should block access to them if you can."
___

Phishers take aim at USAA
- http://www.gfi.com/blog/phishers-take-aim-at-usaa/
Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
> http://www.gfi.com/blog/wp-content/uploads/2012/11/USAACred_115.png
From: {random}
To: {random}
Subject: USAA – Account Security Update
Message body:
Dear Valued Customer,
We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for
your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
Please follow the reference link below to verify your account.
[link] Click here to verify [/link]
Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security
reasons.
Thank you,
USAA Internet Banking.

Once a recipient clicks Click here to verify, he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
> http://www.gfi.com/blog/wp-content/uploads/2012/11/usaa011.png
This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
* https://www.usaa.com/inet/ent_logon/Logon

>> https://www.usaa.com/inet/pages/adv...archRanking=6&SearchLinkPhrase=phishing email

>>> https://www.youtube.com/watch?feature=player_embedded&v=KYiKATvQvWw#!

:fear:

 

[AplusWebMaster]

Fake Discover Card emails - and more...

FYI...

Fake Discover Card emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/08/...mails-serve-client-side-exploits-and-malware/
8 Nov 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/discover_email_spam_exploits_malware.png
... Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 * ... UDSangerousObject.Multi.Generic
Upon execution, the sample phones back to 200.169.13.84 :8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574
Client-side exploits serving domain reconnaissance:
teamscapabilitieswhich.org responds to 183.180.134.217, AS2519 – Email: anil_valiquette124 @ dawnsonmail .com
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90
netgear-india .net – 183.180.134.217, AS2519
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61
Name Server: NS2.TOPPAUDIO .COM - 173.234.9.89 ..."
* https://www.virustotal.com/file/44c...15c76f700e323fbd7e86d3bc4f04ea50589/analysis/
File name: KB01474670.exe
Detection ratio: 4/44
Analysis date: 2012-11-02
___

getyourbet .org injection attack
- http://blog.dynamoo.com/2012/11/getyourbetorg-injection-attack.html
8 Nov 2012 - "There seems to be an injection attack doing the rounds, the injected domain is getyourbet .org hosted on 31.184.192.237. The domain registration details are:
Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains @ yahoo .com
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two stage attack, if getyourbet .org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
pin.panacheswimwear .co.uk
physical.oneandonlykanuhura .com
pig.onmailorder .com
picture.onlyplussizes .com
person.nypersonaltrainers .com
pipe.payday-loanstoday .com
I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks."

 

[AplusWebMaster]

Fake Intuit, Changelog emails lead to malware

FYI...

Fake Intuit emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/09/...themed-emails-lead-to-black-hole-exploit-kit/
Nov 9, 2012 - "Intuit users, beware! Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on -any- of them, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/intuit_spam_email_exploits_malware.png
... Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 * ... Trojan.Win32.Bublik.qqf
Client-side exploits serving domain reconnaissance:
savedordercommunicates .info – 75.127.15.39, AS36352 – Email: heike_ruigrok32 @ naplesnews .net
Name Server: NS1.CHELSEAFUN .NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak .com
Name Server: NS2.CHELSEAFUN .NET – 65.131.100.90, AS209
We’ve already seen the -same- name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich .org..."
* https://www.virustotal.com/file/461...3b94bccc787574dd3929770d99c279c1e14/analysis/
File name: download
Detection ratio: 29/44
Analysis date: 2012-11-08
___

Changelog SPAM / canadianpanakota .ru
- http://blog.dynamoo.com/2012/11/changelog-spam-canadianpanakotaru.html
9 Nov 2012 - "This spam leads to malware on canadianpanakota .ru:
Date: Fri, 9 Nov 2012 11:55:11 +0530
From: LinkedIn Password [password @ linkedin .com]
Subject: Re: Changlog 10.2011
Attachments: changelog4-2012.htm
Hello,
as promised changelog,(Internet Explorer File)

The attachment leads to a malicious payload at [donotclick]canadianpanakota .ru :8080/forum/links/column.php hosted on the following IPs:
120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
These IPs will probably be used in other attacks, blocking access to them now might be prudent. The following IPs and domains are all related:
120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota .ru
controlleramo .ru
donkihotik .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
lemonadiom .ru
peneloipin .ru
moneymakergrow .ru ..."

 

[AplusWebMaster]

Fake AmExpress emails serve client-side exploits and malware

FYI...

Fake American Express emails serve client-side exploits and malware...
- http://blog.webroot.com/2012/11/12/...mails-serve-client-side-exploits-and-malware/
Nov 12, 2012 - "American Express cardholders, beware! Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving cllient-side exploits courtesy of the BlackHole Exploit Kit....
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/american_express_email_exploits_malware.png
... Malicious domain name reconnaissance:
stempare .net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228 @ i-connect .com
Name Server: NS1.TOPPAUDIO .COM – 91.216.93.61, AS50300 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM – 29.217.45.138 – Email: windowclouse @ hotmail .com ...
Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drops the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 * ... Trojan.Win32.Bublik.ptf...
Upon execution, the dropped malware requests a connection to 192.5.5.241 :8080 and then establishes a connection with 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata .org. It is currently blacklisted in 25 anti-spam lists. The following URLs are known to have (been) directly serving malicious content, and act as command and control servers in the past:
210.56.23.100 :8080/asp/intro.php
210.56.23.100 :8080/za/v_01_a/in ...
The last time we came across this IP (210.56.23.100), was in July 2012's analysis of yet another malicious campaign, this time impersonating American Airlines..."
* https://www.virustotal.com/file/06a...97bf948e271520a6b893c75ad3abf0c6182/analysis/
File name: c8c607bc630ee2fe6a8c31b8eb03ed43
Detection ratio: 15/43
Analysis date: 2012-11-02
___

Cableforum.co .uk hacked?
- http://blog.dynamoo.com/2012/11/cableforumcouk-hacked.html
12 Nov 2012 - "Cableforum.co .uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:
NatWest : Helpful Banking
Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access...
> https://lh3.ggpht.com/-v0aFooReF9M/UKD3p5kUNjI/AAAAAAAAAxY/oFfCiZV5IR4/s1600/natwest.png
This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow... Sadly, crap like this happens to good websites... Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password."

 

[AplusWebMaster]

Blackhole exploit kit - top threat by a large margin

FYI...

Blackhole exploit kit - top threat by a large margin
- https://blogs.technet.com/b/securit...vity-on-the-internet-reaches-new-heights.aspx
12 Nov 2012 - "... exploit activity has increased substantially over the past year... large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend... the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin*. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components** ... In years past it was rare to see an exploit in the top ten list of threats for a country/region. In 2012-Q2 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13***. Blacole is in the top ten lists of twenty-seven of these locations ..."

* https://blogs.technet.com/cfs-files...ponents-weblogfiles/00-00-00-50-43/3683.2.jpg

** https://blogs.technet.com/cfs-files...ponents-weblogfiles/00-00-00-50-43/6443.1.jpg

*** http://www.microsoft.com/security/sir/threat/default.aspx
___

New Java attack introduced into "Cool Exploit Kit"
- https://threatpost.com/en_us/blogs/new-java-attack-introduced-cool-exploit-kit-111212
Nov 12, 2012 - "A new exploit has been found in the Cool Exploit Kit for a vulnerability* in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit... Researchers are concerned now that this exploit is in Cool Exploit Kit, it could find its way into the BlackHole Exploit Kit... Reveton is linked to the Citadel banking and botnet malware..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5076 - 10.0 (HIGH)

 

[AplusWebMaster]

Fake "Your flight" / Wire transfer SPAM - monacofrm .ru

FYI...

Fake "Your flight" SPAM / monacofrm .ru
- http://blog.dynamoo.com/2012/11/your-flight-spam-monacofrmru.html
13 Nov 2012 - "These spam email messages lead to malware on monacofrm .ru:
From: sales1 @victimdomain .com
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581
Dear Customer,
FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
NAOMI PATTON,
==========
From: messages-noreply @bounce .linkedin .com On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733
Dear Customer,
FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
Adon Walton,
(...etc.)

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)
The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added: There's a Wire Transfer SPAM using the same payload too:
From: Amazon.com / account-update @amazon .com
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation
Dear Bank Account Operator,
WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
___

Fake "End of Aug. Statmeent" SPAM / veneziolo .ru
- http://blog.dynamoo.com/2012/11/end-of-aug-statmeent-spam-venezioloru.html
13 Nov 2012 - "The spam never stops, this malicious email leads to malware at veneziolo .ru:
Date: Tue, 13 Nov 2012 12:27:15 -0500
From: Mathilda Allen via LinkedIn [member @linkedin .com]
Subject: Re: End of Aug. Statmeent required
Attachments: Invoices12-2012.htm
Good morning,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards

The malicious payload is at [donotclick]veneziolo .ru:8080/forum/links/column.php hosted on the same IPs seen earlier today, the following IPs and domains are all related:
41.168.5.140, 62.76.46.195, 62.76.178.233, 62.76.186.190, 62.76.188.246, 65.99.223.24, 84.22.100.108, 85.143.166.170, 87.120.41.155, 91.194.122.8, 103.6.238.9, 120.138.20.54, 132.248.49.112, 202.180.221.186,
203.80.16.81, 207.126.57.208, 209.51.221.247, 213.251.171.30, 216.24.194.66 ..."

 

[AplusWebMaster]

Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit

FYI...

Fake ‘PayPal Account Modified’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/11/14/...themed-emails-lead-to-black-hole-exploit-kit/
Nov 14, 2012 - "A cybercriminal/group... continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/paypal_email_spam_exploits_malware.png
... Malicious domain name reconnaissance: puzzledbased .net – 183.180.134.217, AS2519 – Email: rodger_covach3060 @ spacewar .com
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
Although we couldn’t reproduce puzzledbased .net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp ://netgear-india .net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware analysis...
The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (183.180.134.217) as the client-side exploits serving domains:
rovo .pl
itracrions .pl
superdmntre .com
chicwhite .com
radiovaweonearch .com
strili .com
superdmntwo .com
unitmusiceditior .com
newtimedescriptor .com
steamedboasting .info
solla.at votela .net
stempare .net
tradenext .net
bootingbluray .net
The following malicious domain (stempare .net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns..."
___

promotesmetasearch .net promotes malware
From the WeAreSpammers blog: http://wearespammers.blogspot.co.uk/2012/11/launch-of.html

- http://blog.dynamoo.com/2012/11/promotesmetasearchnet-promotes-malware.html
14 Nov 2012 - "This looks like a fake get-rich-quick scam email which is actually intended to distribute malware. Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer .com on 5.39.101.225 (OVH, Germany) and promotesmetasearch .net on 46.249.38.27 (Serverius Holding, Netherlands). This last one is kind of interesting, because 1) it's all in French and 2) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull .chickenkiller .com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.
The WHOIS details show a completely different name and address from the one quoted on the email:
Florence Buker
florence_buker05 @rockfan .com
7043 W Avenue A4
93536 Lancaster
United States
Tel: +1.4219588211
Clearly the owner of promotemetasearch .net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.
From: Anthony Tomei admin @8 mailer .com
Reply-To: info @ promotesmetasearch .net
To: donotemail @ wearespammers .com
Date: 14 November 2012 18:22
Subject: launch of
Dear Future Millionaire,
Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.
The first way is to...

Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques... You should probably regard the domain chickenkiller .com as compromised and block it. Additionally, all the following IPs and domains are related and a probably malicious.
46.249.38.21
46.249.78.23
46.249.38.27
deficiencieshiss .net
personaloverly .net
spaceyourfilesbig.chickenkiller .com
vodkkaredbuuull.chickenkiller .com
firefoxslacker .pro
personaloverly .net
wowteammy113 .org
logicalforced .org
flashkeyed .org
incidentindie .org
sufficeextensible .org
laughspadstyle .org
check-update .org
softtwareupdate .org
internallycontentchecking .org
cordlesssandboxing .org
westsearch .org
perclickbank .org
trayscoffeecup .org
agreedovetails .org
commencemessengers .org
dfgs453t .org
disappointmentcontent .org
whiskeyhdx .org
uhgng43fgjl82309dfg99df1 .com
rethnds732 .com
odiushb327 .com
a6q7 .com
makosl .com
noticablyccleaner .com
leisurelyadventures .com
invitedns .com
srv50 .in
flacleaderboard.in
frwdlink .in
tgy56fd3fj.firm .in
warrantynetwork .co .in
kclicksnet .in
reelshandsoff .info
scatteredavtestorg .info
ap34 .pro
trafficgid .pro
stop2crimepeople .pro
huge4floorhouse .pro
exportlite .pro
weeembedding .pro
layer-grosshandel .pro
firefoxslacker .pro
s1topcrimefor .pro
opera-soft .pro
brauser-soft .pro
mp3soft .pro
pornokuca .net
licencesoftwareupda .net
settlementstored .net
licencesoftwareuppd .net
compartmentalizationwere .net
seniorhog .net
coinbatches .net
isnbreathy .net
mrautorun .ru
askedvisor .ru
srv50b .biz
vimeosseeing .biz
threatwalkthrough .biz
promotemetasearch .net ..."

 

[AplusWebMaster]

Bogus BBB emails serve client-side exploits and malware

FYI...

Opera site served Blackhole malvertising...
- http://www.theregister.co.uk/2012/11/15/opera_blackhole/
15 Nov 2012 - "Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm's home page. Malicious scripts loaded by portal .opera .com were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, said a Romanian anti-virus firm BitDefender*, which said it had detected the apparent attack on its automated systems. BitDefender said it promptly warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising. Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted..."
* http://www.hotforsecurity.com/blog/...-blackhole-through-browser-homepage-4431.html
14 Nov 2012 - "... malicious page harbors the BlackHole exploit kit (we got served with the sample via a PDF file rigged with the CVE-2010-0188 exploit) that will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT. The ZBot malware is on a server in Russia which, most probably, has also fallen victim to a hacking attack, allowing unauthorized access via FTP..."
> http://www.hotforsecurity.com/wp-co...-to-BlackHole-through-Browser-Homepage-21.jpg

- http://www.h-online.com/security/ne...-banking-trojan-1751410.html?view=zoom;zoom=3
16 Nov 2012
___

Bogus BBB emails serve client-side exploits and malware
- http://blog.webroot.com/2012/11/15/...tions-serve-client-side-exploits-and-malware/
Nov 15, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...siness_bureau_email_spam_exploits_malware.png
... Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):
2012-10-16 00:24:08 – hxxp ://navisiteseparation .net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp ://editdvsyourself .net/detects/beeweek_status-check.php
Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire .net
hotsecrete .net - Email: counseling1 @ yahoo .com
the-mesgate .net - also responds to 208.91.197.54 – Email: admin @ newvcorp .com
Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM - 29.217.45.138 – Email: windowclouse @ hotmail .com ..."
___

Changelog SPAM / feronialopam .ru
- http://blog.dynamoo.com/2012/11/changelog-spam-feronialopamru.html
15 Nov 2012 - "This fake "Changelog" spam leads to malware on feronialopam .ru:
Date: Thu, 15 Nov 2012 10:43:59 +0300
From: "Xanga" [noreply@xanga.com]
Subject: Re: Changelog 2011 update
Attachments: changelog-12.htm
Hello,
as promised chnglog attached (Internet Explorer File)
==========
Date: Thu, 15 Nov 2012 05:43:09 -0500
From: Chaz Shea via LinkedIn [member@linkedin.com]
Subject: Re: Changelog as promised(updated)
Attachments: Changelog-12.htm
Hello,
as prmised changelog is attached (Internet Explorer File)

The malicious payload is at [donotclick]feronialopam .ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:
120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."

 

[AplusWebMaster]

Bogus eFax Corporate messages serve multiple malware variants

FYI...

Malware sites to block - 16/11/12
- http://blog.dynamoo.com/2012/11/malware-sites-to-block-161112.html
16 Nov 2012 - "Some more evil domains and IPs, connected with this spam run*. (Thanks, GFI)
* http://gfisoftware.tumblr.com/post/35789134771/american-express-online-merchant-system-spam
chelseafun .net
cosmic-calls .net
dirtysludz .com
fixedmib .net
packleadingjacket .org
performingandroidtoios .info
65.131.100.90
75.127.15.39
82.145.36.69
108.171.243.172
218.102.23.220 ..."
___

Bogus eFax Corporate messages serve multiple malware variants
- http://blog.webroot.com/2012/11/16/...ery-messages-serve-multiple-malware-variants/
Nov 16, 2012 - "... mass mailing millions of emails trying to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Upon running the malicious executables, users are exposed to a variety of dropped malware variants in a clear attempt by the cybercriminals to add additional layers of monetization to the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/11/efax_corporate_email_spam_malware.png
Detection rate for the malicious executable: MD5: 16625f5ee30ba33945b807fb0b8b2f9e * ... Trojan-PSW.Win32.Tepfer.blbl
Upon execution, it attempts to connect to the following domains:
192.5.5.241
ser.foryourcatonly .com
ser.luckypetspetsitting .com
dechotheband .gr
barisdogalurunler .com
alpertarimurunleri .com
oneglobalexchange .com
rumanas .org
www .10130138 .wavelearn .de
visiosofttechnologies .com
sgisolution.com .br
plusloinart .be
marengoit .pl
It then downloads additional malicious payload...
Phone back URL:
hxxp ://oftechnologies.co .in/update/777/img.php?gimmeImg – 130.185.73.102, AS48434 ** – Email: melody_mccarroll38 @ indyracers .com
Name Server:NS1.INVITEDNS .COM
Name Server:NS2.INVITEDNS .COM
The following malicious domain responds to the same IP: updateswindowspc .net
The following malicious domains are also known to have responded to the same IP (130.185.73.102) in the past..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/755...e1f11eb05d637d383d90362f/analysis/1352078183/
File name: eFAX.CORPORATE.exe
Detection ratio: 37/43
Analysis date: 2012-11-05

** https://www.google.com/safebrowsing/diagnostic?site=AS:48434
Diagnostic page for AS48434 (TEBYAN) - "Of the 1723 site(s) we tested on this network over the past 90 days, 86 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-16, and the last time suspicious content was found was on 2012-11-16... Over the past 90 days, we found 2 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 5 site(s)... that infected 6 other site(s)..."

:fear: