Jump to content

Build Theme!
  •  
  • Infected?

Welcome to What the Tech - Register now for FREE

Get answers from experts today. (it's 100% free). Spyware, Virus, Trojan, Rootkit? Remove malware > Virus Removal Forum. Learn how it works.

Create an Account Login to Account


Photo

SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
1509 replies to this topic

#1501 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 14 July 2015 - 02:50 PM

FYI...

IE 0-day added to mix...
- http://blog.trendmic...y-added-to-mix/
July 14, 2015 - "... -another- vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065*. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability..."
* https://technet.micr...curity/MS15-065
July 14, 2015

> https://support.micr...n-us/kb/3065822
Last Review: 07/14/2015 - Rev: 1.0
Applies to:
    Internet Explorer 11
    Internet Explorer 10
    Windows Internet Explorer 9
    Windows Internet Explorer 8
    Windows Internet Explorer 7
    Microsoft Internet Explorer 6.0

> https://web.nvd.nist...d=CVE-2015-2425
Last revised: 07/14/2015
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 15 July 2015 - 05:49 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1502 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 July 2015 - 07:58 AM

FYI...

Fake 'Perfect job' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 July 2015 - "An email with subjects like 'Perfect achievement !  / Perfect job !  / Great work !' coming from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Congratulations ! You will take a 30% rake-off for the latest selling. Please overlook the attached documents to know the entire sum you’ve received.
    Every day you demonstrate that you are the superior strength of our crew in the market. I am elate and appreciative to get such a capable and experienced subordinate. Keep up the good achievements.
    With the best regards.
    Michelle Silva General manager

-Or-
    Congratulations ! You will receive a 30% commission for the previous disposition. Please check out the enclosed documents to find out the whole amount you’ve won.
    Everyday you prove that you are the major force of our crew in the trading. I am sublime and appreciative to get such a capable and skilled workman. Continue the great job.
    All the best.
    Kathryn Brooks Company management

-Or-
    Congratulations ! You will win a 40% commission for the latest realization. Please overlook the next documentation to get to know the whole amount you’ve won.
    Everyday you demonstrate that you are the major strength of our team in the world of trade. I am sublime and appreciative to have such a capable and proficient subordinate. Proceed the good achievements.
    All the best.
    Sharon Silva General manager

-Or-
    Congratulations ! You will gain a 45% rake-off for the last disposal. Please overlook the following documentation to know the whole amount you’ve won.
    Everyday you convince that you are the best power of our team in the market. I am sublime and beholden to have such a clever and able sub. Continue the perfect job.
    With best wishes.
    Kathryn Pearson General manager


And others with similar wording... If you are unwise enough to try to open the word doc, you will see this message:
> http://myonlinesecur...osition_doc.png
Do -not- follow their suggestions to enable editing  or content, otherwise you will be infected...

25 February 2015: total_sum_from_latest_disposition.doc - Current Virus total detections: 4/55*
... This tries to connect to 2 web sites:
thereis.staging.nodeproduction .com/wp-content/uploads/78672738612836.txt
... which downloads an encrypted text file... and to
www.buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt which gives the web address of http ://midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe. This file is an Upatre downloader for the typical Dyre banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437049226/

** https://www.virustot...sis/1437046046/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
88.221.14.249: https://www.virustot...49/information/

nodeproduction .com: 72.10.52.104: https://www.virustot...04/information/

buildingwalls .co.za: 196.220.41.72: https://www.virustot...72/information/

midwestlabradoodles .com: 72.167.131.160: https://www.virustot...60/information/

- http://blog.dynamoo....t-job-good.html
16 July 2015
"... Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction .com
www.buildingwalls .co.za
midwestlabradoodles .com
"
___

Fake 'About your suggestions' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 July 2016 - "'About your suggestions' pretending to come from emaillambflan <emaillambflan@ totalnetwork .it> with a zip attachment is another one from the current bot runs... The email looks like:
    We chatted few hours ago. We have thought about your programs how to perfect our work and financial profit. Your suggestions seem extremely inspiring and we undoubtedly want such a genius like you. We consider your plans are feasible and would like to implement them. Attached are our progression charts and processes directory. Please look through them and if you will have some questions ask about it. Also make a succinct plan thus we will confer about the elements of every step./r/n We are waiting for your reply soon !

16 July 2015: figures_and_guide.zip: Extracts to: figures_and_directory.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1437056410/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
109.86.226.85: https://www.virustot...85/information/
23.14.92.65: https://www.virustot...65/information/
___

Sales Commission Spam
- http://threattrack.t...commission-spam
July 16, 2015 - "Subjects Seen
    Good achievement !
Typical e-mail details:
    Congratulations ! You will win a 43% commission for the last sale. Please see the next documents to get to know the whole sum you’ve obtained.
    Daily you prove that you are the best power of our team in the world of commerce. I am proud and grateful to get such a gifted and experienced worker. Go on the excelent job.
    With best wishes.
    Kathryn Brooks Director


Screenshot: https://41.media.tum...1r6pupn_500.png

Malicious File Name and MD5:
    amount_from_last_realization.scr (1e314705c1f154d7b848fcc20bfcd5e8)


Tagged: Sales Commission, Upatre
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 16 July 2015 - 12:39 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1503 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 July 2015 - 07:23 AM

FYI...

Fake 'eFax' SPAM - leads to malware
- http://blog.dynamoo....om-unknown.html
17 July 2015 - "This -fake- fax spam leads to malware:

Screenshot: https://2.bp.blogspo...00/fake-fax.png

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but -hacked- site at:
breedandco .com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55* and it contains a malicious exeuctable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55**. Automated analysis... shows a characterstic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90 :12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90 :12325/ETK7//41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip .dyndns .org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55***] and vastuvut.exe [VT 6/55****].
Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106
"
* https://www.virustot...sis/1437133169/

** https://www.virustot...sis/1437133178/

*** https://www.virustot...sis/1437135014/

**** https://www.virustot...sis/1437135026/
___

Fake 'You've earned it' SPAM - malware
- http://blog.dynamoo....d-it-youve.html
17 July 2015 - "This is another randomly-generated round of malware spam, following on from this one[1].
1] http://blog.dynamoo....t-job-good.html

     Date:    16 July 2015 at 12:53
    Subject:    Excelent job !
    Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
    Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
    All the best.
    Michelle Curtis Company management
    ---------------------
    Date:    16 July 2015 at 11:53
    Subject:    Good achievement !
    Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
    Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
    With the best regards.
    Sharon Silva Company management
...

Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc
Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55*. Inside the document is this malicious macro... which according to Hybrid Analysis downloads several components (scripts and batch files) from:
thereis.staging .nodeproduction .com/wp-content/uploads/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt
These are executed, then a malicious executable is downloaded from:
midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe
This has a VirusTotal detection rate of 8/55** and that report plus other automated analysis tools... phones home to the following malicious URLs:
93.185.4.90 :12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90 :12319/LE2/<MACHINE_NAME>/41/7/4/
That IP belongs to C2NET in the Czech Republic. It also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.
This malware drops the Dyre banking trojan.
Recommended blocklist:
93.185.4.90
thereis .staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com

* https://www.virustot...sis/1437053265/

** https://www.virustot...sis/1437054039/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 17 July 2015 - 10:33 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1504 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 July 2015 - 05:57 AM

FYI...

Fake 'copy' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 July 2015 - "An email with a subject simply saying 'copy' pretending to come from belinda.taylor@ bssgroup .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body simply says: copy

27 July 2015 : 13409079779.docm - Current Virus total detections: 4/56*
Downloads Dridex banking malware from:
 terrasses-de-santeny .com/yffd/yfj.exe . Other versions of this downloader will download the -same- Dridex banking malware from alternative locations. So far we have seen
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://terrasses-de-santeny .com/yffd/yfj.exe  
http ://blog.storesplaisance .com/yffd/yfj.exe
http ://telechargement.storesplaisance .com/yffd/yfj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437987707/

terrasses-de-santeny .com: 94.23.55.169: https://www.virustot...69/information/

madagascar-gambas .com: 'Could not find an IP address for this domain name' (May have been taken-down)

technibaie .net: 94.23.1.145: https://www.virustot...45/information/

storesplaisance .com: 94.23.1.145: FR / 16276 (OVH SAS)
___

Fake 'Order Confirmation' SPAM - malicious attachment
- http://blog.dynamoo....mation-ret.html
27 July 2015 - "This spam does not come from Royal Canin, but is instead a simple -forgery- with a malicious attachment:
    From     "[1NAV PROD RCS] " [donotreply@ royal-canin .fr]
    Date     Mon, 27 Jul 2015 18:49:16 +0700
    Subject     Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
    Please find attached your Sales Order Confirmation
    Note: This e-mail was sent from a notification only e-mail address that
    cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.


Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55*, which in turn contains a malicious macro... which downloads an executable from one of the following locations (there are probably more):
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55**. Automated analysis tools... show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)..."

* https://www.virustot...sis/1437999231/

** https://www.virustot...sis/1437999249/

> http://myonlinesecur...dsheet-malware/
27 July 2015: Order Confirmation RET-396716 230715.xml - Current Virus total detections: 1/56*
... Which downloads an updated version of Dridex banking malware..."
* https://www.virustot...sis/1437997926/
___

Fake 'Loan service' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 July 2015 - "'New Loan service nearby' with a zip attachment is another one from the current bot runs... Alternative subjects for this malspam run include: 'New Credit service near you'. The email looks like:
    We are happy to inform you that we are founding a affiliate in your vicinity next week. We are credit services firm with more than 15 years practice , and several branches in the region. We give help to individuals and corporations in profiting money for the objective. We provide all the acts , consisting of bringing the money source that sets the lowest percentage and the best conditions of pays , all the paperwork , and etc.
    We are enclosing the invite ticket for the opening celebration and service’s accommodation schedule. Wish to see you on our opening.
    Give us a chance to maintain you!
    Thanks,
    Truly yours,
    Mike Ward General management Info

-Or-
    We are happy to announce you that we are opening a branch in your area soon. We are loan accommodations firm with more than 25 years workmanship, and several offices in the region.
    We provide help to ordinary people and corporations in availing money for the objective.
    We ensure all the actions, consisting of bringing the fiscal source that offers the lowest commissions and the best terms of payment, all the papers, and so on.
    We are applying the engagement card for the opening and organization’s accommodation schedule. Hope to see you on that day.
    Give us a chance to serve you!
    Thanking you,
    Yours truly,
    Mike Ward General management Superior


And the usual other variety of computer bot generated wording that doesn’t quite read as proper English.
27 July 2015: invitation_and_accommodations.zip: Extracts to: call_and_accommodations.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438000007/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
173.248.31.6: https://www.virustot....6/information/
2.18.213.48: https://www.virustot...48/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 27 July 2015 - 10:11 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1505 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 28 July 2015 - 05:55 AM

FYI...

Fake 'suspicious account activity' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Important Notice: Detecting suspicious account activity' pretending to come from 'Service Center' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Subject: Important Notice: Detecting suspicious account activity
    Date:   Mon, 27 Jul 2015 22:51:16 +0000 (GMT)
    From:   Service Center <redacted >
    Detecting suspicious account activity
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    The attachment contain steps to secured your account. If you are viewing
    this email on a mobile phone or tablets, please save the document first
    and then open it on your PC.
    Click Here to download attachment.
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    Thanks,
    Account Service


If you are unwise enough to follow the links then you will end up with a word doc looking like:
> http://myonlinesecur...ctivity_doc.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named Account Details.exe which has an icon of an Excel spreadsheet to fool you into thinking it is innocent and infect you.
28 July 2015 : Email activity.doc Current Virus total detections: 21/55*
... Downloads https ://onedrive.live .com/download?resid=9AC15691E4E70C4D!123&authkey=!AL1jJDlqNUg-vAM&ithint=file%2cexe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438037595/

** https://www.virustot...sis/1438062482/
___

Fake 'Please Find Attached' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Please Find Attached – Report form London Heart Centre' pretending to come from lhc.reception@ heart. org.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...eart-Centre.png

28 July 2015: calaidzis, hermione.docm - Current Virus total detections: 9/55*
... Downloads what looks like Dridex banking malware from http ://chloedesign .fr/345/wrw.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438067899/

** https://www.virustot...sis/1438068193/
... Behavioural information
TCP connections
93.171.132.5: https://www.virustot....5/information/
2.18.213.25: https://www.virustot...25/information/

chloedesign .fr: 85.236.156.24: https://www.virustot...24/information/
___

Fake 'Air France' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 June 2015 - "'Your Air France boarding documents on 10Jul. pretending to come from Air France <cartedembarquement@ airfrance .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ts-on-10Jul.png

28 July 2015: Boarding-documents.docm - Current Virus total detections: 9/55*
... which downloads Dridex banking malware from http ://laperleblanche .fr/345/wrw.exe which is the -same- malware as in today’s earlier malspam run using malicious word docs with macros**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438071620/

** http://myonlinesecur...rd-doc-malware/

laperleblanche .fr: 94.23.1.145: https://www.virustot...45/information/

- http://blog.dynamoo....e-boarding.html
28 June 2015 - "... -same- exact payload as this earlier attack* today..."
* http://blog.dynamoo....d-attached.html
"... phones home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
I recommend that you -block- that IP. The malware is the Dridex banking trojan..."
___

Fake 'Invoice notice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "A series of emails with subjects of: 'Invoice delivery / Invoice notice / Receipt alert / DHL notice / UPS notification / Invoice information' and numerous -other- similar subjects with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    You had got the bill !
    Delivered at: Tue, 28 Jul 2015 16:15:36 +0500.
    Number of sheets: 0.
    Mailer ID: 3.
    Delivery number: 843.
    Kindly be advised that attached is photo-copy of the 1st page alone.
    We are going to mail the originals to You at the address indicated already.

-Or-
    You have received the bill !
    Received at: Tue, 28 Jul 2015 11:43:15 +0000.
    Amount of sheets: 9.
    Addresser ID: 79187913.
    Delivery order: 6199843296.
    Kindly be advised that attached is scan-copy of the 1st page alone.
    We are going to dispatch the originals to You at the location mentioned earlier.


And multiple similar content. If you are unwise enough to open the attachment then you will end up with a word doc looking like this:
> http://myonlinesecur..._6199843296.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named word.exe which has an icon designed to fool you into thinking it is innocent and infect you. These emails have attachments with names like Invoice_number_6199843296.doc / Order_No._843.doc / Bill_No._95.doc and -multiple- variations of the names and numbers.
28 July 2015 : Invoice_number_6199843296.doc - Current Virus total detections:7/56*
... goes through a convoluted download procedure giving you http ://bvautumncolorrun .com/wp-content/themes/minamaze/lib/extentions/prettyPhoto/images/78672738612836.txt which is a base 64 encoded file that transforms into a password stealer. It also goes to http ://iberianfurniturerental .com/wp-content/plugins/nextgen-gallery/admin/js/Jcrop/css/fafa.txt which automatically downloads http ://umontreal-ca .com/word/word.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438080189/

** https://www.virustot...sis/1438081346/

bvautumncolorrun .com: 184.168.166.1: https://www.virustot....1/information/

iberianfurniturerental .com: 173.201.169.1: https://www.virustot....1/information/

umontreal-ca .com: 89.144.10.200: https://www.virustot...00/information/
___

Fake 'Voice Message' SPAM – wav malware
- http://myonlinesecur...ke-wav-malware/
28 July 2015 - "'Voice Message Attached from 08439801260' pretending to come from voicemessage@ yourvm .co.uk with a wav (sound file) attachment is another one from the current bot runs... The email looks like:

    Time: Jul 28, 2015 3:08:34 PM
    Click attachment to listen to Voice Message


28 July 2015: 08439801260_20150725_150834.wav - Current Virus total detections: 2/55*
... Which downloads Dridex banking malware from laurance-primeurs .fr/345/wrw.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438082138/

laurance-primeurs .fr: 94.23.1.145: https://www.virustot...45/information/
___

Fake 'Incoming Fax' SPAM - malware
- http://blog.dynamoo....ernal-only.html
28 July 2015 - "This -fake- fax message leads to malware:
    From:    Incoming Fax [Incoming.Fax@ victimdomain]
    Date:    18 September 2014 at 08:39
    Subject:    Internal ONLY
    **********Important - Internal ONLY**********
    File Validity: 28/07/2015
    Company : http ://victimdomain
    File Format: Microsoft word
    Legal Copyright: Microsoft
    Original Filename: (#2023171)Renewal Invite Letter sp.doc
    ********** Confidentiality Notice ********** ...
    (#2023171)Renewal Invite Letter sp.exe


Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http ://umontreal-ca .com/word/word.exe ... This has a VirusTotal detection rate of 2/55*.
umontreal-ca .com (89.144.10.200 / ISP4P, Germany) is a -known- bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE: This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208
"
* https://www.virustot...sis/1438087963/
___

Fake 'cash prizes for shopping' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 July 2015 - "Another set of emails with subjects including 'Get cash prizes for shopping' and 'Get cash payments for purchasing' with a zip attachment is another one from the current bot runs... The email looks like:
    Love purchasing? We have something special for you!
    Do you want to get cash compensations on buys you make in your favorite stores? Just get our debit card to make your purchases, and then you will commence enhancing the rewards. Bear in mind only one rule – the more you use it – the more you receive. So kindly check out the applied info to learn how this offer proceeds and how to open your bank account.
    It was never so pure, fast and so close to your dreams. Don’t lose your time. Join us, keep to us and shopping will give!

-Or-
    Being fond of shopping? We propose something special for you!
    Do you want to get cash rewards on purchases you make in your favorite shops? Just use our debit card to make your purchases, and then you will start increasing the  remunerations. Bear in mind one rule – the more you use it – the more you get. So please read the enclosed documentations to see how it operates and how to open your account.
    It was never so elementary, fast and so close to your dreams. Don’t lose your chance. Join us, stick to us and shopping will pay!


And numerous other similar computer generated text...
28 July 2015: bank_offering_and_card_information.zip: Extracts to: special_offering_and_card_details.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438090452/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
24.33.131.116: https://www.virustot...16/information/
95.100.255.176: https://www.virustot...76/information/
___

Russian Underground - Revamped
- http://blog.trendmic...round-revamped/
July 28, 2015 - "When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices. News and media coverage on significant breaches are increasingly shaping up to becoming an everyday occurrence. 2014 became the “year of the POS breach” for the retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with debit/credit card has its inherent risks. But what happens with the compromised data and personal information?... right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places, where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks similar to online-shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIPcode, city, address of the card owner, type of card, etc... several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date. What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of -fresh- credit card leaks... Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement..."
> https://www.trendmic...isticated-tools
July 28, 2015
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 28 July 2015 - 10:14 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1506 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 July 2015 - 06:08 AM

FYI...

Fake 'New mobile banking app' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "Today’s set of Upatre downloaders come with an email subject of 'New mobile banking application / The latest mobile banking application / Renewed mobile banking app' with a zip attachment is another one from the current bot runs... The email looks like:
    Dear patron!
    We would like to introduce you new mobile banking app for our bank patrons. Our mobile banking options help you to enter your bank account safely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial operations. Our application is simple to use and highly safe.
    To learn more about application features and work, please view the enclosed info. Download link is also included.

-Or-
    Dear client!
    We would like to introduce you new mobile banking app for our bank customers. Our mobile banking services help you to access your bank account securely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial procedures. Our application is toiless to use and extremely safe.
    To know more about application details and work, please see the attached information. Download link is also inside.

-Or-
    Dear patron!
    We are glad to present you new mobile banking app for our bank patrons. Our mobile banking accommodations help you to enter your bank account safely any place you want. A quick and simple registration is all you need to begin using mobile banking options. With mobile banking, you can realize most of all bank operations. Our app is toiless to use and very safe.
    To know more about application details and functioning, kindly view the affixed document. Download link is also inside.


 And numerous very similar computer generated versions of the above.
29 July 2015: id697062389app_features.doc.zip: Extracts to:  app_brochure.exe
Current Virus total detections: 0/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438168067/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
95.101.72.123: https://www.virustot...23/information/
___

Fake 'Get our deposit card' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "The latest upatre downloader to hit the presses is an email with a subject of 'Get our deposit card and receive 067' (varying amounts) pretending to come from jesse_rice with a zip attachment is another one from the current bot runs... The email looks like:
    Deposit card containing many profitable features is new extraordinary proposal of ours.
    One of the great items that will actually intrigue you is the 98 money back pize. When you outlay 300 USD or more within 3,2,5,4,6 months buying by this card, you will earn a 23 award. There is also 5% cash back award function that give you opportunity to take 5% cash back on up to 1500 USD during each three month quarter. It’s not a disposable prize. You will turn on your feature every 3 month quarter without any extra fees! There are a lot of other bonuses that you will have. You can browse them in the applied to learn more about it and find all details. Feel free to to ask if you have any questions.
    We sincerely look forward to your response


29 July 2015: 220317964deposit_card_features_details.zip: Extracts to: card_features_details.exe
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438176115/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
69.144.171.44: https://www.virustot...44/information/
2.20.143.37: https://www.virustot...37/information/
___

USA TODAY Fantasy Sports... serves Malware
- https://blog.malware...serves-malware/
July 28, 2015 - "... We routinely detect infections coming from forums during our daily crawl of potentially malicious URLs. One of the reasons for this comes from the underlying infrastructure that powers those sites. Indeed, server side pieces of software such as Apache or vBulletin are often abused by cyber criminals who can easily exploit security holes especially if these applications are not kept up to date. Case in point, the Fantasy Sports discussion forum part of USA TODAY Sports Digital Properties was recently redirecting members towards scam sites and even an exploit kit that served malware. The forum statistics show a total of 117,470 threads, 3,348,218 posts and 18,447 members.
> https://blog.malware...15/07/graph.png
...  domain is involved in multiple nefarious activities via -malvertising- such as -fake- Flash Player applications, tech support scams or exploit kits. In some cases, all of the above combined...
> https://blog.malware...07/scampage.png
Nuclear exploit kit: Probably the worst case scenario is to be -redirected- to an exploit kit page and have your computer infected.
> https://blog.malware...7/Fiddler21.png
In this particular instance, we were served the Nuclear EK, although given the URL pattern it would have been very easy to call this one Angler EK. This change was noted by security researcher @kafeine* about a week ago...
* https://twitter.com/...564043345858562
Had the exploit been successful, a piece of malware known as Glupteba (VT link**) would have been dropped and executed. Compromised machines are enrolled into a large botnet that can perform many different malicious tasks... We have notified USA Today about this security incident..."
** https://www.virustot...sis/1437954473/
... Behavioural information
TCP connections
195.22.103.43: https://www.virustot...43/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 29 July 2015 - 08:10 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1507 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 July 2015 - 05:39 AM

FYI...

Fake 'settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "Today’s first set of Upatre downloaders come with email subjects that include 'Calculated response settlement failure / Estimated response settlement failure / Estimated response payment default / Calculated invoice payment default' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ent-failure.png

30 July 2015: official_document_copies_id942603754.pdf.zip: Extracts to: public_order_copies.exe
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438249041/
___

Fake 'ADP Payroll' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Invoice #[random numbers]' pretending to come from ADP – Payroll Services <payroll.invoices@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Attached are the latest statements received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices@adp.com.
     For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
     Thank you ,
    Automatic Data Processing, Inc.
    1 ADP Boulevard
    Roseland
    NJ 07068
    © Automatic Data Processing, Inc. (ADP®) . All rights reserved...


30 July 2015: ADP_Invoice _0700613.zip : Extracts to: ADP_Invoice.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267744/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
178.222.250.35: https://www.virustot...35/information/
2.18.213.56: https://www.virustot...56/information/
___

Fake 'check returned' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Your cheque has been returned' pretending to come from jobs-asia with a zip attachment is another one from the current bot runs... The email looks like:
    I enclose a check that has been returned unpaid for occasions shown there.
    We have written off you with the sum.
    If you have any questions, kindly write to us. We’ll endeavor to help you.
    Faithfully,
    Lloyd Bailey
    Service department


30 July 2015: cheque_and_description_i4Aev0CF.zip: Extracts to: cheque_and_explanation.exe
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267061/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
67.221.195.6: https://www.virustot....6/information/
2.18.213.24: https://www.virustot...24/information/
___

Fake 'Income tax settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "'Income tax settlement failure sent id: [number]' with a zip attachment is another one from the current bot runs... The email looks like:
    In accordance with taxing authority information You have defaulted a term to settle the estimated tax sums.
    Kindly see attached the official order from the revenue service.
    Furthermore please be noted of the fact that additory penalties would be applied unless the debt amounts are not remitted within four working days.
    Regard this reminder as highly important.
    Rebecca Crouch Tax Department


29 July 2015: public_order_scan713432229.zip: Extracts to: official_order_copies.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438208026/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
87.249.142.189: https://www.virustot...89/information/
88.221.14.145: https://www.virustot...45/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 30 July 2015 - 10:44 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1508 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 31 July 2015 - 06:08 AM

FYI..

Fake 'Chess Bill' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
31 July 2015 - "'Your latest Chess Bill Is Ready' pretending to come from  CustomerServices@ chesstelecom .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Your bill summary
    Account number: 24583
    Invoice Number: 2398485
    Bill date: July 2015
    Amount: £17.50
    How can I view my bills?
    Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you’ve incurred since your last bill, just sign into My Account www .chesstelecom .com/myaccount ...


31 July 2015 : 2015-07-Bill.docm - Current Virus total detections: 5/56*
Downloads Dridex banking malware from:
http ://laboaudio .com/4tf33w/w4t453.exe
http ://chateau-des-iles .com/4tf33w/w4t453.exe
http ://immobilier-ctoovu .com/4tf33w/w4t453.exe
http ://delthom .eu.com/4tf33w/w4t453.exe
http ://ctoovu .com/4tf33w/w4t453.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438334839/

laboaudio .com: 94.23.55.169: https://www.virustot...69/information/
chateau-des-iles .com: 94.23.1.145: https://www.virustot...45/information/
immobilier-ctoovu .com: 94.23.55.169
delthom .eu.com: 94.23.1.145
ctoovu .com: 94.23.55.169
___

Apple Care – phish
- http://myonlinesecur...-care-phishing/
31 July 2015 - "'Apple Care' pretending to come from Apple <secure@ appletechnicalteam .com> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecur.../Apple-Care.png

... The actual site this sends you to is http ://applesurveillance .com/account/?email=a@a.a which can very easily be mistaken for a genuine Apple site. To make it even worse, the phishers have gone to the effort of setting up the domain properly and are using an email address to send from “Apple <secure@ appletechnicalteam .com> ” which has the correct domainkeys and SPF records so it doesn’t look like spam and will be allowed past most spam filters. They have also set up the applesurveillance .com site so that it appears to a security researcher or investigator that the account has been suspended by the hosting provider, when it actually is -live- when you put any email address into the url:
> http://myonlinesecur...fy_apple_ID.png
When you fill in your user name and password you get a page looking very similar to this one ( split into sections), where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur..._apple_ID_2.png
...
> http://myonlinesecur..._apple_ID_3.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 31 July 2015 - 06:27 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1509 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 August 2015 - 12:29 PM

FYI...

Countrywide Money Ltd SPAM
- http://blog.dynamoo....-money-ltd.html
1 Aug 2015 - "You know things must be desperate when a business turns to spam. Here's a dubious-looking spam that seems to be presenting itself in a way that looks like a get-rich-quick scheme:
From:    Countrywide Money [info@ countrywidemoney .co.uk]
Reply-To:    Info@ countrywidemoney .co.uk
Date:    1 August 2015 at 05:11
Subject:    Extra Income FOR YOU!...
... to Unsubscribe Click Here!

Screenshot: https://1.bp.blogspo...countrywide.jpg

... the Unsubscibe link doesn't work. Tsk tsk. Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seems to suit an operation in Lagos rather than one in the UK... A non-trading individual? Let's look at that web site for a moment:
> https://1.bp.blogspo...ountrywide2.jpg

Well, it doesn't look like a personal homepage to me... It turns out that the sole director is one "Tony Edwards"... A little bit more digging at DueDil* shows some equally disappointing looking financials...  I'm not sure why this person feels that promoting their business through -spam- is appropriate. I certainly won't be signing up to this scheme."
* https://www.duedil.c...e-money-limited
___

Your Files Are Encrypted with a 'Windows 10 Upgrade'
- http://blogs.cisco.c...tb-locker-win10
July 31, 2015 - 'Update 8/1: To see a video of this -threat- in action click here:
> http://cs.co/ctb-locker-video
Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a -spam- campaign that was taking advantage of a different type of current event. Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign:
> https://blogs.cisco....blacked_out.png
Email Message: The email message above is a sample of the type of messages that users are being presented with. There are a couple of key indicators in the message worth calling out.
First, the from address, the adversaries are spoofing the email to look like it is coming directly from Microsoft (update<at>microsoft.com). This is a simple step that tries to get users to read further:
> https://blogs.cisco....in10_header.png
However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand. Second, the attackers are using a similar color scheme to the one used by Microsoft. Third, there are a couple of red flags associated with the text of the email. As you can see below, there are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email:
> https://blogs.cisco....cter_errors.png
... Payload: Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message similar to the following:
>> https://blogs.cisco..../CTB-Locker.png
The payload is CTB-Locker, a ransomware variant. Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware. The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk...
Conclusion: The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise. As a defense, users are encouraged to backup their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers.  Adversaries are always looking to leverage current events to get users to install their malicious payloads. This is another example, which highlights the fact that technology upgrades can also be used for malicious purposes..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 01 August 2015 - 02:00 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1510 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,988 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted Today, 04:50 AM

FYI...

Bogus Win10 'activators'
- http://net-security....ews.php?id=3082
03.08.2015 - "... bogus Windows 10 "activators".
* http://www.net-secur...ld.php?id=17960

> https://blog.malware...ps-and-surveys/
___

Fake 'E-bill' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
3 Aug 2015 - "'E-bill : 6200228913 – 31.07.2015 – 0018' pretending to come from  noreply.UK.ebiller@ lyrecobusinessmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    Please find enclosed your new Lyreco invoicing document nA^ 6200228913 for a total amount of 43.20 GBP, and  due on 31.08.2015
    We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by  you at any time.
    For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.
    Your Lyreco Customer Service
    *** Please do not reply to the sender of this email...


3 August 2015: 0018_6200228913.docm - Current Virus total detections: 5/55*
Downloads Dridex banking malware from http ://immobilier-roissyenbrie .com/w45r3/8l6mk.exe or http ://scootpassion .com/w45r3/8l6mk.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438596426/

** https://www.virustot...sis/1438596617/

immobilier-roissyenbrie .com: 94.23.55.169: https://www.virustot...69/information/

scootpassion .com: 37.0.72.24: https://www.virustot...24/information/

- http://blog.dynamoo....3-31072015.html
3 Aug 2015
"... Recommended blocklist:
46.36.219.141
94.23.55.169
"
___

DHL DELIVERY - phish ...
- http://myonlinesecur...ils-_-phishing/
3 Aug 2015 - "'DHL DELIVERY DETAILS' pretending to come from noreply@ dhl .com is one of the latest attempts to steal your email account details...

Screenshot: http://myonlinesecur...phish_email.png

... click-the-link (DON'T) in the email you will be sent to http ://cherysweete1843 .org/DHL%20_%20Tracking/DHL%20_%20Tracking.htm (or whichever other site the phishers have set up to steal your information). The site looks like:
> http://myonlinesecur...8/dhl_phish.png
... entering an email address and password, just gives you a download of the image that was originally in the email. It just looks like the phishers are trying to get email account details and hoping that an unwary user will be unwise enough to give them the password for their email account so it can be used for sending more spam. Of course there will be a few users who genuinely have DHL accounts and the log in details might be enough to compromise the account and use the account to send stolen or illegal items through the DHL network with minimum risk to the criminals. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

cherysweete1843 .org: 178.217.186.27: https://www.virustot...27/information/
___

First Firmware Worm That Attacks Macs
- http://www.wired.com...m-attacks-macs/
8.03.15 - "... when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked... The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware... findings on August 6 at the Black Hat security conference in Las Vegas. A computer’s core firmware — also referred to at times as the BIOS, UEFI or EFI—is the software that boots a computer and launches its operating system. It can be infected with malware because most hardware makers don’t cryptographically sign the firmware embedded in their systems, or their firmware updates, and don’t include any authentication functions that would prevent any but legitimate signed firmware from being installed... it operates at a level below the level where antivirus and other security products operate and therefore does not generally get scanned by these products, leaving malware that infects the firmware unmolested. There’s also no easy way for users to manually examine the firmware themselves to determine if it’s been altered... malware infecting the firmware can maintain a persistent hold on a system throughout attempts to disinfect the computer. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate malicious code, the malicious firmware code will remain intact..."
___

Fake Android Virus Alert(s)...
- https://blog.malware...hinese-hackers/
Aug 3, 2015 - "... messages of impending doom on a mobile device are always more worrying than on a desktop, because many device owners may not be locking down their phones the way they do their PCs. It’s even worse if on a mobile data package, because nobody wants to end up on premium rate services or websites and contend with spurious charges. Once the popups and redirects take hold, it’s sometimes hard to keep your composure and get a handle on multiple tiny screens doing weird things. In the above case, there’s no infection to worry about so no need to panic. Advert redirects to unwanted locations are always a pain – especially if younger members of your family happen to be on the phone at the time the -redirects- happen – but you’ve generally got to work at it to infect a mobile device with something bad. Keeping the “Allow installs from unknown sources” checkbox -unticked- and the “Very Apps” checkbox -ticked- won’t make your phone bulletproof, but it will go a long way towards keeping you secure."
___

Fake 'pictures' SPAM - JS malware
- http://myonlinesecur...ion-js-malware/
2 Aug 2015 - "'my relaxation' pretending to come from Facebook <update+pw_k1-d2r1@ facebookmail .com> with a zip attachment is another one from the current bot runs... The email looks like:

    Here are some pictures!!
    See you later! I love you.


2 August 2015: File_7866.zip: Extracts to: File_7866.js - Current Virus total detections: 10/56*
Downloads Adobe_update-86R8IJHUY0CCI.exe from http ://kheybarco .com and also downloads a genuine PDF file which is a German language hotel invoice from HRS group (this is an updated version of this Malspam run** from last week)...
** http://myonlinesecur...oup-js-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438493868/

kheybarco .com: 176.9.8.205: https://www.virustot...05/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, Today, 12:21 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



3 user(s) are reading this topic

0 members, 3 guests, 0 anonymous users