SPAM frauds, fakes, and other MALWARE deliveries...


1175 replies to this topic

#1171 AplusWebMaster
  • Authentic Member
  • 8,028 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 April 2014 - 07:04 AM

FYI...

Instagram Scam: Lottery Winners impersonated to offer Money for Followers
- http://www.symantec....money-followers
9 Apr 2014 - "... Instagram scammers have been posting images offering -fake- lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers...
> http://www.symantec..../figure1_20.png
... In this -scam- a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address... It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts... if it sounds too good to be true, it is."
___

Something evil on 66.96.223.192/27
- http://blog.dynamoo....9622319227.html
9 Apr 2014 - "There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already -flagged- as malicious by Google, and I've reported on bad IPs in this range before. A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here* [csv]. I would recommend applying the following blocklist:
66.96.223.192/27
capcomcom .com
chebuesx .com
..."
(Long list at the dynamoo URL above.)
* http://www.dynamoo.c....223.192-27.csv
___

Fake eBay emails – Pharma SPAM
- http://myonlinesecur...ay-pharma-spam/
9 Apr 2014 - "... we are now seeing fake < Your name >, You have delayed mails from eBay. In exactly the same way as The Fake Facebook Messages, these fake eBay messages appear to come from eBayNotifier but are being sent by one of the botnets and -not- by eBay at all. These only have 1 link in them, unlike the previous ones which normally have 2 links in them, that if you are unwise enough to click on them will either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs. Today's offerings are to a Canadian Pharma spam site. Always hover over the links in these emails and you will see that they do -not- lead to eBay. Do not click on the links, just -delete- the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected... Email text will say something like:
Your name,
    You have delayed mail
    View mails
    Yours truly
    eBayNotifier


Screenshot: http://myonlinesecur...s-from-eBay.png ..."

:ph34r:  <_<


Edited by AplusWebMaster, 09 April 2014 - 10:57 AM.


#1172 AplusWebMaster

Posted 10 April 2014 - 07:02 AM

FYI...

Fake CDS Invoice – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 April 2014 - "Following on from today’s and other recent DHL* and -other- delivery service failure notices, the malware gangs have changed track and are sending out local courier company invoices. CDS Invoice pretending to come from accounts@ cdsgroup .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear client
Please find attached your invoice number 168027
If you have any queries with this invoice, please email us... or call us...
For and on behalf of The CDS Group of Companies
Crawfords of London | Crawfords Delivery Services | Media Express | CDS International
Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International...
This message and any attachment are confidential and may be privileged...
This email has been scanned...


Screenshot: http://myonlinesecur...cds-invoice.png

9 April 2014: CDS_INVOICE_168027.zip (464 kb): Extracts to CDS_INVOICE_168027.exe
Current Virus total detections: 6/51**. This CDS Invoice is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
10 April 2014

Fake DHL email Screenshot: http://myonlinesecur...very-report.png

** https://www.virustot...sis/1397115564/
___

SCAM: Climate Change And Health Conference ...
- http://blog.dynamoo....and-health.html
10 April 2014 - "This -spam- is a form of an advanced fee fraud scam:
    From:     CCAHC ccahc@ live .com
    Reply-To:     ccahc@ e-mile .co .uk
    Date:     10 April 2014 16:04
    Subject:     Call for Poster
    CCAHC: Climate Change And Health Conference 2014
    Dear Colleague,
    On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014.
    The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues...
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom


The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using -free- email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap... the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will -vanish- taking their mythical conference with them."
___

Fake UPS SPAM - Exception Notification – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 April 2014 - "... UPS Exception Notification pretending to be from UPS Quantum View [auto-notify@ ups .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This one has links in the email to download the malware laden zip, rather than an attachment...
UPS
Discover more about UPS:
Visit ups .com
At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
Important Delivery Information
Tracking Number: 1Z522A9A6892487822 [ clickable URL ]
Rescheduled Delivery Date: 14-April-2014
Exception Reason: THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
Exception Resolution: PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
Shipment Detail ...


Screenshot: http://myonlinesecur...otification.png

... another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is..."

:ph34r:  :angry:


Edited by AplusWebMaster, 10 April 2014 - 03:07 PM.


#1173 AplusWebMaster

Posted 11 April 2014 - 05:16 AM

FYI...

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
- http://blog.dynamoo....6275140237.html
11 April 2014 - "This set of IPs is being used to push the Angler EK [1*] [2**]:
Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.
Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range..."
(Long list of domains at the dynamoo URL above.)
* http://wepawet.isecl...7206144&type=js

** http://urlquery.net/...d=1397206442682
___

Fake UKMail - Proof of Delivery Report – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 April 2014 - "Continuing from yesterday’s theme of parcel & courier email messages, the malware bad guys are continuing with the same theme today. Proof of Delivery Report: 09/04/14-11/04/14, pretending to come from UKMail Customer Services [list_reportservices@ ukmail .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Dear Customer,
    Please find attached your requested Proof of Delivery (POD) Download Report
    ………………………………………………………………………………………………………………………
    iMail Logo
    “For creating, printing and posting your next day mail”
    click here to realise the savings that you could make
    Please consider the environment before printing this e-mail or any attachments.
    This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
    If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
    UK Mail Group Plc is registered and incorporated in England.
    Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
    Registered Company No.: 02800218.


11 April 2014: poddel-pdf-2014041103004500.zip (59 kb). Extracts to poddel-pdf-2014041103004500.exe
Current Virus total detections: 2/51*. This Proof of Delivery Report: 09/04/14-11/04/14 is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...a8f0d/analysis/

:ph34r:  <_<


Edited by AplusWebMaster, 11 April 2014 - 06:17 AM.


#1174 AplusWebMaster

Posted 16 April 2014 - 02:24 PM

FYI...

Something still evil on 66.96.223.192/27
- http://blog.dynamoo....9622319227.html
16 April 2014 - "Last week I wrote about a rogue netblock hosted by Network Operation Center* in the US. Well, it's still spreading malware but now there are -more- domains active on this range. A full list of the subdomains I can find is posted here [pastebin**]. I would recommend that you apply the following blocklist:
66.96.223.192/27
andracia .net
..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....9622319227.html

** http://pastebin.com/RQfE69hn
___

Netflix-themed tech support SCAM ...
- http://blog.malwareb...-more-copycats/
April 16, 2014 - "A few weeks ago we blogged about this Netflix phishing scam -combined- with fake tech support that was extorting private information and money from people. The scam worked by asking unsuspecting users to log into their Netflix account and enter their username and password into a -fraudulent- website. After collecting the personal details, the perpetrators used a fake warning to state the particular account had been suspended. All this effort was really about leading potential victims into a trap, by making them call a 1-800 number operated by -fake- tech support agents ready to social engineer their mark and collect their credit card details. A slightly new variant is once again making the rounds with the same goal of funnelling traffic to -bogus- ‘customer support’ hotlines:
> http://cdn.blog.malw...red_netflix.png
... this time around the scammers behind it are expanding the phishing pages to other online services as well to target a wider audience. Crooks are buying online ads for each brand such as this one on Bing for “netflix tech support number”:
> http://cdn.blog.malw.../04/bingad1.png
... The quality of leads you get from targeted advertising is much higher than that from random cold calls. If you can attract people already looking for help and offer them your service, chances are conversion rates will be higher..."

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 16 April 2014 - 02:40 PM.


#1175 AplusWebMaster

Posted 18 April 2014 - 05:32 AM

FYI...

Fake Facebook Chat Verification used for SPAM
- http://blog.trendmic...-used-for-spam/
Apr 17, 2014 - "Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”. The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.
> http://blog.trendmic...-chat-spam1.jpg
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differs depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer). Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided JavaScript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users... From the get-go, users should know that there is -no- product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced* that Android and iOS users will be required to use this stand-alone app by eliminating the chat features of the traditional app versions of the site. Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning** notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things”..."
* http://mashable.com/...ring-messenger/

** https://www.facebook.com/selfxss
___

Zeus with your coffee ...
- https://www.secureli...ith_your_coffee
Apr 16, 2014 - "Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on -fake- messages supposedly from coffee chain Starbucks combined the two.
> https://www.secureli...s_starbucks.jpg
The detected distribution claimed... a recipient's friend made an order for him to celebrate a special occasion in a Starbucks coffee shop. That mysterious friend wished to remain anonymous, enjoying the intrigue he was creating, but was sending out invitations with details of a special menu, which is available in the attachment. In the end they wished the recipient an awesome evening. All the messages were sent out with high importance. Besides, the addresses, created on the Gmail and Yahoo! free mail services, changed from letter to letter and seemed to be randomly generated combinations like incubationg46@, mendaciousker0@ and so on. The attachment was a .exe file and the cybercriminals made no effort to mask it with an archive or double filename extension. They seemed to be sure a happy recipient would open the attachment without any suspicion. Kaspersky Lab detects the attached file as Rootkit.Win32.Zbot.sapu - a modification of one of the most notorious spyware families, Zbot (ZeuS). These applications are used by cybercriminals to steal confidential information. This version of Zbot is able to install a rootkit, Rootkit.Win32.Necurs or Rootkit.Win64.Necurs, which disrupts the functioning of antiviruses or other security solutions."
___

Google patches Android icon Hijacking vuln
- http://www.securityw...g-vulnerability
Apr 15, 2014 - "Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites. According to FireEye*, the issue allows a malicious app with 'normal' protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user. The issue has been acknowledged by Google, which has released a patch to its OEM partners..."
* http://www.fireeye.c...on_android.html
Apr 14, 2014

- https://atlas.arbor....ndex#-561580891
Elevated Severity
17 Apr 2014

:ph34r: <_<


Edited by AplusWebMaster, 18 April 2014 - 11:05 AM.


#1176 AplusWebMaster

Posted Yesterday, 03:57 AM

FYI...

Fake Santander Bank SPAM – word doc malware
- http://myonlinesecur...rd-doc-malware/
Apr 22, 2014 - "March Invoice pretending to be from Santander bank with a sender address of Sarah Gandolfo [sgand0395@ aol.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 271201 Account No 56024641.
    Thanks very much
    Sarah


22 April 2014: March invoice 5291.zip (10 kb) Extracts to March invoice 8912.exe
Current Virus total detections: 1/51*. This March Invoice is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...75fbe/analysis/
___

Visa Card phish ...
- http://www.hoax-slay...hing-scam.shtml
Apr 22, 2014 - "... email purporting to be from Visa claims that the recipient's card access has been limited because 'unusual activity' has been detected... The email is -not- from Visa. It is a -scam- designed to steal the recipient's credit card data. A link in the email opens a -fake- website that asks for the user's credit card number, and other information pertaining to the recipient's Visa account...
Example:
Subject: Access to your Visa card has been blocked
Visa Card Status Notification
We are contacting you to Inform you that our Visa Card security department identified some unusual activity in your card. In accordance with Visa Card User Agreement and to ensure that your Visa Card has not been accessed from fraudulent locations, access to your Visa Card has been limited. Your Visa Card access will remain limited until this issue has been resolved please Click My Visa Card Activity to continue.
My Visa Card Activity
We take your online safety seriously, which is why we use state of the art notification systems to identify unusual activity and a challenge process to validate your details.
Thanks for banking with Visa.
Customer Finance Department
© Visa & Co, 2014.


Screenshot: http://www.hoax-slay...hing-scam-1.jpg

The message invites users to -click- a link to resolve the issue and restore access... the message is -not- from Visa and the claim that the account has been limited is a lie... the email is a typical phishing scam designed to extract financial information from users. The email's links open a -bogus- website created to closely mirror the look and feel of a genuine Visa webpage. The fake page will include a 'verification form' that requests users to supply their credit card number and other account details. After supplying the requested information, users will be taken to a second fake page that informs them that the problem has been resolved and restrictions have been removed... of course, there was no problem with the card to begin with..."

___

Fake 'Paintball Booking' SPAM ...
- http://blog.mxlab.eu...er-with-trojan/
Apr 22, 2014 - "... new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”. This email is sent from the spoofed address “ipguk52@ paintballbookingoffice .com” <ipguk@ paintballbookingoffice .com> and has the following body:
    Dear client,
    Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.
    Please view the attached booking confirmation, map and important game day documents prior to attending.
    Kind regards,
    Leigh Anderson
    Event Co-ordinator...


The attached ZIP file has the name Booking Confirmation 2826-66935.zip; once extracted, a folder Booking Confirmation 0414-28921 is created which contains the 14 kB file Booking Confirmation 0414-28921.exe. The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen. At the time of writing, 4/51 AV engines detected the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe "
* https://www.virustot...75fbe/analysis/

** https://malwr.com/an...WU1ODMyMmMyZGQ/

:ph34r:  <_<


Edited by AplusWebMaster, Yesterday, 07:56 AM.
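The "spoofed icon" pattern that recurs in the 10, 11 and 22 April items above (a ZIP attachment whose only member is an .exe named like an invoice or PDF, relying on Windows hiding known extensions) is something a mail gateway can flag before any user sees the icon. The following is an added example, not code from the quoted blogs: a Python triage routine run over a constructed in-memory ZIP whose member names mirror the posts but whose bytes are harmless stubs; the extension lists and the 64-byte header read are my assumptions.

```python
"""Triage ZIP attachments for executables posing as documents.

Added example modelled on the courier/invoice campaigns quoted in this
thread. The sample archive is constructed in memory with stub bytes; it
contains no real malware. Extension lists are assumptions, not a standard.
"""
import io
import os
import zipfile

# Assumed lists: extensions Windows will run, and document types an .exe
# typically hides behind when "show known file extensions" is off.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MZ_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable header


def _split_exts(name):
    """All extensions of a filename, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def triage_member(name, head):
    """Classify one ZIP member from its name and leading bytes; return reasons."""
    reasons = []
    exts = _split_exts(name)
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        reasons.append("executable extension %s" % last)
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        reasons.append("double extension %s%s hides an executable" % (exts[-2], last))
    if head.startswith(MZ_MAGIC) and last not in EXEC_EXTS:
        # Content says PE, name says document: the icon is lying the other way.
        reasons.append("MZ (PE) header behind a non-executable name")
    return reasons


def scan_zip_attachment(zip_bytes):
    """Scan an in-memory ZIP; return {member: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # enough to see the magic bytes
            reasons = triage_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample echoing the quoted campaigns (stub bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # folder + .exe named like an invoice, with a PE-style MZ header
        zf.writestr("CDS_INVOICE_168027/CDS_INVOICE_168027.exe", b"MZ" + b"\x00" * 62)
        # double extension: shows as "...Report.pdf" when known extensions are hidden
        zf.writestr("Proof of Delivery Report.pdf.exe", b"MZ" + b"\x90" * 30)
        # an MZ file renamed to .pdf: name and content disagree
        zf.writestr("March invoice 8912.pdf", b"MZ" + b"\x00" * 10)
        # a genuinely harmless member that must not be flagged
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```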