SPAM frauds, fakes, and other MALWARE deliveries...


1237 replies to this topic

#1231 AplusWebMaster

  • Authentic Member
  • 8,235 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 July 2014 - 09:09 AM

FYI...

Fake BBB SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 July 2014 - "BBB SBQ Form #862054929(Ref#85-862054929-0-4) pretending to come from BBB Accreditation Services <Emmanuel_Hastings@ newyork .bbb .org> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Thank you for supporting your Better Business Bureau (BBB). As a service to BBB Accredited
Businesses, we try to ensure that the information we provide to
potential customers is as accurate as possible. In order for us to
provide the correct information to the public, we ask that you review
the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)...
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services


15 July 2014:BBB SBQ Form.zip (7kb) : Extracted file name:  BBB SBQ Form.exe.exe              
Current Virus total detections: 2/53 * . This  BBB SBQ Form #862054929(Ref#85-862054929-0-4) is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405433104/
___

Fake Notice to Appear in Court Email - Malware
- http://www.hoax-slay...t-malware.shtml
15 July 2014 - "Email purporting to be from Green Winick Attorneys at Law claims that you are required to appear in court and should click a link to view a copy of the court notice... The email is -not- from Green Winick or any legitimate legal entity.  The link in the email opens a webpage that harbours -malware- ...
> http://www.hoax-slay...s-july-2014.jpg
... The email claims that you are required to appear in court and should therefore -click- a link to download the court notice and 'read it thoroughly'. The message warns that, if you fail to appear as requested, the judge may hear the case in your absence... If you click the link in the email, you will be taken to a website that harbours a version of the notorious Asprox/Kulouz malware. Once downloaded and installed, the malware attempts to download further malware and allows criminals to maintain control of the infected computer and join it to a botnet..."

Ref: ASProx botnet, aka Kulouz
- http://garwarner.blo...reenwinick.html
July 13, 2014
Screenshot: https://3.bp.blogspo...GreenWinick.jpg

- https://www.virustot...sis/1405216664/
___

Fake Virgin Airlines Calls ...
- http://www.hoax-slay...cam-calls.shtml
15 July 2014 - "A number of people in different parts of Australia have reported receiving 'prize' calls claiming to be from Virgin Australia. The callers claim that the 'lucky' recipient of the call has won a cash prize or 999 frequent-flyer points. Supposedly, winners were randomly drawn from the names of people who have flown with the airline in the past. 'Winners' are then told that they must provide their credit card details to claim their prize... the calls are certainly -not- from Virgin Australia and recipients have won nothing at all. The calls are a criminal ruse designed to steal credit card information. Virgin Australia has issued a statement* warning people about the scam..."
* http://www.virginaus.../travel-alerts/

___

.pif files, Polish spam from Orange, and Tiny Banker (Tinba)
- http://garwarner.blo...orange-and.html
July 15, 2014 - "... we saw 1,440 copies of a spam message claiming to be from "orange .pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names... I was surprised to see that the file was actually TinBa or "Tiny Banker"!... email that was distributed so prolifically this morning:
> http://4.bp.blogspot...m.orange.pl.jpg
In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:
    If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www .orange .pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www .orange .pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.

The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53)* detection rate. The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange .com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal... more malware, disguised as an invoice but actually a .pif file. The current detection at VirusTotal for that campaign is 33 of 53** detections. Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message..."
* https://www.virustot...ce8c6/analysis/

** https://www.virustot...d61d8/analysis/
 

:ph34r:  <_<


Edited by AplusWebMaster, 15 July 2014 - 11:28 AM.
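The "spoofed icon" trick described in the post above (and again in the later "IMG…-JPG.zip" and "Credit Application" posts in this thread) works because Windows hides the last extension of a known file type, so "form.pdf.scr" displays as "form.pdf". A mail gateway or triage script can catch the pattern from the file name alone, before anything is extracted. The following is an added example, not code from the forum post or from the sites it quotes; the ZIP archive is constructed in memory from file names modelled on the ones quoted in the thread and holds placeholder bytes, not malware.

```python
"""Flag e-mail attachments that disguise an executable as a document or image.

Added example; not code from the forum post or from the sites it quotes.
The sample ZIP is constructed in memory from file names imitating the ones
quoted in the thread; the entries hold placeholder bytes, not malware.
"""
import io
import zipfile

# Extensions Windows treats as executable when double-clicked (a subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".cpl", ".js", ".jse", ".vbs", ".wsf"}
# Extensions a recipient expects to be harmless documents or pictures.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt",
              ".jpg", ".jpeg", ".png", ".gif"}


def classify_name(name: str) -> str:
    """Return 'disguised-executable', 'executable' or 'ok' for one file name.

    With "hide extensions for known file types" on, Windows shows
    'report.pdf.scr' as 'report.pdf', so a decoy extension sitting in front
    of the real one is the pattern the quoted posts describe.
    """
    base = name.lower().rsplit("/", 1)[-1]        # drop any folder prefix
    parts = base.split(".")
    if len(parts) < 2:
        return "ok"                               # no extension at all
    real_ext = "." + parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return "ok"
    decoy_ext = "." + parts[-2] if len(parts) >= 3 else ""
    if decoy_ext in DECOY_EXTS or decoy_ext in EXECUTABLE_EXTS:
        return "disguised-executable"             # e.g. form.pdf.scr, form.exe.exe
    return "executable"


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each entry of a ZIP attachment to its verdict, without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: classify_name(info.filename)
                for info in zf.infolist() if not info.is_dir()}


def should_quarantine(zip_bytes: bytes) -> bool:
    """True if any entry is an executable, disguised or not."""
    return any(v != "ok" for v in scan_zip(zip_bytes).values())


def build_sample_zip(names) -> bytes:
    """Constructed test data: an in-memory ZIP whose entries have these names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder bytes, not an executable")
    return buf.getvalue()


# Names modelled on the attachments quoted in the thread (constructed sample).
SAMPLE_NAMES = [
    "BBB SBQ Form.exe.exe",
    "IMG875002763.JPEG.pif",
    "SWF_CREDIT_APPLICATION.pdf.scr",
    "Document-6936124.scr",
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for entry, verdict in scan_zip(build_sample_zip(SAMPLE_NAMES)).items():
        print(f"{verdict:22} {entry}")
```

The check deliberately reads only the ZIP directory, so nothing is written to disk; a bare "executable" verdict is still worth quarantining in a mail flow, but the "disguised-executable" verdict is the one that mirrors the campaigns quoted here and justifies an alert to the recipient.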


#1232 AplusWebMaster


Posted 16 July 2014 - 10:56 AM

FYI...

Fake Fax / Secure msg SPAM
- http://blog.dynamoo....u-have-new.html
16 July 2014 - "This -pair- of spam messages leads to a malicious ZIP file downloaded via goo .gl (and -not- Dropbox as the spam says):
From:     Fax [fax@ victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax
New fax at SCAN7905518 from EPSON by https ://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at:
https ://goo .gl/8AanL9
(Dropbox is a file hosting service operated by Dropbox, Inc.)
-------------
From:     NatWest [secure.message@ natwest .com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at:
https ://goo .gl/8AanL9
(Dropbox is a file hosting service operated by Dropbox, Inc.)


I have seen three goo .gl URLs leading to three different download locations, as follows
https ://goo .gl/1dlcL3 leads to
http ://webbedenterprisesinc .com/message/Document-6936124.zip
https ://goo .gl/8AanL9 leads to
http ://rollermodena .it/Document-2816409172.zip
https ://goo .gl/pwgQID leads to
http ://www.vetsaudeanimal .net/Document-9879091.zip
- In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54*. The Malwr report** shows that this then downloads components from the following locations (hosted by OVH France):
http ://94.23.247.202 /1607h/HOME/0/51Service%20Pack%203/0/
http ://94.23.247.202 /1607h/HOME/1/0/0/
An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54***. The Malwr report for that is inconclusive.
Recommended blocklist:
94.23.247.202
vetsaudeanimal .net
rollermodena .it
webbedenterprisesinc .com
"
* https://www.virustot...sis/1405523997/

** https://malwr.com/an...DkzOTBmNWJjMjg/

*** https://www.virustot...sis/1405524493/

94.23.247.202: https://www.virustot...02/information/

 

- http://threattrack.t...re-message-spam
July 16, 2014 - "Subjects Seen:
    You have a new Secure Message
Typical e-mail details:
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at:
    goo .gl/1dlcL3


Screenshot: https://gs1.wac.edge...9zgJ1r6pupn.png

Malicious URLs:
    webbedenterprisesinc .com/message/Document-6936124.zip
    lavadoeimagen .com/Document-09962146.zip

Malicious File Name and MD5:
    Document-<random>.scr (2A835747B7442B1D58AB30ABC90D3B0F)
    Document-<random>.zip (323706E66968F4B973870658E84FEB69)


Tagged: NatWest, Upatre
 

  :ph34r:  <_<


Edited by AplusWebMaster, 16 July 2014 - 12:07 PM.


#1233 AplusWebMaster


Posted 17 July 2014 - 05:44 PM

FYI...

Fake 'Take a look at this picture' email – malware
- http://myonlinesecur...ke-pdf-malware/
17 June 2014 - "'You should take a look at this picture' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very simple email with the subject of 'You should take a look at this picture' and the body just containing a smiley face.
17 July 2014: IMG3384698174-JPG.zip (24 kb) : Extracts to IMG4563693711-JPG.scr
Current Virus total detections: 3/54 * ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405605234/
 

:ph34r:  <_<


Edited by AplusWebMaster, 17 July 2014 - 05:51 PM.


#1234 AplusWebMaster


Posted 18 July 2014 - 08:32 AM

FYI...

Something evil on 5.135.211.52 and 195.154.69.123
- http://blog.dynamoo....521152-and.html
18 July 2014 - "This is some sort of malware using insecure OpenX ad servers to spread... don't know quite what it is, but it's running on a bunch of -hijacked- GoDaddy subdomains and is triggering a generic Javascript detection on my gateway... The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT*] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT**]. This second IP has also been used to host "one two three" malware sites back in May***.
Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance .com
risleyhouse .net
ecofloridian .info
ecofloridian .com
trustedelderlyhomecare .net
trustedelderlyhomecare .org
trustedelderlyhomecare .info
theinboxexpert .com
"
* 5.135.211.52: https://www.virustot...52/information/
** 195.154.69.123: https://www.virustot...23/information/
*** http://blog.dynamoo....ons-center.html
___

Law Firm Spam
- http://threattrack.t...8/law-firm-spam
July 18, 2014 - "Subjects Seen:
    Notice of appearance
Typical e-mail details:
    Notice to Appear,
    To view copy of the court notice click here. Please, read it thoroughly. Note: If you do not attend the hearing the judge may hear the case in your absence.


Malicious URLs:
    encoretaxcpa .com/wp-content/plugins/pm.php?notice=rAKMA0yBTjJaHycjLxYiPxWIuHzgUE6cEU/ZGGio7m4=


Screenshot: https://gs1.wac.edge...n8BS1r6pupn.png

Tagged: Law firm, Kuluoz
___

Hotel Business Center Machines - targeted by keyloggers
- https://atlas.arbor....index#802927307
Elevated Severity
July 17, 2014 - "The U.S. Secret Service has issued an advisory warning users to avoid using hotel business center computers, as cybercriminals frequently target these machines to install keylogging malware.
Analysis: Any publicly accessible computer, even those perceived to be in secure locations, should not be used to access personal or company data. If printing services are needed, users should consider forwarding the information to a throw-away email address, which is then accessed from the public computer.
- http://krebsonsecuri...usiness-centers

 

:ph34r:  <_<


Edited by AplusWebMaster, 18 July 2014 - 11:03 AM.
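The "Recommended blocklist" sections quoted from Dynamoo in this and the 16 July post are pasted defanged ("vetsaudeanimal .net", "http ://94.23.247.202 /..."), which is right for a forum but has to be undone before a resolver or firewall can use them. The script below is an added example, not code from the forum post or from the Dynamoo blog; it refangs a pasted list, separates IPs from domains, and renders a BIND response-policy-zone fragment and ipset commands. The input is constructed from entries quoted in the thread and the set name "malware-c2" is an assumption.

```python
"""Turn a defanged "Recommended blocklist" into enforceable block rules.

Added example; not code from the forum post or from the Dynamoo blog it
quotes. The input below is constructed from entries quoted in the thread and
mixes the defanging styles seen there: a space before the TLD
("vetsaudeanimal .net"), a space in "http ://", and "hxxp".
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_BLOCKLIST = """\
Recommended blocklist:
94.23.247.202
vetsaudeanimal .net
rollermodena .it
webbedenterprisesinc .com
http ://94.23.247.202 /1607h/HOME/0/51Service%20Pack%203/0/
hxxp ://fcxnws .com/
"""


def refang(token: str) -> str:
    """Undo common defanging: 'hxxp', '(dot)', '[.]', and spaces inserted
    before '.', '/' or ':'."""
    t = token.strip()
    t = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), t,
               flags=re.I)
    t = t.replace("(dot)", ".").replace("[.]", ".")
    return re.sub(r"\s+(?=[./:])", "", t)


def indicator_host(refanged: str):
    """Host part of a URL or bare indicator; None when there is none."""
    if "://" in refanged:
        return urlsplit(refanged).hostname
    return refanged.split("/")[0].lower() or None


def indicator_kind(host: str):
    """'ip', 'domain' or None for anything else."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    return "domain" if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host) else None


def parse_blocklist(text: str):
    """Return (sorted IPs, sorted domains) found in a pasted blocklist."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):   # skip headings such as 'Recommended blocklist:'
            continue
        host = indicator_host(refang(line))
        if not host:
            continue
        kind = indicator_kind(host)
        if kind == "ip":
            ips.add(host)
        elif kind == "domain":
            domains.add(host)
    return sorted(ips), sorted(domains)


def to_rpz(domains) -> str:
    """BIND response-policy-zone records returning NXDOMAIN for each domain
    and all of its subdomains."""
    return "\n".join(f"{d} CNAME .\n*.{d} CNAME ." for d in domains)


def to_ipset(ips, set_name="malware-c2") -> str:
    """Commands that add each IP to a Linux ipset consulted by the firewall."""
    return "\n".join(f"ipset add {set_name} {ip}" for ip in ips)


if __name__ == "__main__":
    ips, domains = parse_blocklist(SAMPLE_BLOCKLIST)
    print(to_ipset(ips))
    print(to_rpz(domains))
```

Blocking at the resolver (RPZ) catches the hijacked subdomains Dynamoo describes without having to enumerate them, because the wildcard record covers every label under the listed domain; the ipset covers the download hosts that are contacted by bare IP and so never pass through DNS.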


#1235 AplusWebMaster


Posted 21 July 2014 - 07:28 AM

FYI...

Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
- http://blog.dynamoo....981-ip4isp.html
21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
Recommended blocklist:
188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
adultvideoz .net
alsancakescort .org
anadoluyakasiescort .asia
"
* http://blog.dynamoo....ovh-france.html

** http://urlquery.net/...d=1405937345878

*** 188.120.198.1: https://www.virustot....1/information/
___

Facebook video scam leaves unamusing Trojan
- http://net-security....ews.php?id=2814
21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
___

Bank of America - Activity Alert Spam
- http://threattrack.t...vity-alert-spam
July 21, 2014 - "Subjects Seen:
    Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Malicious File Name and MD5:
    report072114_349578904357.exe (23E32D6A9A881754F1260899CB07AC55)
    report072114_349578904357.zip (4FE1365C55AA0C402384F068CDA7DF8E)


Screenshot: https://gs1.wac.edge...Nlop1r6pupn.png

Tagged: Bank of America, Upatre

- http://myonlinesecur...ke-pdf-malware/
21 July 2014
> https://www.virustot...sis/1405960609/
___

Bitly API key and MSNBC unvalidated redirects
- http://community.web...-redirects.aspx
21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
> http://community.web..._2D00_550x0.jpg
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
> http://community.web..._2D00_550x0.jpg
Example post on Yahoo groups:
> http://community.web..._2D00_550x0.jpg
... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing.  Kudos to them.
>> http://community.web..._2D00_550x0.jpg
... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com..._practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."
 

:ph34r:  <_<


Edited by AplusWebMaster, 21 July 2014 - 09:52 PM.
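The Websense write-up quoted above makes two points for site operators: keep the shortener API key on the server side so it never ships to the browser, and recognise that a key tied to a branded short domain lets anyone who holds it mint redirects to arbitrary destinations under your name. The following is an added example, not Websense's, Bitly's or MSNBC's code, showing a back-end shortening handler that does both and, going one step beyond the article, refuses to shorten anything that does not point at the site's own hosts. Names are assumptions: ALLOWED_HOSTS stands for the site's own domains, SHORTENER_API_KEY is an environment variable the server reads, and shortener_api is an injected stand-in for whatever shortening API the site actually calls, so the example runs offline.

```python
"""Server-side URL shortening that keeps the API key off the client and
refuses to mint short links to arbitrary destinations.

Added example illustrating the advice quoted above; not Websense's or
Bitly's code. shortener_api is a stand-in for the real shortening API
(injected so the example runs offline), ALLOWED_HOSTS is the site's own
domains, and SHORTENER_API_KEY is read from the environment rather than
embedded in front-end JavaScript. All three names are assumptions.
"""
import hashlib
import os
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "news.example.com"}   # assumed site domains


class ShortenRejected(ValueError):
    """Raised when a request would create a short link to an off-site target."""


def destination_allowed(long_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Only https links whose host is one of ours may be shortened on our brand.

    This is what stops an abused key turning the branded short domain into
    an open redirector to someone else's site. Userinfo ('user@host') is
    rejected outright because 'https://www.example.com@evil.example/' would
    otherwise look like our host to a careless check.
    """
    parts = urlsplit(long_url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def shorten(long_url: str, shortener_api, api_key=None) -> str:
    """Back-end handler: validate the destination, then call the API.

    The front end posts long_url to this handler and receives only the
    short URL; the key is read here and never leaves the server.
    """
    api_key = api_key or os.environ.get("SHORTENER_API_KEY")
    if not api_key:
        raise RuntimeError("SHORTENER_API_KEY is not configured on the server")
    if not destination_allowed(long_url):
        raise ShortenRejected(f"refusing to shorten off-site destination: {long_url}")
    return shortener_api(long_url, api_key)


def fake_shortener_api(long_url: str, api_key: str) -> str:
    """Offline stand-in for the real API call (constructed for this example)."""
    digest = hashlib.sha256((api_key + long_url).encode()).hexdigest()[:6]
    return f"https://short.example.com/{digest}"


if __name__ == "__main__":
    print(shorten("https://news.example.com/story/42", fake_shortener_api, api_key="demo"))
    try:
        shorten("https://fake-news.example.net/", fake_shortener_api, api_key="demo")
    except ShortenRejected as exc:
        print("rejected:", exc)
```

The allowlist is the part that survives a key leak: even if the key is exposed anyway, the server-side handler is the only thing that can use it on behalf of the site, and it will not produce a branded link to a fake news host.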


#1236 AplusWebMaster


Posted 22 July 2014 - 06:01 AM

FYI...

Facebook SCAM - 'Actual Footage Missile MH-17'
- http://www.hoax-slay...rvey-scam.shtml
July 22, 2014 - "Facebook message claims that users can see actual footage of the missile fired at downed Malaysian Airlines flight MH17 by pro-Russian militants. The promised video does not exist. The message is a -scam- designed to trick people into spamming their friends with the same fake material and participating in -bogus- online surveys. If this message comes your way, do not click any links that it contains.
> http://www.hoax-slay...rvey-scam-1.jpg
This message, which is being distributed on Facebook, promises users actual footage showing the missile that destroyed Malaysian Airlines flight MH17. The message invites users to click a link to view the footage... The supposed video is just a trick to get you to click the link in the message.  In fact, the message is a typical 'shocking video' survey scam. If you click the link in the message, you will be taken to a fake Facebook Page that supposedly hosts the video. The fake page comes complete with equally fake user comments... scammers quickly exploit every high-profile disaster and the MH17 tragedy is no exception. In coming days and weeks, be wary of any message that asks you to click a link to access video or breaking news pertaining to MH17..."
___

Facebook Scam leads to Nuclear Exploit Kit
- http://www.symantec....ear-exploit-kit
22 July 2014 - "... The “EXPOSED: Mom Makes $8,000/Month” scam, which we observed recently, redirected users to the Nuclear exploit kit. This particular scam has since been removed by Facebook..."
Regions affected by Nuclear exploit kit
> http://www.symantec....book Scam 4.png
___

Spammy Tumblr Apps and Stalker Hunting
- http://blog.malwareb...talker-hunting/
July 22, 2014 - "... the latest one currently bouncing around the popular social network. You’ll notice it apes the template of the site in the linked blog [1] – same spam posts, same spam application name – although the website for this one looks fairly slick. It’s possible this one is closely related to the February spamrun, as the same Bit.ly user account created shortening URLs for both. Here’s the spam popping up on various blogs:
> http://cdn.blog.malw.../tumbstalk1.jpg
Below is the site it leads to, located at reviewsloft(dot)com/a/?3
> http://cdn.blog.malw.../tumbstalk2.jpg
... Once the install is done, they’ll show the inevitable surveys to the end-user to make some money. As before, a bit.ly link is used... With this current spamrun we can see that we’re hitting about 19,000 in 12 days, with around 2,000 clicks listed as coming from Tumblr and the rest classed as “unknown”. Not a huge amount of information to go on, then, but a good reminder that people continue to fall for this type of scam which has been around for the longest time. As a final note, the -rogue- application will continue to post to your Tumblr until you go into your user settings and remove the app... follow the instructions listed on the Tumblr account security page*. At that point, the spam posts can stop..."
* https://www.tumblr.c...ccount_security

1] http://blog.malwareb...o-tumblr-users/
___

Fake Credit Applicaiton – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 July 2014 - "Fw: Credit Application is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Please see credit application for West Star Environmental.
The job we have for them is for $ 46,214.00
Thank you,
From: Jimmy Robertson
Sent: Tue, 22 Jul 2014 11:57:13 +0100
Subject: Credit Applicaiton
Good Afternoon,
Here is our credit application. If you should require further information please feel free to contact me.
Jimmy Robertson
West Star Environmental, Inc.
4770 W. Jennifer
Fresno, CA 93722 ...


22 July 2014: SWF_CREDIT_APPLICATION.pdf.zip (10kb)  Extracts to SWF_CREDIT_APPLICATION.pdf.scr... Current Virus total detections: 5/53*
This Fw: Credit Applicaiton is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406038205/
___

Over 30 financial institutions defrauded by phone apps used to intercept passwords
- http://www.reuters.c...N0PX02T20140722
Jul 22, 2014 - "More than 30 financial institutions in six countries have been defrauded by sophisticated criminal software that convinces bank customers to install -rogue- smartphone programs... Though many of the elements of the malicious software, including the interception of one-time passwords sent to phones, have been used elsewhere, the latest criminal campaign is unusual in that it combines many different techniques and leaves few traces... Banks in Austria, Sweden, Switzerland and Japan have all been hit, with damages somewhere in the millions of dollars... The least sophisticated part of the gang's work so far appears to be in the delivery of the software, according to a report by Trend Micro researchers*. Emails that appear to be from major retailers come with attachments that, when opened, prompt the user to download a malicious attachment of an unusual type, called a control panel item. If users do not click again, they are safe. If they do, the software goes to work and hides itself out of view of most antivirus protection. When an infected user later tries to visit the website of one of the targeted banks, the software redirects them to a -fake- site, which asks for login details and then prompts the user to download a smartphone app. That app later intercepts the one-time passwords, giving the gang both that data as well as the login information, enough to clean out an account..."
* http://blog.trendmic...ation-emmental/
___

"Commingled" user data...
- http://www.reuters.c...N0FR1XA20140722
July 22, 2014 - "A federal judge rejected Google Inc's bid to dismiss a privacy lawsuit claiming it commingled user data across different products and disclosed that data to advertisers without permission... Google must face breach of contract and fraud claims by users of Android-powered devices who had downloaded at least one Android application through Google Play. Other parts of the lawsuit were dismissed, including claims brought on behalf of account users who switched to non-Android devices from Android devices after Google had changed its privacy policy in 2012 to allow the 'commingling'... The lawsuit arose after Google on March 1, 2012 scrapped a variety of privacy policies for different products, and created a single, unified policy letting it -merge- user data generated through platforms such as Gmail, Google Maps and YouTube. Users complained that Google made this change -without- their consent and with no way to opt out, in a bid to better compete for ad revenue against Facebook Inc and other social media companies "where all of a consumer's personal information is available in one site." They said this jeopardized their privacy by exposing names, email addresses and geographic locations, increasing the threat of harassment or identity theft by third parties. Google reported $15.42 billion of revenue in the first quarter, of which 90 percent came from advertising. The case is In re: Google Inc Privacy Policy Litigation, U.S. District Court, Northern District of California, No. 12-01382."
___

Scams exploit MH17 Disaster
- http://www.hoax-slay...m17-scams.shtml
July 21, 2014 - "... callous criminals waste no time in exploiting disasters such as air-crashes, terrorist attacks, storms, or tsunamis. The MH17 missile attack tragedy is no exception. In coming days and weeks, Internet users should be wary of scam attacks that attempt to trick people into following links or opening attachments in messages that are supposedly related to MH17... after clicking such a link, you are told that, before you proceed, you must share the post, participate in a survey, install an app or browser extension, or download a video player update or other software, close the page immediately..."

- http://blog.trendmic...-of-mh17-crash/
July 18, 2014
___

Facebook SCAM - Mercedes Benz CLA 45' Giveaway
- http://www.hoax-slay...ming-scam.shtml
July 21, 2014 - "Facebook Page claims that users can win a 'Mercedes Benz CLA 45' just by liking the page, liking and sharing a promotional post... The Page is -bogus- and the competitions that it promotes are not legitimate. There are no winners and no cars are being given away. This is a like-farming scam designed to fraudulently increase the number of likes garnered by the Page. Facebook Pages with high like-numbers can later be used to perpetrate further scams to a large audience. Alternatively, the Pages may be sold on the black market to other scammers...
> http://www.hoax-slay...ming-scam-1.jpg
According to a 'Competitions' Facebook Page that is currently being promoted across the network, you could win one of 6 Mercedes Benz CLA 45's just by liking the Page, liking and sharing a Page post... The scammers may also use the bogus Pages to perpetrate advance fee scams... the like-heavy Pages can be sold via a lucrative black market to other scammers who will repurpose it to further their own goals..."
 

:ph34r:  <_<


Edited by AplusWebMaster, Yesterday, 05:55 AM.


#1237 AplusWebMaster


Posted Yesterday, 07:22 AM

FYI...

Fake Facebook mails lead to Pharma Spam
- http://blog.malwareb...to-pharma-spam/
July 23, 2014 - "... it may look as though something has gone wrong with your Facebook account, but it’s just a ruse to convince you to -click- the provided link. The message reads:
    “[Name], your messages will be deleted soon responsibly
    You haven’t been to Facebook for a few days, and a lot happened while you were away.
    Your messages will be deleted soon.”


Clicking either the View Messages or Go to Facebook button will result in the clicker hitting a php page on a .com(dot)au URL, before being redirected to a Canadian Pharmacy page:
> http://cdn.blog.malw...07/fbpharma.jpg
... we do not recommend purchasing random pills from websites you’ve discovered via -fake- Facebook spam mails. No matter how urgent-sounding or laced with impending doom a mail sounds, always consider that the sender simply wants you to click through with as much speed and as little thought as possible..."
___

Fake BBB complaint email – malware
- http://myonlinesecur...plaint-malware/
23 July 2014 - "Better Business Bureau complaint is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This version is slightly different to the usual BBB complaints emails because there is -no- attachment and they want you to click the link to download the gameover -zeus- malware binary directly:
July 23, 2014
Case# 5942415: Joe Russell
Dear Company:
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
http ://newyork.app.bbb .org/complaint/view/5942415/b/194439957f   
< http ://castlestrategies .net/css/new_7g1.exe>
The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as “Administratively Judged Resolved” and our records will be updated...


23 July 2014: new_7g1.exe  Current Virus total detections: 2/53*
... it appears to come from a friend or is more targeted..."
* https://www.virustot...sis/1406137574/

184.168.152.4: https://www.virustot....4/information/

- http://threattrack.t...eless-bill-spam
23 July 2014
___

Live SSH Brute Force Logs and New Kippo Client
- https://isc.sans.edu...l?storyid=18433
2014-07-23 - "... a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system... For data we are collecting so far, see:
- https://isc.sans.edu/ssh.html
... some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worthwhile brute forcing targets."
___

Fake "Redirected message" SPAM ...
- http://blog.dynamoo....redirected.html
23 July 2014 - "This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't; it is a forgery with a malicious attachment.
    Date:      Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
    From:      Birminghammail [paul.fulford@ birminghammail .co.uk]
    Subject:      Redirected message
Dear [redacted]!
Please find attached the original letter received by our system.


I only have two samples of this, the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)
Poor Mr Fulford thinks that his email has been hacked; it hasn't...
> https://3.bp.blogspo...600/fulford.png
Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe... The Malwr report* shows that this part reaches out to the following IPs:
37.139.47.103
37.139.47.117

Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53**. The Malwr report is inconclusive.
I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites."
* https://malwr.com/an...mZjNTA0YzBiNzI/

** https://www.virustot...sis/1406127100/

- http://myonlinesecur...essage-malware/
23 July 2014
> https://www.virustot...sis/1406126658/
___

Fake invoice 4904541 July SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 July 2014 - "invoice 4904541 July is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very plain simple email that just says:
This email contains an invoice file attachment

23 July 2014: invoice_4904541.zip (46 kb): Extracts to invoice_32990192.exe
Current Virus total detections: 3/53* ...This invoice 4904541 July is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustot...sis/1406127329/
___

Some WSJ systems taken offline after cyber attack
- http://www.reuters.c...N0FS03N20140723
2014.07.23 - "Computer systems containing the Wall Street Journal's news graphics were -hacked- by outside parties, according to the paper's publisher Dow Jones & Co. The systems have been taken offline to prevent the spread of attacks, but Journal officials have not found any damage to the graphics, the newspaper said citing people at the Wall Street Journal familiar with the matter. A hacker who goes by the Twitter handle of 'w0rm' allegedly posted tweets and screenshots claiming to have hacked the Journal's website and offered to sell user information and credentials needed to control the server..."
- http://online.wsj.co...sion-1406074055
July 22, 2014
 

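Added example (not from the quoted blogs or from AplusWebMaster's post): the dynamoo item above says the two Comfortel IPs are reason enough to block 37.139.47.0/24 or the whole 37.139.40.0/21. The script below builds a blocklist from the netblock and the single hosting IP quoted in this post, confirms that the /24 really is inside the /21, and runs the list over a few constructed firewall-style log lines (the log format and the source addresses are made up for the example; the destination addresses are the ones quoted above plus 37.139.48.5, which sits just outside the /21, and a DNS lookup to 8.8.8.8).

```python
import ipaddress
import re

# Indicators quoted in post #1237: the Comfortel range dynamoo suggests blocking
# (37.139.40.0/21 contains 37.139.47.0/24 and both IPs the sample contacted)
# plus the single hosting IP the post links to on VirusTotal.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "37.139.40.0/21",
    "184.168.152.4/32",
)]

# Constructed sample lines in a generic "src -> dst" firewall log shape (not real logs).
SAMPLE_LOG = """\
2014-07-23T12:01:02Z ALLOW tcp 10.0.0.15:51234 -> 37.139.47.103:80
2014-07-23T12:01:03Z ALLOW tcp 10.0.0.15:51235 -> 37.139.47.117:80
2014-07-23T12:02:10Z ALLOW tcp 10.0.0.22:49152 -> 37.139.48.5:443
2014-07-23T12:03:44Z ALLOW tcp 10.0.0.31:49200 -> 184.168.152.4:80
2014-07-23T12:04:00Z ALLOW udp 10.0.0.15:53001 -> 8.8.8.8:53
"""

# Destination IPv4 address after the "->" marker of the constructed format.
DST_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def covers(wide: str, narrow: str) -> bool:
    """True if netblock `narrow` lies entirely inside `wide` (e.g. a /24 inside a /21)."""
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(wide))


def lookup(ip: str):
    """Return the first blocklist network containing `ip`, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKLIST:
        if addr in net:
            return net
    return None


def flag_connections(log_text: str):
    """Return (destination ip, matching netblock) for every log line that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        net = lookup(m.group(1))
        if net is not None:
            hits.append((m.group(1), str(net)))
    return hits


def iptables_rules():
    """Egress DROP rules for the blocklist, one per netblock."""
    return [f"iptables -I OUTPUT -d {net.with_prefixlen} -j DROP" for net in BLOCKLIST]


if __name__ == "__main__":
    print("37.139.47.0/24 inside 37.139.40.0/21:", covers("37.139.40.0/21", "37.139.47.0/24"))
    for ip, net in flag_connections(SAMPLE_LOG):
        print(f"blocked destination {ip} (matches {net})")
    print("\n".join(iptables_rules()))
```

The /21 rather than the /24 is a judgement call the blog makes on the basis of what else is hosted there; the `covers` check is there so you can see which of the two ranges a given indicator actually falls in before choosing how wide to block.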


#1238 AplusWebMaster


Posted Today, 07:11 AM

FYI...

Fake Remittance Advisory SPAM – malware
- http://myonlinesecur...-email-malware/
24 July 2014 - "Remittance Advisory Email is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email... This email doesn’t have an attachment but has a link in the body for you to click on & download the malware:
Thursday 24 July 2014
This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.
Please review the details of the payment here.  
<http ://dentairemalin .com/images/report934875438jdfg8i45jg_07242014.exe>
Lloyds Banking Group plc...


24 July 2014: report934875438jdfg8i45jg_07242014.exe
Current Virus total detections: 5/53* ..."
* https://www.virustot...sis/1406204716/

- http://centralops.ne...ainDossier.aspx
canonical name     dentairemalin.com.
addresses 217.16.10.2 ...

217.16.10.2: https://www.virustot....2/information/

- http://blog.dynamoo....ved-secure.html
24 July 2014

- http://threattrack.t...remittance-spam
July 24, 2014
Tagged: lloyds tsb, Dyreza
___

Fake VoiceMail SPAM
- http://blog.dynamoo....email-spam.html
24 July 2014 - "This tired old malware spam is doing the rounds again.
    From:      Voice Mail [voicemail_sender@local]
    Subject:      You have received a new VoiceMail
    Date:      Thu, 24 Jul 2014 17:31:25 +0700 [06:31:25 EDT]
    You have received a voice mail message.
    Message length is 00:03:27.


As you might expect, the attachment VoiceMail.zip does not contain a voice mail at all, but it is a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 3/53*. The CAMAS report** and Anubis report*** shows the malware downloading an encrypted file from the following locations:
egozentrica .com/wp-content/uploads/2014/07/tor2800_2.7z
reneerlaw .com/wp-content/uploads/2014/07/tor2800_2.7z
Blocking those sites may give some protection against this malware."
* https://www.virustot...sis/1406214495/

** http://camas.comodo....81ab360a0b0806c

*** http://anubis.isecla...80b&format=html

50.115.19.181: https://www.virustot...81/information/

82.98.151.154: https://www.virustot...54/information/
___

CNN News Spam
- http://threattrack.t...aking-news-spam
July 24, 2014 - "Subjects Seen:
    CNN Breaking News - Malaysian Boing 777
Typical e-mail details:
    Ukraine recognizes that hit a Malaysian Boing 777
    Malaysia Airlines flight 17 shot down in Ukraine.
    FULL STORY


Malicious URLs:
    firstfiresystems .com/images/CNN_breaking_news_read_now.exe
Malicious File Name and MD5:
    CNN_breaking_news_read_now.exe (57D5055223344CF8814DCFC33E18D7E6)


Screenshot: https://gs1.wac.edge...rrEN1r6pupn.png

Tagged: CNN, Malaysian Airlines, Dyreza, MH17

208.69.121.22: https://www.virustot...22/information/
 

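Added example (not from the quoted blogs or from AplusWebMaster's posts): the attachments in these two posts follow one pattern, a zip holding an executable whose name or icon pretends to be a document (VoiceMail.scr in the VoiceMail spam above, original_letter_234389_193.scr.exe and invoice_32990192.exe in the previous post). The script below scans a zip's member list for that pattern before a user ever sees the spoofed icon: an executable extension, a "document.exe" style double extension, or a PE "MZ" header hidden behind a non-executable name. The sample archive is constructed in memory using those quoted filenames; its contents are a fake two-byte header plus padding, not malware.

```python
from __future__ import annotations

import io
import zipfile

# Extensions Windows will run when double-clicked (the ones seen in these runs first).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi"}
# "Document-like" extensions the spoofed icons imitate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "wav", "mp3"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Reasons an archive member looks like a disguised executable.

    name: member filename as stored in the archive
    head: first two bytes of the member's content
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = base.split(".")[1:]            # every extension after the first dot
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    if len(exts) >= 2 and exts[-2] in (DOCUMENT_EXTS | EXECUTABLE_EXTS) and last in EXECUTABLE_EXTS:
        reasons.append("double extension ." + ".".join(exts[-2:]))
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) behind a non-executable name")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)     # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive using names quoted in the thread. Contents are NOT
    malware: a fake 'MZ' header plus zero padding, or plain text."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VoiceMail.scr", fake_pe)
        zf.writestr("original_letter_234389_193.scr.exe", fake_pe)
        zf.writestr("invoice_32990192.exe", fake_pe)
        zf.writestr("statement.pdf", fake_pe)      # PE bytes behind a .pdf name (constructed)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

The name checks are what an email gateway can do cheaply; the "MZ" check catches the case the name checks miss, a genuine .pdf filename whose bytes are a Windows executable, which Explorer will still show with the spoofed icon. Neither replaces enabling "show known file extensions" on the desktop, it just stops the file reaching it.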