SPAM frauds, fakes, and other MALWARE deliveries...


1173 replies to this topic

#1171 AplusWebMaster
Authentic Member, 8,025 posts
Interests: ... The never-ending battle for Truth, Justice, and the American way.

Posted 09 April 2014 - 07:04 AM

FYI...

Instagram Scam: Lottery Winners impersonated to offer Money for Followers
- http://www.symantec....money-followers
9 Apr 2014 - "... Instagram scammers have been posting images offering -fake- lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers...
> http://www.symantec..../figure1_20.png
... In this -scam- a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address... It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts... if it sounds too good to be true, it is."
___

Something evil on 66.96.223.192/27
- http://blog.dynamoo....9622319227.html
9 Apr 2014 - "There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already -flagged- as malicious by Google, and I've reported on bad IPs in this range before. A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here* [csv]. I would recommend applying the following blocklist:
66.96.223.192/27
capcomcom .com
chebuesx .com
..."
(Long list at the dynamoo URL above.)
* http://www.dynamoo.c....223.192-27.csv
___

Fake eBay emails – Pharma SPAM
- http://myonlinesecur...ay-pharma-spam/
9 Apr 2014 - "... we are now seeing fake < Your name >, You have delayed mails from eBay. In exactly the same way as The Fake Facebook Messages, these fake eBay messages appear to come from eBayNotifier but are being sent by one of the botnets and -not- by eBay at all. These only have 1 link in them unlike the previous which normally have 2 links in them, that if you are unwise enough to click on them will either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, Valium or other illegal drugs. Today's offerings are to a Canadian Pharma spam site. Always hover over the links in these emails and you will see that they do -not- lead to eBay. Do not click on the links, just -delete- the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected... Email text will say something like:
Your name,
    You have delayed mail
    View mails
    Yours truly
    eBayNotifier


Screenshot: http://myonlinesecur...s-from-eBay.png ..."
 



Edited by AplusWebMaster, 09 April 2014 - 10:57 AM.


#1172 AplusWebMaster

Posted 10 April 2014 - 07:02 AM

FYI...

Fake CDS Invoice – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 April 2014 - "Following on from today’s and other recent DHL* and -other- delivery service failure notices, the malware gangs have changed tack and are sending out local courier company invoices. CDS Invoice pretending to come from accounts@ cdsgroup .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear client
Please find attached your invoice number 168027
If you have any queries with this invoice, please email us... or call us...
For and on behalf of The CDS Group of Companies
Crawfords of London | Crawfords Delivery Services | Media Express | CDS International
Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International...
This message and any attachment are confidential and may be privileged...
This email has been scanned...


Screenshot: http://myonlinesecur...cds-invoice.png

9 April 2014: CDS_INVOICE_168027.zip (464 kb): Extracts to CDS_INVOICE_168027.exe
Current VirusTotal detections: 6/51**. This CDS Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
10 April 2014

Fake DHL email Screenshot: http://myonlinesecur...very-report.png

** https://www.virustot...sis/1397115564/
___

SCAM: Climate Change And Health Conference ...
- http://blog.dynamoo....and-health.html
10 April 2014 - "This -spam- is a form of an advanced fee fraud scam:
    From:     CCAHC ccahc@ live .com
    Reply-To:     ccahc@ e-mile .co .uk
    Date:     10 April 2014 16:04
    Subject:     Call for Poster
    CCAHC: Climate Change And Health Conference 2014
    Dear Colleague,
    On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014.
    The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues...
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom


The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using -free- email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap... the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will -vanish- taking their mythical conference with them."
___

Fake UPS SPAM - Exception Notification – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 April 2014 - "... UPS Exception Notification pretending to be from UPS Quantum View [auto-notify@ ups .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This one has links in the email to download the malware laden zip, rather than an attachment...
UPS
Discover more about UPS:
Visit ups .com
At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
Important Delivery Information
Tracking Number: 1Z522A9A6892487822 [ clickable URL ]
Rescheduled Delivery Date: 14-April-2014
Exception Reason: THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
Exception Resolution: PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
Shipment Detail ...


Screenshot: http://myonlinesecur...otification.png

... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
 



Edited by AplusWebMaster, 10 April 2014 - 03:07 PM.


#1173 AplusWebMaster

Posted 11 April 2014 - 05:16 AM

FYI...

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
- http://blog.dynamoo....6275140237.html
11 April 2014 - "This set of IPs is being used to push the Angler EK [1*] [2**]:
Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.
Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range..."
(Long list of domains at the dynamoo URL above.)
* http://wepawet.isecl...7206144&type=js

** http://urlquery.net/...d=1397206442682
___

Fake UKMail - Proof of Delivery Report – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 April 2014 - "Continuing from yesterday’s theme of parcel & courier email messages, the malware bad guys are continuing with the same theme today. Proof of Delivery Report: 09/04/14-11/04/14, pretending to come from UKMail Customer Services [list_reportservices@ ukmail .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Dear Customer,
    Please find attached your requested Proof of Delivery (POD) Download Report
    ………………………………………………………………………………………………………………………
    iMail Logo
    “For creating, printing and posting your next day mail”
    click here to realise the savings that you could make
    Please consider the environment before printing this e-mail or any attachments.
    This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
    If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
    UK Mail Group Plc is registered and incorporated in England.
    Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
    Registered Company No.: 02800218.


11 April 2014: poddel-pdf-2014041103004500.zip (59 kb). Extracts to poddel-pdf-2014041103004500.exe
Current VirusTotal detections: 2/51*. This Proof of Delivery Report: 09/04/14-11/04/14 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...a8f0d/analysis/
 



Edited by AplusWebMaster, 11 April 2014 - 06:17 AM.
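Posts #1172 and #1173 both describe the same trick: a zip attachment whose only member is an .exe carrying a PDF icon, so that with "hide extensions for known file types" left on it looks like a document. The block below is an added example of inspecting such an archive without opening anything; it is not code from the forum poster or the quoted blogs. It reads each member's name and leading bytes and reports executable extensions, document-then-executable double extensions ("invoice.pdf.exe"), an MZ header regardless of the name, and a .pdf that does not start with the PDF signature. The archive returned by `build_sample()` is constructed for the example: its members are filler bytes behind an "MZ" signature, not real malware, and the member names only mirror the ones quoted in the posts.

```python
"""Inspect a zip attachment the way the "show known file extensions" advice
above does by hand: check each member's real extension and leading bytes,
and flag executables dressed up as documents.

Added example for this thread, not code from the forum poster or the quoted
blogs. The archive built by build_sample() is constructed: its members are
filler bytes behind an "MZ" signature, not real malware.
"""
import io
import zipfile

# Extensions Windows will execute when double-clicked (directly or via a script host).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document extensions attackers put in front of the real one ("invoice.pdf.exe").
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def classify_member(name, head):
    """Return a list of findings for one archive member, given its name and
    its first bytes; an empty list means nothing suspicious was seen."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        # With extensions hidden, "x.pdf.exe" is displayed as "x.pdf".
        findings.append("double extension hides an executable: %s" % name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension %s" % ext)
    if head.startswith(b"MZ"):
        findings.append("PE/DOS executable header, whatever the name says")
    if ext == ".pdf" and not head.startswith(b"%PDF"):
        findings.append("named .pdf but lacks the %PDF signature")
    return findings


def scan_zip(data):
    """Map member name -> findings for every suspicious member of a zip held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for the signatures checked above
            findings = classify_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample():
    """Constructed test archive: two executables named like the attachments in
    the posts, one fake .pdf with an executable header, and one harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        fake_pe = b"MZ" + b"\x90" * 62 + b"constructed filler, not a real program"
        zf.writestr("CDS_INVOICE_168027.exe", fake_pe)
        zf.writestr("poddel-pdf-2014041103004500.pdf.exe", fake_pe)
        zf.writestr("statement.pdf", fake_pe)  # wrong signature for its name
        zf.writestr("genuine_invoice.pdf", b"%PDF-1.4\n% constructed minimal header\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample()).items():
        print(member)
        for finding in findings:
            print("   -", finding)
```

The header check is the one that matters at a gateway: renaming the file or adding a second extension changes nothing about the first two bytes, so an "MZ" member inside an archive that is supposed to carry an invoice is reason enough to quarantine the message, independent of the VirusTotal detection counts quoted in the posts.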


#1174 AplusWebMaster

Posted Yesterday, 02:24 PM

FYI...

Something still evil on 66.96.223.192/27
- http://blog.dynamoo....9622319227.html
16 April 2014 - "Last week I wrote about a rogue netblock hosted by Network Operation Center* in the US. Well, it's still spreading malware but now there are -more- domains active on this range. A full list of the subdomains I can find are listed here [pastebin**]. I would recommend that you apply the following blocklist:
66.96.223.192/27
andracia .net
..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....9622319227.html

** http://pastebin.com/RQfE69hn
___

Netflix-themed tech support SCAM ...
- http://blog.malwareb...-more-copycats/
April 16, 2014 - "A few weeks ago we blogged about this Netflix phishing scam -combined- with fake tech support that was extorting private information and money from people. The scam worked by asking unsuspecting users to log into their Netflix account and enter their username and password into a -fraudulent- website. After collecting the personal details, the perpetrators used a fake warning to state the particular account had been suspended. All this effort was really about leading potential victims into a trap, by making them call a 1-800 number operated by -fake- tech support agents ready to social engineer their mark and collect their credit card details. A slightly new variant is once again making the rounds with the same goal of funnelling traffic to -bogus- ‘customer support’ hotlines:
> http://cdn.blog.malw...red_netflix.png
... this time around the scammers behind it are expanding the phishing pages to other online services as well to target a wider audience. Crooks are buying online ads for each brand such as this one on Bing for “netflix tech support number”:
> http://cdn.blog.malw.../04/bingad1.png
... The quality of leads you get from targeted advertising is much higher than that from random cold calls. If you can attract people already looking for help and offer them your service, chances are conversion rates will be higher..."
 



Edited by AplusWebMaster, Yesterday, 02:40 PM.
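The dynamoo items quoted in #1171, #1173 and #1174 each end with a recommended blocklist: a CIDR range or a handful of individual IPs plus domains, written defanged with a space before the TLD ("capcomcom .com"). The block below is an added example of turning such a list into a check that can be run over proxy-log lines; it is not code from the forum poster or from dynamoo. `BLOCKLIST_TEXT` copies only the entries visible on this page (the blog posts carry longer lists), bare IPs are treated as /32 networks, and the domain match covers subdomains, which matters for the hijacked subdomains mentioned in #1173. The `LOG_LINES` are constructed for the example.

```python
"""Apply the IP-range and domain blocklists quoted from the dynamoo posts in
this thread to proxy-log lines and flag requests to the listed targets.

Added example for this thread, not code from the forum poster or from
dynamoo. BLOCKLIST_TEXT copies only the entries visible on this page; the
LOG_LINES are constructed.
"""
import ipaddress
import re

# Entries as they appear on the forum page: domains are written defanged with
# a space before the TLD ("capcomcom .com") and are re-joined when parsed.
BLOCKLIST_TEXT = """
66.96.223.192/27
capcomcom .com
chebuesx .com
andracia .net
62.75.140.236
62.75.140.237
62.75.140.238
64.120.207.253
64.120.207.254
"""

# Constructed proxy-log lines: date, time, client, method, URL, status.
LOG_LINES = [
    "2014-04-11 10:03:01 10.0.0.15 GET http://66.96.223.201/index.php 200",
    "2014-04-11 10:03:05 10.0.0.15 GET http://cdn.example.net/jquery.js 200",
    "2014-04-11 10:03:09 10.0.0.22 GET http://stats.capcomcom.com/a.html 200",
    "2014-04-11 10:03:12 10.0.0.22 GET http://66.96.223.230/ 404",
    "2014-04-11 10:04:40 10.0.0.31 GET http://62.75.140.236/landing/ 200",
    "2014-04-11 10:04:41 10.0.0.31 GET http://62.75.140.240/ 200",
]

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def parse_blocklist(text):
    """Split a blocklist into (ip networks, domain set). Bare IPs become /32s;
    anything that is not an IP or CIDR is treated as a re-fanged domain."""
    nets, domains = [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        token = entry.replace(" ", "")  # "capcomcom .com" -> "capcomcom.com"
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            domains.add(token.lower().rstrip("."))
    return nets, domains


def is_blocked(target, nets, domains):
    """True when target (an IP or hostname) falls in a listed network or is a
    listed domain or a subdomain of one."""
    target = target.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip in net for net in nets)
    labels = target.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def flagged_requests(lines, nets, domains):
    """Return [(line number, host)] for log lines whose request host is blocked."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = URL_HOST_RE.search(line)
        if match and is_blocked(match.group(1), nets, domains):
            hits.append((lineno, match.group(1)))
    return hits


if __name__ == "__main__":
    nets, domains = parse_blocklist(BLOCKLIST_TEXT)
    for lineno, host in flagged_requests(LOG_LINES, nets, domains):
        print("line %d: %s is on the blocklist" % (lineno, host))
```

Note that 66.96.223.230 is not flagged: the /27 covers .192 through .223 only. The #1173 item says the surrounding /24s (62.75.140.0/24 and 64.120.207.0/24) hold a mix of malicious and legitimate sites; widening the block to them is a one-line change to `BLOCKLIST_TEXT`, and the is_blocked result for 62.75.140.240 would then flip, so decide that deliberately rather than by default.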




