SPAM frauds, fakes, and other MALWARE deliveries...

Fake NACHA SPAM, ransomware kits...

FYI...

NACHA .ZIP file attachment spam
- http://threattrack.tumblr.com/post/51863523782/nacha-zip-file-attachment-spam
June 1, 2013 - "Subjects Seen:
ACH Payment rejected: #<uniq_id>
Typical e-mail details:
Ach payment canceled Transaction ID: #[removed] The ACH transaction, recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.
Transaction Status: Rejected Transaction ID: [uniq number removed]
Amount : $
To view more details for this transaction , please check the attached file .
NACHA works to maintain the privacy of any personally identifiable information (name, mailing address, e-mail address, etc.) that may be collected though our Web site. This Web site has security measures in place; however, NACHA does not represent, warrant or guarantee that personal information will be protected against unauthorized access, loss, misuse or alterations. Similarly, NACHA disclaims liability for personal information submitted through this Web site. Users are hereby advised that they submit such personal information at their own risk.
Thank you,
13450 Sunrise Valley Drive
Suite 100 Herndon
VA 20171
© 2013 NACHA - The Electronic Payments Association


Malicious URLs
Spam contains a malicious attachment.


Screenshot: https://gs1.wac.edgecastcdn.net/801...7abd42780/tumblr_inline_mnp9r6IWMy1qz4rgp.png
___

iOS7 announcement prompts themed ransomware kits
- http://community.websense.com/blogs...ouncement-prompts-themed-ransomware-kits.aspx
May 31, 2013 - "... phishing domain related to the imminent release of the Apple iOS7 Operating System. As gossips circulate news in the wild about iOS7 after the D11 conference... cybercriminals are setting up a foundation for phishing and malicious activities...
ios7news .net - 85.25.20.153 **
> http://community.websense.com/cfs-f...ts.WeblogFiles/securitylabs/7140.sshto004.PNG
... As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar police enforcement pictures, based on the country of the potential victims. For example, in the following page the fake FBI Cyber Squad Investigation team is bound with a binary file that has been uploaded:
> http://community.websense.com/cfs-f...ts.WeblogFiles/securitylabs/0741.sshto003.PNG
... we noticed that the AutoIT tool was used to package the malware. This conforms to the current trend of packaging malware to make detection more difficult. We continued our investigation by gathering some telemetry about the IP address that hosts this domain (ios7news .net). From what we discovered, it seems that this IP address is also used for other phishing domains... The domain "hxxp ://gamingdaily .us" is most likely a phishing domain for a gaming news website that is also used to host the exploit kit BleedingLife*... both IT news and rumors could be used by the attackers to leverage people's curiosity, as was done here. In this case, we can suppose (due to details such as the open directory access) that the attackers are going to use and configure that domain for malicious activities based on ransomware."
* http://community.websense.com/blogs/securitylabs/pages/bleeding-life-exploit-kit.aspx
"... The Bleeding Life exploit kit uses exploits which can bypass ASLR and DEP, which means this product could be used successfully against Windows 7 and Windows Vista operating systems..."

** https://www.google.com/safebrowsing/diagnostic?site=AS:8972

Malicious photo, Fivserv SPAM, Threat Outbreak Alerts ...

FYI...

Malicious photo attachment Spam
- http://threattrack.tumblr.com/post/52056798783/malicious-photo-attachment-spam
June 3, 2013 - "Subjects Seen:
Check the attachment you have to react somehow to this picture
Typical e-mail details:
Hi there ,
I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??


Malicious File Name and MD5:
IMG[removed].zip (724bb53c12ebeb9df3e8525c6e1f9052)
ThreatAnalyzer Report: http://www.threattracksecurity.com/enterprise-security/sandbox-software.aspx
- http://db.tt/2ZLJo3Wq [PDF]

Screenshot: https://gs1.wac.edgecastcdn.net/801...40ee6e4ba/tumblr_inline_mntm1nK1JB1qz4rgp.png
___

Fivserv Secure Email Notification Spam
- http://threattrack.tumblr.com/post/52070758101/fivserv-secure-email-notification-spam
June 3, 2013 - "Subjects Seen:
Fiserv Secure Email Notification - [removed]
Typical e-mail details:
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_[removed].zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - [removed]
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile-- @res.fiserv -- .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly...


Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
nourrirnotremonde .org/ponyb/gate.php
zoecopenhagen .com/ponyb/gate.php
goldenstatewealth .com/ponyb/gate.php
190.147.81.28 /yqRSQ.exe
paulcblake .com/ngY.exe
207.204.5.170 /PXVYGJx.exe
netnet-viaggi .it/2L6L.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...7a67b2a00/tumblr_inline_mntxj0rqkk1qz4rgp.png

- http://blog.dynamoo.com/2013/06/fiserv-secure-email-notification-spam.html
3 Jun 2013 - "This spam email contains an encrypted ZIP file with password-protected malware.
Date: Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From: Fiserv Secure Notification [secure .notification @fiserv .com]
Subject: Fiserv Secure Email Notification - IZCO4O4VUHV83W1
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - Iu1JsoKaQ
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it...
If you have concerns about the validity of this message, please contact the sender directly.


Of course, it would be supremely pointless password protecting a document and then including the password in the email! The file has been password protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ which in turn leads to a file called SecureMessage_06032013.exe (note the date is included in that filename). At the moment the VirusTotal detection rate is a so-so 16/47*. The ThreatTrack analysis** identifies some locations that the malware phones home to:
netnet-viaggi .it
paulcblake .com
74.54.147.146
116.122.158.195
190.147.81.28
194.184.71.7
207.204.5.170
..."
* https://www.virustotal.com/en/file/...17100d814a7811b6615ca8e6/analysis/1370289657/
File name: SecureMessage_06032013.exe
Detection ratio: 16/47
Analysis date: 2013-06-03
** http://www.dynamoo.com/files/analysis_31012_2994f3319096ad15b31f3f3135add304.pdf
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Secure Message Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Product Order E-mail Messages - 2013 Jun 03
Fake Bank Transfer Notification E-mail Messages - 2013 Jun 03
Fake Customer Complaint Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Order Invoice Notification E-mail Messages - 2013 Jun 03
Fake Payment Confirmation Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Remittance Slip with Invalid Digital Signature E-mail Messages - 2013 Jun 03
Fake Scanned Document Attachment E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Product Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Personal Photos Sharing E-mail Messages - 2013 Jun 03
Fake Purchase Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Proposal E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Processes and Subpoenas Notification E-mail Messages - 2013 Jun 03
(More detail and links available at the cisco URL above.)

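What Dynamoo describes above (a ZipCrypto-protected ZIP with its password printed in the same e-mail) is easy for a mail gateway to undo, and the fact that the sender supplied the key is itself a strong signal. The following is an added example, not ThreatTrack's or Dynamoo's code: it parses a message, harvests anything the body offers as a "password", opens encrypted ZIP attachments with those candidates and flags executables inside. The message, the ZIP (written by hand with a minimal ZipCrypto encryptor so the script runs offline) and the payload bytes are constructed; only the password string and the inner filename are taken from the write-up above.

```python
"""Mail-gateway triage for the 'password-protected ZIP, password in the body'
lure.  Added example; the e-mail and the ZIP are constructed below."""
import hashlib
import io
import re
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# ---- ZipCrypto writer, used only to build the constructed sample ----------
def _crc_entry(i):
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i

_CRC_TABLE = [_crc_entry(i) for i in range(256)]

def zipcrypto_encrypt(plain, password, check_byte):
    """PKWARE 'traditional' encryption, the scheme zipfile._ZipDecrypter reverses.
    The 12-byte prefix ends in check_byte (CRC high byte), so a wrong password
    is rejected before any data is read."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(b):
        keys[0] = (keys[0] >> 8) ^ _CRC_TABLE[(keys[0] ^ b) & 0xFF]
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = (keys[2] >> 8) ^ _CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]

    for b in password:
        update(b)
    out = bytearray()
    for b in bytes(range(11)) + bytes([check_byte]) + plain:  # fixed nonce: sample only
        k = keys[2] | 2
        out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(b)
    return bytes(out)

def build_encrypted_zip(name, data, password):
    """One stored, ZipCrypto-encrypted entry (general-purpose flag bit 0 set)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, password, (crc >> 24) & 0xFF)
    fname = name.encode("ascii")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end

SAMPLE_PASSWORD = b"Iu1JsoKaQ"          # the password quoted in the lure above
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 64   # stand-in for SecureMessage_06032013.exe (constructed)

def constructed_message():
    """Constructed e-mail in the shape of the Fiserv lure; not a captured sample."""
    msg = EmailMessage()
    msg["From"] = "Fiserv Secure Notification <secure.notification@example.invalid>"
    msg["Subject"] = "Fiserv Secure Email Notification - SAMPLE"
    msg.set_content("You have received a secure message\n"
                    "To decrypt the message use the following password - "
                    + SAMPLE_PASSWORD.decode() + "\n")
    msg.add_attachment(build_encrypted_zip("SecureMessage_06032013.exe", SAMPLE_PAYLOAD, SAMPLE_PASSWORD),
                       maintype="application", subtype="zip", filename="SecureMessage_SAMPLE.zip")
    return msg.as_bytes()

# ---- the gateway check ----------------------------------------------------
PASSWORD_RE = re.compile(r"password\s*(?:is|[-:])\s*([A-Za-z0-9!@#$%^&*_]{4,32})", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def harvest_passwords(body):
    """Every token the body offers as a 'password'; wrong guesses cost nothing."""
    return list(dict.fromkeys(PASSWORD_RE.findall(body)))

def inspect_zip(blob, passwords):
    """(entry name, encrypted?, md5 of the decrypted content or None) per entry."""
    out = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            md5 = None
            for pwd in ([p.encode() for p in passwords] if encrypted else [None]):
                try:
                    md5 = hashlib.md5(zf.read(info, pwd=pwd)).hexdigest()
                    break
                except (RuntimeError, zipfile.BadZipFile, NotImplementedError):
                    continue  # bad password, CRC mismatch, or AES/strong encryption
            out.append((info.filename, encrypted, md5))
    return out

def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain" and not p.get_filename())
    passwords = harvest_passwords(body)
    findings = []
    for part in msg.walk():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        for name, encrypted, md5 in inspect_zip(part.get_payload(decode=True), passwords):
            findings.append({"attachment": fname, "entry": name, "encrypted": encrypted,
                             "opened_with_body_password": encrypted and md5 is not None,
                             "executable": name.lower().endswith(EXEC_EXT), "md5": md5})
    return findings

def verdict(findings):
    if any(f["executable"] or f["opened_with_body_password"] for f in findings):
        return "block"       # executable inside, or an AV-evasion wrapper with its key in the mail
    if any(f["encrypted"] for f in findings):
        return "quarantine"  # encrypted and nothing in the body opened it
    return "allow"

def md5hex(data):
    return hashlib.md5(data).hexdigest()
```

The check byte in the ZipCrypto header makes a wrong candidate fail immediately, so trying every "password"-looking word from the body is cheap. Entries using WinZip AES or PKWARE strong encryption cannot be opened by the standard library (zipfile raises NotImplementedError); they fall through to "quarantine", which is the right answer for a gateway that cannot look inside.
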
Fake Xerox WorkCentre Attachment Spam

FYI...

Fake Xerox WorkCentre Attachment Spam
- http://threattrack.tumblr.com/post/52218547886/xerox-workcentre-attachment-spam
June 5, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Reply to: Xerox.WorkCentre @[removed]
Device Name: Not Set
Device Model: XEROX-2178N
Location: Not Set
File Format: PDF (Medium)
File Name: Xerox_Scan_06-04-2013-466.zip
Resolution: 200dpi x 200dpi
Attached file is scanned image in PDF format.


Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
4renttulsa .com/ponyb/gate.php
4rentunitedstates .com/ponyb/gate.php
newsouthdental .com/jENnMd2X.exe
leclosdelentaille .fr/2Zxq1hZ.exe
forexwinnersacademy .com/fmy.exe


Malicious File Name and MD5:
Xerox_Scan_06-04-2013-[removed].zip (e45db46d63330f20ef8c381f6c0d8f1a)
Xerox_Scan_06-04-2013-[removed].exe (7e4b3aca9a2a86022d50110d5d9498e2)
fmy.exe (c3c103ebb3ce065b8b62b08fba40483f)

ThreatAnalyzer Report: http://db.tt/yJoSwFM8 [PDF]
199.168.184.198, 82.165.79.64, 69.163.187.171, 216.172.167.17

Screenshot: https://gs1.wac.edgecastcdn.net/801...f36ca50a6/tumblr_inline_mnx8zd58Hw1qz4rgp.png
___

Don't like clicking when you won't know where you're going?
- http://urlxray.com/
Find out where shortened URLs lead to without clicking on them
Enter any shortened URL...
___

More Champions Club Community SPAM
- http://blog.dynamoo.com/2013/06/more-champions-club-community-spam.html
5 June 2013 - "... the originating IP is 217.174.248.194 [web1-opp2.champions-bounce .co.uk] (Fasthosts, UK). Spamvertised domains are champions.onlineprintproofing .co.uk also on 217.174.248.194 and championsclubcommunity .com on 109.203.113.124 (Eukhost, UK). Give these spammers a wide berth..."
- http://blog.dynamoo.com/2013/03/champions-club-community.html
___

Backdoor Wipes MBR, Locks Screen
- http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-wipes-mbr-locks-screen/
June 5, 2013 - "German users are at risk of having their systems rendered unusable by a malware that we’re seeing being sent via spam messages. This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea. We recently uncovered this noteworthy backdoor as an attached file in certain spam variants. The spam sample we found is in German and forces recipients to pay for a certain debt, the details of which are contained in the attachment. Those who open the attachment are actually tricked into executing the malware, in this instance, a backdoor.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/backdoor-attached-file.jpg
Like any backdoor, BKDR_MATSNU.MCB performs certain malicious commands, which include gathering machine-related information and sending it to its command-and-control (C&C) server. However, the backdoor’s most noteworthy feature is its capability to wipe the Master Boot Record (MBR). The wiping of the MBR was recently used in the high-profile (but different) attack against certain South Korean institutions. What makes this routine problematic is that once done, infected systems won’t reboot normally and will leave users with unusable machines. Another command is the backdoor’s capability to lock and unlock a screen. This locking of screen is definitely a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays for the “ransom”. Ransomware is a malware that locks an infected system’s screen and displays a message, which instructs users to pay for a “ransom” thru certain payment methods... During our testing, BKDR_MATSNU.MCB readily performed the MBR wiping routine. The remote malicious user (via the server) only needs to communicate this command to the backdoor and it can execute this routine immediately. However, this is not the case with the screen locking. BKDR_MATSNU.MCB is likely to download a different module onto the system, which will then lock the screen. As to what routines will be first executed or not is dependent on the remote malicious user. Attackers may opt to lock the screen first then initiate the MBR overwriting or just initiate any of the two. Another possible scenario is that another version of BKDR_MATSNU is integrated with the screen blocking routine, which will make the screen locking command easier to execute... For better protection, users should always be cautious of the email they receive and must not readily open any attachments. If your system is already infected, it is a safer bet to not pay for the “ransom”, as paying does not guarantee anything..."

Fake Innex SPAM, rxlogs .net ...

FYI...

Fake Innex, Inc SPAM
- http://blog.dynamoo.com/2013/06/innex-inc-fake-spam.html
6 June 2013 - "Innex, Inc is a real company. This spam email message is -not- from Innex, Inc.
From: PURCHASING DEPARTMENT [fdmelo @fucsalud .edu.co]
To:
Reply-To: pinky .yu@chanqtjer .com.tw
Date: 6 June 2013 08:55
Subject: Innex, Inc.
Sir/Madam,
Our Company is interested in your product, that we saw in trading site,
Your early reply is very necessary for further detail specification immediately you receive our email.
Regards
Purchasing manager,
Mr James Vincent ...


Innex is based in California in the US, but the email appears to be from a university in Colombia and solicits replies to an email address in Taiwan. Note as well that the email is very vague about the "product" they are interested in, and the To: field is blank as the recipient list has been suppressed (i.e. it is being sent to multiple recipients). Avoid."
___

rxlogs .net: spam or Joe Job?
- http://blog.dynamoo.com/2013/06/rxlogsnet-spam-or-joe-job.html
6 June 2013 - "I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job**?
Date: Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From: Admin [whisis101 @gmail .com]
Reply-To: ec2-abuse @amazon .com
facebook
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team


Screenshot: https://lh3.ggpht.com/-ToJ6cyCDWME/UbBAFLEAhNI/AAAAAAAABP8/PODZRA25wh0/s1600/rxlogs.png

The link in the emails goes to multiple pages on rxlogs .net which as far as I can tell is -not- malware*, but is a blog about online pharmacies. But is it spam? Well, let's dig a little deeper.. Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous additional headers.. The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been -faked- in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs .net is hosted on 107.20.147.122 which is an Amazon IP... I believe this is a Joe Job and not a "genuine" spam run, and rxlogs .net is simply another victim of the bad guys."
* http://urlquery.net/report.php?id=2919241
Source IP: 94.102.48.224 - Known RBN IP

** http://searchsecurity.techtarget.com/definition/Joe-job
___

Fake NatPay SPAM / usforclosedhomes .net
- http://blog.dynamoo.com/2013/06/natpay-transmission-confirmation-spam.html
6 Jun 2013 - "This fake NatPay spam leads to malware on usforclosedhomes .net.
Version 1:
Date: Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From: National Payment Automated Reports System [dunks @services .natpaymail .net]
Subject: Transmission Confirmation ~26306682~N25BHHL1~
Transmission Verification
Contact Us
To:
NPC Account # 26306682
Xavier Reed
Re:
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
Batch Number 408
Batch Description VENDOR PAY
Number of Dollar Entries 2
Number of Prenotes 0
Total Deposit Amount $3,848.19
Total Withdraw Amount $3,848.19
Batch Confirmation Number 50983
Date Transmitted Thursday, June 06, 2013 ...
---
Version 2:
Date: Thu, 6 Jun 2013 09:59:06 -0500
From: National Payment Automated Reports System [lemuel @emalsrv.natpaymail .com]
Subject: Transmission Confirmation ~10968697~607MPYRC~
Transmission Verification
Contact Us
To: NPC Account # 10968697
Benjamin Turner
Re: NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
Batch Number 219
Batch Description VENDOR PAY
Number of Dollar Entries 2
Number of Prenotes 0
Total Deposit Amount $2,549.12
Total Withdraw Amount $2,549.12
Batch Confirmation Number 24035 ...


The malicious payload is on [donotclick]usforclosedhomes .net/news/walls_autumns-serial.php (report here*) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)
The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.
Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56
..."
* http://urlquery.net/report.php?id=2926577
___

USPS Package Pickup Spam
- http://threattrack.tumblr.com/post/52314898634/usps-package-pickup-spam
June 6, 2013 - "Subjects Seen:
USPS - Your package is available for pickup ( Parcel [removed])
Typical e-mail details:
We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: [removed]
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office...


Malicious URLs
michaelscigars .net/ponyb/gate.php
montverdestore .com/ponyb/gate.php
errezeta .biz/ToSN79T.exe
190.147.81.28 /yqRSQ.exe
207.204.5.170 /PXVYGJx.exe
archeting .it/86zP.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...a745f2670/tumblr_inline_mnziitVIUE1qz4rgp.png
___

Global $200M credit card hacking ring busted
- http://www.reuters.com/article/2013/06/05/us-cybercrime-hacking-arrests-idUSBRE95419G20130605
Jun 5, 2013 - "Eleven people in the United States, the UK and Vietnam have been arrested and accused of running a $200 million worldwide credit card fraud ring, U.S. and UK law enforcement officials said... Federal prosecutors in New Jersey said they had filed charges against a 23-year-old man from Vietnam... authorities in Vietnam had arrested Duy Hai Truong on May 29 in an effort to break up a ring he is accused of running with co-conspirators, who were not named in the statement... The arrests come as law enforcement officials around the world are cracking down on Internet-related heists. Two weeks ago, authorities raided Liberty Reserve, a Costa Rica-based company that provided a virtual currency system used frequently by criminals to move money around the world without using the traditional banking system. Earlier last month, authorities arrested seven people involved in a $45 million heist in which hackers removed limits on prepaid debit cards and used ATM withdrawals to drain cash from two Middle Eastern banks... the charges were filed in New Jersey's federal court because some of the victims of the scheme are residents of the state. Prosecutors claim Truong and accomplices stole information related to more than a million credit cards and resold it to criminal customers... According to the complaint, Truong hacked into websites that sold goods and services over the Internet and collected personal credit card information from the sites' customers. "The victims' credit cards incurred, cumulatively, more than $200 million in fraudulent charges," the complaint said..."
- http://www.soca.gov.uk/news/552-eleven-arrests-as-global-investigation-dismantles-criminal-web-forum

Malware sites to block, Fake USPS SPAM...

FYI...

Malware sites to block 7/6/13
- http://blog.dynamoo.com/2013/06/malware-sites-to-block-7613.html
7 June 2013 - "Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which hosts some domains that are also found here** (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:
faggyppvers5 .info
finger2 .climaoluhip.org
linkstoads .net
node1.hostingstatics .org
node2.hostingstatics .org
Injecting some of the same sites as the domains on the above IPs is jstoredirect .net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect .net was online it managed to infect over 1500 sites*.
Aggregate blocklist:
98.126.9.34
114.142.147.51
158.255.212.96
158.255.212.97
nethostingdb .com
netstoragehost .com
connecthostad .net
climaoluhip .org
hostingstatics .org
systemnetworkscripts .org
numstatus .com
linkstoads .net
faggyppvers5 .info
jstoredirect .net
..."
* http://www.google.com/safebrowsing/diagnostic?site=jstoredirect.net

** http://blog.dynamoo.com/2013/05/something-bit-evil-on-15825521296-and.html
___

Fake USPS SPAM / USPS_Label_861337597092.zip
- http://blog.dynamoo.com/2013/06/usps-spam-uspslabel861337597092zip.html
6 June 2013 - "This fake USPS spam contains a malicious attachment:
Date: Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
From: USPS Express Services [service-notification @usps .com]
Subject: USPS - Your package is available for pickup ( Parcel 861337597092 )
Postal Notification,
We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: 861337597092
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.
*** This is an automatically generated email, please do not reply ...


There is an attachment called USPS_Label_861337597092.zip which in turn contains a malicious executable file USPS_Label_06062013.exe (note the date is encoded into the filename). VirusTotal results for this are 18/47*. The Comodo CAMAS report** shows an attempt to download more components from michaelscigarbar .net on 184.95.37.109 (Jolly Works Hosting, Philippines.. rented from Secured Servers in the US). URLquery*** shows a very large amount of malware activity on that IP, mostly apparently running on legitimate -hacked- domains. You should probably treat all of the following domains as hostile:
alliancelittleaviators .com
apparelacademy .com
apparelacademy .net
brokerforcolorado .com
carlaellisproperties .com
dragoncigars .net
heavenlycigars .net
libertychristianstore .com
michaelscigarbar .com
michaelscigarbar .net
michaelscigars .net
montverdestore .com
montverdestore .net
montverdestore .org
..."

* https://www.virustotal.com/en/file/...657a2da3cfb2b4cf553ab695/analysis/1370549956/
File name: USPS_Label_06062013.exe
Detection ratio: 18/47
Analysis date: 2013-06-06
** http://camas.comodo.com/cgi-bin/sub...c861b35f6b3bea9b09219657a2da3cfb2b4cf553ab695

*** http://urlquery.net/search.php?q=184.95.37.109&type=string&start=2013-05-22&end=2013-06-06&max=50
___

Better Business Bureau Compliant Spam
- http://threattrack.tumblr.com/post/52376899345/better-business-bureau-compliant-spam
7 June 2013 - "Subjects Seen:
BBB Appeal [removed]
Typical e-mail details:
The Better Business Bureau has been booked the above mentioned grievance from one of your users in respect to their dealings with you. The detailed description of the consumer’s trouble are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
We graciously ask you to overview the CLAIM REPORT to answer on this plaint.
We awaits to your prompt answer.
WBR
Ryan Myers
Dispute Advisor


Malicious URLs
amapi .com .br/bbb.html
pnpnews .net/news/readers-sections.php?hvv=rvjzzloo&jnjpe=thpe
pnpnews .net/news/readers-sections.php?yf=1i:1f:32:33:2v&re=1n:2w:1n:1g:30:1f:1o:1n:1i:2v&u=1f&br=b&sd=c&jopa=5698723


Screenshot: https://gs1.wac.edgecastcdn.net/801...b30385da6/tumblr_inline_mo0xyvrpWf1qz4rgp.png

- http://blog.dynamoo.com/2013/06/bbb-spam-pnpnewsnet.html
7 June 2013 - "This fake BBB spam leads to malware on pnpnews .net:
From: Better Business Bureau [mailto:standoffzwk68 @clients.bbb .com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486
Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
We awaits to your prompt answer.
Faithfully yours
Jonathan Edwards
Dispute Advisor
Better Business Bureau ...


Screenshot: https://lh3.ggpht.com/-RY4L1o2A9_w/UbHwqENyOxI/AAAAAAAABQw/IgMGesJmdiQ/s400/bbb.png

The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews .net/news/readers-sections.php (report here*) hosted on:
46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago
Blocklist:
46.18.160.86
93.89.235.13
178.16.216.66
186.215.126.52
190.93.23.10
..."
* http://urlquery.net/report.php?id=2944992
... Detected BlackHole v2.0 exploit kit URL pattern ...
___

Fake American Express PAYVE Remit Spam
- http://threattrack.tumblr.com/post/52383728966/american-express-payve-remit-spam
June 7, 2013 - "Subjects Seen:
PAYVE - Remit file
Typical e-mail details:
A payment(s) to your company has been processed through the American Express Payment Network.
The remittance details for the payment(s) are attached ([removed].zip).
- The remittance file contains invoice information passed by your buyer. Please contact your buyer for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account according to the terms of your American Express merchant agreement and may be combined with other American Express deposits. For additional information about Deposits, Fees, or your American Express merchant agreement:
Contact American Express Merchant Services at 1-800-528-0933 Monday to Friday, 8:00 AM to 8:00 PM ET.
- You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services. If you are not enrolled in My Merchant Account/OMS, you can do so at americanexpress .com/mymerchantaccount or call us at 1-866-220-7374, Monday - Friday between 9:00 AM-7:30 PM ET, and we’ll be glad to help you.
For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express...


Malicious URLs
storeyourbox .net/ponyb/gate.php
storeyourthings .net/ponyb/gate.php
drjoycethomasderm .com/ponyb/gate.php
errezeta .biz/ToSN79T.exe
190.147.81.28 /yqRSQ.exe
207.204.5.170 /PXVYGJx.exe
archeting .it/86zP.exe

Screenshot: https://gs1.wac.edgecastcdn.net/801...71595ee72/tumblr_inline_mo14hjPc6a1qz4rgp.png

- http://blog.dynamoo.com/2013/06/payve-remit-file-spam.html
7 June 2013 - "This fake American Express Payment Network spam has a malicious attachment.
Date: Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From: "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
Subject: PAYVE - Remit file ...


Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46* anti-virus scanners detect it.
The Comodo CAMAS report*** gives some details about the malware, including the following checksums:
MD5 fd18576bd4cf1baa8178ff4a2bef0849
SHA1 8b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256 f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875
The malware attempts to download further components from storeyourbox .com on 97.107.137.239 (Linode, US) which looks like a legitimate server that has been -badly- compromised**. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:
drjoycethomasderm .com
goodvaluemove .com
jacksonmoving .com
jacksonmoving .net
napervillie-movers .com
reebie .net
storageandmoving .net
storeyourbox .com
storeyourbox .net
storeyourthings .net
"
* https://www.virustotal.com/en/file/...7e045b2c35bb33d5e27d6875/analysis/1370627576/
File name: CD06072013.239871839.exe
Detection ratio: 8/46
Analysis date: 2013-06-07
** https://www.virustotal.com/en/ip-address/97.107.137.239/information/

*** http://camas.comodo.com/cgi-bin/sub...83267eea67dd3a6e592757e045b2c35bb33d5e27d6875

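The indicators in this thread are deliberately broken ("example .com", "hxxp ://", "[donotclick]", "ftp(DOT)", "IP :8080/path") so nobody clicks them by accident, which also means they cannot be pasted straight into a proxy or DNS blocklist. The script below is an added example, not Dynamoo's or ThreatTrack's tooling: it undoes those notations, sorts what is left into IPs, domains and full URLs, and emits a hosts-file style sinkhole list plus an IP list. The input is a constructed sample that copies one line per notation used above; nothing is fetched from the network, and the refang rules are meant for the IOC lines, not for the surrounding prose.

```python
"""Refang the defanged IOCs posted in this thread and build a blocklist.
Added example; SAMPLE is constructed from the thread's own notations."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: one line per notation seen above.
SAMPLE = """\
116.122.158.195 :8080/ponyb/gate.php
nourrirnotremonde .org/ponyb/gate.php
190.147.81.28 /yqRSQ.exe
ftp(DOT)impactdata .com/da4.exe
[donotclick]usforclosedhomes .net/news/walls_autumns-serial.php
hxxp ://gamingdaily .us
ios7news .net - 85.25.20.153 **
41.89.6.179 (Kenya Education Network, Kenya)
"""

# Order matters: scheme and (DOT) forms first, then the " ." / " :" / " /" gaps.
DEFANG_FIXES = [
    (r"\[donotclick\]", ""),
    (r"\bh(?:xx|tt)p(s?)\s*:\s*//", r"http\1://"),
    (r"\s*(?:\(dot\)|\[dot\]|\[\.\]|\{\.\})\s*", "."),
    (r"(?<=\S)\s+\.(?=\S)", "."),    # "example .com"   -> "example.com"
    (r"(?<=\S)\s+:(?=\d)", ":"),     # "1.2.3.4 :8080"  -> "1.2.3.4:8080"
    (r"(?<=\S)\s+/(?=\S)", "/"),     # "1.2.3.4 /x.exe" -> "1.2.3.4/x.exe"
]
DOMAIN_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def refang(line):
    """Undo the thread's defanging on one IOC line."""
    s = line.strip()
    for pat, rep in DEFANG_FIXES:
        s = re.sub(pat, rep, s, flags=re.I)
    return s

def classify(token):
    """Return (host_kind, host, url_or_None) for a refanged token, else None."""
    tok = token.strip("\"'()[]<>,;*")
    if "://" in tok or "/" in tok or re.search(r":\d+$", tok):
        p = urlsplit(tok if "://" in tok else "//" + tok)
        host = (p.hostname or "").lower()
        url = f"{p.scheme or 'http'}://{p.netloc}{p.path}" + (f"?{p.query}" if p.query else "")
    else:
        host, url = tok.lower(), None
    try:
        ipaddress.ip_address(host)
        return "ip", host, url
    except ValueError:
        pass
    return ("domain", host, url) if DOMAIN_RE.match(host) else None

def extract(text):
    """Deduplicated IPs, domains and full URLs from a block of thread text."""
    ind = {"ips": set(), "domains": set(), "urls": set()}
    for line in text.splitlines():
        for tok in refang(line).split():
            hit = classify(tok)
            if hit:
                kind, host, url = hit
                ind["ips" if kind == "ip" else "domains"].add(host)
                if url:
                    ind["urls"].add(url)
    return ind

def to_blocklist(ind):
    """hosts-file sinkhole lines for the domains plus a sorted IP list."""
    lines = ["# domains (hosts-file sinkhole format)"]
    lines += [f"0.0.0.0 {d}" for d in sorted(ind["domains"])]
    lines += ["# ip addresses"]
    lines += sorted(ind["ips"], key=ipaddress.ip_address)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_blocklist(extract(SAMPLE)))
```

Keep the full URLs as well as the hosts: several of the "ponyb/gate.php" and ".exe" paths above sit on legitimate hacked sites, so a proxy rule on the exact path is less disruptive than sinkholing the whole domain, while the IP list is what you feed a firewall.
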
Fake Wells Fargo - attachment Spam

FYI...

Fake Wells Fargo - attachment Spam
- http://threattrack.tumblr.com/post/52635380368/wells-fargo-important-document-attachment-spam
June 19, 2013 - "Subjects Seen:
IMPORTANT - WellsFargo
Typical e-mail details:
Please check attached documents.
Michael_Kane
Wells Fargo Advisors
817-563-5247 office
817-368-5170 cell [removed]
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit wellsfargoadvisors.com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103


Malicious URLs
megmcenery .com/ponyb/gate.php
mceneryfinancial .com/ponyb/gate.php
margueritemcenery .com/ponyb/gate.php
hraforbiz. com/ponyb/gate.php
ftp(DOT)impactdata .com/da4.exe
errezeta .biz/ToSN79T.exe
ftp(DOT)myfxpips .com/PMLyQRMt.exe
207.204.5.170 /PXVYGJx.exe


Malicious File Name and MD5:
WellsFargo.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
Important WellsFargo Docs.exe (47e739106c24fbf52ed3b8fd01dc3668)

Screenshot: https://gs1.wac.edgecastcdn.net/801...c9ab77207/tumblr_inline_mo6s1hL1ca1qz4rgp.png

- http://blog.dynamoo.com/2013/06/wells-fargo-spam-important-wellsfargo.html
10 June 2013 - "This fake Wells Fargo spam run comes with one of two malicious attachments:
Date: Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From: Anthony_Starr @wellsfargo .com
Subject: IMPORTANT - WellsFargo
Please check attached documents.
Anthony_Starr
Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell Anthony_Starr @ wellsfargo .com
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at
www .wellsfargoadvisors .com/unsubscribe. Neither of these actions will affect delivery of
important service messages regarding your accounts that we may need to send you or
preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit
http :// wellsfargoadvisors .com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient.. but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be -two- variants.
One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47* (yup.. none at all). The Comodo CAMAS report** gives the following checksums..
Name Value
Size 94720
MD5 70e604777a66980bcc751dcb00eafee5
SHA1 52ef61b6296f21a3e14ae35320654ffe3f4e769d
SHA256 f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
..it identifies that this version of the malware attempts to download additional components from mceneryfinancial .com on 173.255.213.171 (specifically it is a pony downloader querying /ponyb/gate.php)... ThreatTrack has a more detailed report*** which also identifies callbacks to www.errezeta .biz and ftp.myfxpips .com. ThreatExpert has a slightly different report (1) and further identifies megmcenery .com, taxfreeincomenow .com, taxfreeincomenow .info and 207.204.5.170 (Linode, US). The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46 (2). Comodo CAMAS reports(3) the following file characteristics..
Name Value
Size 114176
MD5 47e739106c24fbf52ed3b8fd01dc3668
SHA1 b85b4295d23c912f9446a81fd605576803a29e53
SHA256 2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b
..in this case the pony downloader contacts hraforbiz .com (also on 173.255.213.171). Other analyses are pending. Several of these malware domains are hosted on 173.255.213.171 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 62.149.131.162 (Aruba, Italy) also seems to be compromised(4). 173.254.68.134 (5) (Unified Layer, US) and 207.204.5.170 (6) (Register .com, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been -hacked- in some way, I would expect them to be cleaned up at some point in the future. Putting all these IPs and domains together gives a recommended blocklist:
173.254.68.134
173.255.213.171
207.204.5.170
62.149.131.162
..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en/file/...7166282922c16d6db3b8adae/analysis/1370888138/
File name: Important WellsFargo Doc.exe
Detection ratio: 0/47
Analysis date: 2013-06-10
** http://camas.comodo.com/cgi-bin/sub...c46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
*** http://www.dynamoo.com/files/analysis_31139_70e604777a66980bcc751dcb00eafee5.pdf
1) http://www.threatexpert.com/report.aspx?md5=70e604777a66980bcc751dcb00eafee5
2) https://www.virustotal.com/en/file/...9ea7cb89b8839f672afb418b/analysis/1370888252/
File name: Important WellsFargo Docs.exe
Detection ratio: 11/46
Analysis date: 2013-06-10
3) http://camas.comodo.com/cgi-bin/sub...c46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
4) https://www.virustotal.com/en/ip-address/62.149.131.162/information/
5) https://www.virustotal.com/en/ip-address/173.254.68.134/information/
6) https://www.virustotal.com/en/ip-address/207.204.5.170/information/
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
E-mail Messages with Malicious Attachments - 2013 Jun 10
Fake Deposit Transfer Confirmation Notification E-mail Messages - 2013 Jun 10
Fake Documents Attachment Email Messages - 2013 Jun 10
Malicious Attachment Email Messages - 2013 Jun 10
Fake Bill Payment Notification Email Messages - 2013 Jun 10
Fake Legal Assistance Inquiry E-mail Messages - 2013 Jun 10
Fake Products Advertisement E-mail Messages - 2013 Jun 10
Fake FedEx Shipment Notification E-mail Messages - 2013 Jun 10
Fake Xerox Scan Attachment Email Messages - 2013 Jun 10
Fake Gift Voucher Redemption Email Messages - 2013 Jun 10
Fake Deposit Statement Notification E-mail Messages - 2013 Jun 10
(More detail and links at the cisco URL above.)

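Added example (mine, not code from the dynamoo or ThreatTrack write-ups quoted above): the Pony downloader behaviour described in the Wells Fargo post is a POST to a hacked site's /ponyb/gate.php followed by an EXE fetch from a different hacked host, so it can be picked out of web-proxy logs by correlating those two events per client instead of waiting for AV (0/47 on one of the samples). The log line format and the sample lines are constructed for the demo; the gate domains and blocklist IPs are the ones quoted in the post.

```python
"""Correlate Pony check-ins with follow-on EXE downloads in proxy logs.

Added example, not part of the original post. The log format and the
SAMPLE_LOG lines are constructed; the IOC sets are quoted from the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Pony gate domains and blocklist IPs quoted in the post (June 2013).
PONY_GATES = {
    "megmcenery.com", "mceneryfinancial.com",
    "margueritemcenery.com", "hraforbiz.com",
}
BLOCKLIST_IPS = {"173.254.68.134", "173.255.213.171",
                 "207.204.5.170", "62.149.131.162"}

GATE_PATH = re.compile(r"/ponyb/gate\.php$", re.IGNORECASE)
EXE_PATH = re.compile(r"\.exe$", re.IGNORECASE)

# Constructed log format: "<ISO timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": parts.hostname or "",
            "path": parts.path, "status": int(status)}


def classify(ev):
    """Tag a single event; None means it is not interesting on its own."""
    if ev["method"] == "POST" and GATE_PATH.search(ev["path"]):
        return "pony_gate"
    if EXE_PATH.search(ev["path"]):
        return "exe_download"
    if ev["host"] in BLOCKLIST_IPS or ev["host"] in PONY_GATES:
        return "blocklisted_host"
    return None


def find_infections(lines, window=timedelta(minutes=10)):
    """Per client: a POST to */ponyb/gate.php followed within `window` by a
    GET of an .exe from a different host is the downloader pattern described
    in the post. Returns a list of (client, gate_host, exe_url)."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[ev["client"]].append(ev)
    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if classify(ev) != "pony_gate":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # events are sorted, nothing later can qualify
                if classify(later) == "exe_download" and later["host"] != ev["host"]:
                    hits.append((client, ev["host"], later["host"] + later["path"]))
    return hits


def blocklisted_events(lines):
    """Any contact with a quoted gate domain or blocklist IP, regardless of order."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and (ev["host"] in BLOCKLIST_IPS or ev["host"] in PONY_GATES):
            out.append(ev)
    return out


# Constructed sample log: one infected client, one clean client, and one
# whose EXE fetch falls outside the correlation window.
SAMPLE_LOG = """\
2013-06-10T14:01:02 10.0.0.5 POST http://mceneryfinancial.com/ponyb/gate.php 200
2013-06-10T14:01:09 10.0.0.5 GET http://www.errezeta.biz/ToSN79T.exe 200
2013-06-10T14:01:15 10.0.0.5 GET http://207.204.5.170/PXVYGJx.exe 200
2013-06-10T14:03:00 10.0.0.7 GET http://www.example.com/index.html 200
2013-06-10T14:05:00 10.0.0.7 GET http://download.example.com/setup.exe 200
2013-06-10T15:30:00 10.0.0.9 POST http://hraforbiz.com/ponyb/gate.php 200
2013-06-10T16:00:00 10.0.0.9 GET http://207.204.5.170/PXVYGJx.exe 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_infections(SAMPLE_LOG):
        print("pony infection:", hit)
    for ev in blocklisted_events(SAMPLE_LOG):
        print("blocklisted contact:", ev["client"], "->", ev["host"])
```

The window-based correlation is what separates a Pony victim from a normal user who happens to download an installer: the clean client 10.0.0.7 fetches an .exe but never posts to a gate, and 10.0.0.9's late download is reported only by the plain blocklist check, which is the fallback dynamoo's IP list is meant for.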
Fake Fax email, new ZBOT malware ...

FYI...

Fake Fax Transmission emails lead to malware
- http://blog.webroot.com/2013/06/11/fake-unsuccessful-fax-transmission-themed-emails-lead-to-malware/
June 11, 2013 - "Have you sent an eFax recently? Watch out for an ongoing malicious spam campaign that tries to convince you that there’s been an unsuccessful fax transmission. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet of the cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...are_malicious_software_social_engineering.png
Detection rate for the malicious attachment: MD5: 66140a32d7d8047ea93de0a4a419880b * ... UDS:DangerousObject.Multi.Generic... phones back to the following C&C server hxxp ://lukafalls .com/banners/index.php – 95.154.254.17, as well as to the following C&C IPs:
95.154.254.17, 190.179.212.30, 65.92.129.196, 125.25.82.22, 69.235.15.127, 108.215.44.142, 188.153.47.135, 76.226.112.216, 78.100.36.98, 190.162.42.76, 78.99.110.225, 118.101.184.54, 90.156.118.144, 212.182.121.226, 99.97.73.189, 181.67.50.91, 2.87.2.21, 108.215.99.94, 84.59.222.81, 142.136.161.103, 178.203.226.84, 95.234.169.221, 217.41.0.85, 71.143.224.43, 74.139.10.100, 78.38.40.207, 213.215.153.212 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...067adc5fe9b35a4a674341e517e79222f68/analysis/
File name: Fax details and transmission_report.doc.exe
Detection ratio: 31/47
Analysis date: 2013-06-10
___

Self-propagating ZBOT malware ...
- http://blog.trendmicro.com/trendlab...g-solo-self-propagating-zbot-malware-spotted/
June 10, 2013 - "... we have spotted a new ZBOT variant that can spread on its own. This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document. If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/zbot1.jpg
... error message upon execution of the malicious PDF file
While this is going on, the malicious ZBOT variant – WORM_ZBOT.GJ – is dropped onto the system and run. It is here that several differences start to appear. First of all, WORM_ZBOT.GJ has an autoupdate routine: it can download and run an updated copy of itself. Secondly, however, it can spread onto other systems via removable drives, like USB thumb drives. It does this by searching for removable drives and then creating a hidden folder with a copy of itself inside this folder, and a shortcut pointing to the hidden ZBOT copy.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/worm-zbot-BD-JPEG.jpg
... Portion of WORM_ZBOT.GJ code creating copy of itself
This kind of propagation by ZBOT is unusual... ZBOT malware is usually distributed by exploit kits and/or malicious attachments..."

- https://net-security.org/malware_news.php?id=2515
June 11, 2013 - "The Zeus / Zbot Trojan has been around since 2007, and it and its variants continued to perform MitM attacks, log keystrokes and grab information entered in online forms. It is usually spread via exploit kits (drive-by-downloads), phishing schemes, and social media..."
___

Washington Free Beacon compromised to serve up Malware
- http://www.invincea.com/2013/06/kia-the-washington-free-beacon-compromised-to-serve-up-malware/
UPDATE 10:02 a.m. 6/11 – "Repeated attempts to reach the Beacon have been unsuccessful. We have not seen reinfection in subsequent visits but it is hard to know without navigating every page...
WARNING: Do NOT browse to freebeacon[.]com until further notice, as the site is still actively redirecting user traffic to malware. The Washington Free Beacon has been notified but have not confirmed nor responded... an article from The Washington Free Beacon on the breaking NSA Leaks story (freebeacon[.]com/nsa-leaker-surfaces-in-hong-kong/) linked to by the Drudge report has been compromising readers with a Java-based exploit kit* ... patching Java to the latest version (if you can) may be your only (temporary) protection..."
- http://www.invincea.com/wp-content/uploads/27.png
(More detail at the invincea URL above.)
* https://www.virustotal.com/en/file/...86e78974d99921e03de82252/analysis/1370873028/
File name: 1.jar
Detection ratio: 3/47
Analysis date: 2013-06-10
___

Something evil on 173.255.213.171
- http://blog.dynamoo.com/2013/06/something-evil-on-173255213171.html
11 June 2013 - "As a follow-up to this post*, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of -hijacked- GoDaddy-registered domains that are serving an exploit kit [1] [2]... block 173.255.213.171 ..."
* http://blog.dynamoo.com/2013/06/wells-fargo-spam-important-wellsfargo.html

1) https://www.virustotal.com/en/ip-address/173.255.213.171/information/

2) http://urlquery.net/search.php?q=173.255.213.171&type=string&start=2013-05-27&end=2013-06-11&max=50
___

CitiBank Secure Message Spam
- http://threattrack.tumblr.com/post/52714672175/citibank-secure-message-spam
June 11, 2013 - "Subjects Seen:
(SECURE)Electronic Account Statement [removed]
Typical e-mail details:
You have received a Secure PDF message from the CitiSecure Messaging Server.
Open the PDF file attached to this notification. When prompted, enter your Secure PDF password to view the message contents.
To reply to this message in a secure manner, it is important that you use the Reply link inside the Secure PDF file. This will ensure that any confidential information is sent back securely to the sender.
Help is available 24 hours a day by calling 1-866-535-2504 or 1-904-954-6181 or by email at secure.emailhelp @citi .com
Please note: Adobe Reader version 7 or above is required to view all SecurePDF messages.


Malicious URLs
chriscarlson .com/ponyb/gate.php
chrisandannwedding .com/ponyb/gate.php
ccrtl .com/ponyb/gate.php
chrisandannwedding .com/ponyb/gate.php
hoteloperaroma .it/Sb9A7JV1.exe
stitaly .net/E2KYVJD.exe
newmountolivet .org/iUHgGvn.exe
mozzarellabroker .com/pZYTn.exe


Malicious File Name and MD5:
Secure.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
secure.pdf.exe (4209430a3393287d5e28def88e43b93b)

ThreatAnalyzer Report: http://db.tt/RtlUb5Vs [PDF]

Screenshot: https://gs1.wac.edgecastcdn.net/801...9b4e19620/tumblr_inline_mo8kobS8e01qz4rgp.png
___

Amazon Order Notification Spam
- http://threattrack.tumblr.com/post/52735974435/amazon-order-notification-spam
June 11, 2013 - "Subjects Seen:
Payment for Your Amazon Order # [removed]
Typical e-mail details:
We’re writing to let you know that we are having difficulty processing your payment for the above transaction. To protect your security and privacy, your issuing bank cannot provide us with
information regarding why your credit card was declined.
However, we suggest that you double-check the billing address, expiration date and cardholder name
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no
need to place a new order as we will automatically try your credit card again.
There are a few steps you can take to make the process faster:
1. Verify the payment information for this order is correct (expiration date, billing address, etc).
You can update your account and billing information at :
amazon .com/gp/css/summary/edit.html?ie=UTF8&orderID=[removed]
2. Contact your issuing bank using the number on the back of your card to learn more about their
policies. Some issuers put restrictions on using credit cards for electronic or internet
purchases. Please have the exact dollar amount and details of this purchase when you call the
bank. If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash
from authorized resellers at a store near you. Visit amazon.com/cashgcresellers to learn
more.
Thank you for shopping at Amazon.com. Sincerely, Amazon.com Customer Service


Malicious URLs
gnqlawyers .com/proteans/index.html
eucert .com/herein/index.html
gauravvashisht .com/desisted/index.html
goldcoinvault .com/news/pictures_hints_causes.php
sweethomesorrento .it/t0q.exe
server1.extra-web .cz/fdCtJM.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...19e0e8d24/tumblr_inline_mo8z4f3ZjB1qz4rgp.png

- http://blog.dynamoo.com/2013/06/amazoncom-spam-goldcoinvaultcom.html
June 11, 2013 - "This fake Amazon.com spam leads to malware on goldcoinvault .com:
Date: Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From: "Amazon.com Customer Care Service" [payments-update @amazon .com]
Subject: Payment for Your Amazon Order # 104-884-8180383
Regarding Your Amazon.com Order
Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86 ...


The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent .com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar .com/piggybacks/rejoiced.js
[donotclick]nteshop .es/tsingtao/flanneling.js
..from there it hits the main malware payload site at [donotclick]goldcoinvault .com/news/pictures_hints_causes.php (report here*) hosted on goldcoinvault .com which is a hacked GoDaddy domain -hijacked- to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here** and here***, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good..."
* http://urlquery.net/report.php?id=3054553

** http://blog.dynamoo.com/2013/06/something-evil-on-173255213171.html

*** http://blog.dynamoo.com/2013/06/wells-fargo-spam-important-wellsfargo.html

Malware sites to block, Casino PUA software SPAM, Fake BBB SPAM...

FYI...

Casino PUA software SPAM ...
- http://blog.webroot.com/2013/06/12/tens-of-thousands-of-spamvertised-emails-lead-to-w32casonline/
June 12, 2013 - "Fraudsters are currently spamvertising tens of thousands of emails enticing users into installing rogue, potentially unwanted (PUAs) casino software. Most commonly known as W32/Casonline, this scam earns revenue through the rogue online gambling software’s affiliate network... (multiple screenshots at the URL above)... Spamvertised URLs:
hxxp ://luckynuggetcasino .com – 67.211.111.163
hxxp ://888casino .com – 213.52.252.59
hxxp ://spinpalace.com – 109.202.114.65
hxxp ://alljackpotscasino.com – 64.34.230.122
hxxp ://allslotscasino.com – 64.34.230.149
... (multiple) MD5s... have also phoned back to the same IP (213.52.252.59)... (Low detection rates per Virustotal - links at the webroot URL above)...
We advise users to avoid interacting with any kind of content distributed through spam messages, especially clicking on any of the links found in such emails...."
___

Fake BBB SPAM / trleaart .net
- http://blog.dynamoo.com/2013/06/bbb-spam-trleaartnet.html
12 June 2013 - "This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart .net:
From: Better Business Bureau [mailto:rivuletsjb72 @bbbemail .org]
Sent: 11 June 2013 18:04
Subject: Better Business Beareau Complaint ¹ S3452568
Importance: High
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust
Tue , 11 Jun 2013
Issue N. S3452568
The Better Business Bureau has been booked the above said claim letter from one of your customers in respect of their dealings with you. The detailed description of the consumer's trouble are available visiting a link below. Please pay attention to this matter and inform us about your mind as soon as possible.
We amiably ask you to open the PLAINT REPORT to answer on this claim.
We awaits to your prompt response.
Faithfully yours
Daniel Cox
Dispute Advisor...
Better Business Bureau...


Screenshot: https://lh3.ggpht.com/-ZaIrOeD1dnc/Ubg75F2bnoI/AAAAAAAABRQ/EM7rW99Jkac/s400/bbb2.png

The link goes through a legitimate -hacked- site and end up with a malware landing page on [donotclick]trleaart .net/news/members_guarantee.php (report here*) hosted on the following IPs:
160.75.169.49 (Istanbul Technical University, Turkey)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
This network of evil sites is rather large... in the meantime here is a partial blocklist:
160.75.169.49
186.215.126.52
190.93.23.10
193.254.231.51
..."
* http://urlquery.net/report.php?id=3067317
___

Malware sites to block 12/6/13
- http://blog.dynamoo.com/2013/06/malware-sites-to-block-12613.html
12 June 2013 - "This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway..."
(LONG list at the dynamoo URL above - includes "Plain IPlist for copy-and-pasting".)
___

Fake "Activation Needed" emails...
- http://security.intuit.com/alert.php?a=82
6/11/13 - "People are receiving -fake- emails with the title "Important Activation Needed".
Below is a copy of part of the email people are receiving:
Screenshot: http://security.intuit.com/images/importact.jpg
... This is the end of the -fake- email.
Steps to Take Now
Do not open the attachment in the email...
Delete the email..."
___

GAMARUE malware uses Sourceforge to host files
- http://blog.trendmicro.com/trendlabs-security-intelligence/gamarue-uses-sourceforge-to-host-files/
June 11, 2013 - "In our monitoring of the GAMARUE malware family, we found a variant that used the online code repository SourceForge to host malicious files... SourceForge is a leading code repository for many open-source projects, which gives developers a free site that allows them to host and manage their projects online. It is currently home to more than 324,000 projects and serves more than 4 million downloads a day... GAMARUE malware poses a serious risk to users; attackers are able to gain complete control of a system and use it to launch attacks on other systems, as well as stealing information. Among the most common ways it reaches user systems are: infected removable drives, or the user has visited sites compromised with the Blackhole Exploit Kit. This attack is made up of four files. The first is a shortcut, which appears to be a shortcut to an external drive. (This is detected as LNK_GAMARUE.RMA.) Instead of a drive, however, it points to a .COM file (detected as TROJ_GAMARUE.LMG)...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/06/gamaruediagram.png
GAMARUE Infection Chain
Once the executable file is decrypted, it downloads updates to itself, as well as malicious files from a SourceForge project. In effect, it uses SourceForge to unwittingly host malicious files... The malicious files in the above example were hosted under the tradingfiles project. The same user created two more projects that were also used to host malicious GAMARUE files: ldjfdkladf and stanteam. New files were uploaded in these projects from June 1 onwards..."

- https://net-security.org/malware_news.php?id=2517
June 12, 2013 - "... the infection with a variant of the information-stealing Gamarue starts with a shortcut file to an external file, and ends with malicious files being downloaded from one of three (obviously bogus) Sourceforge projects: "tradingfiles," "stanteam," and "ldjfdkladf". The first two have already been deleted, and the third one emptied of all files. The account of the user who created them has been deleted (whether or not by Sourceforge or the user it's impossible to tell), but according to the researchers new files were uploaded into these projects from June 1 onwards..."
___

Fake Xerox WorkCentre Spam
- http://threattrack.tumblr.com/post/52796249184/xerox-workcentre-spam
June 12, 2013 - "Subjects Seen:
Scan from a Xerox WorkCentre
Typical e-mail details:
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~3.pdf
multifunction device Location: machine location not set
Device Name: Xerox6592
For more information on Xerox products and solutions, please visit xerox .com


Malicious URLs
forum.xcpus .com:8080/webstats/counter.php
buildmybarwebsite .com/webstats/counter.php
continentalfuel .com/webstats/counter.php
apparellogisticsgroup .net/Aq70QrZ.exe
ftp(DOT)celebritynetworks .com/dNYC.exe
portal.wroctv .com/inZGwEH.exe
videotre .tv .it/UmQ.exe


Malicious File Name and MD5:
Scan_<random>.zip (0375c95289fc0e2dd94b63c105c24373)
Scan_<random> (8fcba93b00dba3d182b1228b529d3c9e)

Screenshot: https://gs1.wac.edgecastcdn.net/801...be4883843/tumblr_inline_moag33uzKT1qz4rgp.png

- http://blog.dynamoo.com/2013/06/scan-from-xerox-workcentre-spam.html
12 June 2013 - "This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:
Date: Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From: Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~3.pdf
multifunction device Location: machine location not set
Device Name: Xerox2023
For more information on Xerox products and solutions, please visit http ://www.xerox .com


Attached is a ZIP file, in this case called Scan_06122013_29911.zip which in turn contains an executable Scan_06122013_29911.exe. Note that the date is encoded into the filename so future versions will be different. VirusTotal results are 23/47* which is typically patchy. Comodo CAMAS reports** that the malware attempts to phone home to forum.xcpus .com on 71.19.227.135 and has the following checksums:
MD5 8fcba93b00dba3d182b1228b529d3c9e
SHA1 54f02f3f1d6954f98e14a9cee62787387e5b072c
SHA256 544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c
... the ThreatTrack report [pdf]*** is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:
71.19.227.135
205.178.152.164
198.173.244.62
204.8.121.24
195.110.124.133
173.246.106.150
..."
* https://www.virustotal.com/en/file/...93dc4ecc0f753dd30e39da0c/analysis/1371077066/
File name: Scan_06122013_29911.exe
Detection ratio: 23/47
Analysis date: 2013-06-12
** http://camas.comodo.com/cgi-bin/sub...4e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c

*** http://www.dynamoo.com/files/analysis_31187_8fcba93b00dba3d182b1228b529d3c9e.pdf
___

Fake Fedex SPAM / oxfordxtg .net
- http://blog.dynamoo.com/2013/06/fedex-spam-oxfordxtgnet.html
12 June 2013 - "This fake FedEx spam leads to malware on oxfordxtg .net:
Date: Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
From: FedEx [wringsn052 @emc.fedex .com]
Subject: Your Fedex invoice is ready to be paid now.
FedEx(R) FedEx Billing Online - Ready for Payment
fedex.com
Hello [redacted]
You have a new outstanding invoice(s) from FedEx that is ready for payment.
The following ivoice(s) are to be paid now :
Invoice Number
5135-13792
To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http ://www.fedex .com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http ://www.fedex .com/us/account/fbo
Thank you,
Revenue Services
FedEx...


Screenshot: https://lh3.ggpht.com/-gOwdBh9V5Os/Ubj285rgYBI/AAAAAAAABRs/ugqVeCeHUVo/s1600/fedex.png

The link in the email goes through a legitimate hacked site and ends up on a malware payload page at [donotclick]oxfordxtg .net/news/absence_modern-doe_byte.php (report here*) hosted on:
124.42.68.12 (Langfang University, China)
190.93.23.10 (Greendot, Trinidad and Tobago)
The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites** as well.
124.42.68.12
190.93.23.10
..."
* http://urlquery.net/report.php?id=3082461

** http://blog.dynamoo.com/2013/06/malware-sites-to-block-12613.html
___

Fake "'Anonymous' sent you a payment" emails...
- http://security.intuit.com/alert.php?a=83
6/12/13 - "People are receiving fake emails with the title "X sent you a payment (where X is a person's name)." Below is a copy of the email people are receiving:
Screenshot: http://security.intuit.com/images/paymentnetwork.jpg
This is the end of the fake email.
Steps to Take Now
Do -not- open the attachment in the email...
Delete the email..."

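Added example (mine, not code from ThreatTrack, dynamoo or any vendor quoted in this post): every attachment lure above (Scan_06122013_29911.zip, CD06072013.239871839.zip, secure.pdf.exe, WellsFargo.<random>.zip) is a ZIP wrapping an EXE, and dynamoo points out that the date is encoded in the name so a hash- or exact-name signature expires daily. A mail-gateway check that opens the archive and looks at member names, double extensions and the MZ header catches the shape of the lure rather than one day's sample. The ZIP built below is constructed in memory from a stub "MZ" blob so the check runs offline; the extension policy list and the name patterns are my assumptions based on the names quoted in the post.

```python
"""Gateway-style inspection of ZIP attachments for the EXE lures in this post.

Added example, not part of the original post. The ZIP content and the
FAKE_PE stub are constructed; the name patterns follow the attachments
quoted above (Scan_<MMDDYYYY>_<n>.exe, CD<MMDDYYYY>.<n>.exe, secure.pdf.exe).
"""
import io
import re
import zipfile

# Assumed gateway policy: extensions Windows runs on double-click.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Date-encoded lure names; match the shape, not the day's value.
DATED_NAME = re.compile(r"^(Scan_|CD)\d{8}[_.]\d+\.(zip|exe)$", re.IGNORECASE)

# Double extensions such as secure.pdf.exe or report.doc.exe.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|png|txt)\.[a-z0-9]{2,4}$",
                        re.IGNORECASE)


def ext_of(name):
    """Lower-cased final extension including the dot, or '' if none."""
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def inspect_zip(data):
    """Return [(member_name, [reasons])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            reasons = []
            if ext_of(name) in EXEC_EXT:
                reasons.append("executable extension")
            if DOUBLE_EXT.search(name):
                reasons.append("double extension")
            if DATED_NAME.match(name):
                reasons.append("date-encoded lure name")
            # The MZ magic catches an executable renamed to look like data.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append((name, reasons))
    return findings


def verdict(attachment_name, data):
    """(block, archive_reasons, member_findings) for one attachment."""
    archive_reasons = []
    if DATED_NAME.match(attachment_name):
        archive_reasons.append("date-encoded archive name")
    findings = inspect_zip(data)
    block = bool(archive_reasons) or bool(findings)
    return block, archive_reasons, findings


def build_sample_zip(members):
    """Constructed test input: members is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stub with only the DOS magic; not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"\x00" * 64

if __name__ == "__main__":
    z = build_sample_zip({"Scan_06122013_29911.exe": FAKE_PE})
    print(verdict("Scan_06122013_29911.zip", z))
    z2 = build_sample_zip({"secure.pdf.exe": FAKE_PE, "readme.txt": b"hello"})
    print(verdict("Secure.123.zip", z2))
    z3 = build_sample_zip({"invoice.pdf": b"%PDF-1.4"})
    print(verdict("invoice.zip", z3))
```

A ZIP containing only a PDF passes; the same archive with a member that is executable by extension, by double extension or by MZ magic is blocked, and the date-encoded name is reported as an extra reason rather than being the only trigger, so a run that changes the naming convention still fails on the EXE inside.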
Fake eFax Corporate SPAM

FYI...

Fake eFax Corporate SPAM...
- http://threattrack.tumblr.com/post/52887323784/efax-corporate-spam
June 13, 2013 - "Subjects Seen:
Corporate eFax message from “unknown” - 4 page(s)
Typical e-mail details:
You have received a 4 page fax at 2013-06-10 11:52:46 EST.
* The reference number for this fax [removed] .
Please visit efaxcorporate .com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail .efax .com.
Thank you for using the eFax Corporate service!


Malicious URLs
50.63.46.110 /erected/index.html
74.91.143.180 /frosting/index.html
weedguardplus .net/news/pictures_hints_causes.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...205851a20/tumblr_inline_mocjtcxZRg1qz4rgp.png
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment Email Messages - 2013 Jun 13
Fake Secure Message Notification Email Messages - 2013 Jun 13
Malicious Attachment Email Messages - 2013 Jun 13
Fake Product Order Quotation E-mail Messages - 2013 Jun 13
Fake Money Transfer Notification E-mail Messages - 2013 Jun 13
Fake Product Order E-mail Messages - 2013 Jun 13
Fake Bill Payment Notification Email Messages - 2013 Jun 13
Fake Bill Payment Notification Email Messages - 2013 Jun 13
Fake Bank Payment Request Notification E-mail Messages - 2013 Jun 13
(More detail and links at the cisco URL above.)

Fake LinkedIn, UPS SPAM...

FYI...

Fake LinkedIn SPAM...
- http://threattrack.tumblr.com/post/52945930175/linkedin-invitation-spam
June 14, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
Hattie Fitzgerald, wants to connect with you on LinkedIn.

Malicious URLs
50.63.46.110 /jotted/index.html
audio-mastering-music .com/news/pictures_hints_causes.php?jnlp=bd187af1d0
audio-mastering-music .com/news/pictures_hints_causes.php?rwiezly=qzxqjh&rzvaax=abldjf
audio-mastering-music .com/news/pictures_hints_causes.php?pf=2w:1l:1n:1f:1j&ze=2w:31:1g:1n:1m:2v:33:1g:31:1f&x=1f&xu=s&ma=o&jopa=1715713


Screenshot: https://gs1.wac.edgecastcdn.net/801...bc82c26b5/tumblr_inline_modyjkiIOr1qz4rgp.png
___

Fake UPS Package Pickup Spam
- http://threattrack.tumblr.com/post/52951986728/ups-package-pickup-spam
June 14, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel [removed] )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs
bestseoamerica .com/ponyb/gate.php
austinremoterecording .com/ponyb/gate.php
audiomasteringsearch .com/ponyb/gate.php
audiomasteringmeistro .com/ponyb/gate.php
sistersnstyle .co/4bnsSjBb.exe
destinationgreece .com/7tW.exe
villa-anastasia-crete .com/JWHvdgW.exe
kahrobaa .com/14VkWHU0 .exe


Malicious File Name and MD5:
UPS_Label_<random>.zip (05c33cfcf22c5736c4a162f6d7c2eeac)
UPS-Label_Parcel_<random>.exe (bc48d3e736c66f577636ed486a990eeb)

Screenshot: https://gs1.wac.edgecastcdn.net/801...0128996b5/tumblr_inline_moe43yZKRF1qz4rgp.png

Something evil on 85.214.64.153

FYI...

Something evil on 85.214.64.153
- http://blog.dynamoo.com/2013/06/something-evil-on-8521464153.html
17 June 2013 - "85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example*) which is being injected into -hacked- websites (specifically, malicious code is being appended to legitimate .js files on those sites)... Dynamic DNS domains are being abused in this attack... These sites are mostly flagged as malicious by Google, you can see some indicators of badness here** and here***..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=3112582

** https://www.virustotal.com/en/ip-address/85.214.64.153/information/

*** http://urlquery.net/search.php?q=85.214.64.153&type=string&start=2013-06-02&end=2013-06-17&max=50

Diagnostic page for AS6724 (STRATO)
- https://www.google.com/safebrowsing/diagnostic?site=AS:6724
"... over the past 90 days, 7173 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-17, and the last time suspicious content was found was on 2013-06-17... we found 909 site(s) on this network... that appeared to function as intermediaries for the infection of 7496 other site(s)... We found 1434 site(s)... that infected 14549 other site(s)..."
___

Account takeover attempts nearly double ...
- https://net-security.org/secworld.php?id=15077
17 June 2013 - "ThreatMetrix* announced its Cybercrime Index, a series of Web fraud data aggregated from 1,500 customers, 9,000 websites and more than 1.7 billion cyber events. In a recent six-month snapshot ending March 31, ThreatMetrix determined that attacks on new account registrations using spoofed and synthetic identities saw the highest rate of attacks followed by account logins and payment fraud...
> http://www.threatmetrix.com/wp-content/uploads/2013/06/ThreatMetrix-Cybercrime-Index1.jpeg
Based on data taken from October 2012 through March 2013, they saw account takeover attempts nearly double (168%). These types of attacks have traditionally focused on banking and brokerage sites, but have recently escalated across e-commerce sites that store credit card details and SaaS companies that hold valuable customer data that do not yet have the heightened level of protection as banking sites..."
* http://www.threatmetrix.com/threatm...ver-attempts-close-to-doubling-over-6-months/
___

Rogue ads target EU users - Win32/Toolbar.SearchSuite through the KingTranslate PUA
- http://blog.webroot.com/2013/06/17/...ar-searchsuite-through-the-kingtranslate-pua/
June 17, 2013 - "... Tens of thousands of socially engineered European ads, who continue getting exposed to the rogue ads served through Yieldmanager’s network, are promoting more Potentially Unwanted Applications (PUAs) courtesy of Bandoo Media Inc and their subsidiary Koyote-Lab Inc...
Sample screenshots of the rogue KingTranslate PUA landing/download page:
1) https://webrootblog.files.wordpress.com/2013/06/kingtranslate_pua_01.png?w=659&h=496
2) https://webrootblog.files.wordpress.com/2013/06/kingtranslate_pua.png?w=592&h=550
... Rogue URL: kingtranslate .com – 109.201.151.95
Detection rate for the PUA: KingTranslateSetup-r133-n-bc.exe – MD5: 51d98879782d176ababcd8d47050f89f * ... Win32/Toolbar.SearchSuite...
We advise users to avoid using this application and to consider other free, legitimate translation services such as, for instance, Google Translate or Bing’s Translator."
* https://www.virustotal.com/en/file/...8dfbfd9d021e0d2edb8177f4bb788427d00/analysis/
File name: KingTranslateSetup-r120-n-bu.exe
Detection ratio: 3/46
Analysis date: 2013-06-16
___

Dun & Bradstreet Complaint Spam
- http://threattrack.tumblr.com/post/53202346878/dun-bradstreet-complaint-spam
June 17, 2013 - "Subjects Seen:
FW : Complaint - [removed]
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 28, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.


Malicious URLs


Malicious File Name and MD5:
Case_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
Case_<random>.exe (9c862af9a540563488cdc1c61b9ef5f8)

Screenshot: https://gs1.wac.edgecastcdn.net/801...dea651b41/tumblr_inline_mojpev7osN1qz4rgp.png
___

Fake NewEgg .com SPAM / profurnituree .com
- http://blog.dynamoo.com/2013/06/neweggcom-spam-profurnitureecom.html
17 June 2013 - "This fake NewEgg .com spam leads to malware on profurnituree .com:
Date: Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]
From: Newegg Auto-Notification [indeedskahu02 @services.neweg .com]
Subject: Newegg.com - Payment Charged ...


Screenshot: https://lh3.ggpht.com/-aC2D_mxMnTE/Ub9UBlLpIAI/AAAAAAAABTw/cuteVRRx9Mo/s1600/newegg3.png

The link goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]profurnituree .com/news/posts_applied_deem.php (report here*) although the payload appears to be 404ing (I wouldn't trust that though). The domain is hosted on the following IPs:
124.232.165.112 (China Telecom, China)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
The domain registration details are fake... Below is a partial blocklist which I recommend you use in conjunction with this list.
124.232.165.112
186.215.126.52
190.93.23.10
202.147.169.211
..."
* http://urlquery.net/report.php?id=3180371

Fake UPS, Wells Fargo SPAM...

FYI...

Fake UPS SPAM / rmacstolp .net
- http://blog.dynamoo.com/2013/06/ups-spam-rmacstolpnet.html
18 June 2013 - "This fake UPS spam leads to malware on rmacstolp .net:
Date: Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
From: UPSBillingCenter @upsmail .net
Subject: Your UPS Invoice is Ready
UPS Billing Center
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
Thank you for your business.
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
Please visit the UPS Billing Center to view your paid invoice.
Questions about your charges? To get a better understanding of surcharges on your invoice, click here.
Discover more about UPS:
Visit ups .com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
© 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS


The link in the email goes through a legitimate -hacked- site but then ends up on a malicious payload at [donotclick]rmacstolp .net/news/fishs_grands.php (report here* and here**). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis. If not called properly, the malware appears to serve up random payload pages.. I think they may be fake ones to evade detection. Here are some of them:
rmacstolp .net is hosted on the following IPs:
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
Recommended blocklist:
186.215.126.52
190.93.23.10
193.254.231.51
202.147.169.211
..."
* http://wepawet.iseclab.org/view.php?hash=ae660c5b01a9a3cb73ce83c906b28d8d&t=1371562967&type=js

** http://urlquery.net/report.php?id=3197446
___

Fake - Wells Fargo attachment Spam
- http://threattrack.tumblr.com/post/53282231311/wells-fargo-attachment-spam
June 18, 2013 - "Subjects Seen:
IMPORTANT Documents- WellsFargo
Typical e-mail details:
Please check attached documents.
Chuck_Vega
Wells Fargo Advisors
817-889-5857 office
817-353-6685 cell Chuck_Vega @wellsfargo.com
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit wellsfargoadvisors .com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103


Malicious URLs


Malicious File Name and MD5:
WellsFargo_<random>.zip (3001dc82f5cb98b60326e7f8490488cf)
WellsFargo_<random>.exe (3c671b9f969a7ba0a9d9b532840c4ea2)

Screenshot: https://gs1.wac.edgecastcdn.net/801...3acf54951/tumblr_inline_molifnblxa1qz4rgp.png

Something evil on 205.234.139.169

FYI...

Something evil on 205.234.139.169
- http://blog.dynamoo.com/2013/06/something-evil-on-205234139169.html
19 June 2013 - "205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:
URLquery* and VirusTotal** are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.
The following domains appear to be hosted on the server. You should assume that they are all malicious, ones already flagged by Google ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/search.php?q=205.234.139.169&type=string&start=2013-06-04&end=2013-06-19&max=50

** https://www.virustotal.com/en/ip-address/205.234.139.169/information/
___

Fake HP Digital Device Spam
- http://threattrack.tumblr.com/post/53361730606/hp-digital-device-spam
June 19, 2013 - "Subjects Seen:
Scanned Copy
Typical e-mail details:
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader.


Malicious URLs


Malicious File Name and MD5:
HP_Scan_<random>.zip (d17aab950060319ea41b038638375268)
HP_Scan_<random>.exe (eab3a43d077661ca1c9549df49477ddb)

Screenshot: https://gs1.wac.edgecastcdn.net/801...5fda61d60/tumblr_inline_monbpvOdIV1qz4rgp.png

HP Spam / HP_Scan_06292013_398.zip FAIL
- http://blog.dynamoo.com/2013/06/hp-spam-hpscan06292013398zip-fail.html
June 19, 2013 - "I've been seeing these spams for a couple of days now..
Date: Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From: HP Digital Device [HP.Digital0 @victimdomain ]
Subject: Scanned Copy
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader...


There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it)..."
___

65+ websites compromised to deliver malvertising
- https://net-security.org/malware_news.php?id=2519
June 19, 2013 - "At least 65 different sites serving ads that ultimately led to malware have been spotted by Zscaler researchers*. The massive malvertising campaign started with injected code into the ads served on the sites, and were delivered from several domains, all resolving to the following IP address: 89.45.14.87... The compromised sites were an assortment of random small and medium-sized sites, and among them was the official site for Government Security News..."
* http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html
June 18, 2013 - "On Monday, Government Security News (GSN), reported that their website had been compromised during a mass infection. While in the case of the GSN infection, the injected content was delivered from googlecodehosting.com, we have determined that the same content was also delivered from googlecodehosting.org and googlecodehosting.net, all of which resolve to 89.45.14.87 and are now offline. In reviewing our logs for sites with the aforementioned referrers, indicating that they too were/are compromised, we have thus far identified 65 different sites... Referers for the GSN site appeared as early as Jun 14th, suggesting that the site was likely compromised for a couple of days before they became aware of the situation and took steps to clean the site..."

Linkedin DNS Hijack, Fake ADP, WalMart Spam...

FYI...

Linkedin DNS Hijack
- https://isc.sans.edu/diary.html?storyid=16037
Last Updated: 2013-06-20 - "LinkedIn had its DNS "hijacked". There are no details right now, but often this is the result of an attacker compromising the account used to manage DNS servers... so far, no details are available so this could be just a simple misconfiguration. The issue has been resolved, but if LinkedIn is "down" for you, or if it points to a different site, then you should flush your DNS cache. It does not appear that Linkedin uses DNSSEC (which may not have helped if the registrar account was compromised). Your best bet to make sure you connect to the correct site is SSL... "owning" the domain may allow the attacker to create a new certificate rather quickly... other sites are affected as well... The fact that multiple sites' NS records are affected implies that this may not be a simple compromised registrar account... According to:
- http://blog.escanav.com/2013/06/20/dns-hijack/ , the bad IP address is 204.11.56.17* ..."

Diagnostic page for AS40034 (CONFLUENCE)
* https://www.google.com/safebrowsing/diagnostic?site=AS:40034
"... over the past 90 days, 413 site(s).. served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-20, and the last time suspicious content was found was on 2013-06-20... we found 45 site(s) on this network... that appeared to function as intermediaries for the infection of 82 other site(s)... We found 347 site(s)... that infected 4358 other site(s)..."

- http://technet.microsoft.com/en-us/library/cc781949(v=WS.10).aspx
"... Open Command Prompt. Type: ipconfig /flushdns ..."

- https://atlas.arbor.net/briefs/
Elevated Severity
June 20, 2013
An emergent issue involving what's been called "domain hijacking" has taken place involving a number of prominent web properties. Some concern has been expressed that the problem may be part of an attack campaign, despite statements to the contrary.
Analysis: Any type of traffic headed towards any web property that is pointing to an unexpected location - due to a DNS hijack, a hosts file hijack, man-in-the-middle, man-in-the-browser, phishing, pharming, or whatever other technique - carries some risk of delivering sensitive information, credentials, mail contents, or other data to an unexpected party, that may be malicious. Indicators suggest that some type of error was involved in this incident, however there are larger concerns at play that will likely emerge in a more widespread manner in the near future.
Source: http://isc.sans.edu/diary/Linkedin+DNS+Hijack/16037
___

Fake ADP SPAM / planete-meuble-pikin .com
- http://blog.dynamoo.com/2013/06/adp-spam-planete-meuble-pikincom.html
20 June 2013 - "This fake ADP spam leads to malware on planete-meuble-pikin .com:
Date: Thu, 20 Jun 2013 07:12:28 -0600
From: EasyNetDoNotReply @clients.adpmail .org
Subject: ADP EasyNet: Bank Account Change Alert
Dear Valued ADP Client,
As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
** Dominic Johnson **
** Ayden Campbell **
Use this links to: Review or Decline this changes.
If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
Sincerely,
Your ADP Service Team
This e-mail comes from an unattended mailbox. Please do not reply.


The link in the email goes through a legitimate but -hacked- site and ends up on a malware landing page at [donotclick]planete-meuble-pikin .com/news/network-watching.php (report here*) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)
Recommended blocklist:
..."
* http://urlquery.net/report.php?id=3236122

- http://threattrack.tumblr.com/post/53444315647/adp-easynet-spam
June 20, 2013 - "Subjects Seen:
ADP EasyNet: Bank Account Change Alert
Typical e-mail details:
Dear Valued ADP Client,
As part of ADP’s commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
[Removed]
Use this links to: Review or Revert this changes.
If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
This security precaution is another reason why so many businesses like yours choose ADP, the world’s leading payroll provider for over 60 years, to handle their payroll.
Sincerely,
Your ADP Service Team


Malicious URLs


Screenshot: https://gs1.wac.edgecastcdn.net/801...fb0175661/tumblr_inline_mop8h6Iy9H1qz4rgp.png
___

Fake QuickBooks Overdue Payment Spam
- http://threattrack.tumblr.com/post/53442271393/quickbooks-overdue-payment-spam
20 June 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 06/25/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Ginger Mccall


Malicious URLs


Malicious File Name and MD5:
<name>_Invoice.zip (eef2fd603a9412d3e5b99264d20a7155)
<name>_Invoice.exe (eb362fe45a54707d5c796e36975e88a5)

Screenshot: https://gs1.wac.edgecastcdn.net/801...64c394361/tumblr_inline_mop6ptsVz51qz4rgp.png
___

Fake WalMart Order Spam
- http://threattrack.tumblr.com/post/53398921161/walmart-com-order-spam
June 19, 2013 - "Subjects Seen:
Thanks for your Walmart.com Order [removed]
Typical e-mail details:
Thanks for ordering from Walmart.com. We’re currently processing your order.
You’ll receive another email, with tracking information, when your order ships.
If you’re paying by credit card or Bill Me Later®, your account will not be charged until your order ships.
If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available.
All other forms of payment are charged at the time the order is placed...


Malicious URLs
culinare .tv/wp-content/plugins/customize-admin/walmart.html
ssl.beautysupplyeast .com/indication/primary-processor_cost.php
ssl.beautysupplyeast .com/indication/primary-processor_cost.php?jnlp=4248af38de
ssl.beautysupplyeast .com/indication/primary-processor_cost.php?ef=1i:1f:32:33:2v&le=1j:1h:1j:1n:2v:33:1i:1n:31:32&j=1f&ol=r&gq=m&jopa=4794157


Screenshot: https://gs1.wac.edgecastcdn.net/801...2558efc79/tumblr_inline_moo1k2wX111qz4rgp.png

Flash spoof leads to infectious audio ads

FYI...

Flash spoof leads to infectious audio ads
- http://blog.webroot.com/2013/06/21/adobe-flash-spoof-leads-to-infectious-audio-ads/
June 21, 2013 - "We’ve seen quite a few audio ads infecting users recently... As you can see in this first picture, this is another Adobe Flash spoof that launches its signature update window.
> https://webrootblog.files.wordpress.com/2013/06/audio-ads1.jpg?w=869
... It doesn’t matter what option you check; once you click “NEXT” you’ll get this next window.
> https://webrootblog.files.wordpress.com/2013/06/audio-ads2.jpg?w=869
So far this seems completely official and harmless. It even takes its time progressing the loading bar. However, once you click “Finish” everything closes down and the computer reboots. The command force quits all applications so you won’t have time to save anything or cancel the shutdown. Once the computer reboots there is no final closing message from “Adobe”, but everything seems normal for a few minutes. After about three to five minutes the computer slows down to a crawl and Audio ads start playing in the background... The audio streams are not being run by an audio application or an internet browser session, but instead a hijacked “svchost.exe” that’s using 88.25% CPU. If we take a look at its network communication we find that it’s establishing and closing over a hundred different connections at once. This is why the audio ads aren’t coherent and are basically just multiple advertisement streams all at once which makes for quite an annoying sound... Software Modem and Utility Suite are the culprit. If you read the full command they are located in appdata and point to two randomly named DLLs called “qogrpr.dll” and “ntrti.dll”. This is extremely suspicious. All you need to do is delete the files in appdata and then remove the run keys from startup. The full registry key and directory location are below.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“qogrpr”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\qogrpr.dll\”,GetGlobals”
“ntrti”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\ntrti.dll\”,NewMember”
... That’s it for this variant of the Audio ads. There are also other variants that use rootkits to infect the MBR..."

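As an added example (not Webroot's code or the page's), a Python check that scans a .reg export of the Run keys for the persistence pattern quoted above, rundll32 loading a DLL out of the user's AppData folder, and reports the value name, DLL path and export. The sample export, the user name alice, the benign decoy entries and the regexes are the example's own constructions.

```python
"""Added detection helper: find Run-key autoruns that load a DLL from
AppData through rundll32, the pattern described in the Webroot post."""
import re

# A value line in a .reg export: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# rundll32 [path\]file.dll,Export, with or without quotes around the DLL path
RUNDLL_RE = re.compile(
    r'rundll32\.exe"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE)
# Only the Run / RunOnce keys are autorun locations for this check
RUN_KEY_RE = re.compile(r'\\currentversion\\run(once)?$', re.IGNORECASE)


def unescape_reg_string(s: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def find_rundll32_appdata_autoruns(reg_export: str) -> list:
    """Return Run/RunOnce values whose command is rundll32 loading a DLL
    from under an AppData folder. Each hit: {key, value, dll, export}."""
    hits, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new [HKEY_...] section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not RUN_KEY_RE.search(key):
            continue
        cmd = unescape_reg_string(m.group("data"))
        r = RUNDLL_RE.search(cmd)
        if r and "\\appdata\\" in r.group("dll").lower():
            hits.append({"key": key, "value": m.group("name"),
                         "dll": r.group("dll"), "export": r.group("export")})
    return hits


# Constructed sample export: the two entries from the post with a made-up
# user folder, plus two legitimate-looking decoys that must not be flagged
# (an .exe autorun, and rundll32 loading a DLL from System32).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qogrpr"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\qogrpr.dll\",GetGlobals"
"ntrti"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\ntrti.dll\",NewMember"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCpl"="RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup"
'''

if __name__ == "__main__":
    for hit in find_rundll32_appdata_autoruns(SAMPLE_REG_EXPORT):
        print("%(key)s\\%(value)s -> %(dll)s,%(export)s" % hit)
```

On a live system the same text comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the check reports the two DLLs to remove and leaves the decoys alone.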
Fake LexisNexis, Visa SPAM...

FYI...

Fake LexisNexis SPAM ...
- http://blog.dynamoo.com/2013/06/lexisnexis-spam-fail.html
21 Jun 2013 - "This -fake- LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one.
Date: Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From: LexisNexis [einvoice.notification @lexisnexis .com]Book
Subject: Invoice Notification for June 2013 ...


Screenshot: https://lh3.ggpht.com/-O31Ed0UEqAk/UcTKD_VRYEI/AAAAAAAABXM/yl8xU_aOkyQ/s1600/lexisnexis.png

// ... Of note, the only link in the email goes to [donotclick]https ://server.nepplelaw .com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe .com%2fproducts%2facrobat%2freadstep2.html which is the sort of thing that happens to a URL when it goes through Outlook Web Access, in this case it would be on the server server.nepplelaw .com ..."
* https://www.virustotal.com/en/file/...0a598a42e87add553d01f77efa39d1588bc/analysis/
File name: LexisNexis_Invoice_06212013.zip
Detection ratio: 15/47
Analysis date: 2013-06-21
___

"Unusual Visa card activity" SPAM / anygus .com
- http://blog.dynamoo.com/2013/06/unusual-visa-card-activity-spam.html
21 Jun 2013 - "... this FAIL of a Visa spam leads to malware on anygus .com. Note the bits in {braces} that should have content..
From: Visa Anti-Fraud [upbringingve @visabusiness .com]
Date: 21 June 2013 17:36
Subject: Unusual Visa card activity
we {l1} detected {l2} activity in your business visa account.
please click here to view {l4}
your case id is: {symbol}{dig}
look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
this added security is to prevent any additional fraudulent charges from taking place on your account.
notice: this visa communication is furnished to you solely in your capacity as a customer of visa inc. (or its authorized agent) or a participant in the visa payments system. by accepting this visa communication, you acknowledge that the information contained herein (the "information") is confidential and subject to the confidentiality restrictions contained in visa's operating regulations, which limit your use of the information. you agree to keep the information confidential and not to use the information for any purpose other than in your capacity as a customer of visa inc. or a participant in the visa payments system. the information may only be disseminated within your organization on a need-to-know basis to enable your participation in the visa payments system.
please be advised that the information may constitute material nonpublic information under u.s. federal securities laws and that purchasing or selling securities of visa inc. while being aware of material nonpublic information would constitute a violation of applicable u.s. federal securities laws. this information may change from time to time. please contact your visa representative to verify current information. visa is not responsible for errors in this publication. the visa non-disclosure agreement can be obtained from your visa account manager or the nearest visa office.
this message was sent to you by visa, p.o. box 8999, san francisco, ca 94128. please click here to unsubscribe.


Despite the errors in the email it still ends up going through a -hacked- legitimate site to a Blackhole Exploit kit at [donotclick]anygus .com/news/fewer_tedious_mentioning.php (report here*) hosted on the following IPs:
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom, Pakistan)
Recommended blocklist:
193.254.231.51
202.147.169.211
..."
* http://urlquery.net/report.php?id=3262435
"... Detected BlackHole v2.0 exploit kit URL pattern ..."
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Purchase Email Messages - 2013 Jun 21
Fake Claims Invoice Email Messages - 2013 Jun 21
Fake Bill Payment Notification Email Messages - 2013 Jun 21
Fake Christmas Greeting Email Messages - 2013 Jun 21
Fake Bill Payment Request Email Messages - 2013 Jun 21
Fake Payment Notification Email Messages - 2013 Jun 21
Fake Portuguese Bank Deposit Delivery Notification Email Messages - 2013 Jun 21
Malicious Attachment Email Messages - 2013 Jun 21
Fake Xerox Scan Attachment Email Messages - 2013 Jun 21
Fake German Invoice Delivery Email Messages - 2013 Jun 21
(More detail and links at the cisco URL above.)

Fake Facebook SPAM, PayPal Phish - more...

FYI...

Fake Facebook SPAM / chinadollars .net
- http://blog.dynamoo.com/2013/06/facebook-spam-chinadollarsnet.html
24 June 2013 - "This fake Facebook spam leads to malware on chinadollars .net:
Date: Mon, 24 Jun 2013 09:18:12 -0500
From: Facebook [notification+SCCRJ42M8P @facebookmail .com]
Subject: You have 1 friend request ...
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.
1 friend request
View Notifications
Go to Facebook
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes through a legitimate but -hacked- site and then leads to a malware landing page at [donotclick]chinadollars .net/news/inputted-ties.php (report here*) hosted on:
119.147.137.31 (China Telecom, China)
202.147.169.211 (LINKdotNET, Pakistan)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
210.42.103.141 (Wuhan Urban Construction Institute, China)
Recommended blocklist:
119.147.137.31
202.147.169.211
203.80.17.155
210.42.103.141
..."
* http://urlquery.net/report.php?id=3303350
___

Fake Fiserv SPAM - / SecureMessage_TBTATU41DMJDT5B.zip
- http://blog.dynamoo.com/2013/06/fiserv-secure-email-notification.html
24 June 2013 - "This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:
Date: Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
From: Fiserv Secure Notification [secure.notification @fiserv .com]
Subject: Fiserv Secure Email Notification - TBTATU41DMJDT5B
Part(s):
2 SecureMessage_TBTATU41DMJDT5B.zip [application/zip] 104 KB
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - SUgDu07dn
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile @res .fiserv .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.710.6198.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.


Ask yourself this question: why would you encrypt a message and then put the password in the email? Simple.. to get past virus scanners, of course! The VirusTotal detection for this malware is just 8/46*.
Other analysis is pending, the malware has the following checksums:
Size 117248
MD5 fdd154360854e2d9fee47a557b296519
SHA1 d3de7f5514944807eadb641353ac9380f0c64607
SHA256 1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59
* https://www.virustotal.com/en/file/...a20f5a742c15d8203d477f59/analysis/1372086208/
File name: SecureMessage.exe
Detection ratio: 8/46
Analysis date: 2013-06-24

- http://threattrack.tumblr.com/post/53757242508/fiserv-securemessage-attachment-spam
24 June 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
You have received a secure message ...

Screenshot: https://gs1.wac.edgecastcdn.net/801...75dc69b39/tumblr_inline_mowhsjzZ5Q1qz4rgp.png
___

PayPal Credentials Phish
- http://threattrack.tumblr.com/post/53756074278/paypal-credentials-phish
24 June 2013 - "Subjects Seen:
Important Message
Typical e-mail details:
Dear PayPal Manager Customer,
We regret to inform you that your merchant account has been locked.
Te re-activate it please download the file attached to this e-mail and update your login information.


Malicious URLs
bellt .es/CSS/confirm.php


Malicious File Name and MD5:
vtextloginpage.html (06c12f594dc7a558510cb9d9c402ed8f)

Screenshot: https://gs1.wac.edgecastcdn.net/801...5370185df/tumblr_inline_mowgmc7E4u1qz4rgp.png
___

Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ PUA...
- http://blog.webroot.com/2013/06/24/...allcore-potentially-unwanted-application-pua/
June 24, 2013 - "Our sensors continue detecting rogue ads that expose users to bogus propositions in an attempt to install privacy-invading Potentially Unwanted Applications (PUAs) on their PCs. The most recent campaign consists of a successful brand-jacking abuse of Mozilla’s Firefox browser, supposedly offered for free, while in reality, the rogue download manager entices users into installing multiple rogue toolbars, most commonly known as InstallCore...
Sample screenshot of the landing page:
> https://webrootblog.files.wordpress...wanted_application_ezdownload.png?w=609&h=567
Rogue download URL:
hxxp ://www.ez-download .com/mozilla-firefox
Detection rate for the Potentially Unwanted Application (PUA) – MD5: * ... Win32/InstallCore.BL; InstallCore (fs).
The rogue sample is digitally signed by ‘Secure Installer’.
Once executed, it phones back to:
media.ez-download .com – 54.230.12.193
os.downloadster2cdn .com – 54.245.235.34
cdn.secureinstaller .com – 54.230.12.162
img.downloadster2cdn .com – 199.58.87.151
...
We advise users to avoid interacting with ads enticing them into downloading well known software applications, and to always visit their official Web sites in order to obtain the latest versions..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...850705d31c52d7cb04a0229579c586034b9/analysis/
File name: Firefox_Setup_21.0.exe
Detection ratio: 4/47
Analysis date: 2013-06-21
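
The Fiserv post above names the trick: the attachment is a password-protected archive so content scanners cannot look inside, yet the password sits in the same email. As an added example (not code from dynamoo or from the forum posts), the Python script below shows why a mail gateway can still flag such attachments without the password: a ZIP central directory is never encrypted, so member names and the per-entry encryption bit are visible in the clear. The sample archive, its SecureMessage.exe member name and the extension list are constructed here from the post's description.

```python
"""Flag password-protected ZIP attachments that hide executables.
Added example, not from dynamoo or the forum posts. A ZIP central
directory is never encrypted, so member names and the encryption bit
(general purpose flag, bit 0) are readable without the password."""
import io
import struct
import zipfile
import zlib

# Extensions a gateway would not expect inside a "secure message".
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".js", ".vbs", ".bat", ".cmd")


def build_encrypted_zip(member: str, payload: bytes = b"") -> bytes:
    """Constructed sample: one-member ZIP whose entry carries the
    encryption flag. The body is not really encrypted; only the
    directory metadata matters for the scan below."""
    name = member.encode()
    flags = 0x0001                      # bit 0 = entry is encrypted
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    n = len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, n, n, len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0x21, crc, n, n, len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


def build_plain_zip(member: str, payload: bytes) -> bytes:
    """Constructed sample: an ordinary unencrypted archive, for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def scan_zip_attachment(blob: bytes):
    """Return (verdict, members) using the central directory alone:
    no password needed, nothing is inflated or executed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return "malformed", []
    members = [(i.filename, bool(i.flag_bits & 0x1),
                i.filename.lower().endswith(EXEC_EXT)) for i in zf.infolist()]
    if any(enc and exe for _, enc, exe in members):
        return "quarantine", members    # the Fiserv pattern
    if any(enc for _, enc, _ in members):
        return "review", members        # encrypted, but no executable name
    return "clean", members
```

Running `scan_zip_attachment(build_encrypted_zip("SecureMessage.exe", b"MZ"))` returns a "quarantine" verdict with the member listed as both encrypted and executable, which is the decision a gateway can make before any AV engine is asked to detect the payload.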

Fake Southwest Airlines SPAM, more...

FYI...

Fake Southwest Airlines SPAM / meynerlandislaw .net
- http://blog.dynamoo.com/2013/06/southwest-airlines-confirmation-kqr101.html
25 June 2013 - "This fake Southwest Airlines spam leads to malware on meynerlandislaw .net:
from: Southwest Airlines [information @luv.southwest .com]
reply-to: Southwest Airlines [no-reply@ emalsrv.southwestmail .com]
date: 25 June 2013 17:09
subject: Southwest Airlines Confirmation: KQR101
[redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394 2013-06-26 Depart SALT LAKE CITY IL (SLC) at 10:14 PM on Southwest Airlines Arrive in PAOLO ALTO MI (PHX) at 1:30 PM
You're all set for your travel!
Southwest Airlines
My Account | Review My Itinerary Online ...


The link goes through a legitimate -hacked- site and ends up on a malicious payload at [donotclick]meynerlandislaw .net/news/possibility-redundant.php (report here*) hosted on the following IPs:
119.147.137.31 (China Telecom, China)
203.80.17.155 (MYREN, Malaysia)
Recommended blocklist:
119.147.137.31
203.80.17.155
..."
* http://urlquery.net/report.php?id=3323617
... Detected BlackHole v2.0 exploit kit URL pattern..."
___

Something evil on 173.246.104.154
- http://blog.dynamoo.com/2013/06/something-evil-on-173246104154.html
24 June 2013 - "173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]..."
[1] http://urlquery.net/search.php?q=173.246.104.154&type=string&start=2013-06-09&end=2013-06-24&max=50

[2] https://www.virustotal.com/en/ip-address/173.246.104.154/information/

Diagnostic page for AS29169 (GANDI)
- https://www.google.com/safebrowsing/diagnostic?site=AS:29169
"... over the past 90 days, 318 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-06-25, and the last time suspicious content was found was on 2013-06-25... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 103 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 153 site(s)... that infected 843 other site(s)..."
___

FedEx Delivery Notification Spam
- http://threattrack.tumblr.com/post/53862085299/fedex-delivery-notification-spam
June 25, 2013 - "Subjects Seen:
Delivery Notification
Delivery Notification ID#<random>

Typical e-mail details:
Dear Client,
Your parcel has arrived at June 13. Courier was unable to deliver the parcel to you.
To receive your parcel, print this label and go to the nearest office.


Malicious URLs


Malicious File Name and MD5:
Shipment_Label.zip (a95ef37d4d992ac63cbb81e116Ca6d07)
Shipment_Label.exe (fcd9314b644d86eee71cd67c44935fc8)

Screenshot: https://gs1.wac.edgecastcdn.net/801...d6208cdd2/tumblr_inline_moyqvtdowG1qz4rgp.png
___

Fake ADP SPAM / spanishafair .com
- http://blog.dynamoo.com/2013/06/adp-spam-spanishafaircom.html
25 June 2013 - "This fake ADP spam leads to malware on spanishafair .com:
Date: Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]
From: Run Do Not Reply [RunDoNotReply @ipn.adp .net]
Subject: Your Biweekly payroll is accepted
Yoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If you offer direct deposit to your employees, this will also support pay down their money by the due date.
Client ID: [redacted]
View Details: Review
Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.
Please do not reply to this message. auto informer system not configured to accept incoming messages.


The malicious payload is at [donotclick]spanishafair .com/news/possibility-redundant.php hosted on:
119.147.137.31 (China Telecom, China)
210.42.103.141 (Wuhan Urban Construction Institute, China)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
Related evil domains and IP addresses to block can be found here* and here**."
* http://blog.dynamoo.com/2013/06/facebook-spam-chinadollarsnet.html

** http://blog.dynamoo.com/2013/06/southwest-airlines-confirmation-kqr101.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bill Payment Notification Email Messages - 2013 Jun 25
Malicious Personal Pictures Attachment Email Messages - 2013 Jun 25
Fake Bank Deposit Confirmation Email Messages - 2013 Jun 25
Fake Legal Contract Form Email Messages - 2013 Jun 25
Fake Customer Complaint Attachment Email Messages - 2013 Jun 25
Fake Mobile Phone Credit Notification Email Messages - 2013 Jun 25
Fake Unpaid Debt Invoice Email Messages - 2013 Jun 25
Email Messages with Malicious Attachments - 2013 Jun 25
Fake Sample Product Purchase Order Email Messages - 2013 Jun 25
Fake Bank Payment Transfer Notification Email Messages - 2013 Jun 25
Fake Personal Photo Sharing Email Messages - 2013 Jun 25
Fake Product Order Inquiry Email Messages - 2013 Jun 25
Fake Authorization Letter Email Messages - 2013 Jun 25
(More detail and links at the cisco URL above.)

Fake UPS, Xerox SPAM...

FYI...

Fake UPS Parcel Pickup Spam
- http://threattrack.tumblr.com/post/53933973553/ups-parcel-pickup-spam
June 26, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <random> )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs


Malicious File Name and MD5:
Label_<random>.zip (d17aab950060319ea41b038638375268)
Label_<random>.exe (347cbf0c41a978e601b00d39928506aa)

Screenshot: https://gs1.wac.edgecastcdn.net/801...f40ef7fd3/tumblr_inline_mp0b2emZ7e1qz4rgp.png
___

Xerox WorkCentre Scan Spam
- http://threattrack.tumblr.com/post/53943191167/xerox-workcentre-scan-spam
June 26, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Tlease open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: [removed]
Number of Images: 5
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: [removed]
Attached file is scanned image in PDF format.


Malicious URLs


Malicious File Name and MD5:
Scan_<random>.zip (d8d8bf4a0890c937d501b78cdfd7de13)
Scan_<random>.exe (40378c0d43dd8c135f90a704911024bd)

Screenshot: https://gs1.wac.edgecastcdn.net/801...c60ffa848/tumblr_inline_mp0hcwPh591qz4rgp.png

Fake BBB, OfficeWorld SPAM...

FYI...

BBB Compliant Spam
- http://threattrack.tumblr.com/post/54017972956/better-business-bureau-compliant-spam
June 27, 2013 - "Subjects Seen:
FW: Complaint Case <removed>
Typical e-mail details:
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely,
BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region


Malicious URLs


Malicious File Name and MD5:
Case_<random>.zip (0ed9dd827d557d3e20818ab50c7d930b)
Case_<random>.exe (f317d215a672a209cbdcba452e5e84d8)

Screenshot: https://gs1.wac.edgecastcdn.net/801...65a105f5e/tumblr_inline_mp24td7SVn1qz4rgp.png
___

Fake OfficeWorld .com SPAM / sartorilaw .net
- http://blog.dynamoo.com/2013/06/officeworldcom-spam-sartorilawnet.html
27 June 2013 - "This fake OfficeWorld spam leads to malware on sartorilaw .net:
Date: Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From: customerservice @emalsrv.officeworldmail .net
Subject: Confirmation notification for order 1265953
Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!
Please review your order details below. If you have any questions, please Contact Us
Helpful Tips:
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
Order: 1265953
Date: 6/27/2013
Ship To: My Default
Credit Card: MasterCard
Product Qty Price Unit Extended
HEWCC392A 1 $9703.09 EA $15.15
AVE5366 1 $27.49 BX $27.49
SAF3081 2 $56.29 EA $112.58
Product Total: $9855.22
Total: $9855.22
OfficeWorld.com values your business!


The link in the email goes through a legitimate -hacked- site and then on to [donotclick]sartorilaw .net/news/source_fishs.php (report here*) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)
Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
108.177.140.2
..."
* http://urlquery.net/report.php?id=3362472
... Detected BlackHole v2.0 exploit kit URL pattern...
