Fake 'Payment Summary', 'Optus agreement', 'ein Foto', 'SWIFT transfer' SPAM
FYI...
Fake 'Payment Summary' SPAM – PDF malware
- http://myonlinesecurity.co.uk/payme...e-for-201415-financial-year-fake-pdf-malware/
30 Sep 2015 - "An email with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' pretending to come from payslip@ hss.health.nsw. gov.au with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached a copy of your 2014/15 Payment Summary (Group Certificate).
Note: You will receive a separate payment summary for each Health Agency you worked for during the 2014/15 financial year. Payment Summaries are also available in Employee Self Service.
Further information, including fact sheets ...
For taxation advice and information, visit ...
Thank you,
Recruitment and Employee Transactional Services
HealthShare NSW ...
30 September 2015: PAYG-EoY-2014-15-77015286-008001475.zip:
Extracts to: PAYG-EoY-2014-15-77015286-008001475.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...d84546a712d9241b6b4662e2/analysis/1443589224/
___
Fake 'Optus agreement' SPAM – PDF malware
- http://myonlinesecurity.co.uk/completed-optus-agreement-no-rdre-211363-fake-pdf-malware/
30 Sep 2015 - "An email with the subject of 'Completed: Optus agreement no RDRE-211363' pretending to come from DocuSign via DocuSign <dse_eu8@ docusign .net> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Completed-Optus-agreement-1024x647.png
30 September 2015: Optus agreement no RDRE-211363.zip:
Extracts to: Optus agreement no CDDO-248440.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...80e08c74b547e4b913ba74d3/analysis/1443586066/
___
Fake 'ein Foto' SPAM – jpg malware
- http://myonlinesecurity.co.uk/ein-foto-fake-jpg-malware/
30 Sep 2015 - "An email with the subject of 'ein Foto' pretending to come from Z@ t-mobile .de with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/ein-photo-1024x521.png
30 September 2015: 77895767_IMG ‘jpeg’.zip:
Extracts to: 77266374_IMG ‘jpeg’.JPEG.exe
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper JPG (Image) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9d108fb21a44caa67dd03b0d/analysis/1443597445/
___
Fake 'SWIFT transfer' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-fw-incoming-swift-clyde.html
30 Sep 2015 - "This -fake- banking email comes with a malicious attachment:
From "Clyde Medina" [Clyde.Medina@ swift .com]
Date Wed, 30 Sep 2015 12:35:56 GMT
Subject FW : Incoming SWIFT
We have received this documents from your bank regarding an incoming SWIFT transfer.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.
Attached is a file SWIFT_transfer.zip which contains a malicious executable SWIFT_transfer.scr which currently has a detection rate of 2/56*. Automated analysis is pending, although the payload is almost definitely Upatre/Dyre..."
* https://www.virustotal.com/en/file/...65f74cf662e60da779896e11/analysis/1443616096/
UPDATE: "The Hybrid Analysis report** shows Upatre/Dyre activity, including the malware phoning home to a familiar IP address of 197.149.90.166 in Nigeria which I recommend you -block- or monitor."
** https://www.hybrid-analysis.com/sam...d75ce65f74cf662e60da779896e11?environmentId=2
197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
2015-09-30
___
Optus DocuSign Spam
- http://threattrack.tumblr.com/post/130196981088/optus-docusign-spam
Sep 30, 2015 - "Subjects Seen
Completed: Optus agreement no AELT-773123
Typical e-mail details:
Carole Dean,
All parties have completed the envelope ‘Optus agreement no AELT-773123’.
Please find attached the signed agreement.
Malicious File Name and MD5:
Optus agreement no CDDO-248440.scr (ADCAED61174AF9FA4C1DB3F27A767316)
Screenshot: https://41.media.tumblr.com/fce5190eff6e1733726d81f67aa793d3/tumblr_inline_nvhoy953JK1r6pupn_500.png
Tagged: Optus, DocuSign, Upatre
___
ATM Skimmer Gang -firebombed- A/V Firm
- http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus-firm/
Sep 29, 2015 - "... cybercime spills over into real-world, physical attacks... a Russian security firm whose operations were pelted with Molotov cocktail attacks after exposing an organized crime gang that developed and sold malicious software to steal cash from ATMs. The threats began not long after December 18, 2013, when Russian antivirus firm Dr.Web posted a writeup about a new Trojan horse program designed to steal card data from infected ATMs. Dr.Web received an email warning the company to delete all references to the ATM malware from its site. The anonymous party, which self-identified as the 'International Carders Syndicate', said Dr.Web’s ATM Shield product designed to guard cash machines from known malware 'threatens activity of Syndicate with multi-million dollar profit'... In an interview with KrebsOnSecurity, Dr.Web CEO Boris Sharov said the company did not comply with the demands. On March 9, 2014, someone threw a Molotov cocktail at the office of a third-party company that was distributing Dr.Web’s ATM Shield product. Shortly after that, someone attacked the same office again... After a third attack on the St. Petersburg office, a suspect who was seen running away from the scene of the attack was arrested but later released because no witnesses came forward to confirm he was the one who threw the bomb. Meanwhile, Sharov said Dr.Web detected two physical intrusions into its Moscow office... Sharov said Dr.Web analysts believe the group that threatened the attacks were not cyber thieves themselves but instead an organized group of programmers that had sold — but not yet delivered — a crimeware product to multiple gangs that specialize in cashing out hacked ATM cards... Sharov said he also believes that the group of malware programmers who sent the threats weren’t the same miscreants who threw the Molotov cocktails. Rather, Dr.Web maintains that those attacks were paid for and ordered over the Internet, for execution by strangers who answered a criminal help wanted ad... Sharov said his office got confirmation from a bank in Moscow that the team behind on the ATM Trojan that caused all the ruckus was operating out of Kiev, Ukraine. In the 18 months since then, the number of ATM-specific Trojans has skyrocketed, although the attackers seem to be targeting mainly Russian, Eastern European and European banks with their creations..."
(More detail at the krebsonsecurity URL above.)
:fear::fear:
FYI...
Fake 'Payment Summary' SPAM – PDF malware
- http://myonlinesecurity.co.uk/payme...e-for-201415-financial-year-fake-pdf-malware/
30 Sep 2015 - "An email with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' pretending to come from payslip@ hss.health.nsw. gov.au with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached a copy of your 2014/15 Payment Summary (Group Certificate).
Note: You will receive a separate payment summary for each Health Agency you worked for during the 2014/15 financial year. Payment Summaries are also available in Employee Self Service.
Further information, including fact sheets ...
For taxation advice and information, visit ...
Thank you,
Recruitment and Employee Transactional Services
HealthShare NSW ...
30 September 2015: PAYG-EoY-2014-15-77015286-008001475.zip:
Extracts to: PAYG-EoY-2014-15-77015286-008001475.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...d84546a712d9241b6b4662e2/analysis/1443589224/
___
Fake 'Optus agreement' SPAM – PDF malware
- http://myonlinesecurity.co.uk/completed-optus-agreement-no-rdre-211363-fake-pdf-malware/
30 Sep 2015 - "An email with the subject of 'Completed: Optus agreement no RDRE-211363' pretending to come from DocuSign via DocuSign <dse_eu8@ docusign .net> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/Completed-Optus-agreement-1024x647.png
30 September 2015: Optus agreement no RDRE-211363.zip:
Extracts to: Optus agreement no CDDO-248440.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...80e08c74b547e4b913ba74d3/analysis/1443586066/
___
Fake 'ein Foto' SPAM – jpg malware
- http://myonlinesecurity.co.uk/ein-foto-fake-jpg-malware/
30 Sep 2015 - "An email with the subject of 'ein Foto' pretending to come from Z@ t-mobile .de with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/09/ein-photo-1024x521.png
30 September 2015: 77895767_IMG ‘jpeg’.zip:
Extracts to: 77266374_IMG ‘jpeg’.JPEG.exe
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper JPG (Image) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9d108fb21a44caa67dd03b0d/analysis/1443597445/
___
Fake 'SWIFT transfer' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-fw-incoming-swift-clyde.html
30 Sep 2015 - "This -fake- banking email comes with a malicious attachment:
From "Clyde Medina" [Clyde.Medina@ swift .com]
Date Wed, 30 Sep 2015 12:35:56 GMT
Subject FW : Incoming SWIFT
We have received this documents from your bank regarding an incoming SWIFT transfer.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.
Attached is a file SWIFT_transfer.zip which contains a malicious executable SWIFT_transfer.scr which currently has a detection rate of 2/56*. Automated analysis is pending, although the payload is almost definitely Upatre/Dyre..."
* https://www.virustotal.com/en/file/...65f74cf662e60da779896e11/analysis/1443616096/
UPDATE: "The Hybrid Analysis report** shows Upatre/Dyre activity, including the malware phoning home to a familiar IP address of 197.149.90.166 in Nigeria which I recommend you -block- or monitor."
** https://www.hybrid-analysis.com/sam...d75ce65f74cf662e60da779896e11?environmentId=2
197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
2015-09-30
___
Optus DocuSign Spam
- http://threattrack.tumblr.com/post/130196981088/optus-docusign-spam
Sep 30, 2015 - "Subjects Seen
Completed: Optus agreement no AELT-773123
Typical e-mail details:
Carole Dean,
All parties have completed the envelope ‘Optus agreement no AELT-773123’.
Please find attached the signed agreement.
Malicious File Name and MD5:
Optus agreement no CDDO-248440.scr (ADCAED61174AF9FA4C1DB3F27A767316)
Screenshot: https://41.media.tumblr.com/fce5190eff6e1733726d81f67aa793d3/tumblr_inline_nvhoy953JK1r6pupn_500.png
Tagged: Optus, DocuSign, Upatre
___
ATM Skimmer Gang -firebombed- A/V Firm
- http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus-firm/
Sep 29, 2015 - "... cybercime spills over into real-world, physical attacks... a Russian security firm whose operations were pelted with Molotov cocktail attacks after exposing an organized crime gang that developed and sold malicious software to steal cash from ATMs. The threats began not long after December 18, 2013, when Russian antivirus firm Dr.Web posted a writeup about a new Trojan horse program designed to steal card data from infected ATMs. Dr.Web received an email warning the company to delete all references to the ATM malware from its site. The anonymous party, which self-identified as the 'International Carders Syndicate', said Dr.Web’s ATM Shield product designed to guard cash machines from known malware 'threatens activity of Syndicate with multi-million dollar profit'... In an interview with KrebsOnSecurity, Dr.Web CEO Boris Sharov said the company did not comply with the demands. On March 9, 2014, someone threw a Molotov cocktail at the office of a third-party company that was distributing Dr.Web’s ATM Shield product. Shortly after that, someone attacked the same office again... After a third attack on the St. Petersburg office, a suspect who was seen running away from the scene of the attack was arrested but later released because no witnesses came forward to confirm he was the one who threw the bomb. Meanwhile, Sharov said Dr.Web detected two physical intrusions into its Moscow office... Sharov said Dr.Web analysts believe the group that threatened the attacks were not cyber thieves themselves but instead an organized group of programmers that had sold — but not yet delivered — a crimeware product to multiple gangs that specialize in cashing out hacked ATM cards... Sharov said he also believes that the group of malware programmers who sent the threats weren’t the same miscreants who threw the Molotov cocktails. Rather, Dr.Web maintains that those attacks were paid for and ordered over the Internet, for execution by strangers who answered a criminal help wanted ad... Sharov said his office got confirmation from a bank in Moscow that the team behind on the ATM Trojan that caused all the ruckus was operating out of Kiev, Ukraine. In the 18 months since then, the number of ATM-specific Trojans has skyrocketed, although the attackers seem to be targeting mainly Russian, Eastern European and European banks with their creations..."
(More detail at the krebsonsecurity URL above.)
:fear::fear:
Last edited: