Fake 'Hilton Hotels' SPAM – PDF malware
24 June 2015 - "'A for guest WARDE SAID' pretending to come from CTAC_DT_Hotel@ Hilton .com with a zip attachment is another one from the current bot runs... The email looks like:
Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
Enclosed is a copy of your receipt(FOLIODETE_9601395.pdf). Should you require any further assistance please do not hesitate to contact us directly.
We look forward to welcoming you back in the near future.
This is an automatically generated message. Please do not reply to this email address...
24June 2015: FOLIODETE_9601395.zip: Extracts to: FOLIODETE_2015_0006_0024.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Fake 'Considerable law alternations' SPAM - malicious payload
24 June 2015 - "This -fake- legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations
Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above .
In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55*. Automated analysis tools... show malicious traffic to the following IPs:
22.214.171.124 (C2NET Przno, Czech Republic)
126.96.36.199 (Clarity Telecom LLC / PrairieWave, US)
188.8.131.52 (Radionet, Ukraine)
184.108.40.206 (Safelink Internet , US)
220.127.116.11 (Orion Telekom, Serbia)
18.104.22.168 (SWAN, a.s. TRIO network, Slovakia)
22.214.171.124 (Rostelecom / VolgaTelecom, Russia)
126.96.36.199 (Telekom Srbija, Serbia)
The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55**) and qppwkce.exe (VT 3/55***). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.
Fake Bank of America Twitter Feed Leads to Phish ...
June 24, 2015 - "Over the last day or so, a Twitter feed claiming to be a support channel for Bank of America has been sending links and messages to anybody having issues with their accounts. Here’s the dubious BoA Twitter account in question:
... In most cases, they direct people to a URL where they can supposedly fix their problems, which is
They’ve also been seen asking for credentials directly via DM (Direct Message). They appear to be using that classic Twitter -phishing- technique: look for people sending help messages to an official account, then inject themselves into the conversation:
Here’s a sample list of messages they’ve been sending to BoA customers:
The site asks for the following information: Online ID, Passcode, Account Number, Complete SSN or Tax Identification Number and Passcode. Once all of this information is entered, the victim is redirected to the real Bank of America website... At time of writing, the site is being flagged by Chrome for phishing:
We’ve also spotted another page on the same domain which looks like a half-finished Wells Fargo “Security Sign On” page:
We advise customers of BoA to be very careful where they’re sending account credentials – note that the official BoA Twitter feed has a -Verified- icon, and that small but crucial detail could make all the difference where keeping your account secure is concerned."
sclgchl1(dot)eu(dot)pn: 188.8.131.52: https://www.virustot...11/information/
Samsung laptops deliberately disable Windows Update with bloatware
Jun 24 2015 - "... Samsung, in common with a number of manufacturers, has an app for finding the latest drivers and updates to, well, frankly, bloatware. In Samsung's case the app is called SW Updater. Samsung describes it thus: 'Find easy ways to install and maintain the latest software, protect your computer, and back up your music, movies, photos and files'... a teardown from Microsoft MVP Patrick Barker* has revealed that Samsung laptops -include- an executable file called Disable_Windowsupdate.exe which kind of explains itself really. What's really disturbing about this, as if it wasn't enough already, is that if you turn Windows Update back on, SW Updater goes back and turns it back -off- again..."
Jun 24, 2015
Instapaper App vulnerable to Man-in-the-Middle Attacks
June 23, 2015 - "... analyzed popular Android app Instapaper and found it can be vulnerable to man-in-the-middle attacks that could expose users’ signup/login credentials when they try to log in into their accounts. The vulnerability may have serious consequences, especially if users have the same password for more than one account, leaving them potentially vulnerable to intrusions.
The Problem: Instapaper allows users to save and store articles for reading, particularly for when they’re offline, on the go, or simply don’t have access to the Internet. The application works by saving most web pages as text only and formatting their layout for tablets or phone screens. Everyone who wants to use the application is required to sign-up and create an account to check out notes, liked articles or access other options. However, the vulnerability lies not in the way the application fetches content, but in the way it implements (or in this case, doesn’t implement) certificate validation. Although the entire communication is handled via HTTPS, the app performs no certificate validation. If someone were to perform a man-in-the-middle attack, he could use a self-signed certificate and start “communicating” with the application...
The Attack: If a user were to sign into his account while connected to a Wi-Fi network that’s being monitored by an attacker, his authentication credentials (both username and password) could easily be intercepted using any fake certificate and a traffic-intercepting tool...
Implications: While the attacker might seem to only gain access to your Instapaper account, most people use the same password for multiple accounts. A cybercriminal could try and use your Instapaper password to access your social media or email accounts. Studies have shown that more than 50% of users reuse the same password, so the chances are -better- than even that more than one account could be vulnerable if your Instapaper credentials have been stolen. We have notified the development team behind the Android Instapaper app about the found vulnerability, but they have yet to confirm when a fix will become available..."
SEC hunts hacks who stole corp emails to trade stocks
Jun 23, 2015 - "U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cybersecurity consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye Inc about a sophisticated hacking group that it dubbed 'FIN4'. Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report*..."
Nov 30, 2014
Edited by AplusWebMaster, 25 June 2015 - 06:12 AM.