Fake BBB SPAM – PDF malware
15 July 2014 - "BBB SBQ Form #862054929(Ref#85-862054929-0-4) pretending to come from BBB Accreditation Services <Emmanuel_Hastings@ newyork .bbb .org> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Thank you for supporting your Better Business Bureau (BBB). As a service to BBB Accredited
Businesses, we try to ensure that the information we provide to
potential customers is as accurate as possible. In order for us to
provide the correct information to the public, we ask that you review
the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)...
Thank you again for your support, and we look forward to receiving this updated information.
15 July 2014:BBB SBQ Form.zip (7kb) : Extracted file name: BBB SBQ Form.exe.exe
Current Virus total detections: 2/53 * . This BBB SBQ Form #862054929(Ref#85-862054929-0-4) is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Fake Notice to Appear in Court Email - Malware
15 July 2014 - "Email purporting to be from Green Winick Attorneys at Law claims that you are required to appear in court and should click a link to view a copy of the court notice... The email is -not- from Green Winick or any legitimate legal entity. The link in the email opens a webpage that harbours -malware- ...
... The email claims that you are required to appear in court and should therefore -click- a link to download the court notice and 'read it thoroughly'. The message warns that, if you fail to appear as requested, the judge may hear the case in your absence... If you click the link in the email, you will be taken to a website that harbours a version of the notorious Asprox/Kulouz malware. Once downloaded and installed, the malware attempts to download further malware and allows criminals to maintain control of the infected computer and join it to a botnet..."
Ref: ASProx botnet, aka Kulouz
July 13, 2014
Fake Virgin Airlines Calls ...
15 July 2014 - "A number of people in different parts of Australia have reported receiving 'prize' calls claiming to be from Virgin Australia. The callers claim that the 'lucky' recipient of the call has won a cash prize or 999 frequent-flyer points. Supposedly, winners were randomly drawn from the names of people who have flown with the airline in the past. 'Winners' are then told that they must provide their credit card details to claim their prize... the calls are certainly -not- from Virgin Australia and recipients have won nothing at all. The calls are a criminal ruse designed to steal credit card information. Virgin Australia has issued a statement* warning people about the scam..."
.pif files, Polish spam from Orange, and Tiny Banker (Tinba)
July 15, 2014 - "... we saw 1,440 copies of a spam message claiming to be from "orange .pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names... I was surprised to see that the file was actually TinBa or "Tiny Banker"!... email that was distributed so prolifically this morning:
In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:
If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www .orange .pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www .orange .pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.
The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53)* detection rate. The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange .com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal... more malware, disquised as an invoice but actually a .pif file. The current detection at VirusTotal for that campaign is 33 of 53** detections. Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message..."
Edited by AplusWebMaster, 15 July 2014 - 11:28 AM.