SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Court appearance' SPAM, Bank phish-sites

FYI...

Fake 'Court appearance' SPAM - JS malware
- http://myonlinesecurity.co.uk/notice-of-appearance-in-court-js-malware/
5 Sep 2015 - "An email with the subject of 'Notice of appearance in Court #0000440904' [random numbered] pretending to come from County Court with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co.../Notice-of-appearance-in-Court-0000440904.png

5 September 2015: 0000440904.zip: Extracts to: 0000440904.doc.js
Current Virus total detection 9/57* ... which downloads 2 files 14136619.exe (Virus total**) and 1e0e6fda2680957[1].gif (VirusTotal***) from a combination of these 3 sites:
selmaryachtmarket .com
fibrasinteticafm .com
laterrazzafiorita .it
... None of the automatic analysers even mention any reference to digital signatures whatsoever: Hybrid Analysis Win8.1 [1] | Hybrid Analysis Win 7 [2] | MALWR [3]
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b7b0dff62e89846d5c9ae73e/analysis/1441437273/

** https://www.virustotal.com/en/file/...432edb9c9f9f3e998860dc26/analysis/1441413005/

*** https://www.virustotal.com/en/file/...cbf8de8e8f0de910aa1c8474/analysis/1441438363/

1] https://www.hybrid-analysis.com/sam...f6a93432edb9c9f9f3e998860dc26?environmentId=3

2] https://www.hybrid-analysis.com/sam...f6a93432edb9c9f9f3e998860dc26?environmentId=1

3] https://malwr.com/analysis/ZDE5ODQxNTU1MWYxNGZkOTllNDA1NWMzNTM2ZGU1OTY/

selmaryachtmarket .com: 174.137.191.22: https://www.virustotal.com/en/ip-address/174.137.191.22/information/
fibrasinteticafm .com:
54.228.191.204: https://www.virustotal.com/en/ip-address/54.228.191.204/information/
45.55.195.124: https://www.virustotal.com/en/ip-address/45.55.195.124/information/
177.71.183.219: https://www.virustotal.com/en/ip-address/177.71.183.219/information/
54.241.242.142: https://www.virustotal.com/en/ip-address/54.241.242.142/information/
54.83.41.200: https://www.virustotal.com/en/ip-address/54.83.41.200/information/
177.71.188.70: https://www.virustotal.com/en/ip-address/177.71.188.70/information/
laterrazzafiorita .it: 208.43.65.115: https://www.virustotal.com/en/ip-address/208.43.65.115/information/
___

UK bank phish-sites on teamhelpers .com
- http://myonlinesecurity.co.uk/uk-bank-phishing-sites-on-teamhelpers-com/
5 Sep 2015 - "I received a couple of -phishing- emails this morning that both lead to UK bank phishing sites on teamhelpers .com. So far I have seen one for Halifax Bank and one for Lloyds Bank. The subjects include 'Your Halifax online banking needs updating' and 'Your Lloyds online banking needs updating'. I would not be at all surprised to find out that there are many other different UK bank phishing sites on teamhelpers .com. I just haven’t found them yet...

Screenshot1: http://myonlinesecurity.co.uk/wp-co...ax-online-banking-needs-updating-1024x610.png

Screenshot2: http://myonlinesecurity.co.uk/wp-co...ds-online-banking-needs-updating-1024x612.png

They are both common subjects in a bank phishing attempt. We see them pretending to be from PayPal and your Bank or Credit Card, with a message saying some thing like :
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your online banking needs updating
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
... These will NEVER be genuine emails from PayPal or Your Bank so don’t ever follow the link-in-the-email which leads to a website that looks at first glance like the genuine bank website. This particular phishing campaign starts with an email with-a-link. In this case to a newly created base domain teamhelpers .com Which is hosted on Godaddy .com... you would be very hard-pressed to tell the difference between the -fake- one and the genuine site. The only way is to look at the address bar and in the -Genuine- bank site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)... This either means that the new domain has been hacked already due to insecurities in the site software and Godaddy servers or more likely that the entire site was set up to act as a -fraud- site and Godaddy are not being as efficient and proactive as they should be with weeding out fake registrations..."

Phish1: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/halifax_teamhelpers-1024x678.png

Phish2: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/lloyds_teamhelpers-1024x707.png

Genuine: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Halifax_real_site-1024x672.png

teamhelpers .com: 107.180.41.152: https://www.virustotal.com/en/ip-address/107.180.41.152/information/

:fear::fear: :mad:
 
Fake 'Companies House', 'scanner notice' SPAM, EK's on 184.105.163.192/26

FYI...

Fake 'Companies House' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-companies-house.html
7 Sep 2015 - "This spam does -not- come from Companies House, but is instead a simple forgery with a malicious attachment:
From "Companies House" [WebFiling@ companieshouse .gov.uk]
Date Mon, 7 Sep 2015 12:40:01 +0100
Subject RE: Case 0676414
The submission number is: 0676414
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@ companies-house .gov.uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message...


The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file. This executable has a detection rate of 4/56*. The Hybrid Analysis report** shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre."
* https://www.virustotal.com/en/file/...d0ade5c087d77df6aa983252/analysis/1441627466/

** https://www.hybrid-analysis.com/sam...52e4bd0ade5c087d77df6aa983252?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'scanner notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/important-system-scanner-notice-fake-pdf-malware/
7 Sep 2015 - "An email with the subject of 'Important system scanner notice' coming from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Our system scanner indicates 69405063 error(s). Please see the attached documentation and contact with us ASAP.
Regards,
Online system security
Mrs. Kendall Howell
tel. 503-012-0597
Email : prabha@ klcc .com.my


The alleged sender matches the name of the company and email address in the body of the email. The numbers of errors are random. Some of the other subjects in this series of -Upatre- downloaders include:
Important system e-mail
Protection shield system scanner report
Urgent security system notification
Protection shield system scanner e-mail
Security system scanner notification
Urgent system scanner notice
Protection shield system scanner e-mail
And -hundreds- of other variations along the same theme...
7 September 2015: Cary PlazaGL_report-HUDY9Ife7_.zip: Extracts to: Imogene CoveBR_report.exe
Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...2b461261f7a3447494d6529d/analysis/1441621866/
___

Something evil on 184.105.163.192/26 ...
- http://blog.dynamoo.com/2015/09/something-evil-on-18410516319226-white.html
7 Sep 2015 - "... I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243* hosted on what appears to be a Hurricane Electric IP... I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26... given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking-traffic to 184.105.163.192/26 to be on the safe side."
(More detail at the dynamoo URL above.)
* 184.105.163.243: https://www.virustotal.com/en/ip-address/184.105.163.243/information/

:fear::fear: :mad:
 
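Added example (not code from the myonlinesecurity.co.uk or dynamoo.com posts quoted above): a small Python triage for zip attachments of the kind described in the two posts above. It checks each archive member's name for the double-extension trick (0000440904.doc.js is displayed as 0000440904.doc when "show known file extensions" is off), for directly executable extensions such as .scr, and reads the leading bytes so that a PE file renamed to .pdf is caught whatever icon it carries. The extension sets are a practical shortlist, not everything Windows will run, and the archive it scans is built in memory from placeholder bytes, not a real sample.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Added example; not code from the quoted posts. Extension sets are a practical
# shortlist (assumption), not an exhaustive list of what Windows will execute.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "ps1", "lnk", "cpl", "msi",
}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
PE_EXTS = {"exe", "scr", "dll", "com", "cpl"}
# What the leading bytes should look like for a document extension we recognise.
EXPECTED_CONTENT = {
    "pdf": {"pdf"}, "doc": {"ole2", "zip"}, "docx": {"zip"},
    "xls": {"ole2", "zip"}, "xlsx": {"zip"},
}
# (magic bytes, label) for the container types these campaigns deliver or impersonate
MAGIC = (
    (b"MZ", "pe"),                                   # Windows PE: .exe/.scr/.dll
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy Office (.doc/.xls)
    (b"PK\x03\x04", "zip"),                          # zip, also .docx/.xlsx
)


@dataclass
class Finding:
    name: str                 # member name as stored in the archive
    shown_as: str             # what Explorer displays with the last extension hidden
    content: str              # what the leading bytes say the file is
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "block" if self.reasons else "allow"


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring the file name entirely."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def assess_member(name: str, head: bytes) -> Finding:
    """Judge one archive member from its name and its first bytes."""
    base = name.rsplit("/", 1)[-1]
    exts = base.lower().split(".")[1:]             # "x.doc.js" -> ["doc", "js"]
    last = exts[-1] if exts else ""
    shown_as = base.rsplit(".", 1)[0] if exts else base
    f = Finding(name=name, shown_as=shown_as, content=sniff(head))
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        f.reasons.append(f"double extension .{exts[-2]}.{last}, displayed as {shown_as!r}")
    elif last in EXECUTABLE_EXTS:
        f.reasons.append(f"directly executable extension .{last}")
    if f.content == "pe" and last not in PE_EXTS:
        f.reasons.append("PE header (MZ) behind a non-executable file name")
    elif (last in EXPECTED_CONTENT and f.content != "unknown"
          and f.content not in EXPECTED_CONTENT[last]):
        f.reasons.append(f"content looks like {f.content}, not .{last}")
    return f


def triage_zip(blob: bytes) -> list:
    """Scan every file in a zip attachment; only the first 16 bytes of each are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            findings.append(assess_member(info.filename, head))
    return findings


def build_sample() -> bytes:
    """Constructed archive with placeholder bytes; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0000440904.doc.js", 'var s = "placeholder";')   # .doc.js trick
        zf.writestr("Case_0043258.scr", b"MZ" + b"\x00" * 62)      # .scr shown with PDF icon
        zf.writestr("Invoice.pdf", b"MZ" + b"\x00" * 62)           # PE renamed to .pdf
        zf.writestr("quote.pdf", b"%PDF-1.4\n%placeholder")        # looks like a real PDF
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        print(f"{f.verdict:5} {f.name:22} shown as {f.shown_as!r:20} "
              f"content={f.content:7} {'; '.join(f.reasons)}")
```

Run it as-is to see the constructed archive triaged; to use it on a real attachment, pass the zip's bytes to triage_zip(). The name check alone already catches the .doc.js and .scr cases above; the magic-byte check is what catches a payload whose name has been chosen to look entirely innocent.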
Evil network: 89.144.2.0/24, .SU domains, Fake 'FedEx', 'contract' SPAM

FYI...

Evil network: 89.144.2.0/24 / Echo Romeo LLP (AS199762)
- http://blog.dynamoo.com/2015/09/something-evil-on-891442024-echo-romeo.html
8 Sep 2015 - "This post at malware.kiwi* caught my eye after a sort-of challenge by Techhelplist**. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.
* http://malware.kiwi/compromised-pti-edu-email-accounts-phishing-campaign/
...
** https://twitter.com/Techhelplistcom/status/641107799796137984
This appears to be a binary options scam*** that is using illegally -hacked- sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit .me...
*** http://www.cftc.gov/ConsumerProtect...on/CFTCFraudAdvisories/fraudadv_binaryoptions
It turns out that dailybusinessdirect .com is hosted alongside a cluster of related domains on a set of IPs belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they operate an IP range 89.144.2.0/24 which seems to be almost completely full of spam, scam and malware sites... Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, -none- of those customer sites are actually hosted in this IP address range. The first thing I noticed was a cluster of sites and IPs[4] that appear to be closely related to dailybusinessdirect .com:
4] http://pastebin.com/mieQQj5s
... Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon[5] shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?"
5] https://www.damballa.com/new-poseidon-spotted/
(More detail at the dynamoo URL at the top of this post.)

AS199762 (ECHOROMEO-AS)
> https://www.google.com/safebrowsing/diagnostic?site=AS:199762

- https://www.google.com/safebrowsing/diagnostic?site=t9e.net/

- https://www.google.com/safebrowsing/diagnostic?site=89.144.2.0/

searchingprofit .me: 82.192.91.16: https://www.virustotal.com/en/ip-address/82.192.91.16/information/

dailybusinessdirect .com: 89.144.2.158: https://www.virustotal.com/en/ip-address/89.144.2.158/information/
___

ipserver .su, 5.133.179.0/24 and 212.38.166.0/24
- http://blog.dynamoo.com/2015/09/ipserversu-5133179024-and-21238166024.html
8 Sep 2015 - "A follow-up to this post*, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:
person: Oleg Nikol'skiy
address: British Virgin Islands, Road Town, Tortola, Drake Chambers
phone: +18552100465
e-mail: abuse@ ipserver .su
nic-hdl: ON929-RIPE
mnt-by: IPSERVER-MNT
changed: abuse@ ipserver .su 20150528
created: 2015-05-28T11:11:09Z
last-modified: 2015-05-28T11:11:09Z
source: RIPE


I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165**), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service. Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating... I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all. I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation***, then my suggestion is that you block traffic to:
5.133.179.0/24
212.38.166.0/24

In the meantime I will continue digging.."
* http://blog.dynamoo.com/2015/09/something-evil-on-891442024-echo-romeo.html

** 5.133.179.165: https://www.virustotal.com/en/ip-address/5.133.179.165/information/

*** https://www.abuse.ch/?p=3581

Diagnostic page for AS20860 (IOMART-AS)
- https://www.google.com/safebrowsing/diagnostic?site=AS:20860
"... over the past 90 days, 289 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-09-08, and the last time suspicious content was found was on 2015-09-08... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 9 other site(s)... We found 97 site(s)... that infected 127 other site(s)..."
___

Fake 'FedEx' SPAM - JS malware
- http://myonlinesecurity.co.uk/fedex-standard-overnight-we-could-not-deliver-your-parcel-js-malware/
8 Sep 2015 - "An email with the subject of 'We could not deliver your parcel, #00184416 [random numbered]' pretending to come from FedEx Standard Overnight <kevin.swartz@ 189-38-86-3 .net2 .com.br> with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Customer,
We could not deliver your parcel.
Delivery Label is attached to this email.
Regards,
Kevin Swartz,
Station Agent.


8 September 2015: Delivery_Notification_00184416.zip: Extracts to: Delivery_Notification_00184416.doc.js
Current Virus total detections 9/56* ... which downloads 2 files 97823c.gif (VirusTotal**) | 12918408.exe (VirusTotal***) from a combination of these 3 sites:
dominaeweb .com
idsecurednow .com
les-eglantiers .fr
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...6c721fe5af65726afa300416/analysis/1441689276/

** https://www.virustotal.com/en/file/...c5b95d9334e9d22e5b86fd18/analysis/1441689928/

*** https://www.virustotal.com/en/file/...ca8bf1aeca61e636062fbe7e/analysis/1441658746/

dominaeweb .com: 174.36.231.69: https://www.virustotal.com/en/ip-address/174.36.231.69/information/
idsecurednow .com: 96.31.36.46: https://www.virustotal.com/en/ip-address/96.31.36.46/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-address/76.74.242.190/information/
___

Fake 'contract' SPAM - PDF malware
- http://myonlinesecurity.co.uk/edits-of-contract-fake-pdf-malware/
8 Sep 2015 - "An email with the subject of 'Edits of contract #oyMolGA of Tue, 08 Sep 2015 12:33:32 +0200 (random characters and times)' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Good day,
Please check out the edits of contract 181254053. Pay your particular attention to
paragraphs 121.39 and 148.85.
Until this contract isn’t signed, an amount won’t be remitted. If you have any questions,
please mail or call me on my additional number 63779928.
Emmalee Schaden
phone: 842-690-4561
Robel, McCullough and Gibson


8 September 2015: agreement changes Bruen Mall_jEHqrF.zip: Extracts to: renewed agreement Harber Village.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...1a04aaabfb4dc6a88b44c89e/analysis/1441708637/
___

PayPal Overpayment Scams that target Craigslist Sellers
- https://isc.sans.edu/diary.html?storyid=20115
Last Updated: 2015-09-08 - "... when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off. With this in mind, I'd like to describe my recent interactions with miscreants who target sellers on Craigslist. This encounter, which involved SMS messages, emails and a click, is a variation of a PayPal-themed overpayment -scam- that has been quite prolific in recent years... The -fake- PayPal message in my inbox clarified that I might not see the funds in my PayPal account until I sent money to the buyer's pickup agent using MoneyGram... Soon, I received two more messages claiming to be from PayPal and impressing upon me the 'safety' of the transaction... more of my articles about online scams, take a look at How Victims Are Redirected to IT Support Scareware Sites* and Conversation With a Tech Support Scammer**."
(More detail at the isc URL at the top of this post.)
* https://isc.sans.edu/diary/How+Victims+Are+Redirected+to+IT+Support+Scareware+Sites/19487/

** https://zeltser.com/tech-support-scammer-conversation/
___

Com[dot]com site leads to -Fake- Daily Mail Article, Other Dodgy Sites
- https://blog.malwarebytes.org/fraud...to-fake-daily-mail-article-other-dodgy-sites/
Sep 7, 2015 - "When news of “com .com” (previously owned by CNET) being quietly sold to dsparking .com*, a known entity in the realm of browser hijacking and domain squatting, had rippled within the security industry a couple of years ago, some experts expressed concern**...
* https://www.virustotal.com/en/domain/www.dsparking.com/information/
...
** https://blog.whitehatsec.com/why-com-com-should-scare-you/
... We recently encountered the URL, dw[DOT]com[DOT]com, that directed us to various destinations whenever we refresh it. Although this site is no longer accessible as we write this post, we were still able to visit one particular live URL destination that stood out among the rest during our testing. It is a -fake- Daily Mail news piece[3] reporting about British citizens finding a loophole wherein they can get the iPhone 6 for £1...
3] https://blog.malwarebytes.org/wp-content/uploads/2015/09/dailymail00.png
... All links on the fake Daily Mail article point to one URL, which then leads users to -random- destinations where they are offered freebies-behind-surveys or certain services... A little more digging around about dw[DOT]com[DOT]com has revealed that it also has a history of housing adware, PUPs[4], and spyware[5]... there are relatively few reports of com .com sites getting abused. That may be a good thing — at least for now; however, there may come a time when criminals would make full use of these sites for their malicious campaigns. So be advised, dear Reader, to avoid and proactively -block- them as early as now..."
4] https://www.herdprotect.com/domain-dw.com.com.aspx

5] https://www.f-secure.com/sw-desc/dw_com_com.shtml

dw .com .com: 54.201.82.69: https://www.virustotal.com/en/ip-address/54.201.82.69/information/

com .com: 209.132.243.234: https://www.virustotal.com/en/ip-address/209.132.243.234/information/

dsparking .com: 141.8.225.89: https://www.virustotal.com/en/ip-address/141.8.225.89/information/

:fear::fear: :mad:
 
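Added example (not code from the dynamoo.com posts quoted above): the posts above and in the previous post recommend blocking traffic to 184.105.163.192/26, 89.144.2.0/24, 5.133.179.0/24 and 212.38.166.0/24, and flag 197.149.90.166 as an Upatre/Dyre server. This Python script compiles those netblocks with strict validation (a typo such as 184.105.163.243/26 is rejected rather than silently covering the wrong range), scans proxy log lines for destinations inside them, and renders egress iptables rules. The log format and the log lines are constructed for the example; only the netblocks come from the posts.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the quoted posts. The netblocks are the ones those
# posts recommend blocking; the log format and lines below are constructed.
BLOCK_LIST = [
    "184.105.163.192/26",   # White Falcon range on Hurricane Electric (exploit kit traffic)
    "89.144.2.0/24",        # Echo Romeo LLP, AS199762
    "5.133.179.0/24",       # ipserver .su suballocation
    "212.38.166.0/24",      # ipserver .su suballocation
    "197.149.90.166/32",    # Upatre/Dyre server (Cobranet, Nigeria)
]

# Constructed proxy log: "<timestamp> <client ip> <destination ip> <method> <url>".
SAMPLE_LOG = """\
2015-09-08T10:15:02Z 10.0.0.7  184.105.163.243 GET http://example.invalid/flash.swf
2015-09-08T10:15:09Z 10.0.0.7  184.105.163.191 GET http://example.invalid/index.html
2015-09-08T10:16:40Z 10.0.0.12 89.144.2.158    GET http://example.invalid/offer
2015-09-08T10:17:03Z 10.0.0.31 197.149.90.166  CONNECT 197.149.90.166:443
2015-09-08T10:18:11Z 10.0.0.31 93.184.216.34   GET http://example.invalid/
garbage line that does not parse
"""


@dataclass
class Hit:
    line_no: int
    client: str
    dest: str
    network: str


def compile_blocklist(cidrs):
    """Parse and merge the CIDRs. strict=True rejects '184.105.163.243/26' (host bits
    set), the kind of slip that quietly turns a /26 into the wrong 64 addresses."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def lookup(ip_str, nets):
    """Return the blocked network containing ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net in nets:
        if ip in net:
            return net
    return None


def flag_log(lines, nets):
    """Walk proxy log lines and report destinations that fall inside a blocked range."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            net = lookup(fields[2], nets)
        except ValueError:          # third field is not an IP address; skip the line
            continue
        if net is not None:
            hits.append(Hit(n, fields[1], fields[2], str(net)))
    return hits


def iptables_rules(nets, chain="OUTPUT"):
    """Render egress DROP rules for the merged list (the posts' 'block traffic to')."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in nets]


if __name__ == "__main__":
    blocked = compile_blocklist(BLOCK_LIST)
    for h in flag_log(SAMPLE_LOG.splitlines(), blocked):
        print(f"line {h.line_no}: {h.client} -> {h.dest} is in {h.network}")
    print("\n".join(iptables_rules(blocked)))
```

Note the second log line: 184.105.163.191 sits just below the /26 boundary (.192 to .255) and is correctly not flagged, while .243, the IP dynamoo saw serving exploit kit traffic, is. Swap SAMPLE_LOG for your own proxy or firewall export, adjusting the field index in flag_log() to wherever the destination address sits in that format.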
Fake 'Internship', 'new contract', 'MP2541', 'enrollment contract' SPAM

FYI...

Fake 'Internship' SPAM – doc malware
- http://myonlinesecurity.co.uk/internship-word-doc-malware/
9 Sep 2015 - "An email with the subject of 'Internship' pretending to come from SAMETRICE BLACKBURN <pwlc@ healthassets .net> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Internship-1024x571.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
... 9 September 2015: My_Resume_7049.doc . Current Virus total detections 7/56*.
Downloads Dridex banking malware from http ://bakingsoda404 .com/dd/12345.exe (VirusTotal** 1/57)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fcb0f4cdd8e526bea50cf01b/analysis/1441779828/

** https://www.virustotal.com/en/file/...ff318f8176273ac01a74f6e4/analysis/1441780825/
___

Fake 'new contract' SPAM - PDF malware
- http://myonlinesecurity.co.uk/we-ha...-the-attached-documentation-fake-pdf-malware/
9 Sep 2015 - "An email saying 'We have submitted a new contract for your approval. Please view the attached documentation' with the subject of 'Please view' pretending to come from FAX with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Please-view-1024x481.png

9 September 2015: renewed contract Blanda Common.zip: Extracts to: agreement Braden Views.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...cecc7f2ca5737a63ef1d7eb2/analysis/1441795477/
___

Fake 'MP2541' SPAM – PDF malware
- http://myonlinesecurity.co.uk/message-from-mp2541-fake-pdf-malware/
9 Sep 2015 - "An email with the subject of 'Message from “MP2541” (random numbers)' pretending to come from DoNotReply@ b(your own email domain) with a zip attachment is another one from the current bot runs... The content of the email says :
This E-mail was sent from “MP2541” (MP 2541).
Scan Date: Wed, 09 Sep 2015 10:33:34 GMT
Queries to: DoNotReply@ ...


9 September 2015: omp cheque.zip: Extracts to: omp cheque.scr
Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...182880963f2f27c9071c8e51/analysis/1441799167/
___

Fake 'enrollment contract' SPAM – doc macro malware
- http://myonlinesecurity.co.uk/re-enrollment-contract-word-doc-macro-malware/
9 Sep 2015 - "An email with the subject of 'RE: enrollment contract' pretending to come from Calvin Hobbs <accounting@ steelgrill .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/enrollment-contract-1024x506.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
9 September 2015: charles_contract.doc - Current Virus total detections 2/56* ... Which goes through a convoluted download process via thetunaslab .com/wp-snapshots/sasa.txt (which simply contains the download link) and thetunaslab .com/wp-snapshots/66836487162.txt (a VB script to transform the downloaded .exe to a new location and name and autorun it) to end up with what is almost certainly a Dridex banking Trojan from http ://www. heavensound .it/wp-content/uploads/2015/06/pa.exe (VirusTotal 2/57 **)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...686b8f962005e0deec2f472e/analysis/1441810073/

** https://www.virustotal.com/en/file/...689743895a0dedabbbadc18e/analysis/1441811453/
... Behavioural information
TCP connections
93.170.105.115: https://www.virustotal.com/en/ip-address/93.170.105.115/information/
128.199.119.166: https://www.virustotal.com/en/ip-address/128.199.119.166/information/
___

'Famous Spy Software' - SCAM
- https://blog.malwarebytes.org/onlin...d-sites-lead-to-offer-of-famous-spy-software/
Sep 9, 2015 - "... received a tip from one of our researchers, Steven Burn, who is continuously investigating several persistent Facebook hacking scams... the individuals or group behind them merely rehashing the same lures and tactics; services that offer the hacking of Facebook accounts are one such scam. Using a single line of text to look for potential scam destinations, Burn came across not one but -thousands- of compromised sites offering this particular type of hacking service... Once users click any of the search result links, they are -redirected- multiple-times and then land on a page in the domain, trackphone[DOT]tk:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/trackphone.png
Clicking the big-green-button that says “Go to new site” directs to a page from mspy[DOT]com:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/mspy.png
... mSpy is a highly popular and controversial software that markets itself as a tool that a parent can use to monitor their child’s activities on their mobile devices -or- a tool that a doubting husband or wife can use to catch their cheating partners red handed... others who are contemplating using tools similar to mSpy, especially if you’re a parent, we implore that you think this through carefully before using it, because you may inadvertently expose your child to harm more than good this way."

mspy .com: 104.20.26.47: https://www.virustotal.com/en/ip-address/104.20.26.47/information/
104.20.27.47: https://www.virustotal.com/en/ip-address/104.20.27.47/information/

:fear::fear: :mad:
 
Fake 'QuickBooks Invoice', 'America Airlines', 'New FAX' SPAM, 'Spear-phishing'

FYI...

Fake 'QuickBooks Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/quickbooks-invoice-payment-overdue-fake-pdf-malware/
10 Sep 2015 - "An email with the subject of 'Payment Overdue' pretending to come from QuickBooks Invoice <auto-invoice@ quickbooks .com> with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached your invoices for the past months. Remit the payment by 10/09/2015 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Rosendo Numbers
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure...


10 September 2015: Invoice.zip: Extracts to: Invoice.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...20f01ba2faf7fe2698c5b979/analysis/1441880136/

- http://blog.dynamoo.com/2015/09/malware-spam-payroll-received-by-intuit.html
10 Sep 2015 - "... Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56*. The Hybrid Analysis report** shows traffic patterns that are consistent with the Upatre downloader -and- Dyre banking trojan. In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block ..."
* https://www.virustotal.com/en/file/...20f01ba2faf7fe2698c5b979/analysis/1441886437/

** https://www.hybrid-analysis.com/sam...391a020f01ba2faf7fe2698c5b979?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'America Airlines' SPAM – JS malware
- http://myonlinesecurity.co.uk/america-airlines-your-ticket-order-00000239643-js-malware/
10 Sep 2015 - "An email with the subject of 'Your ticket order #00000239643 approved' [random numbered] pretending to come from America Airlines with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...icket-order-00000239643-approved-1024x504.png

10 September 2015: Order_00000239643.zip: Extracts to: Order_00000239643.doc.js
Current Virus total detections 13/57* ... which downloads 2 files 42809780.exe (Virus total 1/57 **) (Hybrid analysis***) and 3233543213348c1[1].gif (VirusTotal 10/56 [4]) (Hybrid Analysis[5]) from a combination of these 3 sites:
64.239.115.111: https://www.virustotal.com/en/ip-address/64.239.115.111/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-address/76.74.242.190/information/
readysetgomatthew .com: 205.144.171.28: https://www.virustotal.com/en/ip-address/205.144.171.28/information/
See MALWR report[6] and Wepawet[7] ... which decodes or deobfuscates the javascript... note that the 42809780.exe has a -stolen- digital signature from Microsoft, which has been blocked (at least in Internet Explorer), Smart Filter warns about an invalid digital signature:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/corrupt-signature.png
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2e45d3a33f5120636143d5bf/analysis/1441858346/

** https://www.virustotal.com/en/file/...8f881f2cab72fe65fd14265c/analysis/1441845045/

*** https://www.hybrid-analysis.com/sam...608198f881f2cab72fe65fd14265c?environmentId=1

4] https://www.virustotal.com/en/file/...3fd79775c5be184d747a02c5/analysis/1441859040/

5] https://www.hybrid-analysis.com/sam...cb4463fd79775c5be184d747a02c5?environmentId=1

6] https://malwr.com/analysis/ODEyYTNjZTNjNzM4NGE2YmFkZDQ2OWZiNzQ0OGZmMDk/

7] https://wepawet.iseclab.org/view.php?hash=23de9e6aad67d8a516acd6e60d90f4e9&type=js
___

Fake 'New Fax' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-new-fax-3901535011-uk2fax.html
10 Sep 2015 - "This -fake- fax spam comes with a malicious attachment:
From "UK2Fax" [fax2@ fax1.uk2fax .co.uk]
Date Thu, 10 Sep 2015 14:07:11 +0100
Subject New Fax - 3901535011
UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT


Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the -same- Upatre/Dyre payload as seen in this attack also seen today*."
* http://blog.dynamoo.com/2015/09/malware-spam-payroll-received-by-intuit.html
___

'Spear-phishing' - Know the Risk, Raise Your Shield
- http://arstechnica.com/security/201...ells-government-employees-raise-your-shields/
Sep 9, 2015 - "... the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches. Called 'Know the Risk, Raise Your Shield', the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people -not-to-click-on 'those links'*... The Office of the Director of National Intelligence, which the NCSC is part of, is pushing out materials for the campaign through its website and social media channels..."
* https://www.youtube.com/embed/videoseries?list=PLfaSGHp0IgDBzfD8dnJ3CpklC2vNkbtiD
Video 2:53
Know the Risk, Raise Your Shield

:fear::fear: :mad:
 
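The posts above keep making the same point: a ZIP member called `Order_00000239643.doc.js` or `SalesOrderAcknowledgement.scr` shows up in Explorer as a document when "show known file extensions" is off, and the icon is spoofed to match. As an added example (not code from any of the quoted posts), here is a small Python triage routine a mail gateway or analyst could run over an attachment to surface exactly that: it reports what Explorer would display, flags members whose true extension is executable or script, flags a decoy document extension sitting in front of the real one, and confirms from the magic bytes whether a member is a Windows PE regardless of its name. The ZIP it inspects is constructed inline to mirror the attachments described in the posts.

```python
"""Triage a ZIP e-mail attachment for the spoofed-extension trick.

Added example, not part of the quoted posts. The sample archive built in
build_sample_zip() is constructed here; the member names mirror the ones
the posts describe, the contents are placeholders.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will execute or run as a script when double-clicked.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
             "vbe", "wsf", "wsh", "hta", "ps1", "msi", "cpl"}
# Extensions a lure wants the victim to believe they are opening.
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
# First two bytes of every Windows PE image, whatever the file is called.
PE_MAGIC = b"MZ"


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the final extension is dropped, so 'x.doc.js' is shown as 'x.doc'."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if dot and ext.lower() in EXEC_EXTS | DECOY_EXTS:
        return stem
    return base


def name_reasons(name: str) -> list:
    """Reasons a member *name* is suspicious (empty list if none)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    true_ext = parts[-1]
    if true_ext in EXEC_EXTS:
        reasons.append(f"runs as a program or script (.{true_ext})")
        # Decoy document extension directly before the real one: foo.doc.js
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"decoy .{parts[-2]} extension hides .{true_ext}")
    return reasons


def content_reasons(head: bytes) -> list:
    """Reasons the member *content* is suspicious, from its first bytes."""
    if head.startswith(PE_MAGIC):
        return ["content is a Windows PE executable (MZ header)"]
    return []


def triage_zip(zip_bytes: bytes) -> list:
    """Return a Finding for every archive member that trips a check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = name_reasons(info.filename) + content_reasons(head)
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one JS downloader lure, one PE with a .scr name,
    and one genuine-looking PDF that should produce no finding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Order_00000239643.doc.js", "// constructed placeholder\n")
        zf.writestr("SalesOrderAcknowledgement.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"shown as {displayed_name(f.member)!r}, really {f.member!r}: "
              + "; ".join(f.reasons))
```

The same name checks apply to the files the scripts later drop (the posts' `Adobe_update-*.exe` next to a genuine PDF), since the decoy there is a sibling file rather than a second extension.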
Fake 'e-invoice', 'Sales Order', 'SOP Invoice' SPAM

FYI...

Fake 'e-invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-latest-e-invoice-from-tnt-1568467424-9445661-fake-pdf-malware/
11 Sep 2015 - "An email with the subject of 'Your latest e-invoice from TNT 1568467424 9445661 (random numbers)' pretending to come from eInvoicing <groupadminstubbinsDONOTREPLY@ tnt .com> with a zip attachment is another one from the current bot runs... The content of the email says :
PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
Please find attached your TNT Invoice. Please note that our standard payment terms require cleared funds in our account by the 15th of the month following the month of invoice.
IMPORTANT CONTACT DETAILS
To register an invoice query please contact us at ukinvoicequeries@ tnt .co.uk
To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@ tnt .com
To set up a Direct Debit plan please contact us at tntdirectdebit@ tnt .co.uk
For quick and easy access to your invoices simply log in using your user name and password to https ://express .tnt .com/eInvoicing and you’ll be able to view and download your electronic invoices immediately.
If you have forgotten your user name or password please follow the above link where you will be able to reset your log-in details. If you are experiencing any technical issues with your e-Invoicing account please contact us at ukeinvoice@ tnt .co.uk
Rest assured, we operate a secure system, so we can confirm that the invoice PDF originates from TNT and is authenticated with a digital signature. Thank you for using e-invoicing...


11 September 2015: 1568467424_9445661.zip: Extracts to: 0230516548_6835403.scr
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b3b2e6339f859dbf2b746c59/analysis/1441967307/
___

Fake 'Sales Order' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sales...61725-your-reference-89-bud-fake-pdf-malware/
11 Sep 2015 - "An email with the subject of 'Sales Order Acknowledgement – Order No: 7M661725 – Your Reference: 89 /Bud (random numbers and names)' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached your sales order acknowledgement
Order No: 7M661725
Account: MGQ313
Your Reference: 89 /Bud
Web Reference:
Kind Regards
Office Team


11 September 2015: SalesOrderAcknowledgement_2G060028.zip: Extracts to: SalesOrderAcknowledgement.scr
Current Virus total detections 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...1bb712ec416addc6c9997b8d/analysis/1441964692/

- http://blog.dynamoo.com/2015/09/malware-spam-sales-order.html
11 Sep 2015 - "This -fake- financial spam comes with a malicious payload:
From "reports@officeteam .co.uk" [reports@ officeteam .co.uk]
Date Fri, 11 Sep 2015 10:39:32 GMT
Subject Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
Please find attached your sales order acknowledgement
Order No: EF150085...

... SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report** shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet)... the payload is Upatre downloading the Dyre banking trojan."
* https://www.virustotal.com/en/file/...1bb712ec416addc6c9997b8d/analysis/1441972298/

** https://www.hybrid-analysis.com/sam...c74a81bb712ec416addc6c9997b8d?environmentId=1
___

Fake 'SOP Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sop-invoice-single-ppl-leeds-co-uk-fake-pdf-malware/
11 Sep 2015 - "An email with the subject of 'SOP Invoice (Single)' pretending to come from “Carlene Kidd” <Carlene.Kidd@ ppl-leeds .co.uk> (random names @ ppl-leeds .co.uk) with a zip attachment is another one from the current bot runs... The content of the email says :
Hi Nicolas
Please find attached copy Invoice No: J292G64W as requested.
Regards
Carlene
The attached file is a Sage Report in PDF (Adobe Acrobat) format. To view
the report you will need Acrobat Reader, available as a free download...


11 September 2015: Invoice_J292G64W.zip: Extracts to: invoice.scr
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9410dfd01dd95379868c09af/analysis/1441965422/
___

Fake 'PO & New Order' SPAM – doc malware
- http://myonlinesecurity.co.uk/po-new-order-word-doc-rtf-exploit-malware/
11 Sep 2015 - "An email with the subject of 'PO & New Order' pretending to come from Sales with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/PO-New-Order-1024x599.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be -blank- or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode.png
11 September 2015: PO & New Order.doc - Current Virus total detections 23/56* .
Downloads http ://creativelinkspk .com/.css/ashok.exe (VirusTotal** 18/57). This looks like an old exploit CVE-2012-0158 that was fixed in MS12-027... but there is always a possibility that the exploit creators have added to it to work in modern office versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a1af667e5999c30d0e7c0bb0/analysis/1441931051/

** https://www.virustotal.com/en/file/...1721f5cc30445e2e360f3d4c/analysis/1441887586/

creativelinkspk .com: 192.3.105.250: https://www.virustotal.com/en/ip-address/192.3.105.250/information/

:fear::fear: :mad:
 
Fake 'Pretrial requirements' SPAM

FYI...

Fake 'Pretrial requirements' SPAM – JS malware
- http://myonlinesecurity.co.uk/pretrial-requirements-js-malware/
13 Sep 2015 - "An email with the subject of 'Pretrial requirements' pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Pretrial-requirements-1024x388.png

12 September 2015: pretrial_requirements488.zip: Extracts to: pretrial_requirements488.js
Current Virus total detections 21/57* . (Wepawet**) (MALWR***) which downloads multiple files including Adobe_update-S3NS81Y2MJC[1].exe (virus total 0/56 [4]) and Adobe_update-1SGMQ65OVG[1].exe (VirusTotal 0/57 [5]) and a genuine pdf (Adobe_update-BI5T99S2B9W[1].pdf) which displays an invoice to think that the entire download is innocent from a combination of these sites (this particular version only uses the first 2 sites, but if it cannot contact either of them, it will try each site in turn until it downloads the malware):
The PDF is genuine and obviously a stolen invoice from an Italian company Eco srl being -reused- to try to fool you into thinking that it is only an invoice being displayed while the other malware is silently downloaded and run in the background:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/eco_pdf-1024x619.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...608c06c6530e232977ea0eb7/analysis/1442130826/

** https://wepawet.iseclab.org/view.php?hash=7f38d9df842a87500e5be65061a149de&type=js

*** https://malwr.com/analysis/Mjk4ZDIyYjM2OTA1NGZhMmJiODFkZDM3MzNhOWM1ZTQ/

4] https://www.virustotal.com/en/file/...e2272b10ced51674f48675ce/analysis/1442105203/

5] https://www.virustotal.com/en/file/...bdb927a4033f43d078f62202/analysis/1442131135/

:fear::fear: :mad:
 
HMRC Tax Refund Phish, ATM malware

FYI...

HMRC Tax Refund / Phish ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/avoid-this-hmrc-tax-refund-phish/
Sep 14, 2015 - "... here’s the spam mail, which is titled 'Tax Refund New Message Alert!':
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/hmrcform0.jpg
Some standouts:
1. The -typo- in the sender address. Yes, we already mentioned it but it’s such an amazingly silly way to blow the cover of an attempted phish that I’m going to point and roll my eyes at it twice.
2. Do Tax Departments send anybody emails with exclamation-marks in the subject? It doesn’t seem in line with the notion of serious people sending out serious tax emails, really.
3. “See this email? Yeah, don’t tell anyone about it okay? It’s our little secret. Cough cough.”
4. “Download and fill out a form” HMRC don’t send out mails about tax rebates.
5. “Allow 5 to 9 business days, because we won’t have enough time to rip-off the card details you just sent us if you’re checking your account every five minutes”.
Note that in the above example, the mail was sent to an Outlook account and was-flagged as spam – not all mail providers catch something, so it pays to always be on your guard.
Clicking the link offers up a HTML file download from: liveinlove(dot)us/index(dot)php:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/hmrcform1.jpg
Opening up the file in a browser will fetch elements of real HMRC pages to add that little extra splash of authenticity:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/hmrcform2.jpg
There is, of course, no HTTPS / padlock which one would hope sets off a few alarm bells. The form follows the common pattern of not letting you proceed unless you’ve entered information in the relevant boxes. They want full card details, bank name, security code, name, DOB, address – the works. Once the submit button is hit, the victim will be redirected to a real HMRC page via the liveinlove URL. It seems the website being used for this scam has been -hacked-... In a first for me, I’ve had to let someone know their site has been compromised via a wedding RSVP form. As the wedding was due to take place back in -2014- I’m not entirely sure someone will be there to pick up the message but we’ll see how it goes. Should you receive one of these mails, feel free to delete it."

liveinlove .us: 192.186.248.162: https://www.virustotal.com/en/ip-address/192.186.248.162/information/
___

Next Gen ATM Malware
- https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html
Sep 11, 2015 - "You dip your debit card in an automated teller machine (ATM) and suddenly realize it is stuck inside, what happened?
a) You took too much time entering details.
b) There was an error in the network connection to the bank.
c) The machine is infected with malware and your card was intentionally retained to be ejected to the crooks once you walk away asking for help.
If you answered ‘c’ you might be correct! FireEye Labs discovered a new piece of ATM malware (4BDD67FF852C221112337FECD0681EAC) that we detect as Backdoor.ATM.Suceful (the name comes from a typo made by the malware authors), which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks. ATM malware is not new, back in 2013 and 2014 threats like Ploutus[1] or PadPin[2] (Tyupkin) were used to empty ATMs in Mexico, Russia and other countries, but SUCEFUL offers a new twist by targeting the cardholders. SUCEFUL was recently uploaded to VirusTotal (VT) from Russia, and based on its timestamp, it was likely created on August 25, 2015. It might still be in its development phase; however, the features provided are shocking and never seen before in ATM malware:
> https://www.fireeye.com/content/dam/fireeye-www/blog/images/SUCEFUL/suceful1.png
Potential SUCEFUL capabilities in Diebold or NCR ATMs include:
1. Reading all the credit/debit card track data
2. Reading data from the chip of the card
3. Control of the malware via ATM PIN pad
4. Retention or ejection of the card on demand: This could be used to steal physical cards
5. Suppressing ATM sensors to avoid detection ..."
(More detail at the FireEye URL above.)

:fear::fear: :mad:
 
Fake 'Payment Summary', 'Unsettled invoice' SPAM, WhatsApp scam

FYI...

Fake 'Payment Summary' SPAM – PDF malware
- http://myonlinesecurity.co.uk/payme...aysliphss-health-nsw-gov-au-fake-pdf-malware/
15 Sep 2015 - "2 sets of emails pretending to come from payslip@ hss.health.nsw. gov.au with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' or 'Payslip for the period 31 Aug 2015 to 14 sep 2015' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...ayment-Summary-Group-Certificate-1024x506.png

15 September 2015: PAYG-EoY-2014-15-11577085-181466719.zip: Extracts to: PAYG-EoY-2014-15-04831806-000718002.scr
Current Virus total detections 11/56*
15 September 2015: Payslip13526234054137704-78242.zip: Extracts to: Payslip00477196470196471-00038.scr
Current Virus total detections 6/57**
... Techhelplist.com have done a breakdown of these Upatre downloaders from yesterday’s versions of these emails with similar attachments... HERE[3] and Here[4].
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1868bd58438619b9091cc6e9/analysis/1442293989/

** https://www.virustotal.com/en/file/...f080ff90a8c75f6ed18dd977/analysis/1442282228/

3] https://techhelplist.com/spam-list/923-payment-summary-group-certificate-for-financial-year-malware

4] https://techhelplist.com/spam-list/924-payslip-for-the-period-date-to-date-malware
___

Fake 'Unsettled invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/unsettled-invoice-e-mail-notice-fake-pdf-malware/
15 Sep 2015 - "The latest -Upatre- style downloaders are attached to a series of emails with the subject of 'Unsettled invoice e-mail notice' pretending to come from random addresses with a zip attachment is another one from the current bot runs... The content of the email says:
Hello dear customer,
I urgently ask you to settle an invoice from Tue, 15 Sep 2015 11:39:13 +0100


Other subjects in this malspam run include:
Unsettled invoice e-mail reminder
Important invoice e-mail notice
Overdue invoice e-mail reminder
Unsettled invoice notification
Outstanding invoice e-mail notice
Important invoice final reminder

The times are all random, but the dates all say Tue, 15 Sep 2015..
15 September 2015: Voluptas soluta laborum illum aperiam praesentium molestiae sequi..zip:
Extracts to: Consequatur sint consectetur qui esse..exe
Current Virus total detections 1/57*
This doesn’t actually appear to be Upatre and we haven’t managed to get any other downloads from it via automatic analysis so far... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...68f41fccb354f065e8f5d1a4/analysis/1442313814/
___

WhatsApp scam/SPAM ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/dont-get-stuck-on-whatsapp-stickers/
Sep 15, 2015 - "We’ve spotted a WhatsApp scam using the same general template as the previously covered WhatsApp Elegant Gold*, located at:
stickers-whatsapp(dot)com
... which asks for your WhatsApp Number in return for some “stickers“. You typically have to pay for stickers via a number of Apps, so potential freebies are always going to pull in some eyeballs.
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/whatstickers1.jpg
It follows the familiar pattern of “Spam a bunch of people and we’ll give you what you want”, complete with inevitable Shyamalan-style plot twist at the end (no, your phone wasn’t a ghost the whole time). Here’s the spam request:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/whatstickers2.jpg
... As with other sites of a similar nature**, we advise you to not bother and stick to legit apps on your mobile store of choice if you really want to plaster your texts with images. All you’ll get for your time and trouble with these websites are adverts, PUPs and surveys (also, your phone was totally a ghost the whole time)."
* https://blog.malwarebytes.org/fraud-scam/2015/07/whatsapp-elegant-gold-hits-the-digital-catwalk/

** https://blog.malwarebytes.org/fraud-scam/2015/03/scams-pups-target-would-be-whatsapp-voice-users/

stickers-whatsapp(dot)com: 54.254.185.159: https://www.virustotal.com/en/ip-address/54.254.185.159/information/
___

Cisco router break-ins bypass cyber defenses
- http://www.reuters.com/article/2015...y-routers-cisco-systems-idUSKCN0RF0N420150915
Sep 15, 2015 - "... researchers* say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected. In the attacks, a highly sophisticated form of malicious software, dubbed "SYNful Knock"*, has been implanted in routers made by Cisco..."
* https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
Sep 15, 2015 - "... recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least -14- such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India... Conclusion: ... It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence..."
1] http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html

:fear::fear: :mad:
 
Fake 'Renewed insurance policy', 'HSBC SecureMail', 'Lloyds Bank', Autopay info SPAM

FYI...

Fake 'Renewed insurance policy' SPAM – PDF malware
- http://myonlinesecurity.co.uk/renewed-insurance-policy-e-mail-fake-pdf-malware/
16 Sep 2015 - "An email with the subject of 'Renewed insurance policy' e-mail pretending to come from random companies (all appearing to be either Australian or New Zealand addresses) with a zip attachment is another one from the current bot runs... The content of the email says :
Good afternoon,
This email address was specified to get a new insurance policy. Your policy is attached


Other subjects include:
Important insurance e-mail notice
Insurance policy e-mail notice
Health insurance notice
Renewed insurance policy e-mail notice
Important insurance e-mail

16 September 2015: 23720.zip: Extracts to: 96998.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...ea67b1b63fbd7056c2c3a709/analysis/1442351794/
___

Fake 'HSBC SecureMail' SPAM - malicious payload
- http://blog.dynamoo.com/2015/09/malware-spam-hsbc-securemail-you-have.html
16 Sep 2015 - "This -fake- HSBC email message has a malicious payload:
From: HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@ hsbc .co.uk]
Date: 16 September 2015 at 13:13
Subject: You have received a secure message ...


... file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56*. Automated analysis is pending... but the payload is most likely to be Upatre/Dyre."
* https://www.virustotal.com/en/file/...ab281089f2115ba8c35957c2/analysis/1442407433/
___

Fake 'Lloyds Bank' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/you-h...ed-word-doc-or-excel-xls-spreadsheet-malware/
16 Sep 2015 - "A BOGOF (Buy one, get one free) today pretending to come from various Lloyds bank email addresses with 2 different subjects both containing the same word macro downloader malware: 'You have received a new debit and Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 1831383/' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshots:
> http://myonlinesecurity.co.uk/wp-co...ties-Please-Read-Action-Required-1024x742.png
-Or-
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/You-have-received-a-new-debit-1024x511.png

DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/Excel_macro_protected-mode-1024x604.png
The version of this word doc that I received actually has this content which tries to suggest it is protected with an RSA digital signature key that needs you to enable macros and editing to be able to see the proper content. You definitely do-not-want-to-enable-macros or editing or you-will-be-infected:
> http://myonlinesecurity.co.uk/wp-co.../ReportonTitle0045168.1Final_doc-1024x597.png

16 September 2015: ReportonTitle0045168.1Final.doc - Current Virus total detections 4/53* .
The malicious macros in this malware are giving problems to the automatic analysers, who aren’t able to actually get the malware. The macro contacts:
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/
... which is an open directory where it gets various instructions to download the actual malware from http ://vandestaak .com/css/libary.exe and autorun it (VirusTotal**) which is itself an Upatre downloader that will download today’s version of the Dyre/dyreza/dridex banking Trojan malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c1f60d106a3b2f284ee6c8b4/analysis/1442403104/

** https://www.virustotal.com/en/file/...4fe55d3251cb2769266d628e/analysis/1442407381/

obiectivhouse .ro: 178.156.230.216: https://www.virustotal.com/en/ip-address/178.156.230.216/information/

- http://blog.dynamoo.com/2015/09/malware-spam-lloyds-bank-pendeford.html
16 Sep 2016 - "...In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56*)... malicious macro. The macro attempts to download components from the following locations:
thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt
A further download then takes place from:
vandestaak .com/css/libary.exe
This has a detection rate of 3/56**. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run [3] (automated analysis is pending).
Recommended blocklist:
197.149.90.166
vandestaak .com
thebackpack .fr
obiectivhouse .ro"
* https://www.virustotal.com/en/file/...c1f60d106a3b2f284ee6c8b4/analysis/1442408475/

** https://www.virustotal.com/en/file/...4fe55d3251cb2769266d628e/analysis/1442411964/

3] http://blog.dynamoo.com/2015/09/malware-spam-hsbc-securemail-you-have.html

vandestaak .com: 213.179.202.11: https://www.virustotal.com/en/ip-address/213.179.202.11/information/
thebackpack .fr: 195.144.11.40: https://www.virustotal.com/en/ip-address/195.144.11.40/information/
obiectivhouse .ro: 178.156.230.216: https://www.virustotal.com/en/ip-address/178.156.230.216/information/
___

Fake 'Autopay information' SPAM – PDF malware
- http://myonlinesecurity.co.uk/autopay-information-fake-pdf-malware/
16 Sep 2015 - "An email with the subject of 'Autopay information' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hello,
A new monthly invoice for the services is available to view online and is included as an attachment.
No action is required because you’ve signed up for the AutoPay.
Just review and retain this invoice #52467 for your records.


Other subjects in this series of emails include:
Settled invoice info
Online service invoice info
...
16 September 2015: Get new check MacGyver Station.zip: Extracts to: Repay insurance bill Ullrich Falls.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...ef5f474dec9b3c8273558dad/analysis/1442410631/
___

Fake Amazon UK Mail - phish...
- https://blog.malwarebytes.org/fraud...asks-you-to-verify-your-account-after-breach/
Sep 16, 2015 - "There is an Amazon phishing scam currently making rounds, so you better keep an eye on your inboxes, assuming your spam traps haven’t picked up on this one yet. And much like the majority of phish campaigns, this one also begins with an email. The samples we retrieved all originated from the Linode server (24.236.39.51):
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-phish-mail.png
... The “Get Started” text is, of course, a link leading to the phishing page (screenshot below), which is at ukamazonverify[DOT]com:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-phish-page-one.png
... After text boxes have been filled out, the user is taken to another page asking for -more- details, which includes personally identifiable information (PII), payment card details, and account security details (screenshot below), while data about email address and password are saved to Verify.php, which is located within the domain:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-verify-page.jpg
Data that users enter on this page are saved to Finish.php after clicking the Validate button. The page then changes to tell users to wait as this site processes all their details, complete with a “spinny” indicator to denote that indeed some semblance of data processing is taking place at the background:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/amazon-phish-spinny.png
What users don’t realize is that they’re actually taking their cue from a GIF file, and not an actual indicator, as they wait for what happens next. In the end, they are directed to the real Amazon UK site.
ukamazonverify[DOT]com was created two-days-ago, along with other domains registered under a specific email address from 126[DOT]com, a popular email provider in China. Some browsers have already flagged the domain as a potential threat, which is great... when you see a similar email like the one above in your inbox, simply delete them..."

ukamazonverify[DOT]com: 103.42.180.253: https://www.virustotal.com/en/ip-address/103.42.180.253/information/
___

Fake 'New payment for tax refund' SPAM – JS malware
- http://myonlinesecurity.co.uk/new-payment-for-tax-refund-0000255599-js-malware/
16 Sep 2016 - "An email with the subject of 'New payment for tax refund #0000255599' [random numbered] pretending to come from Internal Revenue Service <office@ irs .gov> with a zip attachment is another one from the current bot runs... The content of the email says :
This is to inform you that your tax refund request has been processed.
Please find attached a copy of the approved 94035N form you have submitted.
Transaction type – Tax Refund
Payment method – Wire transfer
Amount – $ 3214.00
Status – Processed
Form – 94035N
Additional information regarding tax refunds can be found on our website...
Regards,
Internal Revenue Service
Address: 1111 Constitution Avenue, NW
Washington, DC 20224 ...
Phone: 1-800-829-1040


16 September 2015: Tax_Refund_0000255599_Processed.zip: Extracts to: Tax_Refund_0000255599_Processed.doc.js
Current Virus total detections 22/56* ... which downloads -3- files
53212428.exe (Virustotal 1/57 **)
13876688.exe (VirusTotal 2/57 ***) and
0cedc1[1].gif (VirusTotal 1/57 ****) from a combination of these 3 sites:
crossfitrepscheme .com
dickinsonwrestlingclub .com
les-eglantiers .fr
(MALWR[5])
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9130d0024eda1fa87c01baa3/analysis/1442419074/

** https://www.virustotal.com/en/file/...b7bafecb03bad847a091f09b/analysis/1442414485/

*** https://www.virustotal.com/en/file/...a8f17853e57deff162a29eda/analysis/1442414434/

**** https://www.virustotal.com/en/file/...60b3e2f32dfe92dc35d4e6b0/analysis/1442419912/

5] https://malwr.com/analysis/MDc5NThhYzRiMDIxNDY0Mjg0MDA5MDBlMzNmMDU0OTU/

crossfitrepscheme .com: 199.175.49.19: https://www.virustotal.com/en/ip-address/199.175.49.19/information/
dickinsonwrestlingclub .com: 72.20.64.58: https://www.virustotal.com/en/ip-address/72.20.64.58/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustotal.com/en/ip-address/76.74.242.190/information/

Fake 'E-Bill', 'REFURBISHMENT', 'Important notice' SPAM

FYI...

Fake 'E-Bill' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-shell-e-bill-for-week-38.html
17 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
From [invoices@ ebillinvoice .com]
To administrator@ victimdomain .com
Date Thu, 17 Sep 2015 11:10:15 GMT
Subject Shell E-Bill for Week 38 2015
Customer No : 28834
Email address : administrator@ victimdomain .com
Attached file name : 28834_wk38_2015.PDF
Dear Customer,
Please find attached your invoice for Week 38 2015.
In order to open the attached PDF file you will need
the software Adobe Acrobat Reader...
Yours sincerely
Customer Services...


Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56*. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you -block- or monitor that IP."
* https://www.virustotal.com/en/file/...c8be7fe9121339df52fbda83/analysis/1442489503/
___

Fake 'REFURBISHMENT' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-hrwfmailerprodlancashirego.html
17 Sep 2015 - "This -fake- financial spam... comes in several different variants (I saw two):
From "Workflow Mailer" [hrwfmailerprod@ lancashire. gov.uk]
To hp_printer@ victimdomain .com
Date Thu, 17 Sep 2015 12:16:26 GMT
Subject FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)
__
From Mabel Winter
To hp_printer@ victimdomain .com
Sent Thu, 17 Sep 2015 12:12:26 GMT
ID 7216378
Number 6767609,1
Title Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment.


The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55*. The payload appears to be Upatre/Dyre..."
* https://www.virustotal.com/en/file/...8815f277b946692a1c9b9f44/analysis/1442492094/
___

Fake 'Important notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/important-notice-about-document-signing-fake-pdf-malware/
17 Sep 2015 - "An email with the subject of 'Important notice about document signing' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hello,
You have been sent the document to sign it using Signority. To view this document, user’s personal data and secured link to signing, please open the attachment.
Regards,
The Signority Team


Other subjects in this malspam run delivering Upatre downloaders include:
Notice of documentation signing
Important notification of document signing
Important notice about documentation signing
...
17 September 2015: Gain infringement fine .zip: Extracts to: Send proposed sum .exe
Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...56f3f95adbf2908c8021df5b/analysis/1442507711/

Fake 'Transaction confirmation', 'Approval', 'Monthly report' SPAM, 'TaxRefund' Phish

FYI...

Fake 'Transaction confirmation' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-transaction-confirmation.html
18 Sep 2015 - "This -fake- banking spam comes with a malicious attachment:
From donotreply@ lloydsbank .co.uk
Date Fri, 18 Sep 2015 11:52:36 +0100
Subject Transaction confirmation
Dear Customer,
Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.
Best regards,
Your personal Manager
Thora Blanda
tel: 0345 300 0000
LLOYDS BANK.


Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report** shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria."
* https://www.virustotal.com/en/file/...6508cae765dbc279d25c2568/analysis/1442574773/

** https://www.hybrid-analysis.com/sam...a0f0b6508cae765dbc279d25c2568?environmentId=1
___

Fake 'Approval' SPAM - PDF malware
- http://myonlinesecurity.co.uk/approval-of-the-pages-fake-pdf-malware/
18 Sep 2015 - "An email with the subject of 'Approval of the pages' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hi,
Please take a quick look at the headlines of the attached docs.
As I’ve told you before, the main part of project is almost ready.
I guarantee that I’ll send it to you within this week.
Please remember: the attached information is strongly confidential.


Other subjects in this series of -Upatre- downloaders include:
Check out the following pages
Approval of renewed project part
See the part of work
Check updated part of work
Review updated pages
View renewed pages
...
18 September 2015: Do obligatory agreeement .zip: Extracts to: Maintain remittance fund .exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a149ba1ff59bcd7808da93ff/analysis/1442583621/
___

'Tax Credits Refund' - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/warning-tax-credits-refund-phish/
Sep 18, 2015 - "... scammers leap onto the bandwagon with promises of tax credit refunds – effectively targeting those already most under threat from potential financial loss. If you’ve clicked-on-a-message along these lines in the last few days, you may want to get in touch with your bank as soon as possible. The message, which reads as follows, makes use of a Goo.gl shortening URL to -redirect- victims to what appears to be a compromised website:
"Dear valued customer, we are happy to inform you that you have a new tax credit refund from HMRC. Click on the following link to claim your HMRC refund"...
> ...-content/uploads/2015/09/taxcreditsphish1.jpg
• 731 clicks so far, with the majority of them coming from the UK.
• 440 of those were on iPhone, and 252 were using Android. Just 31 people were browsing via Windows.
• The shortened link is 4 days old, so the scam is pretty fresh.
Here’s the phishing page, located at savingshuffle(dot)com/hmrc/Tax-Refund(dot)php:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/taxcreditsphish3.jpg
As you can see, they want name, address, phone, email, telephone number, card details, sort code and account number. Further down the page, they also want some “Identity Verification” in the form of driving license number, national insurance number and mother’s maiden name. There’s also a pre-filled refund amount of £265.48 next to the submit button:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/taxcreditsphish4.jpg
... By the time you end up checking to see if the money has gone in, they’ll likely have tried to clean you out. Given we’re talking about those who might be severely affected by the changes to the tax credits system, this would be quite the blow to say the least (and even if you’re not impacted, it’s still not a nice thing to happen either way)... HMRC does -not- send out missives offering refunds."

savingshuffle(dot)com: 50.63.202.37: https://www.virustotal.com/en/ip-address/50.63.202.37/information/
___

Malicious SYNful Cisco router implant found on more devices...
- https://zmap.io/synful/
Sept 16, 2015 - "... The attack is known to affect Cisco 1841, 2811, and 3825 series routers, but may also affect similar Cisco devices... Further details on the -firmware- implant can be found in the original FireEye post:
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
... by modifying ZMap to send the specially crafted TCP SYN packets. We completed four scans of the public IPv4 address space on September 15, 2015 and found -79- hosts displaying behavior consistent with the SYNful Knock implant. These routers belong to a range of institutions in -19- countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations). We note that the -25- hosts in the United States belong to a single service provider on the East Coast, and that the hosts in both Germany and Lebanon belong to a single satellite provider that provides coverage to Africa. A map of devices is available here:
> https://zmap.io/synful/map.html "

> https://zmap.io/synful/graph.png

> https://www.eecs.umich.edu/eecs/about/articles/2013/zmap.html

>> http://net-security.org/malware_news.php?id=3104
18.09.2015
___

Fake 'Monthly account report' SPAM – PDF malware
17 Sep 2015 - "An email with the subject of 'Monthly account report' pretending to come from info@ nab. com.au with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Monthly-account-report-1024x645.png

17 September 2015: Finance received statement .zip: Extracts to: Transfer online paying system cashback .exe
Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...57ae682919b1279ceea5c84f/analysis/1442524683/

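The posts above keep returning to one trick: a zip whose member is 0000255599.doc.js, report.scr, Transfer online paying system cashback .exe or Value mortgage policy .exe (note the rogue space), shown with a document icon so it is opened as an executable. The following is an added example, not code from any of the quoted blogs: a Python triage routine that inspects an archive in memory for those naming patterns and for a PE header hiding under a document extension, without extracting or running anything. The extension lists, the archive and its placeholder contents are constructed for the demonstration.

```python
import io
import os
import zipfile

# Extensions Windows runs directly on double-click. A ".scr" is an ordinary PE
# executable despite the "screensaver" name; ".js", ".jse", ".vbs" and ".wsf"
# run under the Windows Script Host, which is how the .doc.js droppers work.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document types the lures impersonate (icon and "inner" extension).
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def triage_name(name):
    """Return the reasons a member filename looks like a disguised executable.

    Catches the three naming tricks quoted in the posts: a bare executable
    extension (report.scr), a document extension hidden in front of the real one
    (0000255599.doc.js) and whitespace before the extension so the name reads as
    words in Explorer (Value mortgage policy .exe).
    """
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # zip entries may use either separator
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        inner = os.path.splitext(stem)[1].lower()
        if inner in DOCUMENT_EXTS:
            reasons.append("double extension " + inner + ext)
        if stem != stem.rstrip():
            reasons.append("whitespace before extension")
    return reasons


def triage_zip(data):
    """Inspect an archive held in memory and return {member: [reasons]}.

    Nothing is extracted to disk or executed; only member names and the first
    two bytes of each member are read. A member whose content starts with the PE
    magic "MZ" but whose extension is not executable is also flagged, since the
    name check alone would miss a renamed binary.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_name(info.filename)
            with zf.open(info) as member:
                magic = member.read(2)
            ext = os.path.splitext(info.filename)[1].lower()
            if magic == b"MZ" and ext not in EXECUTABLE_EXTS:
                reasons.append("PE header under non-executable extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Build a constructed test archive from {name: bytes}; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archive mimicking the naming seen in the posts; the bodies are
# harmless placeholders (a stub PE header, a JS comment, a PDF header), not malware.
SAMPLE_ARCHIVE = build_sample_zip({
    "Tax_Refund_0000255599_Processed.doc.js": b"// placeholder, not the real dropper\n",
    "Value mortgage policy .exe": b"MZ\x90\x00placeholder",
    "report.scr": b"MZ\x90\x00placeholder",
    "statement.pdf": b"%PDF-1.4 placeholder",
    "renamed.pdf": b"MZ\x90\x00placeholder",
})

if __name__ == "__main__":
    for member, reasons in triage_zip(SAMPLE_ARCHIVE).items():
        print("%-45s %s" % (member, "; ".join(reasons)))
```

Run against an attachment at the mail gateway or in a sandbox before anything is extracted; the name checks are cheap enough to apply to every archive, and the "MZ" peek catches the case the "show known file extensions" advice does not cover, a real PE renamed to .pdf.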
Active malware campaign uses WordPress sites, Online poker sites - trojan

FYI...

Active malware campaign uses thousands of WordPress sites to infect visitors
15-day-old campaign has spiked in past 48 hours, with >5,000 new infections daily.
- http://arstechnica.com/security/201...usands-of-wordpress-sites-to-infect-visitors/
Sep 18, 2015 - "Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday. The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday, Daniel Cid, CTO of security firm Sucuri, said in a blog post*. The hijacked sites are being used to -redirect- visitors to a server hosting attack code made available through the Nuclear exploit kit**, which is sold on the black market. The server tries a variety of different exploits depending on the operating system and available apps used by the visitor... On Thursday, Sucuri detected thousands of compromised sites, 95 percent of which are running on WordPress. Company researchers have not yet determined how the sites are being hacked, but they suspect it involves vulnerabilities in WordPress plugins. Already, 17 percent of the hacked sites have been blacklisted by a Google service that warns users before they visit booby-trapped properties... Administrators can use this Sucuri scanning tool*** to check if their site is affected by this ongoing campaign."

* https://blog.sucuri.net/2015/09/wordpress-malware-active-visitortracker-campaign.html
Sep 18, 2015

** https://heimdalsecurity.com/blog/nuclear-exploit-kit-flash-player/

*** https://sitecheck.sucuri.net/

Latest Wordpress update: https://forums.spybot.info/showthread.php?867-Alerts&p=466236&viewfull=1#post466236
___

Trojan targets online poker sites, peeks at players’ cards
Malware targets two of the largest gambling sites, PokerStars and Full Tilt Poker.
- http://arstechnica.com/security/2015/09/trojan-targets-online-poker-sites-peeks-at-players-cards/
Sep 18, 2015 - "Anybody who has ever played poker, online or offline, always suspects that they might be the victim of cheating when the cards aren't going their way. Now there's evidence to suspect that the hunch is real when it comes to two of the world's most popular online gambling portals. "Several hundred" gamblers on the Pokerstars and Full Tilt Poker platforms have been hit with a cheating trojan, according to ESET* security researcher Robert Lipovsky:
' Every once in a while, though, we stumble upon something that stands out, something that doesn’t fall into the “common” malware categories that we encounter every day — such as ransomware, banking trojans, or targeted attacks (APTs) — just to name a few of those that are currently causing the most problems. Today, we’re bringing you one of those uncommon threats — a trojan devised to target players of online poker.'
The latest Windows malware discovery, called Odlanor, comes two years after ESET warned of the PokerAgent botnet propagating on Facebook in connection to the Zynga Poker app..."
* http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/
17 Sep 2015
(Country locations infected with Odlanor)
- http://www.welivesecurity.com/wp-content/uploads/2015/09/ESET_Odlanor_infected.jpg

Threat Detail: http://virusradar.com/en/Win32_Spy.Odlanor/detail

Fake 'Paymark', 'Sage invoice', 'order not competed' SPAM, 91.226.32.0/23

FYI...

Fake 'Paymark' SPAM – PDF malware
- http://myonlinesecurity.co.uk/paymark-transtrack-report-fake-pdf-malware/
21 Sep 2015 - "An email with the subject of 'Paymark TransTrack Report' pretending to come from Paymark TransTrack <onlineassist@ paymark .co.nz> with a zip attachment is another one from the current bot runs... The content of the email says:
Thank you for using the Paymark TransTrack Transaction Reporting email service.
Please find attached your requested transaction report.
The report is in PDF format, suitable for importing into a variety of finance and spreadsheet applications such as Xero, MYOB and Microsoft Excel.
The attached report is in a zip-formatted compressed file so you will need to extract it before viewing it.
If you experience any difficulties or would like more information about Paymark TransTrack please visit ...
This email was sent to [REDACTED]
This email has been filtered by SMX. For more information visit ...


21 September 2015: report.zip: Extracts to: report.scr
Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a203d600735d32e4af21eb0a/analysis/1442811837/
___

Fake 'Sage invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-sage-subscription-invoice-is-ready-fake-pdf-malware/
21 Sep 2015 - "An email with the subject of 'Your Sage subscription invoice is ready' pretending to come from noreply@ sage .com with a link-for-you-to-download a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...ge-subscription-invoice-is-ready-1024x674.png

21 September 2015: invoice.zip: Extracts to: invoice.scr
Current Virus total detections 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...f1b2bf73633ca692c3184edd/analysis/1442827749/

- http://blog.dynamoo.com/2015/09/malware-spam-your-sage-subscription.html
21 Sep 2015 - "... contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56*. The Hybrid Analysis report** shows that this is -Upatre- dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria."
* https://www.virustotal.com/en/file/...f1b2bf73633ca692c3184edd/analysis/1442835086/

** https://www.hybrid-analysis.com/sam...5f453f1b2bf73633ca692c3184edd?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'order not competed' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-order-is-not-competed-fake-pdf-malware/
21 Sep 2015 - "The Upatre malware spreading gang are hard at work again today with a new set of emails with the subject of 'Your order is not competed' pretending to come from random companies with a zip attachment is another one from the current bot runs... The body of the email simply contains the -name- of the attachment, so in this case the body reads: 'file: Receive rental contract.pdf'. Every email so far received has had a -different- subject and attachment name. Other subjects include:
Order isn’t done
Your order is not done
Order is not finished
Your order is not paid
Order is not processed ...


21 September 2015: Receive rental contract.zip: Extracts to: Imprint tax business.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...38b1fddf9b2c5d0c1e2ba71e/analysis/1442828635/
___

Tainted Network - VPS Hosting of Latvia (91.226.32.0/23) ...
- http://blog.dynamoo.com/2015/09/tainted-network-kfciilluminationescomsn.html
21 Sep 2015 - "I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery*] which sends traffic to:
[donotclick]kfc.i.illuminationes .com/snitch
This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action:
> https://2.bp.blogspot.com/-9JiDUjob_AI/Vf_J3mhrGEI/AAAAAAAAHDI/bDMRc9G0AF4/s1600/tds-ek.png
The injected script sends the keywords and referring site upstream... Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock... shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish (-block-) this range from your network."
* https://urlquery.net/report.php?id=1442826023324

illuminationes .com: 91.226.32.69: https://www.virustotal.com/en/ip-address/91.226.32.69/information/

91.226.33.54: https://www.virustotal.com/en/ip-address/91.226.33.54/information/
> https://www.virustotal.com/en/domain/kfc.i.illuminationes.com/information/
___

NSW Health Payslip Spam
- http://threattrack.tumblr.com/post/129567671538/nsw-health-payslip-spam
Sep 21, 2015 - "Subjects Seen
Payslip for the period 21 Aug 2015 to 21 sep 2015
Typical e-mail details:
This message is intended for the addressee named and may contain confidential information. If you are not the intended recipient, please delete it and notify the sender.
Views expressed in this message are those of the individual sender, and are not necessarily the views of NSW Health or any of its entities.


Screenshot: https://40.media.tumblr.com/433050ff0f62b72379fdd04b4f512c3b/tumblr_inline_nv151zgxyC1r6pupn_500.png

Malicious File Name and MD5:
Payslip-21092015.scr (fa73a8adc4a7a1b037b8dded1eb9ac90)


Tagged: NSWHealth, Upatre
___

iOS users endangered by Trojanized apps from the App Store
- http://net-security.org/malware_news.php?id=3105
21.09.2015 - "Unknown malware pushers have managed to trick Apple into offering for download from the company's official App Store a considerable number of malicious apps - apps that collect device information and try to get users' iCloud login credentials. The current list* of infected iOS apps includes many extremely popular apps in China and the rest of the world..."

Malware XcodeGhost Infects 39 iOS Apps ...
* http://researchcenter.paloaltonetwo...chat-affecting-hundreds-of-millions-of-users/
Sept 18, 2015
- http://researchcenter.paloaltonetwo...the-xcodeghost-malware-and-affected-ios-apps/
Sep 21, 2015

- https://blog.malwarebytes.org/mac/2015/09/xcodeghost-malware-infiltrates-app-store/
Sep 21, 2015
___

Skype 'glitch' preventing some users from making calls
- http://www.reuters.com/article/2015/09/21/us-microsoft-skype-idUSKCN0RL0YC20150921
Sep 21, 2015 - "Skype, Microsoft's online telephone and video service, said some users are unable to make calls on Monday because their settings show that they and their contacts are offline, even when they are logged in. In an updated blog post*, Skype also said some messages to group chats are not being delivered and that users who are not already signed in may face difficulty while accessing their accounts:
> http://heartbeat.skype.com/2015/09/skype_presence_issues.html
Skype added that users could experience delays in seeing changes made to their accounts, such as credit balance and profile details. Users may also face difficulty loading web pages on the Skype Community... In an earlier post, Skype had said its instant messaging and Skype for Web services were not facing technical issues."

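Dynamoo's posts above give two network indicators worth acting on: Upatre/Dyre callback traffic to 197.149.90.166 (Cobranet, Nigeria) and the 91.226.32.0/23 VPS Hosting netblock he recommends blocking outright. As an added example, not code from the quoted blogs, the Python below checks firewall log lines against those indicators with proper CIDR matching (a plain substring match would also hit 91.226.34.x, which is outside the /23) and renders them as iptables rules. The log lines and their format are constructed for the demonstration; the indicator set is only the two quoted here, not a maintained feed.

```python
import ipaddress
import re

# Indicators quoted in the posts above. Illustrative: maintain your own list.
BLOCKED_HOSTS = {ipaddress.ip_address("197.149.90.166")}
BLOCKED_NETS = [ipaddress.ip_network("91.226.32.0/23")]

# Constructed firewall-style log lines, not real captures. The last line is
# deliberately unparsable to show it is skipped rather than matched.
SAMPLE_LOG = """\
2015-09-21T12:01:03Z src=10.0.0.15 dst=197.149.90.166 dport=443 action=allow
2015-09-21T12:01:07Z src=10.0.0.22 dst=93.184.216.34 dport=80 action=allow
2015-09-21T12:02:41Z src=10.0.0.15 dst=91.226.33.54 dport=80 action=allow
2015-09-21T12:03:10Z src=10.0.0.31 dst=91.226.34.1 dport=80 action=allow
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def match_indicator(ip_text):
    """Return the indicator (host or network) that ip_text falls under, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # hostnames, junk: not an IP, so no match
        return None
    if ip in BLOCKED_HOSTS:
        return str(ip)
    for net in BLOCKED_NETS:
        if ip in net:           # real CIDR containment, not a string prefix test
            return str(net)
    return None


def scan_log(text):
    """Return one dict per log line whose destination hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # unparsable lines are dropped, never counted as hits
        indicator = match_indicator(m.group("dst"))
        if indicator:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "dst": m.group("dst"), "indicator": indicator})
    return hits


def block_rules():
    """Render the indicators as outbound iptables rules: log, then drop."""
    targets = [str(h) for h in sorted(BLOCKED_HOSTS)] + [str(n) for n in BLOCKED_NETS]
    rules = []
    for target in targets:
        rules.append("iptables -A OUTPUT -d %s -j LOG --log-prefix 'upatre-c2 '" % target)
        rules.append("iptables -A OUTPUT -d %s -j DROP" % target)
    return rules


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(ts)s %(src)s -> %(dst)s matches %(indicator)s" % hit)
    print("\n".join(block_rules()))
```

The internal sources in the hits (10.0.0.15 here) are the hosts to pull for triage; a workstation talking to the Upatre callback IP is the "key indication of infection" the posts describe, and it is visible in the firewall log whether or not the attachment was caught on the way in.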
Malvertising, Fake 'Dislike' Facebook, 'Grand Theft Auto online' scams

FYI...

Malvertising attack hits Realtor .com visitors
- https://blog.malwarebytes.org/malvertising-2/2015/09/malvertising-attack-hits-realtor-com-visitors/
Sep 22, 2015 - "... malvertising keeps on striking high profile sites. The latest victim is popular real estate website realtor.com, ranked third in its category with an estimated 28 million monthly visits... People browsing the site in the last few days may have been exposed to this malvertising campaign and consequently infected if their computers were -not- patched or did -not- have adequate security software. Like all other malvertising attacks, this one did -not- require to click on the -bogus- ad to get infected. The same gang that was behind the recent campaign we documented on this blog is still going at it using the same stealth tactics, which we will elaborate on a little more here:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/realtor_flow.png
Rogue advertisers are putting a lot of efforts into making ad banners that look legitimate and actually promote real products or services. We should also note that the use of SSL to encrypt web traffic is getting more and more common in the fraudulent ad business and that only makes tracking bad actors more difficult. We have alerted both the publisher (Realtor .com) and the ad serving technology platform (AdSpirit) about this attack and the latter has already taken action to disable the malicious creative... the Bedep Trojan (ad fraud, ransomware) via the Angler exploit kit."
___

Fake 'Dislike' Facebook scam ...
- http://www.theregister.co.uk/2015/09/22/facebook_dislike_survey_scam/
22 Sep 2015 - "Survey scammers have already capitalised on Facebook's tentative plans to develop a 'Dislike' button... no such app is yet available and the offers are a scam, designed to hoodwink people into filling in pointless online surveys or buying into get-rich-quick schemes. Survey scams are a well-worn short con on the internet that, at best, waste surfers' time while yielding nothing in return. Victims are not infrequently tricked into disclosing their mobile numbers through survey scams and are subsequently signed up to premium rate services. Either ruse might also be used to coax marks into handing over Facebook login credentials. More details on the resurgence of Facebook Dislike -scams- can be found in a blog post by security industry veteran Graham Cluley here*, and on Sophos's Naked Security blog here**."
* https://grahamcluley.com/2015/09/right-cue-come-facebook-dislike-button-scams/

** https://nakedsecurity.sophos.com/2015/09/21/guess-what-facebook-dislike-scams-are-back/
___

Fake 'Grand Theft Auto online' scams ...
- https://blog.malwarebytes.org/fraud-scam/2015/09/gta-5-money-generator-scams-theyre-wheelie-bad/
Sep 22, 2015 - "Grand Theft Auto online is still as popular as ever, with new content being released soon and everybody ramping up their “Must play it now” levels to the max. Money makes the online GTA world go round, and you certainly need a lot of it to progress. With that in mind, you might want to avoid the following sites claiming to offer up ridiculous amounts of money via a few “simple steps”. First out of the gate, we have
gta5moneyserver(dot)com
... which has an amazing line in -faked- videogame site news pieces about their awesome money grabbing technique. Totally can’t see the Photoshop, guys:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney1.jpg
...
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney2.jpg
... The focus of this one is what they’ve chosen to call “Genius Theft Auto”, where you enter your Username into the box and a pile of money awaits (or something):
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney3.jpg
... Elsewhere, we have
gta5moneyhackonline(dot)com
... which doesn’t beat about the bush, dispensing with pretty much everything other than a box asking for your info, desired money amount and a -survey- pop immediately after hitting the generate button... it’s a safe bet that every single “Money Generator” website you visit will end in little more than -spamming- a website to your friends, lots of -surveys- and the occasional download:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/gtamoney8.jpg
... you’ll likely see a burst of activity on the GTA fakeout front, so steer clear of the following:
Money generators
Free DLC generators
Rank improvement
Account unbanning
“DNS codes“
Follow these steps, and you won’t get caught up in a 'Grand Theft Internet'."

gta5moneyserver(dot)com: 104.152.168.16: https://www.virustotal.com/en/ip-address/104.152.168.16/information/

gta5moneyhackonline(dot)com: 162.255.118.48: https://www.virustotal.com/en/ip-address/162.255.118.48/information/
___

Fake 'Worldpay' SPAM - xls malware
- http://myonlinesecurity.co.uk/premi...for-merchant-82682006-fake-xls-excel-malware/
21 Sep 2015 - "An email with the subject of 'Premium Charging MI Package for Merchant 82682006' pretending to come from GEMS@ Worldpay .com with a zip attachment is another one from the current bot runs... The content of the email says :
*** Please do not reply to this Message *** Attached is the Management
Information to support your Monthly Invoice. Should you have any queries,
please refer to your usual helpdesk number.
This e-mail and any attachments are confidential, intended only for the
addressee and may be privileged. If you have received this e-mail in error,
please notify the sender immediately and delete it. Any content that does
not relate to the business of Worldpay is personal to the sender and not
authorised or endorsed by Worldpay. Worldpay does not accept responsibility
for viruses or any loss or damage arising from transmission or access.
Worldpay (UK) Limited (Company No: 58544680/ Financial Conduct Authority
No: 42068), Worldpay Limited (Company No:03424752 / Financial Conduct
Authority No: 640149), Worldpay AP Limited (Company No: 82351023 ...


21 September 2015: 82682006.zip: Extracts to: 70346783.scr
Current Virus total detections 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Xls Excel file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...e76b0506dcfe32c42a84dec1/analysis/1442846468/

Fake 'NDISPlan', 'Bankline ROI' SPAM, 'DHL Courier' Phish

FYI...

Fake 'NDISPlan' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ndisplan-fake-pdf-malware/
23 Sep 2015 - "An email with the subject of 'NDISPlan' pretending to come from random names @ndis .gov.au <filepoint@ dss .gov.au> with a zip attachment is another one from the current bot runs... The content of the email says:
You have received 1 secure file from Edgar.Townsend@ ndis .gov.au.
Use the secure link below to download.
Hi Loik, As requested, please find attached a copy of Shelby’s plan. Cheers, Edgar
Secure File Downloads:
Available until: 16 October 2015
Click link to download:
Shelby-MyNDISPlan.zip
681.07 KB, Fingerprint: 3F540085E625C8C2E5EB84A6B060E403 (What is this?)
You have received secure links within this email sent via filepoint.dss .gov.au. To retrieve the files, please click on the links above.
The link is to https ://www.sugarsync .com/pf/D8992504_764_6670557430?directDownload=true and not any gov.au site


23 September 2015: Shelby-MyNDISPlan.zip: Extracts to: Shelby-MyNDISPlan.scr
Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...eaa9787b17573eb152692ba5/analysis/1442985111/

sugarsync .com: 74.201.86.21: https://www.virustotal.com/en/ip-address/74.201.86.21/information/
___

Fake 'Bankline ROI' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-bankline-roi-password-re.html
23 Sep 2015 - "This -fake- banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:
From "RBS" [secure.message@ rbs .co.uk]
Date Wed, 23 Sep 2015 11:28:48 GMT
Subject Bankline ROI - Password Re-activation Form
Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3. A signatory on the bank mandate must sign the form.
Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk
On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.
Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered.
Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different
details.
If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.
If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.
Regards
Bankline Product Support ...


In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious executable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56*. The Hybrid Analysis report** shows behaviour consistent with Upatre/Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend -blocking- or monitoring."
* https://www.virustotal.com/en/file/...15316c668b1c91f703d87ad1/analysis/1443010402/

** https://www.hybrid-analysis.com/sam...f25d815316c668b1c91f703d87ad1?environmentId=1
___

'DHL Courier' - Phish ...
- http://blog.dynamoo.com/2015/09/phish-shipment-label-dhl-courier.html
23 Sep 2015 - "This DHL-themed spam is actually a phishing email:
From: DHL Courier Services [roger@community .mile .org]
To:
Date: 23 September 2015 at 11:15
Subject: SHIPMENT LABEL
Signed by: community. mile.org
Dear customer,
Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.
The mailing label is attached in this email. Please print and show at the nearest DHL office to receive the shipment.
Thank you for using DHL services...


Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report*):
> https://4.bp.blogspot.com/-dIqTVhvNLlI/VgKhYr-6ByI/AAAAAAAAHDw/gz2xk6GXVPk/s1600/dhl5.png
If the potential victim clicks "Click here" then they are directed to ow .ly/Sq9to and from there to a phishing page at br1-update .be/wg/lhd.php on 64.20.51.22 (Inetserver Inc, US) which belongs to a netblock 64.20.51.16/29 which -also- looks highly suspect:
> https://1.bp.blogspot.com/-mNlcOztRLbE/VgKjULTyCCI/AAAAAAAAHD8/osQ1Y-sftp0/s1600/dhl6.png
The phishing page itself is a complex script which is Base 64 encoded, then hex encoded... which is presumably phishing for email accounts. The spam itself appears to have been sent from a -compromised- webmail account at community .mile.org . For the moment, I would suggest that the entire 64.20.51.16/29 range is malicious and should be -blocked-."
* https://www.hybrid-analysis.com/sam...1eaa12de72c9a0836dc7232db8e25?environmentId=1

br1-update .be: 64.20.51.22: https://www.virustotal.com/en/ip-address/64.20.51.22/information/

:fear::fear: :mad:
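The write-ups above keep coming back to the same two tricks: a zip whose member is a .scr/.exe/.js carrying a document icon (and often a decoy ".pdf." or ".doc." in the name so Explorer hides the real suffix), and a clean-looking PDF whose only payload is a hyperlink. The script below is an added example, not code from this thread or from myonlinesecurity/dynamoo: it triages an attachment the way a mail gateway or analyst would before anyone double-clicks it, by dispatching on file content rather than name, flagging executable and double extensions, checking zip members for an MZ header, and listing /URI link targets in a PDF. The zip and PDF samples are constructed stand-ins that reuse names and the ow.ly link from the posts; the extension sets are my own choice.

```python
"""Triage a mail attachment before anyone double-clicks it: unpack zips and
look for executables hiding behind document-like names, and list the link
targets inside a PDF."""
import io
import re
import zipfile

# Extensions Windows executes directly. A .scr screensaver is an ordinary PE
# binary under another suffix, which is why several samples above use it.
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
                   "bat", "cmd", "com", "pif"}
# Suffixes placed just before the real one so that Explorer, with "hide
# extensions for known file types" on, shows e.g. "notice.pdf".
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# /URI (...) link actions in uncompressed PDF objects; handles \) escapes.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _suffixes(name):
    """'Doc_1 .pdf.zip' -> ['pdf', 'zip']; a name without a dot -> []."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def check_name(name):
    """Findings for a file name that masquerades as a document."""
    findings = []
    sfx = _suffixes(name)
    if sfx and sfx[-1] in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension .{sfx[-1]}")
    if len(sfx) >= 2 and sfx[-2] in DECOY_EXTS:
        findings.append(f"{name}: double extension, shows as .{sfx[-2]} "
                        "when known extensions are hidden")
    return findings


def triage_zip(name, data):
    findings = check_name(name)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings += check_name(info.filename)
            with zf.open(info) as member:
                magic = member.read(2)
            # Icon spoofing changes the picture, not the MZ header.
            if magic == b"MZ":
                findings.append(f"{info.filename}: PE (MZ) header, "
                                f"{info.file_size} bytes")
    return findings


def triage_pdf(name, data):
    """Link targets from a PDF. Only links in uncompressed objects are
    visible this way; object streams need a real parser (pdf-parser.py)."""
    findings = check_name(name)
    if not data.startswith(b"%PDF"):
        findings.append(f"{name}: no %PDF header, not a PDF at all")
    for m in PDF_URI_RE.finditer(data):
        findings.append(f"{name}: link -> {m.group(1).decode('latin-1')}")
    return findings


def triage(name, data):
    """Dispatch on content, not on the name the attacker chose."""
    if data[:2] == b"PK":
        return triage_zip(name, data)
    return triage_pdf(name, data)


# ---- constructed samples (stand-ins, not the real attachments) ----

def sample_zip():
    """A zip named like the malspam, holding a fake PE stub called .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'MZ' plus padding stands in for a real Upatre downloader
        zf.writestr("Shelby-MyNDISPlan.scr", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (http://ow.ly/Sq9to) >> >> endobj\n"
              b"%%EOF\n")

if __name__ == "__main__":
    samples = [("Doc_320762_Federal Fiscal evasion notification .pdf.zip",
                sample_zip()),
               ("shipmentt_label.pdf", SAMPLE_PDF)]
    for name, data in samples:
        for finding in triage(name, data):
            print(finding)
```

The MZ check is the one that matters at a gateway: renaming or re-iconing a binary does not change its first two bytes. The PDF regex is deliberately a first-pass check only; a PDF that stores its annotations in compressed object streams will show no links here and needs a proper parser.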
 
Evil network: 64.20.51.16/29, Fake 'Federal Fiscal evasion' SPAM

FYI...

Evil network: 64.20.51.16/29 ...
- http://blog.dynamoo.com/2015/09/evil-network-6420511629-interserver-inc.html
24 Sep 2015 - "This DHL-themed phish* got me looking at an IP address range of 64.20.51.16/29 which is a range belonging to Interserver Inc in the US, but which has been -reallocated- to a customer... the WHOIS details for that block are not valid..
* http://blog.dynamoo.com/2015/09/phish-shipment-label-dhl-courier.html
... an analysis of the sites currently and formerly hosted in that range indicate a very high proportion of -phishing- sites.. in fact, the range is a hotbed of sophisticated fraud sites, many of which seem to be undiscovered. I combined current reverse IP data from DomainTools and current and historical data from DNSDB and then ran them through an IP lookup and a check against the Google Safe Browsing... a very large number of sites -flagged- by SURBL in particular, amounting to 47 out of 167 sites (i.e. 28%) that I can identify as being currently hosted in that range. In addition, a large number of phishing and other malicious sites have been hosted on 64.20.51.16/29 in the past and are now hosted elsewhere...
Conclusion: I really just skimmed the surface with my analysis here, but it is clear that the 64.20.51.16/29 block is being used almost exclusively for fraud. Moreover, the fraud is extremely sophisticated involving things like -fake- business registries and couriers. It is also clear that the Pakistani web hosts apparently providing these services have been doing so for some time.
Recommended blocklist:
64.20.51.16/29
76.73.85.136/29
185.24.233.16
"
(Much more detail at the dynamoo URL at the top of this post.)
___

Fake 'Federal Fiscal evasion' SPAM - PDF malware
- http://myonlinesecurity.co.uk/federal-fiscal-evasion-notification-fake-pdf-malware/
24 Sep 2015 - "An email with the subject of 'Federal Fiscal evasion notification' pretending to come from random email addresses at random companies with a zip attachment is another one from the current bot runs... The content of the email says:
Hi
Last Monday our colleagues were delivered final notice letter of tax authority.
They are accusing You of tax avoidance that is considered a federal crime and might lead to considerable fines.
In the attachment kindly see scan-copy of above official notice.
You are highly asked inspect the enclosure very carefully so as to argue to the contrary later.
According to our executive management’s information the appointment with Internal Revenue authorities is to be confirmed this week.
We strictly advise You to be prepared for upcoming deposition because serious charges are brought against You.
Right after getting Your approval specialists will commence filling required form-sheets.
Katherine Dowson Senior Associate


Other subjects in this malspam run include:
Federal levy avoidance prosecution
Federal levy avoidance indictment
State Fiscal evasion charges
Federal levy avoidance conviction
Federal Fiscal dodging notification
...
24 September 2015: Doc_320762_Federal Fiscal evasion notification .pdf.zip:
Extracts to: timber carrier dive gamma.exe - Current Virus total detections 5/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...569b6c2d9cd66b7ebb0b62df/analysis/1443113149/
___

Apple tackles XcodeGhost by removing apps, alerting devs and users
- http://net-security.org/malware_news.php?id=3111
24.09.2015 - "The XcodeGhost incident has demonstrated that however secure a system is thought to be, there's always a way in. It also shows how the very human tendency of trying to simplify and hasten the execution of a task can lead to decreased security. Apple has expanded on its initial comment about the malware and its proliferation in the App Store, and has explained that they have removed the infected apps from the store and that they are blocking submissions of new apps that contain the malware. They listed* the top 25 most popular apps impacted, among which is the popular messaging app WeChat, and noted that "after the top 25 impacted apps, the number of impacted users drops significantly."
Users are advised to update those apps as soon as possible (once they are available on the App Store once again). Uninstalling the affected apps until that time is also a good idea, although the company says that the found malware was only capable of harvesting some general information about the apps and the OS... This incident might ultimately prove very beneficial for both Apple and app developers. As noted above, the former has already decided to do something about the downloading difficulties developers outside the US are facing..."
* https://www.apple.com/cn/xcodeghost/#english

:fear::fear: :mad:
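Two posts above end in concrete network indicators: dynamoo's recommended blocklist for the 64.20.51.16/29 fraud range (plus 76.73.85.136/29 and 185.24.233.16) and the Upatre/Dyre call-home address 197.149.90.166 that he suggests blocking or monitoring. The script below is an added example, not from this thread or from dynamoo, showing how a practitioner turns such a list into something actionable: CIDRs and bare addresses are normalised into one set of networks, outbound firewall log lines are checked against it, the internal hosts that need a look are listed, and matching iptables rules are generated. The log lines are constructed netfilter-style records, not from any real system; the field names SRC/DST/DPT follow the netfilter LOG target format.

```python
"""Check outbound firewall log lines against the IP/CIDR blocklist given in
the posts above and emit the matching firewall rules."""
import ipaddress
import re

# Indicators as published on this page: dynamoo's blocklist for the
# 64.20.51.16/29 fraud range and the Upatre/Dyre address from the Bankline post.
BLOCKLIST = ["64.20.51.16/29", "76.73.85.136/29", "185.24.233.16",
             "197.149.90.166"]

# Constructed netfilter-style log lines (not from any real system).
SAMPLE_LOG = """\
Sep 23 11:30:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=197.149.90.166 PROTO=TCP SPT=49211 DPT=443
Sep 23 11:30:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=49212 DPT=80
Sep 23 11:31:10 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=64.20.51.22 PROTO=TCP SPT=51004 DPT=80
Sep 23 11:31:11 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=64.20.51.24 PROTO=TCP SPT=51005 DPT=80
Sep 23 11:32:45 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.31 DST=76.73.85.140 PROTO=TCP SPT=53321 DPT=443
"""

FIELD_RE = re.compile(r"\b(SRC|DST|DPT)=(\S+)")


def compile_blocklist(entries):
    """Bare addresses become /32 networks so one containment test serves
    both kinds of entry; strict=False tolerates host bits set in a CIDR."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matches(ip, nets):
    """Networks in `nets` that contain `ip` (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in n]


def scan_log(text, nets):
    """(src, dst, dport, matched_network) for every line hitting the list."""
    hits = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "DST" not in fields:
            continue
        for net in matches(fields["DST"], nets):
            hits.append((fields.get("SRC"), fields["DST"],
                         int(fields.get("DPT", 0)), str(net)))
    return hits


def hosts_to_investigate(hits):
    """Internal sources that talked to a listed address, deduplicated."""
    return sorted({src for src, _, _, _ in hits})


def iptables_rules(nets):
    """Log, then drop, outbound traffic to each listed network."""
    log = [f"iptables -A OUTPUT -d {n.with_prefixlen} -j LOG "
           f"--log-prefix 'BLOCKLIST '" for n in nets]
    drop = [f"iptables -A OUTPUT -d {n.with_prefixlen} -j DROP" for n in nets]
    return log + drop


if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST)
    hits = scan_log(SAMPLE_LOG, nets)
    for hit in hits:
        print("HIT", hit)
    print("investigate:", hosts_to_investigate(hits))
    print("\n".join(iptables_rules(nets)))
```

Note the boundary case in the sample: 64.20.51.22 is inside 64.20.51.16/29 (.16 to .23) and is flagged, while 64.20.51.24 is the next block and is not. A host that beaconed to 197.149.90.166 should be treated as an Upatre/Dyre infection candidate and pulled for analysis, not just firewalled.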
 
Fake 'Cancellation', 'Post Office emails' SPAM, Fake Avast scanner

FYI...

Fake 'Cancellation' SPAM – PDF malware
- http://myonlinesecurity.co.uk/cancellation-of-your-last-transaction-fake-pdf-malware/
25 Sep 2015 - "Another series of emails delivering Upatre downloaders with the subject of 'Cancellation of your last transaction' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :

Unfortunately your remittance transfer was cancelled. Please verify your transaction details. Full info attached.

Other subjects in this malspam run include:
Cancellation of transaction
Suspension transaction
Invaild data in your transaction
Suspension your transaction
Blocking transaction
Problems with your last transaction
...
25 September 2015: Doc_26638351_Cancellation of your last transaction .pdf.zip
Extracts to: mgt emblem abreact.exe - Current Virus total detections 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b9654324222fafa6225c3b57/analysis/1443176862/
___

Fake online -Avast- scanner
- https://blog.malwarebytes.org/social-engineering/2015/09/fake-online-avast-scanner/
Sep 25, 2015 - "... we came across a -fake- online scanner that abuses the good name of Avast. The idea to get you to visit this site is by waiting for someone to make a typo and end up at facebooksecuryti(dot)com; The site shows a picture of a pornographic nature just long enough to -redirect- you to the fake online scanner at avast(dot)services:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/site.png
The scanner page looks a bit like Jotti’s malware scan, and they have quite a few logos in common:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/jotti.png
The -fake- scanner will end up showing you that there is only one antivirus that can find a problem which is... you guessed it, avast! A bit predictable given the name and the logo of the site. This is where we hope that our readers would get very suspicious. A security software company offering to scan your computer using the scanning engines of competitors would be strange enough, but I’m sure if anyone did they would make it a fair competition and not declare themselves the one and only solution every time:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/prompt.png
It immediately offers you the options to “Install” or “Save” the file Avast.exe which is obviously -not- the installer for the actual Avast antivirus software. What the installer really does is drop an information stealing Trojan in several places on the victims system and point to them from two startup locations. One is a Run key for the current user pointing to a file in a temporary “System Restore” folder... This type of Trojan can be used to gather information on the victims’ computer and encrypt it. The encrypted information will be sent to the operator, who can determine which kind of information will be gathered from the compromised system... The files involved are detected as Trojan.InfoStealer.Generic and Stolen.Data. Thanks to our friend at hpHosts* for the tip."
* http://www.hosts-file.net/

avast(dot)services: 160.153.16.36: https://www.virustotal.com/en/ip-address/160.153.16.36/information/

> https://www.virustotal.com/en/url/2...e73e9521d63181e81122d380b7c649a036a/analysis/
2015-09-25
7/65
___

Scandinavian users hit with -fake- post office emails, ransomware
- http://net-security.org/malware_news.php?id=3112
25.09.2015 - "Scandinavian PC users are the latest group to be targeted with Cryptolocker ransomware. According to Heimdal Security*, the threat comes via email. The malware peddlers are impersonating the Norwegian, Swedish and Danish postal services, and are trying to trick users into believing that there has been a failed delivery of a package. They are instructed to click-on-the-link in the email, supposedly to download the document needed to claim the package at the post office, but what they'll get is an executable. Those users who -fail- to find this suspicious and run the file will have all their files encrypted (both on the computer and on connected devices), and will be faced with a ransom message... The emails are usually written in the victim's language, and are equipped with the logos and images associated with that country's postal services (e.g. in Denmark: Post Denmark and PostNord):
> http://www.net-security.org/images/articles/denmark-25092015.jpg
The delivered malware is Cryptolocker2. When the campaign was first noticed earlier this week, the delivered malware variant had an extremely low AV detection rate - only one out of 56 AV engines used by VirusTotal** flagged it as malware. Three days later, the numbers are better (34 out of 55), but the danger is still present. Anyone can fall for this type of scheme, although it has been most successful with home users and employees of small-to-medium size businesses. Users of all kinds should educate themselves about the danger, and first and foremost should stop clicking-on-links contained in emails whose senders they haven't verified..."
* https://heimdalsecurity.com/blog/se...cryptolocker-as-a-package-campaign-continues/

** https://www.virustotal.com/en/file/...40b7f63d857afa7f9267c73a/analysis/1442488273/

dshome .ru: 37.140.192.89: https://www.virustotal.com/en/ip-address/37.140.192.89/information/
___

Cisco releases tool for detecting malicious router implants
- http://net-security.org/malware_news.php?id=3114
25.09.2015 - "Cisco Systems has provided a tool* that allows -enterprise- users to scan their networks and discover if their routers have been compromised with malicious SYNful Knock implants:
* http://talosintel.com/scanner/
... If a compromised router is found, the scanner will provide instructions on what to do next. Users can also contact the Cisco Product Security Incident Response Team (PSIRT) for help. The SYNful Knock router implant was first discovered by FireEye researchers, and other researchers have found instances of compromised routers around the world. The discovery came roughly a month after Cisco warned about attackers replacing the Cisco IOS ROMMON (IOS bootstrap) with a -malicious- ROMMON image, after gaining administrative or physical access to a Cisco IOS device. These compromises are not the result of the exploitation of a vulnerability, but of a legitimate feature that allows network admins to install an upgraded ROMMON image on IOS devices for their own purposes. For more technical details and tool caveats, check out McVey's blog post**."
** http://blogs.cisco.com/security/talos/synful-scanner
Sep 23, 2015 - "... We updated the tool to version 1.0.1."

:fear::fear: :mad:
 
Fake 'toll road payment', 'latest proposal' SPAM, Malvertising

FYI...

Fake 'toll road payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/unsettled-toll-road-payment-reminder-fake-pdf-malware/
28 Sep 2015 - "Another load of emails from the Upatre downloaders with the subject of 'Unsettled toll road payment reminder' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says:
Good day!
Your toll road ticket #2515380112 is still unsettled. Please make a remittance to avoid additional fees within 12 days.
The copy of ticket is attached to this e-mail.


Other subjects in today’s malspam run include:
Turnpike road invoice reminder
Outstanding turnpike invoice message
Outstanding turnpike payment email reminder
Oustanding toll road ticket notification
Oustanding toll road payment notification
Unsettled toll road bill notice
Turnpike road bill reminder
Toll road bill notice
Toll road payment message
Turnpike road ticket notification


28 September 2015: Doc_9911815_Unsettled toll road payment reminder .pdf.zip:
Extracts to: copious strumpet kernel mode.exe
Current Virus total detections 3/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...6d2dbccf325e4655d4fb08df/analysis/1443433322/

Similar: https://isc.sans.edu/diary.html?storyid=20191
2015-09-28
Screenshot: https://isc.sans.edu/diaryimages/images/Screen Shot 2015-09-28 at 6_25_33 AM.png
[1] https://www.virustotal.com/en/file/...dd1d486e1c3682083b5f61f8/analysis/1443436044/
4/55
___

Fake 'latest proposal' SPAM – PDF malware
- http://myonlinesecurity.co.uk/the-latest-proposal-fake-pdf-malware/
28 Sep 2015 - "Another set of emails with Upatre downloaders involve the subject of 'The latest proposal' pretending to come from random email addresses and companies with a zip attachment is another one from the current bot runs... The content of the email says :
Good day,
I’ve attached a new project and business proposal to this e-mail. I suppose it will interest you.
... This message and any attachments are confidential and intended for the named
addressee(s) only.If you have received this message in error, please notify
immediately the sender, then delete the message. Any unauthorized modification,
edition, use or dissemination is prohibited. The sender does not be liable for
this message if it has been modified, altered, falsified, infected by a virus
or even edited or disseminated without authorization...


Other subjects in this Malspam run include:
My commercial proposal
Please read my new commercial proposal
Please read my new business project
Please view my new project
New business proposal
The latest proposal of common business
...
28 September 2015: Doc_21123802_My commercial proposal .pdf.zip:
Extracts to: attendee parent bank manage to.exe
Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...58b89769a1136ef7e3b262b4/analysis/1443448919/
___

Pornhub, YouPorn - Malvertising ...
- https://blog.malwarebytes.org/malve...atest-victims-of-adult-malvertising-campaign/
Sep 28, 2015 - "The xHamster malvertising campaign we wrote about last week[1] was part of several attacks against many top adult sites. It is unclear whether this was a planned effort from threat actors but the timing is certainly strange. Over the week-end we detected -another- incident affecting Pornhub and YouPorn, some of the biggest adult websites with a combined 800 million monthly visits... Overview:
Publishers: Pornhub .com/YouPorn .com
Ad network: syndication.exoclick .com/{redacted}
Malicious code: trackitsup .com/cookiecheck.js?{redacted}
Redirection to exploit-kit: beatiful.sextubehard .pw/{redacted}
Angler Exploit Kit: knutterigemukaantulolleen.colleenmhammond .org
Rogue advertisers abused the ExoClick ad network by inserting a seemingly legitimate piece of code as an ad banner. The first documented instance of the ‘cookiecheck.js‘ campaign appears to have taken place on Sept. 19th according to this tweet from malware hunter Malekal:
> https://twitter.com/malekal_morte/status/645148983959113728
#Browlock #Ransomware at @Exoclick network...
'The ‘cookiecheck’ malvertising campaign. Rotating domain names all use the same JavaScript snippet.'
Fortunately, the malvertising on Pornhub and YouPorn did not last as long, thanks to an immediate action from both the publisher and ad network... During the past several months, high profile malvertising attacks against top adult sites have been sparse. This makes what we have seen during the past couple of weeks very unusual but also impactful given the sheer volume of traffic these sites receive. What’s more, the attack against top adult ad network TrafficHaus we documented last week[1] may have been the result of a security breach, according to a comment left on security blogger Graham Cluley’s site**. Users should make sure that their computers are fully patched and protected with several layers of security (the 3 A’s is a very effective line of defense: Anti-exploit, Antivirus, Anti-malware) in order to defeat malvertising and drive-by download attacks."
1] https://blog.malwarebytes.org/malve...alvertising-campaign-targets-top-adult-sites/
Sep 24, 2015
* https://grahamcluley.com/2015/09/xhamster-malware/
Sep 25, 2015
** https://grahamcluley.com/2015/09/xhamster-malware/#comment-49405
Sep 27, 2015 - "... 89.187.142.208..."
> https://www.virustotal.com/en/ip-address/89.187.142.208/information/

Pornhub .com: 31.192.117.132: https://www.virustotal.com/en/ip-address/31.192.117.132/information/

exoclick .com: 178.33.165.129: https://www.virustotal.com/en/ip-address/178.33.165.129/information/

trackitsup .com: 80.86.89.178: https://www.virustotal.com/en/ip-address/80.86.89.178/information/

sextubehard .pw: "A temporary error occurred during the lookup..."

colleenmhammond .org: 184.168.221.56: https://www.virustotal.com/en/ip-address/184.168.221.56/information/

:fear::fear: :mad:
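The Malwarebytes overview above lays out the malvertising chain as publisher, ad network, malicious script, redirector, exploit kit. When the same thing turns up in your own environment, the question is how to recover that chain from proxy logs and which other publishers served the same ad. The script below is an added example, not from this thread or from Malwarebytes: it walks Referer headers backwards from the exploit-kit landing URL to rebuild the chain for one client, lists every client that reached the landing host, and pivots on the ad network host to enumerate the publishers involved. The proxy records are constructed; the hostnames are the ones published in the overview, while paths, query strings, timestamps and client addresses are placeholders.

```python
"""Rebuild a malvertising redirect chain from proxy logs by walking Referer
headers backwards from the exploit-kit landing page, then pivot on the ad
network to find every publisher that served the same campaign."""
from urllib.parse import urlsplit

# Constructed proxy records (timestamp, client, url, referer). Hostnames are
# the ones in the Malwarebytes overview above; paths and query strings are
# placeholders, not the real redacted values.
SAMPLE_PROXY = [
    ("2015-09-27T14:02:10", "10.0.0.51", "http://www.pornhub.com/", "-"),
    ("2015-09-27T14:02:11", "10.0.0.51", "http://syndication.exoclick.com/ads?z=1",
     "http://www.pornhub.com/"),
    ("2015-09-27T14:02:11", "10.0.0.51", "http://trackitsup.com/cookiecheck.js?id=1",
     "http://syndication.exoclick.com/ads?z=1"),
    ("2015-09-27T14:02:12", "10.0.0.51", "http://beatiful.sextubehard.pw/go?c=1",
     "http://trackitsup.com/cookiecheck.js?id=1"),
    ("2015-09-27T14:02:13", "10.0.0.51",
     "http://knutterigemukaantulolleen.colleenmhammond.org/land/",
     "http://beatiful.sextubehard.pw/go?c=1"),
    ("2015-09-27T14:05:00", "10.0.0.77", "http://www.youporn.com/", "-"),
    ("2015-09-27T14:05:01", "10.0.0.77", "http://syndication.exoclick.com/ads?z=2",
     "http://www.youporn.com/"),
]
EK_LANDING = "http://knutterigemukaantulolleen.colleenmhammond.org/land/"


def host(url):
    return (urlsplit(url).hostname or "").lower()


def rebuild_chain(records, client, final_url):
    """Hostnames from the first-party page down to `final_url` for one
    client, following the most recent Referer seen for each URL."""
    ref_of = {}
    for _, c, url, ref in records:
        if c == client and ref != "-":
            ref_of[url] = ref
    chain, seen = [final_url], {final_url}
    while chain[-1] in ref_of and ref_of[chain[-1]] not in seen:
        chain.append(ref_of[chain[-1]])
        seen.add(chain[-1])          # guards against referer loops
    return [host(u) for u in reversed(chain)]


def clients_reaching(records, bad_host):
    """Internal clients that fetched anything from `bad_host`."""
    return sorted({c for _, c, url, _ in records if host(url) == bad_host})


def publishers_for(records, ad_host):
    """Sites whose pages loaded `ad_host`: the publishers that ran the ad."""
    return sorted({host(ref) for _, _, url, ref in records
                   if host(url) == ad_host and ref != "-"})


if __name__ == "__main__":
    print(" -> ".join(rebuild_chain(SAMPLE_PROXY, "10.0.0.51", EK_LANDING)))
    print("reached EK:", clients_reaching(SAMPLE_PROXY, host(EK_LANDING)))
    print("publishers:", publishers_for(SAMPLE_PROXY, "syndication.exoclick.com"))
```

One caveat on the method: an HTTP 302 redirect does not change the Referer the browser sends to the next hop, so a hop that is a pure redirector can be missing from a Referer-based chain. Confirm the reconstruction against response status codes and the body of the script that started the redirect (cookiecheck.js in this campaign) before treating the chain as complete.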
 
Fake 'Western Union', 'Blocked profile', 'SantanderBillpayment' SPAM, Malvertising

FYI...

Fake 'Western Union' SPAM – PDF malware
- http://myonlinesecurity.co.uk/contr...ons-online-fx-for-corporate-fake-pdf-malware/
29 Sep 2015 - "An email with the subject of 'Contract 61936417 About to Expire: Final Notice – Western Union Business Solutions Online FX for Corporate' pretending to come from Western Union via random email addresses and companies with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...olutions-Online-FX-for-Corporate-1024x779.png

29 September 2015: WU Business Contract 45827544.zip:
Extracts to: WU Business Contract 770352457.scr
Current Virus total detections 18/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...82c9aada682df20f303d8b41/analysis/1443506282/
___

Fake 'Blocked profile' SPAM – PDF malware
- http://myonlinesecurity.co.uk/block...fication-nab-bank-australia-fake-pdf-malware/
29 Sep 2015 - "An email with the subject of 'Blocked profile management notification' pretending to come from NAB Bank Australia with a zip attachment is another one from the current bot runs... The content of the email says :
Good day!
We have detected suspicious activity with Your Online-Banking profile. Please be informed that
the access and some capabilities of Your profile were restricted for security reasons. Temporarily
You cannot conduct transactions with online-banking profile. In order to obtain full management
powers You have to fill in and send back the attached form.
Please use codename for authorization (contained in the attachment).
Online-Banking profile: 8947626947780852875
Code Name: no doubt insolvent noncancerogenic
Our security department representative will contact You later to provide further instructions.
Regards,
Patrick Olsen
NAB Support Team.


29 September 2015: Bank_no doubt insolvent noncancerogenic_protection.zip:
Extracts to: whose noodle soullessness.exe
Current Virus total detections 15/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...c5a8aab27124d193aa407c38/analysis/1443507454/
___

Fake 'SantanderBillpayment' SPAM - malware attachment
- http://blog.dynamoo.com/2015/09/malware-spam-info-from.html
29 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
From "Santanderbillpayment-noreply@ SantanderBillPayment .co.uk" [Santanderbillpayment-noreply@ SantanderBillPayment .co.uk]
Date Tue, 29 Sep 2015 12:33:56 GMT
Subject Info from SantanderBillpayment .co.uk
Thank you for using BillPay. Please keep this email for your records.
The following transaction was received on 29 September 2015 at 09:11:36.
Payment type: VAT
Customer reference no: 0343884
Card type: Visa Debit
Amount: GBP 4,683.00
For more details please check attached payment slip.
Your transaction reference number for this payment is IR0343884.
Please quote this reference number in any future communication regarding this payment.
Yours sincerely,
Banking Operations ...


The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 197.149.90.166 in Nigeria which is worth -blocking- or monitoring."
___

Fake 'Attorney-client' SPAM – PDF malware
- http://myonlinesecurity.co.uk/attorney-client-agreement-fake-pdf-malware/
29 Sep 2015 - "An email with the subject of 'Attorney-client agreement' pretending to come from random names and random companies with a zip attachment is another one from the current bot runs... The content of the email says :
It went OK. The court understood that it may be that you might not have much relevant
information but he couldn’t rule as a matter of law that you had no relevant information
and did not need to appear. However he ordered the other side to make clear when they were
going to call you and provide information on that so that you are not standing around
waiting to be called. He also made it clear that I preserve my right to object to their
questions on grounds of relevance, so, you need to be available on Monday or Tuesday the
29th and 30th to appear but I will let you know as we get closer what time and day.
We will also need to prepare for your testimony the week before.
With regard to the other motions, the court ruled that they cannot present any evidence as
damages of costs incurred or the fee received while Gary Ferguson was representing the
Grover’s. That is pretty good ruling.
As to many of the other issues he simply punted them for trial, preserving our arguments
The only issue that we need to discuss is the Court’s willingness to consider their claim
for breach of contract. The court is going to allow them to assert a claim for breach of
contract. The Court indicated that it was a close call, but they have one paragraph in
their complaint suggesting a claim for breach of contract, but he limited the breach of
contract claim to their allegation that under the fee agreement you would not take any
money without paying the Grovers under your retainer agreement. That is the only breach
of contract claim. If you look at the retainer agreement attached, I don’t think it says
that (paragraph 1) . What it says is that if the case is settled, you can take your fee
and pay costs. However they are arguing that the whole case had to be settled before you
took any fee.
Even if that were the case, then you should have been able to receive the 63,665 at the end
of the case after they lost to Timpanogos (either under P&M’s agreement or your agreement.)
and they would’ve had to pay the costs. In other words, I think we have the stronger
argument here. And, if we win, we will be able to assert a claim for attorny’s fees.
But if they win, they also have that right.
However, because the court allowed them to assert this claim for breach of contract ruled
that he would allow me to conduct more limited discovery before trial if I think I needed to.
Upon first glance of the issue, I don’t think I need any additional discovery. But I wanted
to run this by you guys. Let me know your thoughts as soon as possible. He also said he
might consider bumping the trial if I tell him why I need to for this new claim. but I think
if it is limited to that issue. I don’t think ‘ll be able to convince him to bump the trial
unless I simply demand it.
I would like your thoughts.
Ana Marvin | Grady-Wintheiser | 49544 Josue Hills | Lake Kennith City, 32914
Direct: (628) 652-6347 | Facsimile: (628) 652-6347 ... vCard
This email is from a law firm and may contain privileged or confidential information.
Any unauthorized disclosure, distribution, or other use of this email and its contents
is prohibited. If you are not the intended recipient, please contact the sender and
delete this email. Thank you.


29 September 2015: View financial bargain.zip: Extracts to: Finish past due invoice.exe
Current Virus total detections 7/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7eb25e592eee921178205efb/analysis/1443537708/
___

Instagram Account preys on Trust Issues
- https://blog.malwarebytes.org/onlin...instagram-account-preys-on-your-trust-issues/
Sep 29, 2015 - "Questionable posts from random users — usually from those with a significant number of (bot) followers — are already becoming not uncommon within the photo- and video- sharing social site, Instagram. In fact, we have encountered a number of them before, with some falsely claiming to increase your follower count — an attempt we’ve seen floating around on Twitter and Facebook in the past — and with others attesting to a mass purge of accounts unless they have been verified. Recently, we’ve discovered an attempt at baiting users with the lure of catching his/her potentially cheating partner red-handed using a “trusted” service. All one needs is their target’s phone number.
Enter @INSTANTPHONELOOKUP.
Below is a mobile screenshot of the post that my test account received:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/dodgy-post.png
... whoever came up with this kind of bait has been following stories revolving around the Ashley Madison hacking incident, probably a little too closely. Anyway, the link on the profile page of @INSTANTPHONELOOKUP is a bit.ly shortened URL that points to the destination, cheaterslookup[DOT]com:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/dodgy-post-bitly.png
As of this writing, traffic to the destination has reached more than -100K- clicks since the bit.ly URL has been created last month. And this is just one of the many high-trafficked sub-pages from the same domain we’ve seen so far:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/bitly-destination-traffic.png
Clicking the shortened link points to try[DOT]textspy[DOT]us, wherein one is asked to enter their target’s mobile number. Once done, he/she sees a series of pages that were created to make him/her believe that the site is scanning for data related to the number. The final destination is an advertorial piece written on instantcheckmate[DOT]com... Users of Malwarebytes Anti-Malware are already protected from accessing cheaterslookup[DOT]com, including other sites such as the following that are found to be similar or related to it:
caughtcheating[DOT]co
spytext[DOT]us
textingspy[DOT]com
textspy[DOT]us

Although it’s tempting to try out such services either out of curiosity or for the fun of it, it’s still best to -avoid- shenanigans such as these. Your wallet and perhaps your partner will thank you for it."

caughtcheating[DOT]co: 192.64.119.193: https://www.virustotal.com/en/ip-address/192.64.119.193/information/
spytext[DOT]us: 162.255.119.144: https://www.virustotal.com/en/ip-address/162.255.119.144/information/
textingspy[DOT]com: 160.153.47.40: https://www.virustotal.com/en/ip-address/160.153.47.40/information/
textspy[DOT]us: 162.255.118.48: https://www.virustotal.com/en/ip-address/162.255.118.48/information/
instantcheckmate[DOT]com:
141.101.113.31: https://www.virustotal.com/en/ip-address/141.101.113.31/information/
190.93.242.31: https://www.virustotal.com/en/ip-address/190.93.242.31/information/
141.101.123.31: https://www.virustotal.com/en/ip-address/141.101.123.31/information/
190.93.241.31: https://www.virustotal.com/en/ip-address/190.93.241.31/information/
190.93.240.31: https://www.virustotal.com/en/ip-address/190.93.240.31/information/
cheaterslookup[DOT]com: 192.163.198.92: https://www.virustotal.com/en/ip-address/192.163.198.92/information/
___

Scam Texts 'Phish' for Banking Info
- https://www.bbb.org/blog/2015/09/scam-texts-phish-for-banking-info/
Sep 29, 2015 - "Watch out for this text message scam. Con artists are trying to fool users into sharing personal information by sending text messages that look like alerts from banks.
How the Scam Works:
You receive a text message that appears to be from a bank. It’s prompting you to update your profile and provides a link to a website. The link may even have the bank’s name as -part- of the domain...
If you click on the URL, you will be taken to a form that looks-like part of the bank’s website. The page will prompt to “confirm” your identity by entering your name, user ID, password and/or bank account number.
Don’t do it! Sharing this information puts you at-risk for identity theft.
Protect yourself from text message scams.
> Just hit delete! -Ignore- instructions to confirm your phone number or visit-a-link. Some scam texts instruct you to text “STOP” or “NO” to prevent future texts. But this is a common ploy by scammers to confirm they have a real, active phone number.
> Read your phone bill. Check your phone bill for services you haven’t ordered. Some charges may appear only once, but others might be monthly 'subscriptions'..."
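
The "bank's name as part of the domain" lure above is easy to check mechanically. The following is an added Python example (not from the BBB article) that pulls links out of a text message and flags any URL where a known bank name appears somewhere in the link while the registrable domain is not one the bank actually uses; the bank name, the allowlisted hosts, the tiny suffix table and the sample message are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts the (hypothetical) bank really uses for online banking.
KNOWN_BANK_DOMAINS = {
    "examplebank": {"examplebank.com", "online.examplebank.com"},
}

# Tiny constructed stand-in for the public suffix list, enough for the sample inputs.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

URL_RE = re.compile(r"(?:https?://)?[a-z0-9@.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'login.example.co.uk' -> 'example.co.uk'; 'a.b.example.net' -> 'example.net'."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'legitimate', 'brand-spoof' or 'unrelated' for a link found in an SMS."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    base = registrable_domain(host)
    flat = url.lower().replace("-", "")  # so 'example-bank' still matches the brand name
    for brand, allowed in KNOWN_BANK_DOMAINS.items():
        if host in allowed or base in allowed:
            return "legitimate"
        # Brand name present anywhere in the URL (subdomain, userinfo before '@',
        # path, or a different registrable domain) while the host is not the bank's.
        if brand in flat:
            return "brand-spoof"
    return "unrelated"


def triage_message(text: str) -> list:
    """Extract every link from a text message and classify it."""
    return [(m.group(0), classify_link(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed sample message in the style described above (not a real bank or domain).
SAMPLE_SMS = ("ExampleBank alert: your profile needs updating. Confirm at "
              "http://examplebank.com.secure-update.net/confirm or reply STOP")

if __name__ == "__main__":
    for link, verdict in triage_message(SAMPLE_SMS):
        print(verdict, link)
```

A real deployment would replace the two constructed tables with the bank's published hostnames and the full public suffix list; the verdict logic itself is unchanged.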
___

Malvertising Via Google AdWords - Fake BSOD
- https://blog.malwarebytes.org/fraud-scam/2015/09/malvertising-via-google-adwords-leads-to-fake-bsod/
Sep 28, 2015 - "... fraudulent businesses also use online advertising as a way to reel in potential victims. This is nothing new and we have seen many examples of targeted keywords on search engine results before. Many times these rogue advertisers will abuse legitimate brands to trick people and provide services on behalf of these companies. Beyond copyright infringement laws, there is also the almost always present social engineering aspect that follows, to con people into spending hundreds of dollars for no good reason. And then you have advertisers that aren’t shy about doing their dirty deed at all. Take for example this recent campaign we spotted on AdWords, Google’s largest online advertising service:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/youtube_search.png
Here the crooks bid on the “youtube” keyword and got their ads displayed way at the top, before the organic search results. What’s interesting in this case is that the supposed destination URL is the actual YouTube.com site itself, and even placing the mouse over the ad shows a link to a YouTube channel. This really makes it look like a click-on-the-link would take you directly to YouTube but unfortunately that was not the case:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/flow2.png
Clicking on either one of the ads leads to a scary and convincing looking web page with the infamous Blue Screen of Death. The BSOD is a popular theme as of late and an effective way to display -bogus- but legitimate error codes that would trouble many internet users. As with most similar -scam- pages, users are instructed to call a toll-free ‘helpline’ to resolve their computer issues. This is no help line at all however; con artists are waiting for victims to phone in so that they can further scare them into purchasing expensive – and unnecessary – support packages. Innocent and unsavvy computer users will be defrauded from anywhere between $199 to $599. However, many online crooks don’t stop here, often committing identity theft and trying to empty out their victims’ bank accounts:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/BSODandpopup.png
The actors behind this particular malvertising attack had registered (at least) two domains to perform the illicit redirection from the Google advert to the BSOD page... Both of these domains are hosted on IP address 166.62.28.107 where the rest of the -fraudulent- sites also reside... We reported this campaign to Google and the bogus ads were pulled right away. The best defense against tech support scams (in all their forms) is awareness. For more information on this topic, please check out our help page*."
* https://blog.malwarebytes.org/tech-support-scams/

166.62.28.107: https://www.virustotal.com/en/ip-address/166.62.28.107/information/
___

Compromised WordPress Campaign - Spyware Edition
- http://research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html
Sep 25, 2015 - "... started investigating multiple WordPress related security events earlier this month and came across a -new- widespread compromised WordPress campaign leading to the download of unwanted applications. This has been briefly covered by dynamoo* and has been reported by some users on official WordPress forums**...
* http://blog.dynamoo.com/2015/09/tainted-network-kfciilluminationescomsn.html
...
** https://wordpress.org/support/topic/virus-not-found-in-wordfence
During our research, we discovered that this campaign started in the first week of August, 2015 and has been fairly active since then resulting in over 20,000 security events to date from over 2,000 web pages. The majority of the WordPress sites affected by this campaign -are- running the latest version 4.3.1 but the compromise could have occurred -prior- to the update... The infection starts when a user visits a compromised WordPress site. The compromised pages will have injected JavaScript... Although the target domains varied across the transactions that we saw, the associated server IP address has remained the same... The IP Address 91.226.33.54 associated with these domains is hosted in Latvia through a VPS hosting provider... In one of the cases, we observed the user is prompted to update the Flash Player as seen below:
> https://4.bp.blogspot.com/-GCAJIizxulc/VgQXxjFc8qI/AAAAAAAAASA/qqnQ6OVYElc/s1600/1.png
The page prompts the user to update or install a new flash player update. Regardless of the option the user selects, a -fake- Adobe Flash Player application is downloaded...
> https://3.bp.blogspot.com/-UpnA1hfbfSo/VgQXx6BOw5I/AAAAAAAAASI/4E96GKYaibs/s1600/2.png
... Conclusion: WordPress, being one of the most popular Content Management Systems & Blogging platform, remains an attractive target for cybercriminals. Unlike previous campaigns involving Malware Authors and Exploit Kit operators, the end payload getting served in this campaign involves spyware and potentially unwanted applications. These applications may seem innocuous but can facilitate malvertising based attacks through unsolicited advertisements..."

91.226.33.54: https://www.virustotal.com/en/ip-address/91.226.33.54/information/
2015-09-29

:fear::fear: :mad: