SPAM frauds, fakes, and other MALWARE deliveries...
1277 replies to this topic

#1276 AplusWebMaster

Posted 11 September 2014 - 05:53 AM

FYI...

Fake job offer SPAM - llcinc .net
- http://blog.dynamoo....-job-offer.html
11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
    Date:      Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
    From:      LLC INC
    Reply-To:      recruiter@ llcinc .net
    Subject:      EMPLOYMENT OFFER
    Hello,
      Good day to you overthere we will like to inform you that our company is currently
    opening an opportunity for employment if you are interested please do reply with your resume
    to recruiter@ llcinc .net
    Thanks
    Management LLC INC


This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
Avoid."
___

Fake eFax SPAM leads to Cryptowall
- http://blog.dynamoo....cryptowall.html
11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
From:     eFax [message@ inbound .efax .com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! ...


... the link in the message goes somewhere bad, in this case it downloads a ZIP file from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according to the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas .com
mtsvp .com
suspendedwar .com
"
* https://www.virustot...sis/1410467960/

** http://www.dynamoo.c...20a381ad91f.pdf

*** https://www.virustot...sis/1410468901/
___

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
- http://blog.dynamoo....on-sending.html
11 Sep 2014 - "There is currently some sort of injection attack against WordPress sites that is injecting code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78
"

176.58.100.98: https://www.virustot...98/information/

178.62.254.78: https://www.virustot...78/information/
___

Fake Employee Important Address UPDATE/SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'To All Employee’s –  Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     To All Employee’s:
    The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct... If changes need to be made, contact HR .. Administrator ...


11 September 2014: Documents.zip: Extracts to: Documents.scr
Current Virus total detections: 0/53* ...  another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410456657/

- http://blog.dynamoo....nt-address.html
11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
From:     Administrator [administrator@ victimdomain .com]
    Date:     11 September 2014 22:25
    Subject:     To All Employee's - Important Address UPDATE
    To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...


The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
* http://blog.dynamoo....cryptowall.html
___

Fake picture or video SPAM – jpg malware
- http://myonlinesecur...ke-jpg-malware/
11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake Windows shortcut file .pif. Even setting show file extensions will not show the .pif extension in Windows 8 and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
    You have received a picture message from mobile phone number +447586595142 picture
    Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
You have received a picture message from mobile phone number +447557523496 click here to view picture message
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


... there will be hundreds of different sites. The zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same # and detection rate as the pif file earlier submitted to virus total*

11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to:    IMG_00005_09112014.jpeg.pif
Current Virus total detections: 4/53**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .pif (Windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410430034/

** https://www.virustot...sis/1410427007/
___

Fake 'new order' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- Windows shortcut file .pif. Even setting show file extensions will -not- show the .pif extension in Windows 8 and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
Warmest regards,
> http://myonlinesecur...9/new-order.png


11 September 2014: 2014.09.11.zip : Extracts to:    2014.09.11.pdf.pif
Current Virus total detections: 4/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .pif (Windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1410427007/

Edited by AplusWebMaster, 11 September 2014 - 08:25 PM.
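One way a mail gateway or triage script can catch the spoofed-icon trick these reports describe (an executable hidden behind a .pdf or .jpeg name, or a bare .scr/.pif/.vbs inside the ZIP). This is an added example, not code from the post or the blogs it quotes; the ZIP is constructed in memory using the attachment names reported above, with placeholder contents.

```python
import io
import posixpath
import zipfile

# Added example, not code from the page or the quoted blogs.
# Extensions Windows runs on double-click; .scr/.pif/.vbs are the ones the
# quoted reports describe.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "cpl", "lnk"}
# Harmless-looking decoy extensions that a spoofed icon usually imitates.
DECOY_EXTS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt", "xls", "xlsx"}


def classify_name(name):
    """Return (verdict, reason) for one attachment or archive member name.

    verdict is 'block' for an executable type, 'ok' otherwise. A decoy
    extension in front of the real one (photo.jpeg.pif) is called out, since
    Explorer hides the trailing extension and the icon is spoofed.
    """
    base = posixpath.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2:
        return ("ok", "no extension")
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return ("ok", f"non-executable .{real_ext}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return ("block", f"decoy .{parts[-2]} hiding executable .{real_ext}")
    return ("block", f"executable .{real_ext} sent as attachment")


def scan_zip(data):
    """Classify every file member of a ZIP given as bytes: {name: (verdict, reason)}."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_name(i.filename)
                for i in zf.infolist() if not i.is_dir()}


def build_sample_zip():
    """Constructed archive using the attachment names the reports list."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in ("Documents.scr", "IMG_00005_09112014.jpeg.pif",
                       "2014.09.11.pdf.pif", "FACTURE_45871147.vbs", "readme.txt"):
            zf.writestr(member, b"constructed placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    for member, (verdict, reason) in scan_zip(build_sample_zip()).items():
        print(f"{verdict:5} {member:30} {reason}")
```

The name check is deliberately independent of the file's icon or declared type, which is exactly what the spoofed-icon samples rely on to look like a PDF or JPEG.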



#1277 AplusWebMaster

Posted 12 September 2014 - 03:06 AM

FYI...

Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu...ous-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014”. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body:
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris, 10/09/2014
Please find attached your invoice with reference: invoice FC-408185 (File: facture-408185) in ZIP format.
If you do not have WinRar (software for reading ZIP files) you can download it here:
http ://www .rarlab .com/download.htm
Thank you for the trust you place in us,
The LWS accounting department ...


The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB file FACTURE_45871147.vbs. The VBS script is in fact encoded to hide its real purpose, but it seems that this script will download other malicious files and will install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustot...196a5/analysis/
___

Fake Household Improvement SPAM - Zbot Malware
- https://blog.malware...h-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malware...9/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot.  Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**...  there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecur...rd-doc-malware/

** https://www.virustot...14f73/analysis/

*** http://blog.mxlab.eu...ontains-trojan/
___

Data Breaches and PoS RAM Scrapers
- http://blog.trendmic...s-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmic...Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."

Edited by AplusWebMaster, 12 September 2014 - 08:44 AM.


#1278 AplusWebMaster

Posted Today, 06:43 PM

FYI...

Phish - Paypal ...
- http://myonlinesecur...-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecur...ishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details. Many of them are also designed to specifically steal your facebook and other social network log in details..."