SPAM frauds, fakes, and other MALWARE deliveries...

Exploit Kits - OVH Canada / r5x .org ...

FYI...

Exploit Kits - OVH Canada / r5x .org / Penziatki
- http://blog.dynamoo.com/2014/03/evil-network-ovh-canada-r5xorg-penziatki.html
13 Mar 2014 - "Hat tip to Frank Denis (@jedisct1)* for this report** on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x .org***. The blocks have been identified as belonging to that customer and I would recommend that you block them:
198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30

OVH Canada have repeatedly hosted exploit kits for this customer... If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:
198.27.0.0/16
198.50.0.0/16

Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:
198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24
..."
(More detail at the dynamoo URL above.)

* https://twitter.com/jedisct1

** https://gist.github.com/jedisct1/9509527 - Nuclear Exploit Kit Mar 12

*** http://blog.dynamoo.com/search/label/R5X.org

> http://google.com/safebrowsing/diagnostic?site=AS:16276
___

Malware sites to block 13/3/14
- http://blog.dynamoo.com/2014/03/malware-sites-to-block-13313.html
13 Mar 2014 - "These IPs and domains seem to be involved in injection attacks today. I recommend you block them.
64.120.242.178
188.226.132.70
93.189.46.90
...
The domains being abused are as follows.. many of them appear to be hijacked legitimate domains..."
(Many others listed at the dynamoo URL above.)
___

Fake Blood count result - fake PDF malware
- http://myonlinesecurity.co.uk/important-complete-blood-count-result-fake-pdf-malware/
13 Mar 2014 - "This email saying IMPORTANT Complete blood count result pretending to come from NICE (National Institute for Health and Care Excellence) has to be the most vicious and evil attempt by any malware purveyor to try to infect a victim. Sending an email saying that you probably have cancer will alarm & distress so many people and is just the most offensive and disgusting attempt to trick a user into opening a malware attachment... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Other subjects in this evil email attempt to infect you are:
- IMPORTANT:Blood analysis result
- IMPORTANT:Blood analysis
- IMPORTANT:Complete blood count (CBC)result ...
> http://myonlinesecurity.co.uk/wp-co.../IMPORTANT-Complete-blood-count-CBCresult.png
... 13 March 2014: CBC_Result_9B4824B65E.zip (55kb) Extracts to CBC_scaned_584444449.pdf.exe
Current Virus total detections: 2/50*... careful when unzipping them and make sure you have “show known file extensions enabled”**, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/...e02307e4ee7c3ee411c73218/analysis/1394703905/

** http://myonlinesecurity.co.uk/why-you-should-set-your-folder-options-to-show-known-file-types/
___

Key Secured Message -fake- PDF malware
- http://myonlinesecurity.co.uk/key-secured-message-fake-pdf-malware/
13 March 2014 - "Key Secured Message pretending to come from Payroll Reports <payroll @quickbooks .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/Key-Secured-Message.png
... Extracts to NIKON-2013564-JPEG.scr ... Current Virus total detections: 2/50*
This Key Secured Message is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en-gb/fi...d4a7eaf76b0a1fdb7cb4c2e881c606855c2/analysis/
___

Fake Sky .com "Statement of account" SPAM
- http://blog.dynamoo.com/2014/03/skycom-statement-of-account-spam.html
13 Mar 2014 - "This -fake- Sky .com email comes with a malicious attachment:
Date: Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From: "Sky .com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for the December invoice as this is now due for
payment.
Regards, Carmela ...
Wilson McKendrick LLP Solicitors ...


Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50*. Automated analysis tools... show attempted connections to the following domains and IPs:
188.247.130.190 (Prime Telecom SRL, Romania)
gobemall .com
gobehost .info
184.154.11.228 (Singlehop, US)
terenceteo .com
184.154.11.233 (Singlehop, US)
quarkspark .org
The two Singlehop IPs appear to belong to Host The Name (hostthename .com) which perhaps indicates a problem at that reseller.
Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall .com
gobehost .info
terenceteo .com
quarkspark .org
"
* https://www.virustotal.com/en-gb/fi...0c6880835d394d117608fda9/analysis/1394715270/
___

HM Revenue & Customs Spam
- http://threattrack.tumblr.com/post/79368114782/hm-revenue-customs-spam
Mar 12, 2014 - "Subjects Seen:
HMRC Tax Notice
Typical e-mail details:
Dear <email address>
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 6807706.


Malicious File Name and MD5:
PDF_Scanned_HMRCBBD45F6647.zip (09BA8CF32FDDE3F73EA8F2E6F75BDF1E)
scaned_7246582_pdf_4364534533.exe (3F347C85BEA303904975FF0A8DE49E7E)


Screenshot: https://gs1.wac.edgecastcdn.net/801...3deffee64/tumblr_inline_n2c0ewlGe41r6pupn.png

Tagged: HMRC, weelsof

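Several posts above describe the same trick: an archive whose member is an executable (.exe, .scr) dressed up with a document or media name such as CBC_scaned_584444449.pdf.exe or NIKON-2013564-JPEG.scr, relying on Windows hiding known extensions. The following is an added example (not code from the thread or from the quoted blogs) of a gateway-style check that flags such archive members by name and by PE "MZ" magic; the ZIP fixtures are constructed in memory from the attachment names quoted in the posts, with a bare MZ header standing in for the executable.

```python
import io
import re
import zipfile
from typing import Dict, List

# Extensions Windows will run; the posts above saw .exe and .scr.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Document/media types the attachments pretended to be (pdf, mov, jpeg, p12 ...).
DECOY_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                "mov", "mp4", "avi", "txt", "p12"}


def classify_member(name: str, head: bytes) -> dict:
    """Describe one archive member: what it looks like versus what it is.

    name -- file name as stored in the archive
    head -- first bytes of the member's content (checked for the PE 'MZ' magic)
    """
    base = name.rsplit("/", 1)[-1].lower()
    stem, sep, ext = base.rpartition(".")
    if not sep:                      # no dot at all: no extension
        stem, ext = base, ""
    # Decoy words may sit in a second extension (".pdf.exe") or in the stem ("-JPEG.scr").
    tokens = [t for t in re.split(r"[^a-z0-9]+", stem) if t]
    decoys = [t for t in tokens if t in DECOY_TOKENS]
    by_ext = ext in EXECUTABLE_EXTS
    by_magic = head[:2] == b"MZ"     # PE header, whatever the name says
    executable = by_ext or by_magic
    ext_mismatch = by_magic and not by_ext   # e.g. a PE renamed to .pdf
    return {
        "name": name,
        "ext": ext,
        "decoy": decoys[-1] if decoys else "",
        "executable": executable,
        "ext_mismatch": ext_mismatch,
        "disguised": executable and (bool(decoys) or ext_mismatch),
    }


def scan_zip(data: bytes) -> List[dict]:
    """Classify every file inside a ZIP held in memory (nested archives are not opened)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings.append(classify_member(info.filename, head))
    return findings


def verdict(findings: List[dict]) -> str:
    """Decision for the whole attachment, in the order a mail gateway would apply it."""
    if any(f["disguised"] for f in findings):
        return "block: executable disguised as a document/media file"
    if any(f["executable"] for f in findings):
        return "block: executable attachment"
    return "allow"


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed fixture helper: build a ZIP in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins using attachment names quoted in the posts above;
# the "executable" is only an MZ header plus padding, not a real sample.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "CBC_Result_9B4824B65E.zip": {"CBC_scaned_584444449.pdf.exe": FAKE_PE},
    "Key-Secured-Message.zip": {"NIKON-2013564-JPEG.scr": FAKE_PE},
    "Statement.zip": {"Statement.scr": FAKE_PE},
    "report.zip": {"report.pdf": b"%PDF-1.4\n%constructed benign stand-in\n"},
    "renamed.zip": {"invoice.pdf": FAKE_PE},   # PE bytes hiding behind a .pdf name
}


def scan_samples() -> Dict[str, str]:
    """Run the check over every constructed fixture and return name -> verdict."""
    return {name: verdict(scan_zip(build_sample_zip(m))) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:30s} {result}")
```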
Google Docs users Targeted - Phishing Scam ...

FYI...

Google Docs users Targeted - Phishing Scam
- http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam
13 Mar 2014 - "We see -millions- of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link. Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:
Google Docs phishing login page:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/phish_site_image.png
The -fake- page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.) It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought. After pressing "Sign in", the user’s credentials are sent to a PHP script on a -compromised- web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content..."
___

ABSA Global business - certificate update – fake PDF malware
- http://myonlinesecurity.co.uk/absa-global-business-customers-certificate-update-fake-pdf-malware/
Mar 14, 2014 - "ABSA Global business customers 'certificate update' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. ABSA Global is a South African Bank so I wouldn’t expect a high number of US or UK citizens to have accounts with them, so this should be a quite obvious scam, phishing, malware attack to the majority of users. After examination of the malware, although many Antiviruses detect it as a Zbot, it looks more like an Androm version, possibly dropped by Asprox botnet. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
Attention!
On March 14, 2014 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to install new server certificate attached to the letter.
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator ABSA Global


cert p12 install instruction.zip (58kb) - Extracts to ABSA cert p12 install instruction.exe
Current Virus total detections: 11/50* ... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...c504916b22f19106110cd28cac22e265843/analysis/
___

Fake Facebook messages
- http://myonlinesecurity.co.uk/fake-facebook-messages/
Mar 14, 2014 - "... plagued by Fake Facebook messages saying ” somebody commented on your status” (1) or “You requested a new Facebook password” (2) ...
1) http://myonlinesecurity.co.uk/wp-co...acebook-somebody-commented-on-your-status.png
2) http://myonlinesecurity.co.uk/wp-co...ook-You-requested-a-new-Facebook-password.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Facebook. Do not click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines that could kill you."
___

Banks to be hit with MS costs for running outdated ATMs
- http://www.reuters.com/article/2014/03/14/banks-atms-idUSL6N0M345C20140314
LONDON/NEW YORK, March 14, 2014 - "Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure. The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world's 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7 by the April deadline, according to NCR, one of the biggest ATM makers. To ensure the machines are protected against viruses and hackers many banks have agreed deals with Microsoft to continue supporting their ATMs until they are upgraded, extra costs and negotiations that were avoidable but are now likely to be a distraction for bank executives... Britain's five biggest banks - Lloyds Banking Group , Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft. The cost of extending support and upgrading to a new platform for each of Britain's main banks would be in the region of 50 to 60 million pounds ($100 million), according to Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting, an estimate corroborated by a source at one of the banks. Athreya said banks have left it late to upgrade systems after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis... Windows XP currently supports around 95 percent of the world's ATMs... many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline..."
___

Bogus online casino themed campaigns intercepted in the wild
- http://www.webroot.com/blog/2014/03...s-online-casino-themed-emails-lead-w32casino/
Mar 14, 2014 - "... proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants...
Sample screenshots of the landing pages for the rogue casinos:
1) https://www.webroot.com/blog/wp-con...ino_Potentially_Unwanted_Applicationc_PUA.png
2) https://www.webroot.com/blog/wp-con..._Potentially_Unwanted_Applicationc_PUA_01.png
3) https://www.webroot.com/blog/wp-con..._Potentially_Unwanted_Applicationc_PUA_02.png
4) https://www.webroot.com/blog/wp-con..._Potentially_Unwanted_Applicationc_PUA_03.png
5) https://www.webroot.com/blog/wp-con..._Potentially_Unwanted_Applicationc_PUA_04.png
6) https://www.webroot.com/blog/wp-con...lly_Unwanted_Applicationc_PUA_05-1024x576.png
Spamvertised URLs:
W32.Casino PUA domains reconnaissance:
hxxp ://rubyfortune .com – 78.24.211.177
hxxp ://grandparkerpromo .com – 95.215.61.160
hxxp ://kingneptunescasino1 .com – 67.211.111.169
hxxp ://riverbelle1 .com – 193.169.206.233
hxxp ://europacasino .com – 87.252.217.13
hxxp ://vegaspartnerlounge .com – 66.212.242.136

Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c * ... W32/Casino.P.gen!Eldorado
MD5: a2a545adf4498e409f7971f326333333 ** ... Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 *** ... W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 **** ... W32/Casino.P.gen!Eldorado
... (More) Known to have been downloaded from the same IP (87.248.203.254) ..."
* https://www.virustotal.com/en/file/...5d586eb3e6daaa46aa946290/analysis/1394642298/
** https://www.virustotal.com/en/file/...4d37659c1a70c8025c32e503/analysis/1394642439/
*** https://www.virustotal.com/en/file/...b3c911b82a47b7899ee0ea88/analysis/1394643637/
**** https://www.virustotal.com/en/file/...fd06675729775e3717032c42/analysis/1394643413/

Something evil on 198.50.140.64/27, 192.95.6.196/30 ...

FYI...

Something evil on 198.50.140.64/27
- http://blog.dynamoo.com/2014/03/something-evil-on-198501406427.html
17 Mar 2014 - "Thanks again to Frank Denis (@jedisct1) for this heads up* involving grubby web host OVH Canada and their black hat customer "r5x .org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27. A full list of all the web sites I can find associated with this range can be found here**, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16). Domains in use that I can identify are listed below. I recommend you block -all- of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.
Recommended blocklist:
198.50.140.64/27
ingsat .eu
kingro .biz
..."
(More detail and domains listed at the dynamoo URL above.)
* https://twitter.com/jedisct1/status/445220289534631937

** http://pastebin.com/kkPRKu6v
___

Something evil on 192.95.6.196/30
- http://blog.dynamoo.com/2014/03/something-evil-on-19295619630.html
17 Mar 2014 - "Another useful tip by Frank Denis* on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x .org / Penziatki", this time on 192.95.6.196/30. The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault .ru
addrela .eu
backinl .org
A full list of the domains I can find in this /30 can be found here** [pastebin].
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16
"
* https://twitter.com/jedisct1/status/445690516433145856

** http://pastebin.com/RWG8uj00
___

Bank of America / Merrill Lynch - Completion of request for ACH CashPro – fake PDF malware
- http://myonlinesecurity.co.uk/bank-...pletion-request-ach-cashpro-fake-pdf-malware/
Mar 17, 2014 - "Bank of America Merrill Lynch Completion of request for ACH CashPro is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-co...nch-Completion-of-request-for-ACH-CashPro.png
17 March 2014 securedoc.zip (12kb) Extracts to securedoc.exe
Current Virus total detections: 2/49* - MALWR Auto Analysis**
This Bank of America Merrill Lynch Completion of request for ACH CashPro is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/...618deebce69a33b23c849656ce71ceb9bf5/analysis/

** https://malwr.com/analysis/Njc2MjY3YzcyNTc0NDA5NThlYjdhODVhYTEyMzI4OTY/
___

Injection attack in progress 17/3/14
- http://blog.dynamoo.com/2014/03/injection-attack-in-progress-17314.html
17 Mar 2014 - "A couple of injection attacks seem to be in progress, I haven't quite got to the bottom of them yet.. but you might want to block the following domains:
fsv-hoopte-winsen .de
grupocbi .com
These are hosted on 82.165.77.21 and 72.47.228.162 respectively. The malware is resistant to automated tools and redirects improperly-formed attempts to analyse it to Bing [1] [2]. The malware is appended to hacked .js files on target sites... This sort of attack has been used to push -fake- software updates* in the past. Even though I can't quite get to the bottom of this at the moment, you can be pretty sure that this is Nothing Good and I would recommend blocking these domains."
1) http://urlquery.net/report.php?id=9933756

2) http://urlquery.net/report.php?id=9933677

* http://blog.dynamoo.com/2014/01/script-exploits-lead-to-adscend-media.html
___

Fake Personal message from Gmail Service – spam
- http://myonlinesecurity.co.uk/fake-personal-message-gmail-service-spam/
Mar 17, 2014 - "< your name> Personal message from Gmail Service is an alternative version of the Fake Facebook messages*. Just like the Facebook versions these either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs.
Fake Personal message from Gmail Service
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/fake-gmail-message.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Gmail. Do -not- click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other -botnets- will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines..."
* http://myonlinesecurity.co.uk/fake-facebook-messages/
___

Fake Salesforce/Quickbooks invoice - malware
- http://blog.dynamoo.com/2014/03/salesforcecom-please-respond-overdue.html
Mar 17, 2014 - "This -fake- Salesforce spam comes with a malicious attachment... actually two malicious attachments..
Date: Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
From: "support @ salesforce .com" [support @ salesforce .com]
Subject: Please respond - overdue payment
Priority: High Priority 2
Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Alvaro Rocha
This e-mail has been sent from an automated system...


Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49*. Automated analysis tools... don't give much of a clue as to what is going on..."
* https://www.virustotal.com/en-gb/fi...a08ea328ecd08cec30001d12/analysis/1395087978/

AMEX phish, Gov't Biz Dept SPAM ...

FYI...

AMEX phish...
- http://myonlinesecurity.co.uk/american-express-phishing-attempts/
Mar 18, 2014 - "We are seeing quite a few American Express -phishing- attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. They are using literally hundreds if not thousands of -hijacked- websites to perform these attacks. The site listed in the email is the first step in the chain and you are bounced on to other sites. The coding on the primary hijacked sites suggests that they are under the control of the Blackhole and Angler exploit kit criminals. This means that at any time when they have stolen enough identities and money, they will switch to spreading malware via the same network and emails. Do not click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t American Express. Immediately -delete- the email; the safest way to make sure that it isn’t a genuine email from American Express is to type the American Express web address in your browser and then log in to the account that way. There are currently 2 main avenues of the American Express phishing attempts:
AmericanExpress phishing attempts:
1) http://myonlinesecurity.co.uk/wp-co...ss-Irregular-card-activity-phishing-email.png
2) http://myonlinesecurity.co.uk/wp-co...tant-Personal-Security-Key-phishing-email.png
Following the link in these takes you to a website that looks exactly like the real American Express site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___

Gov't Biz Dept. – fake PDF malware
- http://myonlinesecurity.co.uk/government-business-departament-fake-pdf-malware/
Mar 18, 2014 - "Government Business Departament pretending to come from the Department for Business Innovation & Skills <business_dep@ gov .uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Please note the poor -spelling- in the email subject, which should be enough of a flag to warn users of the -fake- . Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/Government-Business-Departament.png
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake YouTube email – fake mov malware
- http://myonlinesecurity.co.uk/received-youtube-video-fake-mov-malware/
Mar 18, 2014 - "'You have received a YouTube video' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... plain simple email with subject You have received a YouTube video and content just says 'Sent from my iPad'...
18 March 2014 : VIDEO_819562694.MOV.ZIP (79kb) : Extracts to VIDEO_890589685.MOV.exe
Current Virus total detections: 6/50*
... another one of the spoofed icon files... will look like a proper mov ( movie) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...3bc17ab84ab808d91a44cc80e8666b769ae/analysis/

Screenshot: https://gs1.wac.edgecastcdn.net/801...d5d9d150f/tumblr_inline_n2mznrfywx1r6pupn.png
___

500,000 PCs attacked after 25,000 UNIX servers hijacked ...
- http://www.welivesecurity.com/2014/03/18/attack-unix-operation-windigo/
Mar 18, 2014 - "... Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers. And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed. The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines...
> http://www.welivesecurity.com/wp-content/uploads/2014/03/windigo-spam.jpeg
... That would be bad enough, normally. But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users. Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals...
> http://www.welivesecurity.com/wp-content/uploads/2014/03/windigo-iphone.jpeg
ESET’s security research team has published a detailed technical paper* into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years..."
An analysis of the visiting computers revealed a wide range of operating systems being used:
> http://www.welivesecurity.com/wp-content/uploads/2014/03/victims-by-os.jpeg
(More detail at the welivesecurity URL at the top.)
* http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Indicators of Compromise
- https://github.com/eset/malware-ioc

OVH Canada hosted exploit kits, Twitter Spamrun ...

FYI...

More OVH Canada hosted exploit kits
- http://blog.dynamoo.com/2014/03/more-ovh-canada-hosted-exploit-kits.html
19 Mar 2014 - "... Yesterday Frank identified three new OVH Canada ranges* being used to host the Nuclear EK [1], again the customer is "r5x .org / Penziatki"
198.50.212.116/30
198.50.131.220/30
192.95.40.240/30

Update: also 192.95.51.164/30 according to this Tweet**... A full list of everything I can find is here*** [pastebin] ... At a minimum I recommend that you block those IP ranges and/or domains.
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16
"
(More detail at the dynamoo URL above.)

* https://twitter.com/jedisct1/status/445970337490927616

** https://twitter.com/jedisct1/status/446154856093343744

*** http://pastebin.com/4eGWBwHV

[1] http://krebsonsecurity.com/tag/nuclear-exploit-pack/

Updated - Mar 20, 2014: http://blog.dynamoo.com/search/label/OVH
___

Something evil on 64.120.242.160/27
- http://blog.dynamoo.com/2014/03/something-evil-on-6412024216027.html
19 Mar 2014 - "64.120.242.160/27 (Network Operations Center, US) is hosting a number of exploit domains (see this example report at VirusTotal*). There appears to be a variety of badness involved, and many of the domains hosted in the range are flagged as malicious by Google or SURBL (report here** [csv]). There appears to be nothing legitimate in this whole range. Domains flagged as malicious by Google are highlighted, ones marked as malicious by SURBL are in italics. I would recommend you block the entire lot.
64.120.242.160/27
asifctuenefcioroxa .net
hukelmshiesuy .net
asifctuenefcioroxa .com
asifctuenefcioroxa .info
..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ip-address/64.120.242.180/information/

** http://www.dynamoo.com/files/64.120.242.160-27.csv
___

Fake NatWest SPAM ...
- http://blog.dynamoo.com/2014/03/natwest-you-have-received-secure.html
19 Mar 2014 - "This -fake- NatWest spam has a malicious attachment:
Date: Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From: NatWest [secure.message@ natwest .co .uk]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment...


Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51*. Automated analysis tools... show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.
199.193.115.111 (NOC4Hosts, US) ...
184.107.149.74 (iWeb, Canada) ...
50.116.4.71 (Linode, US) ...
Recommended blocklist:
199.193.115.111
184.107.149.74
50.116.4.71
..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...7f3a7595c42fe86ca9035c9c/analysis/1395245960/

Screenshot: https://gs1.wac.edgecastcdn.net/801...d8ebca5f2/tumblr_inline_n2p5d8Mol61r6pupn.png
___

Steer Clear of the Latest Twitter Spamrun
- http://blog.malwarebytes.org/social-engineering/2014/03/steer-clear-of-the-latest-twitter-spamrun/
Mar 19, 2014 - "Watch out for messages on your Twitter feed like the ones below, because they’ll try their best to give your account a bad hair day:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/twitphish1.jpg
Some of the (many) messages read as follows, and all are designed to entice the recipient into clicking:
lmao I had a eerie feeling this was yours
haha this post by you is so funny
haha this was made by you?
Im laughing so much right now at this
haha this update by you is odd
lol I had a eerie feeling this was you
lolz this post by you is nuts
lol this was posted by you?
omfg this entry by you is crazy
lolz this tweet by you is so funny
LOL you got 2 see this, its epic
omfg this post by you is cool
lolz this post by you is hilarious... (more)

There are others, but those seem to be the main ones and everything else is typically a variation on the above themes. The links take end-users to a site informing them of the following:
“Your current session has ended
For security purposes you were forcibly signed out. For security purposes you need to verify your Twitter account, please login”

> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/03/twitpsh2.jpg
... change your password if you think you’ve already been affected by this one and clear up any rogue links lying around on your feed – your followers will thank you for it.
Christopher Boyd (Hat-tip to @Cliffsull *)"
* https://twitter.com/cliffsull

:mad::mad:
 
Something evil on 66.96.195.32/27, PHP bug ...

FYI...

Something evil on 66.96.195.32/27
- http://blog.dynamoo.com/2014/03/something-evil-on-66961953227.html
Mar 20, 2014 - "Another bad bunch of IPs hosted by Network Operations Center in Scranton following on from yesterday*, this time 66.96.195.32/27 which seems to be more of the same thing. The exploit kit in question is the Goon EK, as shown in this URLquery report**. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example [3]). The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see... malicious websites active in that range (all on 66.96.195.49 [4])..."
* http://blog.dynamoo.com/2014/03/something-evil-on-6412024216027.html

** http://urlquery.net/report.php?id=1395311494976

3] http://urlquery.net/report.php?id=1395322515680

4] https://www.virustotal.com/en/ip-address/66.96.195.49/information/
___

PHP bug allowing site hijacking still menaces Internet 22 months on
- http://arstechnica.com/security/201...ijacking-still-menaces-internet-22-months-on/
Mar 19 2014 - "A vulnerability that allows attackers to take control of websites running older versions of the PHP scripting language continues to threaten the Internet almost two years after security researchers first warned that attackers could use it to remotely execute malicious code on vulnerable servers. As Ars reported 22 months ago, the code-execution exploits worked against PHP sites only when they ran in common gateway interface mode, a condition that applied by default to those running the Apache Web server. According to a blog post published Tuesday*, CVE-2012-1823**, as the vulnerability is formally indexed, remains under attack today by automated scripts that scour the Internet in search of sites that are susceptible to the attack. The sighting of in-the-wild exploits even after the availability of security patches underscores the reluctance of many sites to upgrade... PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post* said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses..."
* http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html
Mar 18, 2014

** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823 - 7.5 (HIGH)
Last revised: 07/20/2013
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Shipping Documents Email Messages - 2014 Mar 20
Fake Financial Documents Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Tax Return Notification Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Document Processing Request Email Messages - 2014 Mar 20
Fake Fax Message Delivery Email Messages - 2014 Mar 20
Fake Product Order Quotation Email Messages - 2014 Mar 20
Fake Tax Document Email Messages - 2014 Mar 20
Fake Payroll Information Notification Email Messages - 2014 Mar 20
Fake Incoming Money Transfer Notification Email Messages - 2014 Mar 20
Fake Bank Payment Transfer Notification Email Messages - 2014 Mar 20
Fake Lawsuit Details Attachment Email Messages - 2014 Mar 20
Fake Account Payment Information Email Messages - 2014 Mar 20
Fake Product Order Notification Email Messages - 2014 Mar 20
Fake Failed Delivery Notification Email Messages - 2014 Mar 20
Fake Bank Transaction Notification Email Messages - 2014 Mar 19
(More detail and links at the cisco URL above.)

:mad: :sad:
 
Fake Amazon, Companies House SPAM, Something evil on 50.116.4.71 ...

FYI...

Fake Amazon .co .uk SPAM, Something evil on 50.116.4.71
- http://blog.dynamoo.com/2014/03/amazoncouk-spam-something-evil-on.html
21 Mar 2014 - "This -fake- Amazon .co .uk spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From: "AMAZON .CO .UK" [SALES@ AMAZON .CO .UK]
Cc: ; Fri, 21 Mar 2014 13:40:05 +0530
Subject: Your Amazon.co.uk order ID841-6379889-7781077
Hello, Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #799-5059801-3688207 Placed on March 21, 2014 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .co .uk...


There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51*. The Malwr analysis** is the most comprehensive, and shows that it attempts to phone home... Out of these, aulbbiwslxpvvphxnjij .biz seems to be active on 50.116.4.71 (Linode, US). Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo .org
..."
(Long list at the dynamoo URL above.)

* https://www.virustotal.com/en-gb/fi...eaf05a064ba4097f72e8f052/analysis/1395393900/

** https://malwr.com/analysis/MWI1MGFlYTIyNzBkNGM4Y2I4NmIzOGMzMmViZTk4ZjI/

- https://www.virustotal.com/en/ip-address/50.116.4.71/information/
___

Fake Companies House SPAM and 50.116.4.71 (again)
- http://blog.dynamoo.com/2014/03/companies-house-spam-and-50116471-again.html
21 Mar 2014 - "This -fake- Companies House spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From: Companies House [WebFiling@ companieshouse .gov .uk]
Subject: Incident 8435407 - Companies House
The submission number is: 8435407
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house .gov .uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message...


Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49*. The Malwr analysis -again- shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij .biz. The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine .co .uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below). I would recommend... the following blocklist in combination with this one.
50.116.4.71
aulbbiwslxpvvphxnjij.biz
..."
(Long list at the dynamoo URL above.)

* https://www.virustotal.com/en-gb/fi...7a407a814b76685e4176a71a/analysis/1395396703/
___

Fake Air Canada Ticket - malware
- http://www.threattracksecurity.com/it-blog/air-canada-ticket-malware/
Mar 20, 2014 - "... The email (pictured below) was directed to an employee inbox purporting to be from Air Canada and directing the recipient to download and print their ticket. (Note: Air Canada was not hacked, nor were they part of this malware. The malicious URL distributing a previously unidentified malware is simply being masked to look like it’s coming from Air Canada.)
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/03/Air-Canada-Malicious-Email.png
The link hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?action=download&fid=QB820910108CA pointed to another address, hxxp ://alienstub.com/pdf_ticket_820910108.zip, which hosts the malware, a zipped malicious file. Once the zip file is decompressed, the user will see a file called pdf_ticket_820910108.pif . Analysis by ThreatSecure quickly revealed the sample as an exploit categorized with a high severity (see in-product analysis screen below), exhibiting malicious behavior like disabling the Windows firewall, changing proxy settings in Internet Explorer, opening the command prompt, creating executable files and connecting to Windows Remote Access Connection Manager.
> http://www.threattracksecurity.com/...-Canada-pdf_ticket_820910108_pif-analsysi.jpg
... At the time of posting this blog, 16/51* antivirus vendors on VirusTotal detect this file as being malicious. The domain hxxp ://alienstub .com appears to be registered in China...
* https://www.virustotal.com/en/file/...27cdc2912c95500276499e761c0fe687622/analysis/

alienstub .com

108.162.198.134
- https://www.virustotal.com/en-gb/ip-address/108.162.198.134/information/

108.162.199.134 - https://www.virustotal.com/en-gb/ip-address/108.162.199.134/information/

:fear: :mad:
 
Malware sites to block 23/3/14 (P2P/Gameover Zeus)

FYI...

Malware sites to block 23/3/14 (P2P/Gameover Zeus)
- http://blog.dynamoo.com/2014/03/malware-sites-to-block-23314.html
23 Mar 2014 - "These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie*. I recommend that you -block- the -IPs- and/or domains listed as they are all malicious:
50.116.4.71 (Linode, US) ...
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)

50.116.4.71 ...
178.79.178.243 ...
212.71.235.232 ...
23.239.140.156
..."
(More - long list of domains listed at the dynamoo URL above.)
* http://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html

:mad::mad: :fear:
 
Fake Flash update hosted on OneDrive, HMRC SPAM

FYI...

Fake Flash update hosted on OneDrive
- http://blog.dynamoo.com/2014/03/js-injection-leads-to-fake-flash-update.html
25 Mar 2014 - "This kind of attack is nothing new, but there has been a sharp uptick recently in injection attacks that alter .js files on vulnerable systems. The payload is a -fake- Flash update with a surprisingly low detection rate, hosted on Microsoft OneDrive. The first step in the attack is through a vulnerable site such as this one [urlquery*]. In turn, the infected .js file leads to [donotclick]alientechdesigns .com/NLBFH8ZG.php?id=88473423 which in turn leads to a fake Flash popup hosted at [donotclick]alientechdesigns .com/NLBFH8ZG.php?html=27 which you can see an approximation of here [urlquery**].
> https://lh3.ggpht.com/-sLx4s_0GoKQ/UzFS03GnLzI/AAAAAAAACvo/Ee3FYtmdQS4/s1600/fake-flash.jpg
The link in the popup goes to a download location at [donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21111 which downloads a file flashplayerinstaller.exe. flashplayerinstaller.exe is the first stage in the infection; it has a VirusTotal detection rate of just 3/51***. The Malwr report shows that this then downloads two additional components, from:
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21112
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21108
The first one of these is called flashplayer2.exe which has a VirusTotal detection rate of 4/51 [5]. Malwr, Anubis and Comodo CAMAS show some working of this malware. The second file is called update2.exe with a VirusTotal detection rate of 5/49****. This seems somewhat resistant to automated analysis tools... This sort of attack is hard to block from a network point of view as it leverages legitimate sites. Perhaps the best way to protect yourself is a bit of user education about where it is appropriate to download updates from."
* http://urlquery.net/report.php?id=1395739538065

** http://urlquery.net/report.php?id=1395739786885

*** https://www.virustotal.com/en-gb/fi...8c8601baedb97984f85aadf2/analysis/1395739964/

**** https://www.virustotal.com/en-gb/fi...185d9076ed8f292de5ef063c/analysis/1395742041/

5] https://www.virustotal.com/en/file/...b3a43657c22d6870ee85b276/analysis/1395740434/
___

Fake HMRC SPAM
- http://blog.dynamoo.com/2014/03/you-have-received-new-messages-from.html
25 Mar 2014 - "This fake HMRC spam comes with a malicious attachment:
Date: Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices....


The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51*. According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca .com.au/directions/2503UKp.tis
[donotclick]www.sandsca .com.au/directions/2503UKp.tis
Subsequent communications are made with aulbbiwslxpvvphxnjij .biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq .biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf .org which does not resolve...
Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca .com
aulbbiwslxpvvphxnjij .biz
qkdapcqinizsczxrwaelaimznfbqq .biz
hzdmjjneyeuxkpzkrunrgyqgcukf .org
"
* https://www.virustotal.com/en-gb/fi...0adf0c4c31a836e1403cb9a7/analysis/1395750216/

- https://www.virustotal.com/en/ip-address/67.205.16.21/information/

- https://www.virustotal.com/en/ip-address/50.116.4.71/information/

- https://www.virustotal.com/en/ip-address/178.79.178.243/information/
___

Google Drive Email - Phish ...
- http://www.hoax-slayer.com/google-drive-email-phishing-scam.shtml
Mar 25, 2014 - "... email requests recipients to click a link to view a document that the sender uploaded using Google Cloud Drive. There is no document to be viewed, urgent or otherwise. The email is a -phishing- scam designed to trick recipients into giving their email login details to Internet criminals... Example:
Hello,
Kindly click the link to view the document I uploaded for you using Google
cloud drive.
[Link removed]
Just Sign in with your email to view the document, it is very important.
Thank you,
Rev. Dr. Karen [Surname Removed]
Serving Humanity Spiritually
[Phone number removed]
Good works are links that form a chain of love.
Mother Teresa


Screenshot of phishing website:
> http://www.hoax-slayer.com/images/google-drive-email-phishing-scam-1.jpg
... Users who fall for the ruse and click the link as instructed will be taken to a -bogus- website that includes the Google Drive logo along with a login screen that asks for both their email address and email password. If users submit their email credentials as requested and click the 'View document' button, they will be redirected to Google's Gmail home page... however, their email address and password will be sent to online criminals. The criminals can use the stolen details to hijack webmail accounts belonging to victims. Hijacked accounts can be used to perpetrate more scam and spam campaigns, all in the names of the victims. If victims submitted details for a Gmail account, the scammers may be able to use the same login information to access other Google services as well as email..."
___

Gameover ZeuS now targets users of employment websites
- http://net-security.org/malware_news.php?id=2745
Mar 25, 2014 - "Some newer variants of the Gameover Zeus Trojan, which is exceptionally good at using complex web injections to perform Man-in-the-Browser (MITB) attacks and gain additional information about the victims to be used for bypassing multi-factor authentication mechanisms and effecting social engineering attacks, have been spotted targeting users of popular employment websites. They initially focused on CareerBuilder.com (largest employment website in the US), but now also on Monster.com (one of the largest in the world). The -fake- login page victims are served with looks virtually identical to the legitimate one, but the next one is a web form injected by the malware:
> http://www.net-security.org/images/articles/monster-25032014.jpg
There are 18 different questions to choose from, and they range from the name of the city where your sibling lives/you got your first job/you met your spouse, to the name of your school(s)/friend/work supervisor and significant dates and numbers in your life..."

- http://www.f-secure.com/weblog/archives/00002687.html
March 25, 2014
___

Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs
- http://www.webroot.com/blog/2014/03...pmypc-puas-potentially-unwanted-applications/
Mar 25, 2014 - "Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimate-looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host. We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA...
Sample screenshot of Adware.Linkular download page:
> https://www.webroot.com/blog/wp-con...UpMy_PUA_Potentially_Unwanted_Application.png
Sample screenshot of Win32.SpeedUpMyPC.A download page:
> https://www.webroot.com/blog/wp-con...y_PUA_Potentially_Unwanted_Application_01.png
Domain name reconnaissance:
getmyfilesnow .info – 54.208.165.36
getmyfilesnow .com – 174.142.147.2
coollinks .us – 174.142.147.5
linkular .com – 208.109.216.125
Detection rate for the PUA: MD5: 0d60941d1ec284cab2e861e05df89511 * ...
Known to have responded to 54.208.165.36 ...
Once executed, the sample phones back to:
hxxp // 107.23.152.80 /api/software/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768
Sample detection rate for the Win32.SpeedUpMyPC.A PUA:
MD5: 0a8ecb11e39db5647dcad9f0cc938c99 ** ... "
* https://www.virustotal.com/en/file/...0f89b8fafcc0034165a62263/analysis/1395713453/

** https://www.virustotal.com/en/file/...b331675de7aae59526fe8328/analysis/1395717259/

:mad::mad: :fear:
 
Something evil on 173.212.223.249, Fake PDF malware...

FYI...

Something evil on 173.212.223.249
- http://blog.dynamoo.com/2014/03/something-evil-on-173212223249.html
26 Mar 2014 - "There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US). The infection chain I have spotted here starts with a typical compromised website, in this case:
[donotclick]onerecipedaily .com/prawn-patia-from-anjum-anands-i-love-curry/
A quick look at the URLquery report* shows a general alert, but no smoking gun.. The incident logs come up with a generic detection... The following malicious subdomains are also active on 173.212.223.249:
bkbr.beuqnyrtz .com
syb.beuqnyrtz .com
sxxmxv.beuqnyrtz .info
The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
173.212.223.249
beuqnyrtz .com
beuqnyrtz .info
"
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1395844844686

- https://www.virustotal.com/en/ip-address/173.212.223.249/information/

- https://www.virustotal.com/en/ip-address/184.168.179.1/information/
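The dynamoo posts quoted in this thread (the OVH Canada ranges, 64.120.242.160/27, 66.96.195.32/27 and 173.212.223.249 with its beuqnyrtz domains) all end in a blocklist of CIDR ranges and domains. As an added example, not code from dynamoo or from this forum, the script below turns a handful of those published entries into a matcher and runs it over proxy log lines. The blocklist values are copied from the posts above (in the forum's defanged "name .tld" form, refanged before use); the log format, client addresses and URL paths are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Blocklist entries copied from the dynamoo posts quoted in this thread, kept
# in the forum's defanged "name .tld" form; refang() restores them before use.
BLOCKLIST_RAW = [
    "198.27.114.16/30",      # OVH Canada / r5x .org ranges (Nuclear EK)
    "198.50.212.116/30",
    "192.95.40.240/30",
    "64.120.242.160/27",     # Network Operations Center, US
    "66.96.195.32/27",       # Goon EK range
    "173.212.223.249",       # single host, treated as a /32
    "beuqnyrtz .com",        # subdomains of these were active on 173.212.223.249
    "beuqnyrtz .info",
]


def refang(entry: str) -> str:
    """Undo the forum's ' .' defanging: 'beuqnyrtz .com' -> 'beuqnyrtz.com'."""
    return entry.replace(" .", ".").strip().lower()


def build_blocklist(raw):
    """Split raw entries into IP networks and domain suffixes."""
    networks, domains = [], []
    for entry in map(refang, raw):
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.append(entry.strip("."))
    return networks, domains


def match_host(host: str, networks, domains):
    """Return the blocklist entry a host or IP literal matches, else None.

    Domains match themselves and any subdomain (bkbr.beuqnyrtz.com), but not
    look-alikes that merely end in the same characters (notbeuqnyrtz.com).
    """
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return next((str(n) for n in networks if addr in n), None)
    return next((d for d in domains if host == d or host.endswith("." + d)), None)


# Constructed proxy log lines (timestamp, client, method, URL, status); the
# clients and paths are invented, the destinations come from the posts above.
SAMPLE_LOG = """\
2014-03-26T10:12:01Z 10.0.0.5 GET http://bkbr.beuqnyrtz.com/index.php 200
2014-03-26T10:12:03Z 10.0.0.5 GET http://198.50.212.117/go/ 200
2014-03-26T10:12:09Z 10.0.0.7 GET http://www.example.org/ 200
2014-03-26T10:12:11Z 10.0.0.9 GET http://64.120.242.191/ 404
2014-03-26T10:12:15Z 10.0.0.9 GET http://notbeuqnyrtz.com/ 200
2014-03-26T10:12:20Z 10.0.0.9 GET http://198.50.212.120/ 200
"""


def scan_log(lines, raw=BLOCKLIST_RAW):
    """Return (timestamp, client, host, matched_entry) for every blocklisted request."""
    networks, domains = build_blocklist(raw)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or blank lines
        ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname or ""
        entry = match_host(host, networks, domains)
        if entry is not None:
            hits.append((ts, client, host, entry))
    return hits


if __name__ == "__main__":
    for ts, client, host, entry in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} -> {host} (blocklist: {entry})")
```

Note that 198.50.212.120 sits just outside the /30 and is not flagged, while 198.50.212.117 inside it is; that is the difference between the narrow /30 blocks and the whole-/16 blocks the post offers as the blunter alternative, and the same matcher can be fed either list.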
___

Info from SantanderBillpayment. co .uk - fake PDF malware
- http://myonlinesecurity.co.uk/info-santanderbillpayment-co-uk-fake-pdf-malware/
26 Mar 2014 - "Info from SantanderBillpayment.co.uk pretending to come from Santanderbillpayment-noreply@SantanderBillPayment .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. Analysis of this one is showing it likely to be a Gameover Zeus/Zbot variant. This is “new” — it’s going after a similar URL as the Pony samples we have been seeing in the last few weeks, but completely different binary. This has VM detection and if it detects that, it runs routines to choke memory and the CPU. On real hardware, it tries this URL (http :// 62.76.45.233 /2p/1.exe). Given recent patterns, this is likely to be a Gameover production...
Thank you for using BillPay. Please keep this email for your records.
The following transaction was received on 18 March 2014 at 20:03:41.
Payment type: VAT
Customer reference no: 9789049470611
Card type: Visa Debit
Amount: 483.93 GBP
Your transaction reference number for this payment is IR19758383.
Please quote this reference number in any future communication regarding this payment.
Full information in attachment.
Yours sincerely,
Banking Operations
This message is intended for the named person above and may be confidential, privileged or otherwise protected from disclosure...


26 March 2014 : VAT_F37D8FE5F9.zip (72kb) : Extracts to ATT00347_761105586544.pdf.exe
Current Virus total detections: 7/51* MALWR Auto Analysis** ...
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...1db0fad83c1750a10a83a21216dda42d4a2/analysis/

** https://malwr.com/analysis/NTQyOGVhNDc1NTJiNDQ5OGFiYTA3ZTRlMDZmMjVhMDk/

- https://www.virustotal.com/en/ip-address/62.76.45.233/information/

:mad::fear::sad:
 
Threat Metrics / Malware magnets ...

FYI...

Malware magnets ...
Cisco's threat metrics show pharmaceutical and chemical firms are 11 times more susceptible to Web malware
- http://www.infoworld.com/t/cyber-cr...makers-are-the-biggest-malware-magnets-238909
Mar 24, 2014 - "... Cyber crime has been estimated* at costing the U.S. economy $100 billion annually, with smaller companies feeling the pain** more often due to inadequate defenses. If Cisco's analyses are on track - and the numbers hold true for people outside of Cisco's customer base - attacks are likely to grow even more targeted to match their victims in the future, with narrower niches singled out by attackers based on their industry."
* http://www.infoworld.com/d/security/cyber-crime-costs-us-economy-100-billion-and-500000-jobs-223352

** http://www.infoworld.com/d/security...-small-businesses-battered-cyber-crime-216543

Feb 2014 Threat Metrics
- http://blogs.cisco.com/security/february-2014-threat-metrics/
Mar 21, 2014 - "Web surfers in February 2014 experienced a median malware encounter rate of 1:341 requests, compared to a January 2014 median encounter rate of 1:375. This represents a 10% increase in risk of encountering web-delivered malware during the second month of the year. February 8, 9, and 16 were the highest risk days overall, at 1:244, 1:261, and 1:269, respectively. Interestingly, though perhaps not unexpectedly, web surfers were 77% more likely to encounter Facebook scams on the weekend compared to weekdays. 18% of all web malware encounters in February 2014 were for Facebook related scams.
> http://blogs.cisco.com/wp-content/uploads/Feb2014Rate.jpg
The ratio of unique non-malicious hosts to unique malware hosts was fairly constant between the two months, at 1:4808 in January 2014 and 1:4775 in February 2014. Likewise, the rate of unique non-malicious IP addresses to malicious IP addresses was also similar between the two months, at 1:1330 in January 2014 compared to 1:1352 in February 2014.
> http://blogs.cisco.com/wp-content/uploads/Feb2014hosts.jpg
While Java malware encounters were 4% of all web malware encounters in January 2014, that rate increased to 9% in February. Of particular interest was the increase in the rate of Java malware encounters involving versions older than Java 7 or Java 6, which increased to 33% of all Java malware encounters in February 2014 from just 13% in the month prior.
> http://blogs.cisco.com/wp-content/uploads/Feb2014java.jpg
During the month of February 2014, risk ratings for companies in the Media & Publishing vertical increased 417%, Utilities increased 218%, and Insurance 153%. Companies in Pharmaceutical & Chemical remained at a consistent high rate, with a slight increase from a 990% risk rating in January 2014 to an 1100% risk rating in February. To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.
> http://blogs.cisco.com/wp-content/uploads/Feb2014vert.jpg
Following a January 2014 spam volume decrease of 20%, spam volumes increased 73% in February 2014...
> http://blogs.cisco.com/wp-content/uploads/Feb2014spamvol.jpg
The top five global spam senders in February 2014 were the United States at 16.5%, followed by the Russian Federation at 12.41%, with Spain, China, and Germany a distant 3.77%, 3.39%, and 3%, respectively. Though the Russian Federation was also in the number two spot in January 2014, it was a significant volume increase from only 5.10% of global spam origin that month."
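The Cisco figures above are easy to misread because "1:N requests" is an inverse measure (a smaller N is a higher risk), and the vertical risk rating is a ratio of medians rather than a raw count. The following is an added worked example, not Cisco's code or data: it reproduces the 1:375 to 1:341 "10% increase" arithmetic and applies the median-over-median method the post describes to a constructed set of per-enterprise figures, which are invented to keep the arithmetic readable.

```python
from __future__ import annotations

from statistics import median

# Figures quoted from the Cisco February 2014 post above: "1:N" means one
# malware encounter per N web requests, so a smaller N is a higher risk.
JAN_ONE_IN = 375
FEB_ONE_IN = 341


def encounter_rate(one_in: int) -> float:
    """Convert a '1:N requests' figure to encounters per request."""
    return 1.0 / one_in


def risk_change_pct(before_one_in: int, after_one_in: int) -> float:
    """Relative change in encounter risk, in percent (1:375 -> 1:341 is about +10%)."""
    before, after = encounter_rate(before_one_in), encounter_rate(after_one_in)
    return 100.0 * (after / before - 1.0)


def vertical_risk_rating(enterprises, vertical: str) -> float:
    """Vertical risk rating as the post describes it.

    Median encounter rate of the vertical's enterprises divided by the median
    across all enterprises, as a percentage; above 100% means elevated risk.
    """
    all_rates = [encounter_rate(n) for _, n in enterprises]
    vert_rates = [encounter_rate(n) for v, n in enterprises if v == vertical]
    return 100.0 * median(vert_rates) / median(all_rates)


# Constructed per-enterprise figures (vertical, "1 in N requests"); invented
# so the medians come out cleanly, not Cisco's data.
ENTERPRISES = [
    ("pharma", 30), ("pharma", 30), ("pharma", 30),
    ("media", 300), ("media", 300), ("media", 300),
    ("retail", 400), ("retail", 500), ("retail", 600),
]


def ratings_by_vertical(enterprises=ENTERPRISES) -> dict[str, float]:
    """Risk rating for every vertical present in the data, rounded to 0.1%."""
    verticals = sorted({v for v, _ in enterprises})
    return {v: round(vertical_risk_rating(enterprises, v), 1) for v in verticals}


if __name__ == "__main__":
    print(f"Jan -> Feb change: {risk_change_pct(JAN_ONE_IN, FEB_ONE_IN):+.1f}%")
    for vertical, rating in ratings_by_vertical().items():
        print(f"{vertical:8s} {rating:7.1f}%")
```

With the constructed data the overall median is 1:300, so the pharma vertical at 1:30 rates 1000% (the same order as the 990% to 1100% quoted for Pharmaceutical & Chemical), media sits at the baseline 100%, and retail at 60% is below it.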
___

Secure Message from various banks – fake PDF malware
- http://myonlinesecurity.co.uk/secure-message-various-uk-foreign-banks-fake-pdf-malware/
Mar 27, 2014 - "... pretends to come from various banks is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... We have seen a couple of different versions over the last few days from different banks, including HSBC, and Natwest...
Subjects seen are:
You have a new Secure Message
You have received a secure message

HSBC secure mail
Secure Message
You have received a secure message
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
First time users – will need to register after opening the attachment...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/hsbc-secure-mail.png

Natwest Secure Message:
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk...


27 March 2014 : Version 1 (NatWest bank) SecureMessage.zip (8kb) Extracts to SecureMessage.exe (19kb)
Current Virus total detections: 5/51* MALWR Auto Analysis **
27 March 2014 : Version 2 (HSBC) SecureMessage.zip (11kb) Extracts to SecureMessage.exe (24kb)
Current Virus total detections: 0/51*** MALWR Auto Analysis ****
This You have received a secure message is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/...6cf1a14a2967c8bcc5a5523cbe3ec0312a4/analysis/

** https://malwr.com/analysis/ZmFkZDRhNTE4NTZmNGFkZmE5NTkwZGQ5YzlhODQ1Zjg/

*** https://www.virustotal.com/en/file/...703172a9041e43aaeb00cbb0bfe7dfc3cbb/analysis/

**** https://malwr.com/analysis/NGI0NjVmYzYwMDU5NDBhYmJlNWMxNGRjMDVmYmMyZTQ/
___

Facebook You send new photo – fake PDF malware
- http://myonlinesecurity.co.uk/facebook-send-new-photo-fake-pdf-malware/
Mar 27, 2014 - "... pretending to be from Facebook is another one from the current Androm bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This campaign follows on from other similar attempts to infiltrate your computer using Facebook as a theme...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/03/Facebook-You-send-new-photo.png

27 March 2014 DCIM_IMAGEForYou.rar (40kb) Extracts to DCIM_IMAGEForYou.scr
Current Virus total detections: 1/51* MALWR Auto Analysis**
This You send new photo is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...77b12e7041f5fce78ef95d26d8636bc9404/analysis/

** https://malwr.com/analysis/ZWQyMjdkY2MwZDcwNGVlNWE1YzAxYjhjZWVlNTVjMmM/

Fake Bank acct. security warning, Something evil on 192.95.44.0/27

FYI...

Fake Bank acct. security warning – fake PDF malware
- http://myonlinesecurity.co.uk/banking-account-security-warning-fake-pdf-malware/
28 Mar 2014 - "Banking account security warning pretending to come from FRAUD ALERT SYSTEM <k.cooper@ fraudalert .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Many of these bank themed emails are extremely difficult to distinguish from phishing scams. It is becoming very frequent that the same or almost identical emails are being used over and over. Sometimes they have a link to a -fake- website where they expect you to give them your details. Other times it contains a html file that they want you to -click- on and enter details. This time they have a -fake- pdf file that if you are unwise enough to open it would infect your computer and enroll it into the Zeus botnet...
Subjects seen:
Important: Unauthorized attempt to access your banking account
Banking account security warning
Attention! Your credit card is being used

Emails seen:
Dear Sir or Madam,
The banking security system has just registered an external attempt to use your credit card from an unknown location.
In view of the fact that the safety of the credit card account is in danger we strongly recommend you to use the emergency instructions given in the attachments.
To protect users from attacks and fraudulent activities coming from within the banking system itself we need your permission to start the investigation and adjust the security measurements. If the required steps won’t be completed the account will be temporarily suspended and will be available after visiting a local office.
Step-by-step instructions and emergency phone number are in attachments to the email.
Truly yours,
PCI DSS Chief officer
K. Cooper ...


28 March 2014 : Fraud alert document 778-1.zip (345kb) Extracts to Fraud alert document 778-1.exe
Current Virus total detections: 4/51* MALWR Auto Analysis**
This Banking account security warning is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/...bdaf81e5ee02be4343f19dc42c7c7393c50/analysis/

** https://malwr.com/analysis/NjE0ZmFmMmNlNTgyNDYxODg3MjUzYjU5NjcyNTkyZTc/
___

Something evil on 192.95.44.0/27 (OVH Canada)
- http://blog.dynamoo.com/2014/03/something-evil-on-1929544027-ovh-canada.html
28 Mar 2014 - "192.95.44.0/27 (spotted by Frank Denis*) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x .org / Penziatki although now OVH seem to be masking the customer details. I can see the following active subdomains within this range, all of which can be assumed to be malicious...
(Long list of URLs at the dynamoo URL above.)
I recommend that you apply the following blocklist:
192.95.44.0/27
accruespecialiste .ru
reachprotectione .ru
reachmape .ru
acquireconnectionse .ru
"
* https://twitter.com/jedisct1/status/449309681408684032
___

Sky .com SPAM leads to Gameover Zeus
- http://blog.dynamoo.com/2014/03/skycom-statement-of-account-spam-leads.html
28 Mar 2014 - "This -fake- Sky spam has a malicious attachment:
Date: Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
From: "Sky.com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for the February invoice as this is now due for
payment.
Regards,
Darrel ...


The attachment is a ZIP file which contains an executable Statement_03282014.exe (note that the date is encoded into the file). This has a VirusTotal detection rate of 8/51*. The Malwr analysis** shows several attempted network connections. Firstly there's a download of a configuration file from [donotclick]igsoa .net/Book/2803UKd.wer and then subsequently an attempted connection aulbbiwslxpvvphxnjij .biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of -other- autogenerated domains.
Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij .biz
lpuoztsdsnvyxdyvwpnlzwg .com
..."
(More domains listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...00b0993dd22b84b64bf9312f/analysis/1396011158/

** https://malwr.com/analysis/N2ZkYWFiNWU1YWUwNGRlNGFmOGRmNTk1MGI3MTYwNDU/
___

New Man-in-the-Middle attacks leveraging rogue DNS
- http://atlas.arbor.net/briefs/index#-1333965473
27 Mar 2014
Elevated Severity
New Man-in-the-Middle attacks are manipulating DNS settings and posing as websites of over 70 different financial institutions in order to capture login credentials.
Source:
- http://blog.phishlabs.com/new-man-in-the-middle-attacks-leveraging-rogue-dns
Mar 26, '14 - "... new wave of "Man-in-the-Middle" (MitM) attacks targeting users of online banking and social media. Customers of more than 70 different financial institutions are being targeted. In these attacks, hackers use -spam- to deliver malware that changes DNS settings and installs a rogue Certificate Authority (CA). The DNS changes point to the hacker's clandestine DNS name server so that users are directed to proxy servers instead of legitimate sites... The browser displays the proper website name and displays the familiar security icon to indicate a trusted, secure connection. The hacker's proxy sits between the authorized user and the real website, capturing login credentials and injecting code into the browsing session. This allows the hacker to take total control of the user's account and carry out unauthorized banking transactions as well as other actions...
> http://blog.phishlabs.com/hs-fs/hub/326665/file-613453020-png/Images/New_MitM_Attack.png
The hacker initiates these attacks by using spam to deliver malware to victims via malicious attachments... these spam emails contain a message designed to entice the user to open an attached RTF (Rich Text Format) document. The document contains an OLE (Object Linking and Embedding) object which is actually an executable program file. This program is the malware which changes the DNS and Certificate Authority settings that allow the attack to be performed without any outward signs visible to the user.
> http://blog.phishlabs.com/hs-fs/hub/326665/file-604096624-png/Images/EXE_disguised_as_RTF.png
On many systems, double-clicking an embedded program will execute it. Cybercriminals may use tools to create specially crafted RTF document files that display a familiar data file icon and a caption in most popular word processing programs; thus hiding or obscuring clues to the executable nature of the object, such as the EXE filename extension... The malware embedded in the spammed documents is a backdoor RAT (Remote Administration Tool) with an initial payload containing instructions to change DNS and security settings when initialized. The file is a Win32 PE (Portable Executable) EXE file and is actually a compiled form of an AutoIt script. The AutoIt scripting tools used offer the option to obfuscate the compiled code, and the version used to produce this malware makes it more difficult to decompile or reverse engineer the resulting EXE file than earlier versions. Some but not all of the samples found have been run through a second "cryptor" to aid in evading detection by anti-malware tools... One of the first actions performed by the malware is changing the DNS settings on the infected user’s PC. The malware configures the PC to use the hacker's rogue DNS server... PhishLabs continues to monitor these attacks and is working with others to mitigate the threat."
___

CVE-2014-0322* integrating Exploit Kits
- http://atlas.arbor.net/briefs/index#1584606323
27 Mar 2014
Elevated Severity
The disclosed CVE-2014-0322 vulnerability affecting Internet Explorer 9 and 10 is now being integrated into exploit kits.
This follows previously observed patterns of 0-day exploit code first being developed and used by APT actors for specific targets, then later adapted by cyber criminals for use in exploit kits targeting a much wider range of users who have not yet applied security updates.

Source: http://malware.dontneedcoffee.com/2014/03/cve-2014-0322-integrating-exploit-kits.html

* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0322 - 9.3 (HIGH)
Last revised: 03/16/2014

Android.MisoSMS - malware, Google Public DNS intercepted, Credit Card SCAM ...

FYI...

Android.MisoSMS - malware ...
- http://www.fireeye.com/blog/technic...3/android-misosms-its-back-now-with-xtea.html
Mar 31, 2014 - "FireEye labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December* — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft. Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email... The newest version of MisoSMS suggests that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment."
* http://www.fireeye.com/blog/?p=4126
(More detail available at both fireeye URLs above.)
___

Who’s Behind the ‘BLS Weblearn’ Credit Card SCAM
- http://krebsonsecurity.com/2014/03/whos-behind-the-bls-weblearn-credit-card-scam/
Mar 31, 2014 - "A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers... At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574)...
onlinelearningaccess .com, one of the fraudulent affiliate marketing schemes that powers these -bogus- micropayments:
> http://krebsonsecurity.com/wp-content/uploads/2014/03/onlinelearningaccess.png
... it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network behind the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta. And, just like with the $9.84 scam*, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue .com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine)... If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again. For more on this scam, check out these posts from DailyKos** and Consumerist***."
* http://krebsonsecurity.com/2014/01/deconstructing-the-9-84-credit-card-hustle/

** http://www.dailykos.com/story/2014/03/15/1284964/-Credit-card-fraud-warning

*** http://consumerist.com/2014/03/19/c...tatements-for-bls-weblearn-scam-transactions/
___

Fake cclonline "Order Despatched" – fake doc malware
- http://myonlinesecurity.co.uk/cclonline-com-order-despatched-fake-doc-malware/
Mar 31, 2014 - "... pretending to come from sales@ cclonline .com and to be a notification about a computer being despatched to you via DPD courier services is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear ellie,
We are pleased to confirm that your order reference 1960096 has been despatched via Economy Courier. You will find the full details of your order and this delivery in the attached document. In a few hours, your consignment 0255417316 can be tracked through the DPD website by clicking the following link: www .dpd .co .uk/tracking/trackingSearch.do?search.searchType=1&search.consignmentNumber=0255417321
You may receive further information concerning your consignment direct from DPD via email and/or SMS
Should you have any queries regarding your purchase, our customer service staff will be pleased to assist. E-mail mailto:custservice@ cclonline .com or telephone 01274 471206.
Thank you for choosing CCL Computers.
Yours sincerely...


31 March 2014: DESPATCH_NOTE_B18E7F.zip (72kb) Extracts to disp_75464354787914325.doc.exe
Current Virus total detections: 2/51* . This cclonline .com – Order Despatched is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper doc file with a fake Bluetooth icon instead of the .exe file it really is..."
* https://www.virustotal.com/en/file/...38df629f85bb8ebb19516706639d127892c/analysis/
___

ADP Benefit Election Spam
- http://threattrack.tumblr.com/post/81291999525/adp-benefit-election-spam
Mar 31, 2014 - "Subjects Seen:
Benefit Elections
Typical e-mail details:
Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
Please sign and send it back.
Regards,
ADP TotalSource Benefits Team


Screenshot: https://gs1.wac.edgecastcdn.net/801...206146ae1/tumblr_inline_n3b283sybc1r6pupn.png

Malicious File Name and MD5:
CBE_Form.zip (60770AD82549984031FD3615E180EC83)
CBE_Form.scr (20406804C43D11DA25ABC2714697EC59)


Tagged: ADP, Upatre
___

Google’s Public DNS intercepted in Turkey
- http://googleonlinesecurity.blogspot.com/2014/03/googles-public-dns-intercepted-in-turkey.html
Mar 29, 2014 - "We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers). A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for... imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service."

Something evil on 64.202.116.124, Fake PDF malware...

FYI...

Something evil on 64.202.116.124
- http://blog.dynamoo.com/2014/04/something-evil-on-64202116124.html
1 Apr, 2014 - "64.202.116.124 (HostForWeb, US) is currently hosting exploit kits (see this example*). I recommend that you block traffic to this IP or the domains listed in this pastebin**. Most of the domains listed are dynamic DNS ones. If you block all such domains in that list it is nice and manageable:

in .ua
myftp .org
sytes .net
hopto .org
no-ip .biz
myvnc .com
sytes .net
no-ip .info
tobaccopeople .com
"
* http://urlquery.net/report.php?id=1396348899312

** http://pastebin.com/Pq4kDit6

- https://www.virustotal.com/en/ip-address/64.202.116.124/information/
___

Fake message from your attorney - PDF malware
- http://myonlinesecurity.co.uk/message-attorney-fake-pdf-malware/
1 April 2014 - "... pretending to be from your neighbour is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. This one also has a rootkit component so the malware it downloads & runs attempts to stay hidden on your computer...
Hi, there!
This is your neighbor writing here. Today your attorney popped you, but you were out, so he left a message for you.
I have attached the file in this email, so you can open and check everything you need.
Your attorney told me it is quite urgent and as soon as you check this message you should call him back.
If something is not clear, you can find the cell phone number of your attorney into the file, so you can dial it at once...


1 April 2014 please call me back asap.zip (346kb) Extracts to please call me back asap.exe
Current Virus total detections: 6/51*. This message from your attorney is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...86cd5aaef5be7a125c2c4fa377906c36e81/analysis/
___

Fake rbs .com "RE: Copy" SPAM
- http://blog.dynamoo.com/2014/04/rbscom-re-copy-spam.html
1 Apr 2014 - "This very terse spam has a malicious attachment:
Date: 1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
From: Kathryn Daley [Kathryn.Daley@ rbs .com]
Subject: RE: Copy
(Copy-01042014)


The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50*. The Malwr analysis** shows that it has the characteristics of P2P/Gameover Zeus and it makes several network connections starting with a download of a configuration file from: [donotclick]photovolt .ro/script/0104UKd.bis . The malware then tries to contact a number of other domains. I recommend using the following blocklist:
50.116.4.71
photovolt .ro
aulbbiwslxpvvphxnjij .biz
..."
(More listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...90daf6d94ffb803619c55a11/analysis/1396353996/

** https://malwr.com/analysis/MWY4M2M3Y2FjMGM2NGVmZGE5YTUwZTJjMDhlYmM3ZmY/
___

Royal Mail Lost Package Spam
- http://threattrack.tumblr.com/post/81388009110/royal-mail-lost-package-spam
Apr 1, 2014 - "Subjects Seen:
Failure to deliver
Typical e-mail details:
Dear <email address>
Royal Mail has detained your package #98159-5424.Unfortunately some important information is missing to complete the delivery.
Please fulfil the documents attached, and send it back to: onlinepostage@ royalmail.com
The RM International Mail Branch holding will notify you of the reason for detention .


Malicious File Name and MD5:
rm_332009105C.zip (AB0041BC7687AE92E378B145663519C5)
Deliery_info_7383461243.pdf.exe (3F54A5BBAD1B63263135DC97037447E1)


Screenshot: https://gs1.wac.edgecastcdn.net/801...73041685b/tumblr_inline_n3cu66TITU1r6pupn.png
___

Bogus email “ACH failed...” - trojan in .scr format
- http://blog.mxlab.eu/2014/03/31/ema...ilure-contains-attached-trojan-in-scr-format/
Mar 31, 2014 - "... new trojan distribution campaign by email with the subject “ACH failed due to system failure”... has the following body:
ACH PAYMENT CANCELLED
The ACH Transfer (ID: 87052955198926), recently submitted from your savings account (by you or any other person), was CANCELLED by other financial institution.
Rejection Reason: See details in the acttached report.
Transfer Report: report_87052955198926.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association


The attached ZIP file has the name report_87052955198926.zip and contains the 19 kB large file report_28740088654298.scr. The trojan is known as W32/Trojan.MNWL-4927 or TROJ_GEN.F0D1H00CV14. At the time of writing, 3 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 1ab76103d28fda1ed11d2019e7c47df3d57401aee43e7df785b057853f9c1f52 "
* https://www.virustotal.com/en/file/...df3d57401aee43e7df785b057853f9c1f52/analysis/

** https://malwr.com/analysis/OTg5MWRiNTM5ODk4NDU0Y2E3ZDc5NGYzYjgzNzUyMGM/

Something evil on 66.96.223.204 + 213.229.69.41, Facebook SPAM...

FYI...

Something evil on 66.96.223.204
- http://blog.dynamoo.com/2014/04/something-evil-on-6696223204.html
2 Apr 2014 - "66.96.223.204 (Network Operations Center, US) appears to be hosting some sort of malicious redirectors being used in current malware campaigns. VirusTotal gives a snapshot of the badness*.
* https://www.virustotal.com/en-gb/ip-address/66.96.223.204/information/
Recommended blocklist:
66.96.223.204 ..."
(More URLs listed at the dynamoo URL above.)
___

Something evil on 213.229.69.41
- http://blog.dynamoo.com/2014/04/something-evil-on-2132296941.html
2 Apr 2014 - "This tweet by Malmouse* got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness. First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way... VirusTotal gives a good overview of the badness on this IP**.
** https://www.virustotal.com/en-gb/ip-address/213.229.69.41/information/
... All these domains appear to be recently registered with the exception of gfthost .com which has ns1.gfthost .com and ns2.gfthost .com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection... I recommend that you -block- 213.229.69.41 (Simply Transit, UK) ..."
* https://twitter.com/malm0u53/status/451299152316882944
___

Fake Facebook emails lead to Upatre Malware
- http://blog.malwarebytes.org/securi...k-notification-emails-lead-to-upatre-malware/
Apr 2, 2014 - "... SPAM messages in circulation bearing the message “Some men commented on your status”... Here’s the spam message currently landing in mailboxes, which looks like a Facebook notification:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/fbcute1.jpg
... The -clickable- link leads to a Dropbox page which is currently offline. The Malware involved in this particular spam run claims to be a PDF file:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/fbspam2.jpg
The spammers are making use of the Windows feature which hides extensions of common file types...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/fbspam3.jpg
... the so-called PDF is actually an .scr file, commonly used in Malware campaigns... As for the Malware itself, the VirusTotal score is currently pegged at 23/51*, a Malwr analysis can be seen here**... Upatre is well known for email campaigns and downloading additional Malware onto a compromised PC – from there, browser credentials, insecure passwords and anything else the attacker can think of could be up for grabs. Upatre often tends to go hand in hand with ZBot, which has many ties to Ransomware..."
* https://www.virustotal.com/en/file/...d2962419042798108fea12ed8c656d59322/analysis/

** https://malwr.com/analysis/M2YyMjYwNjhkM2I1NDMxN2E5ZWQzNWNiYjQzMzljZTI/

- http://myonlinesecurity.co.uk/facebook-men-commented-status-fake-pdf-malware/
1 Apr 2014
___

Fake Companies House "Annual Return" – fake PDF malware
- http://myonlinesecurity.co.uk/companies-house-ar01-annual-return-received-fake-pdf-malware/
2 Apr 2014 - "... 'Annual Return' pretending to be from Companies House <web-filing@ companies-house .gov .uk> received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Companies House
Thank you for completing a submission Reference # (0282665).
• (AR01) Annual Return
Your unique submission number is 0282665
Please quote this number in any communications with Companies House.
Check attachment to confirm acceptance or rejection of this filing.
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission.
Once accepted, these changes will be displayed on the public record...


Fake Companies House(AR01) Annual Return received:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/companies-house-annual-return.png
2 April 2014: Ref_0282665.zip (7kb) - Extracts to Ref_04022014.scr
Current Virus total detections: 14/51* . This (AR01) Annual Return received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...a5fb9eb3e9cd7f52b5889f76e1df76c9dff/analysis/

Screenshot: https://gs1.wac.edgecastcdn.net/801...c4f6394cb/tumblr_inline_n3ew2oX2u81r6pupn.png
___

Fake Bitdefender A/V ...
- http://www.hotforsecurity.com/blog/fans-tricked-with-fake-bitdefender-antivirus-plus-2015-8262.html
Mar 31, 2014 - "... -fake- Bitdefender antivirus download posted on YouTube leads users to fraudulent surveys and premium SMS scams. The video had hundreds of views and several French users posted messages to warn others.
> http://www.hotforsecurity.com/wp-co...with-fake-bitdefender-antivirus-plus-2015.jpg
... The grammatically-troubled spammers lure users into clicking on a URL-shortened link that hides a fraudulent website. The “Bitdefender” download is then blocked by a phony human verification warning. “It is very simple to verify, just complete any of the verification forms or surveys from the list below,” the message reads. The options include direct downloads, “how smart are you” surveys and selections of soccer games.
> http://www.hotforsecurity.com/wp-co...th-fake-bitdefender-antivirus-plus-2015-1.jpg
Users never get to download Bitdefender Antivirus Plus 2015, but they are redirected to scams such as premium SMS fraud that copies Facebook’s design to look like a legitimate app of the social network. For a month now, several “entrepreneurs” have also been spreading license keys for Bitdefender Total Security on Facebook. Bitdefender has reported the -fake- YouTube video and the -deceptive- Facebook profile and advises users to be cautious before downloading security software from third parties..."

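A gateway-side check for the disguised attachments that recur throughout this thread (a .pdf.exe or .doc.exe double extension, a bare .scr behind a PDF icon, or a PE file renamed to .pdf): this is an added example, not code from any of the quoted posts, and the sample ZIP and its member names are constructed to mirror the attachments described.

```python
"""Inspect ZIP e-mail attachments for executables disguised as documents.

Added example for this thread, not code from any of the quoted blogs. The
member names below are constructed to mirror the attachments described
(a .pdf.exe double extension, a bare .scr, and a PE renamed to .pdf).
"""
import io
import zipfile

# Extensions Windows executes on double-click; the campaigns here hide
# .exe and .scr behind PDF/DOC icons.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Document extensions the attachments pretend to carry.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def classify_name(name):
    """Return (looks_executable, reasons) for one member's file name."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return False, reasons
    final_ext = "." + parts[-1]
    looks_exec = final_ext in EXECUTABLE_EXTS
    if looks_exec:
        reasons.append("executable extension " + final_ext)
        # e.g. Deliery_info_....pdf.exe: a document extension sits before the
        # real one, so Explorer with extensions hidden shows "....pdf"
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension ." + parts[-2] + final_ext)
    return looks_exec, reasons


def inspect_zip(data):
    """Inspect every file member of an in-memory ZIP; return a list of dicts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            looks_exec, reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                magic = fh.read(2)
            # Every Win32 PE file starts with "MZ", whatever its name says.
            is_pe = magic == b"MZ"
            if is_pe and looks_exec:
                reasons.append("MZ header confirms a PE executable")
            elif is_pe:
                reasons.append("MZ header under a non-executable name")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "is_pe": is_pe,
                "reasons": reasons,
                "suspicious": bool(reasons),
            })
    return findings


def suspicious_members(data):
    """Sorted names of members a mail gateway should quarantine."""
    return sorted(f["name"] for f in inspect_zip(data) if f["suspicious"])


def build_sample_zip():
    """Constructed sample attachment (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Deliery_info_7383461243.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("OutlookSettings.scr", b"MZ" + b"\x90" * 30)
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 14)   # PE renamed to .pdf
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")      # genuine PDF
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        flag = "QUARANTINE" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:35} {f['size']:5d}B  {'; '.join(f['reasons'])}")
```

The name check alone would pass the renamed PE, which is why the MZ magic is read for every member regardless of extension.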
Attachment inside an attachment - UPATRE ...

FYI

Attachment inside an attachment - UPATRE ...
- http://blog.trendmicro.com/trendlab...he-ante-with-attachment-inside-an-attachment/
Apr 4, 2014 - "... the UPATRE threat is constantly advancing its techniques–this time, by using multiple levels of attachments... a spammed message that imitates emails from known banks such as Lloyds Bank and Wells Fargo. The spam within spam technique was already notable in itself, as the .MSG file contained another .MSG file attached–only this time, the attached file actually contains the UPATRE variant, which we detect as TROJ_UPATRE.YYKE...
An email from “Lloyds Bank” contains a .MSG attachment
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/04/upatre-spam1.png
Opening the .MSG attachment reveals a malicious .ZIP file
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/04/upatre-spam2.png
Based on our analysis, TROJ_UPATRE.YYKE downloads its ZBOT tandem, detected as TSPY_ZBOT.YYKE. This ZBOT variant then downloads a NECURS variant detected as RTKT_NECURS.RBC. The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk for further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase of this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages... Users should always be on their guard when dealing with unknown or unfamiliar emails, sites, or files..."
___

SPAM: Important – New Outlook Settings – fake PDF malware
- http://myonlinesecurity.co.uk/important-new-outlook-settings-fake-pdf-malware/
Apr 4, 2014 - "... pretends to come from your own domain is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Please carefully read the attached instructions before updating settings.
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ thespykiller .co .uk and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


4 April 2014: OutlookSettings.zip (7kb) : Extracts to OutlookSettings.scr
Current Virus total detections: 5/51*. This Important – New Outlook Settings is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustotal.com/en/file/...cf2dd21c36d246062b0f6a176921d7d7c53/analysis/
____

Twitter Spam: Compromised Accounts and Websites lead to Diet Spam
- http://www.symantec.com/connect/blogs/twitter-spam-compromised-accounts-and-websites-lead-diet-spam
4 Apr 2014 - "Earlier this week, a large number of Twitter accounts were compromised and used by spammers to spread “miracle diet” spam. The compromised accounts included public figures, as well as average users of the social networking service.
Twitter miracle diet spam:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure1_10.png
... Twitter is no stranger to this problem. Over the years, we’ve seen many different campaigns try to capitalize on the latest miracle diet craze. In this particular case, spammers are trying to peddle garcinia cambogia extract through a page designed to look identical to the real Women’s Health website.
Fake promotional page used by spammers in this campaign
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure2_6.png
Many of the tweets contained messages saying “I couldn’t believe it when I lost 6 lbs!” and “I was skeptical, but I really lost weight!” followed by a URL shortened using Bitly .com. Celebrities and public figures are often sought after to help endorse products. One of the compromised accounts... By compromising accounts like Jamie’s, spammers increase their odds of convincing someone to click on their links and perhaps even purchase the diet product... Diet spam is here to stay and social networks remain the perfect place for spammers to try to make money off of unsuspecting users..."
___

Fiesta Exploits Kit Targeting High Alexa-Ranked Site
- https://atlas.arbor.net/briefs/index#-564048760
Elevated Severity
3 Apr 2014
Analysis: Exploits kits are easy to find and purchase, making attacks relatively easy for cybercriminals. Like other kits, Fiesta EK includes a number of exploits targeting widespread applications with disclosed vulnerabilities; it is rare for a kit to have zero-day capabilities... In addition, most vulnerabilities targeted by kits have patches available, including some updates available as far back as 2012. The most likely intended victims of EKs are therefore those with unpatched systems. Applying patches in a timely manner is absolutely critical for network security. Multiple Fiesta EK campaigns, including this current one, have made use of -dynamic- DNS (DDNS) domains to host exploits. Due to the widespread malicious use of DDNS, organizations should automatically scrutinize network traffic to DDNS in order to determine whether or not it is legitimate.
Source: http://community.websense.com/blogs...a-exploits-kit-targeting-high-alexa-site.aspx
___

CryptoDefense - CryptoLocker imitator ...
- http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month
Mar 31, 2014 - "... CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone... Symantec has observed CrytoDefense being spammed out using emails such as the one shown:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure1_9.png
... Example of HOW_DECRYPT.HTML file:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure2_5.png
... malware authors are using the Tor network for payment of the ransom demand. If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address. The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past... Once the user opens their unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure3_3.png
... Once they have filled in the CAPTCHA correctly, the user will be presented with the ransom payment page:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure4_4.png
... As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attackers server... To further protect against threats of this nature, it is recommended that you follow security best practices and -always- backup your files..."

:mad: :mad:
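The two attachment tricks in this post (a .MSG carrying another .MSG that finally holds the ZIP, and a ZIP whose OutlookSettings.scr shows a PDF icon) are both caught by looking at what is inside the archive rather than at the icon. The script below is an added example, not code from Trend Micro, myonlinesecurity or this thread: it walks a ZIP recursively, flags entries whose content starts with the PE "MZ" signature regardless of name, flags executable extensions, and stops recursing past a fixed depth. The extension list and the sample archives are constructed here for illustration; real .MSG files would need an OLE parser, which this example does not attempt.

```python
import io
import zipfile

# Extensions Windows runs on double-click even when the file shows a PDF or
# image icon; this list is an illustrative assumption, extend it for your gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip"}
MAX_DEPTH = 3  # do not recurse into archives nested deeper than this


def _ext(name: str) -> str:
    """Lower-cased final extension of an entry name ("Invoice.pdf.exe" -> ".exe")."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1]).lower() if "." in base else ""


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a ZIP, recursing into nested ZIPs, and return (path, reason) findings."""
    if depth > MAX_DEPTH:
        return [(prefix, "nesting depth exceeded, not inspected")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "not a valid ZIP archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _ext(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            # A Windows PE image always starts with "MZ"; check content, not name.
            if head == b"MZ":
                findings.append((path, "PE executable content (MZ header)"))
            if ext in EXECUTABLE_EXTS:
                findings.append((path, "executable extension " + ext))
            if ext in ARCHIVE_EXTS:
                findings.append((path, "nested archive"))
                findings.extend(inspect_archive(zf.read(info), depth + 1, path + "!"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when anything beyond plain nesting was found (executables, bad ZIPs)."""
    return any(reason != "nested archive" for _, reason in inspect_archive(data))


def _zip_bytes(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: a stub with a PE header behind the
# .scr name seen in the Outlook Settings spam, a ZIP inside a ZIP mirroring the
# attachment-inside-an-attachment pattern, and a harmless PDF for contrast.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 58
SAMPLE_OUTLOOK = _zip_bytes({"OutlookSettings.scr": FAKE_PE})
SAMPLE_NESTED = _zip_bytes({"invoice.zip": _zip_bytes({"Invoice.pdf.exe": FAKE_PE})})
SAMPLE_CLEAN = _zip_bytes({"report.pdf": b"%PDF-1.4\n% constructed placeholder\n"})

if __name__ == "__main__":
    for label, sample in (("outlook", SAMPLE_OUTLOOK), ("nested", SAMPLE_NESTED), ("clean", SAMPLE_CLEAN)):
        print(label, is_suspicious(sample), inspect_archive(sample))
```

The content check matters more than the extension check: a file named Invoice.pdf with an MZ header is still a program once the user renames it, and "show known file extensions" only helps the user, not the gateway. The depth limit is there so a deliberately deep nest does not turn the inspector into a resource sink.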
Fake Evernote leads to malware ...

FYI...

Fake Evernote – Image has been sent – leads to malware download
- http://myonlinesecurity.co.uk/image-sent-fake-evernote-leads-malware-download/
8 April 2014 - "... appears to come from Evernote service [support@ evernote .com] another one from the current bot runs which try to drop loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment
Image has been sent < your name>.
DCIM_4199.jpg <http ://kingperu .com/1.html >
28 Kbytes
Go to Evernote <http ://kingperu .com/1.html>
2014 Evernote. Privacy policy provides our policies and procedures for collecting, using, and disclosing your information.
Users can access the Evernote service (the “Service”) through our website, applications on Devices, through APIs, and through third-parties.
A “Device” is any computer used to access the Evernote Service, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/evernote-image-has-been-sent.png

Following the link in the email sends you to a page offering a download of Vio player (why on earth anybody would think that they need vio player to view an image in evernote, I really don’t know). You -don’t- get the download offering from the original page but that loads 3 sites in the background and you are randomly sent to one...
8 April 2014 : setup.exe (565kb) : Current Virus total detections: 5/51*"
* https://www.virustotal.com/en/file/...44b9cdc84a04890e0450e979d9be1bd21b4/analysis/
___

Fake Sage SPAM ...
- http://blog.dynamoo.com/2014/04/sage-please-see-attached-copy-of.html
8 April 2014 - "This -fake- Sage spam comes with a malicious attachment:
Date: Tue, 8 Apr 2014 08:65:82 GMT
From: Sage [Merrill.Sterling@ sage-mail .com]
Subject: RE: BACs #3421309
Please see attached copy of the original invoice.


Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51*. The Malwr analysis** shows that it attempts to download a configuration file from [donotclick]hemblecreations .com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.
Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij .biz
..."
(More URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fi...3f2ca429329fdea2bfa2c2c8/analysis/1396961704/

** https://malwr.com/analysis/MDBjYmFhY2Q3ZDNjNDg0N2I3MGFmYTY0MjJlMWRhYTI/

- https://www.virustotal.com/en/ip-address/50.116.4.71/information/
___

Fake Starbucks 'gift' email – fake PDF malware
- http://myonlinesecurity.co.uk/starbucks-coffee-company-gift-form-friend-fake-pdf-malware/
8 April 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is slightly more unusual than most others because they are sending a .exe file in the email and not a zipped file...
Your friend just made an order at Starbucks Coffee Company a few hours ago.
He pointed he is planning to make a special gift for you and he have a special occasion for that.
We’ve arranged an awesome menu for that case that can really surprise you with our new flavors.
In the attachment you can view the whole menu and the address and the exact time you can come and celebrate this day with your friend.
He asked to stay anonymous in order to make some mystery and desire to come and enjoy this atmosphere.
Have an awesome evening!


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/starbucks-gift.png

8 April 2014 Starbucks Coffee Company gift details on 12.04.2014.exe - Current Virus total detections: 4/50*. This Starbucks Coffee Company gift form your friend is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...bc8bc67265fe6df6e4732bcaf4dde672541/analysis/
___

Bank of America CashPro Spam
- http://threattrack.tumblr.com/post/82109999294/bank-of-america-cashpro-spam
Apr 8, 2014 - "Subjects Seen:
FW: Important documents
Typical e-mail details:
Important account documents
Reference: C58
Case number: 8924169
Please scan attached document and fax it to +1 (888) 589-0271.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions...


Malicious File Name and MD5:
AccountDocuments.zip (2A3034F7E6AD24B58CA11ED13AB2F84D)
Account_Documents.scr (3CD24390EDAE91C0913A20CEF18B5972)


Screenshots: https://gs1.wac.edgecastcdn.net/801...f01130b0a/tumblr_inline_n3q546rTSR1r6pupn.png

Tagged: Bank of America, CashPro, Upatre
___

Scam Virus Shield app top paid app in Play Store
- http://blog.malwarebytes.org/mobile-2/2014/04/scam-virus-shield-app-top-paid-app-in-play-store/
Apr 8, 2014 - "An app claiming to be an antivirus solution climbed the charts as a top paid app in the Play Store... The problem is the app is a -fake-, a scam really. It does not scan for nor does it detect malware on Android devices...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/04/virussheild03.jpg
The app doesn’t do much but change the protection status and run a progress bar in the notification area. Although it appears to do a scan, it does not and has very limited functionality. The app is no longer in the Play Store and was first reported by Android Police*..."
* http://www.androidpolice.com/2014/0...loads-a-4-7-star-rating-and-its-a-total-scam/

- http://cdn.androidpolice.com/wp-content/uploads/2014/04/nexusae0_2014-04-07-02.08.02.png

:fear: :mad:
Instagram SCAM, Fake eBay emails ...

FYI...

Instagram Scam: Lottery Winners impersonated to offer Money for Followers
- http://www.symantec.com/connect/blo...ry-winners-impersonated-offer-money-followers
9 Apr 2014 - "... Instagram scammers have been posting images offering -fake- lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers...
> http://www.symantec.com/connect/sites/default/files/users/user-2998361/figure1_20.png
... In this -scam- a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address... It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts... if it sounds too good to be true, it is."
___

Something evil on 66.96.223.192/27
- http://blog.dynamoo.com/2014/04/something-evil-on-669622319227.html
9 Apr 2014 - "There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already -flagged- as malicious by Google, and I've reported on bad IPs in this range before. A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here* [csv]. I would recommend applying the following blocklist:
66.96.223.192/27
capcomcom .com
chebuesx .com
..."
(Long list at the dynamoo URL above.)
* http://www.dynamoo.com/files/66.96.223.192-27.csv
___

Fake eBay emails – Pharma SPAM
- http://myonlinesecurity.co.uk/fake-delayed-mails-ebay-pharma-spam/
9 Apr 2014 - "... we are now seeing fake < Your name >, You have delayed mails from eBay. In exactly the same way as The Fake Facebook Messages, these fake Ebay messages appear to come from eBayNotifier but are being sent by one of the botnets and -not- by Ebay at all. These only have 1 link in them unlike the previous which normally have 2 links in them, that if you are unwise enough to click on them will either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs. Today's offerings are to a Canadian Pharma spam site. Always hover over the links in these emails and you will see that they do -not- lead to Ebay. Do not click on the links, just -delete- the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected... Email text will say something like:
Your name,
You have delayed mail
View mails
Yours truly
eBayNotifier


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/You-have-delayed-mails-from-eBay.png ..."

:mad: :fear:
Fake CDS, DHL SPAM ...

FYI...

Fake CDS Invoice – fake PDF malware
- http://myonlinesecurity.co.uk/cds-invoice-fake-pdf-malware/
10 April 2014 - "Following on from today’s and other recent DHL* and -other- delivery service failure notices, the malware gangs have changed track and are sending out local courier company invoices. CDS Invoice pretending to come from accounts@ cdsgroup .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear client
Please find attached your invoice number 168027
If you have any queries with this invoice, please email us... or call us...
For and on behalf of The CDS Group of Companies
Crawfords of London | Crawfords Delivery Services | Media Express | CDS International
Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International...
This message and any attachment are confidential and may be privileged...
This email has been scanned...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/cds-invoice.png

9 April 2014: CDS_INVOICE_168027.zip (464 kb): Extracts to CDS_INVOICE_168027.exe
Current Virus total detections: 6/51**. This CDS Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/dhl-delivery-failure-fake-pdf-malware/
10 April 2014

Fake DHL email Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/02/DHL-delivery-report.png

** https://www.virustotal.com/en/file/...2b43b699f0c725de9def260c/analysis/1397115564/
___

SCAM: Climate Change And Health Conference ...
- http://blog.dynamoo.com/2014/04/ccahc-climate-change-and-health.html
10 April 2014 - "This -spam- is a form of an advanced fee fraud scam:
From: CCAHC ccahc@ live .com
Reply-To: ccahc@ e-mile .co .uk
Date: 10 April 2014 16:04
Subject: Call for Poster
CCAHC: Climate Change And Health Conference 2014
Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014.
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues...
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom


The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using -free- email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap... the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will -vanish- taking their mythical conference with them."
___

Fake UPS SPAM - Exception Notification – fake PDF malware
- http://myonlinesecurity.co.uk/ups-exception-notification-fake-pdf-malware/
10 April 2014 - "... UPS Exception Notification pretending to be from UPS Quantum View [auto-notify@ ups .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This one has links in the email to download the malware laden zip, rather than an attachment...
UPS
Discover more about UPS:
Visit ups .com
At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
Important Delivery Information
Tracking Number:1Z522A9A6892487822 [ clickable URL ]
Rescheduled Delivery Date:14-April-2014
Exception Reason:THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
Exception Resolution:PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
Shipment Detail ...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/04/UPS-Exception-Notification.png

... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."

:mad: :fear:
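The CCAHC analysis above leans on three header facts: the Reply-To domain does not match the From domain, the sender is on a free webmail service, and the Received chain shows the mail originating at 196.46.246.174 before passing through 221.120.96.3. The earlier Sage sample in this thread adds a fourth tell, a Date header of 08:65:82 that no real mail client would produce. The script below is an added example (not from dynamoo or myonlinesecurity) that pulls those four checks out of a raw message. The two messages are constructed for the example: the CCAHC hop addresses and sender domains are the ones quoted on this page, while the relay hostnames, the Sage originating address 192.0.2.10 and the webmail domain list are placeholders and assumptions.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Webmail domains that tie a sender to no organisation. Assumed illustrative
# subset; a real gateway would carry a fuller list.
FREEMAIL_DOMAINS = {"live.com", "hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _domain(header_value) -> str:
    """Domain part of the first address in a From/Reply-To header, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage_headers(raw: bytes) -> dict:
    """Run the sender, Reply-To, Date and Received-chain checks on a raw message."""
    msg = email.message_from_bytes(raw)  # default policy: headers stay plain strings
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from from domain")
    if from_dom in FREEMAIL_DOMAINS:
        flags.append("sender uses free webmail domain")
    try:
        parsedate_to_datetime(msg.get("Date"))
    except (TypeError, ValueError):
        # Missing, malformed, or impossible values such as 08:65:82 end up here.
        flags.append("unparseable or impossible Date header")
    # Each relay prepends its own Received header, so the top entry is the
    # final hop and the bottom entry is the hop nearest the origin.
    hops = [ip for h in msg.get_all("Received", []) for ip in IPV4_RE.findall(h)]
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "hops": hops,
        "origin_ip": hops[-1] if hops else None,
        "flags": flags,
    }


# Constructed messages. Relay hostnames and the Sage hop 192.0.2.10 are
# placeholders; the CCAHC addresses are those quoted in the dynamoo post.
RAW_CCAHC = b"""\
Received: from mail.example.net (mail.example.net [221.120.96.3])
  by spamtrap.example.org with ESMTP; Thu, 10 Apr 2014 16:05:11 +0100
Received: from [196.46.246.174] by mail.example.net with SMTP;
  Thu, 10 Apr 2014 16:04:02 +0100
From: CCAHC <ccahc@live.com>
Reply-To: ccahc@e-mile.co.uk
Date: Thu, 10 Apr 2014 16:04:00 +0100
Subject: Call for Poster

Dear Colleague,
"""

RAW_SAGE = b"""\
Received: from [192.0.2.10] by mx.example.org with SMTP; Tue, 8 Apr 2014 09:01:00 +0000
From: Sage <Merrill.Sterling@sage-mail.com>
Date: Tue, 8 Apr 2014 08:65:82 GMT
Subject: RE: BACs #3421309

Please see attached copy of the original invoice.
"""

if __name__ == "__main__":
    for name, raw in (("CCAHC", RAW_CCAHC), ("Sage", RAW_SAGE)):
        print(name, triage_headers(raw))
```

None of these checks is proof on its own (plenty of legitimate mail has a differing Reply-To), which is why the function returns every flag rather than a single verdict; the Received chain is the piece worth keeping, since the bottom hop is the only part of the header the sender could not simply type in.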
Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.

FYI...

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
- http://blog.dynamoo.com/2014/04/something-evil-on-6275140236-6275140237.html
11 April 2014 - "This set of IPs is being used to push the Angler EK [1*] [2**]:
Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.
Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range..."
(Long list of domains at the dynamoo URL above.)
* http://wepawet.iseclab.org/view.php?hash=7d33b6700333f1babb56e2f92b006524&t=1397206144&type=js

** http://urlquery.net/report.php?id=1397206442682
___

Fake UKMail - Proof of Delivery Report – fake PDF malware
- http://myonlinesecurity.co.uk/proof-delivery-report-ukmail-fake-pdf-malware/
11 April 2014 - "Continuing from yesterday’s theme of parcel & courier email messages, the malware bad guys are continuing with the same theme today. Proof of Delivery Report: 09/04/14-11/04/14, pretending to come from UKMail Customer Services [list_reportservices@ ukmail .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
………………………………………………………………………………………………………………………
iMail Logo
“For creating, printing and posting your next day mail”
click here to realise the savings that you could make
Please consider the environment before printing this e-mail or any attachments.
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
UK Mail Group Plc is registered and incorporated in England.
Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
Registered Company No.: 02800218.


11 April 2014: poddel-pdf-2014041103004500.zip (59 kb). Extracts to poddel-pdf-2014041103004500.exe
Current Virus total detections: 2/51*. This Proof of Delivery Report: 09/04/14-11/04/14 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...51bc7fc03e4ecabbe3e5ab09e68e29a8f0d/analysis/

:mad: :fear:
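The two dynamoo posts above (66.96.223.192/27, and the Intergenia/HostNOC addresses pushing Angler EK) each give a precise set of hits plus the advice to consider blocking the whole /24 at the cost of some legitimate sites, and the Fiesta EK brief earlier in the thread adds that traffic to dynamic-DNS names deserves scrutiny. The script below is an added example, not the blog's or the vendors' code, showing how to turn those three pieces of advice into a single triage pass over proxy log lines: exact hits are "block", the surrounding /24s are "review", DDNS names are "ddns", and the rest is "allow". The CIDRs and the two domains come from the posts above; the log lines, the hostnames in them, the log format and the DDNS suffix list are constructed assumptions.

```python
import ipaddress

# CIDRs and domains quoted in the two dynamoo posts above. BLOCK_NETS are the
# addresses observed serving the exploit kits; REVIEW_NETS are the surrounding
# /24s the author suggests considering, which also hold legitimate sites.
BLOCK_NETS = [ipaddress.ip_network(n) for n in (
    "66.96.223.192/27",
    "62.75.140.236/32", "62.75.140.237/32", "62.75.140.238/32",
    "64.120.207.253/32", "64.120.207.254/32",
)]
REVIEW_NETS = [ipaddress.ip_network(n) for n in (
    "66.96.223.0/24", "62.75.140.0/24", "64.120.207.0/24",
)]
BLOCK_DOMAINS = {"capcomcom.com", "chebuesx.com"}
# Dynamic-DNS parent domains to scrutinise per the Fiesta EK note. Assumed,
# illustrative subset; the brief names the category, not providers.
DDNS_SUFFIXES = ("no-ip.org", "dyndns.org", "hopto.org")


def classify_ip(ip: str) -> str:
    """'block' for listed hosts, 'review' for the wider /24s, else 'allow'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCK_NETS):
        return "block"
    if any(addr in net for net in REVIEW_NETS):
        return "review"
    return "allow"


def classify_host(host: str) -> str:
    """'block' for listed domains and their subdomains, 'ddns' for DDNS names."""
    h = host.lower().rstrip(".")
    if any(h == d or h.endswith("." + d) for d in BLOCK_DOMAINS):
        return "block"
    if any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES):
        return "ddns"
    return "allow"


VERDICT_ORDER = {"block": 0, "review": 1, "ddns": 2, "allow": 3}


def triage_log(text: str) -> list:
    """Parse constructed proxy lines (ts client dst_ip host method path) and
    return (host, dst_ip, verdict), keeping the more severe of the two checks."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _client, dst_ip, host, _method, _path = line.split()
        verdicts = (classify_ip(dst_ip), classify_host(host))
        out.append((host, dst_ip, min(verdicts, key=VERDICT_ORDER.__getitem__)))
    return out


def firewall_rules(whole_neighbourhoods: bool) -> list:
    """CIDR list to deploy: the precise hits, or the collapsed /24s when the
    author's broader 'consider blocking the /24' advice is taken."""
    nets = BLOCK_NETS + REVIEW_NETS if whole_neighbourhoods else BLOCK_NETS
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed proxy log; private/documentation addresses except the page's IPs.
SAMPLE_LOG = """\
2014-04-11T10:02:13Z 10.1.1.25 66.96.223.200 capcomcom.com GET /index.php
2014-04-11T10:02:40Z 10.1.1.25 62.75.140.237 hijacked.example.org GET /x.html
2014-04-11T10:03:05Z 10.1.1.31 62.75.140.10 shop.example.net GET /
2014-04-11T10:03:30Z 10.1.1.31 203.0.113.8 update.hopto.org GET /gate.php
2014-04-11T10:04:01Z 10.1.1.42 198.51.100.7 example.com GET /
"""

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(*row)
    print("precise:", firewall_rules(False))
    print("neighbourhoods:", firewall_rules(True))
```

Keeping the precise hits and the /24 neighbourhoods as separate lists is the point: the "review" verdict lets you watch the wider range for a while before deciding whether the collateral of a /24 block is acceptable, and collapse_addresses shows what the firewall would actually receive under each choice.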