
SPAM frauds, fakes, and other MALWARE deliveries...


1283 replies to this topic

#1276 AplusWebMaster

  • Authentic Member
  • 8,360 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 September 2014 - 05:53 AM

FYI...

Fake job offer SPAM - llcinc .net
- http://blog.dynamoo....-job-offer.html
11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
    Date:      Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
    From:      LLC INC
    Reply-To:      recruiter@ llcinc .net
    Subject:      EMPLOYMENT OFFER
    Hello,
      Good day to you overthere we will like to inform you that our company is currently
    opening an opportunity for employment if you are interested please do reply with your resume
    to recruiter@ llcinc .net
    Thanks
    Management LLC INC


This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
Avoid."
___

Fake eFax SPAM leads to Cryptowall
- http://blog.dynamoo....cryptowall.html
11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
From:     eFax [message@ inbound .efax .com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! ...


... the link in the message goes somewhere bad, in this case it downloads a ZIP files from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according the the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
"
* https://www.virustot...sis/1410467960/

** http://www.dynamoo.c...20a381ad91f.pdf

*** https://www.virustot...sis/1410468901/
___

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
- http://blog.dynamoo....on-sending.html
11 Sep 2014 - "There is currently some sort of injection attack against WordPress sites that is injecting code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78
"

176.58.100.98: https://www.virustot...98/information/

178.62.254.78: https://www.virustot...78/information/
___

Fake Employee Important Address UPDATE/SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'To All Employee’s –  Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     To All Employee’s:
    The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct... If changes need to be made, contact HR .. Administrator ...


11 September 2014: Documents.zip: Extracts to: Documents.scr
Current Virus total detections: 0/53* ...  another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
*https://www.virustot...sis/1410456657/

- http://blog.dynamoo....nt-address.html
11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
From:     Administrator [administrator@ victimdomain .com]
    Date:     11 September 2014 22:25
    Subject:     To All Employee's - Important Address UPDATE
    To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...


The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
* http://blog.dynamoo....cryptowall.html
___

Fake picture or video SPAM – jpg malware
- http://myonlinesecur...ke-jpg-malware/
11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake Windows shortcut file .pif. Even setting show file extensions will not show the .pif extension in Windows 8 and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
    You have received a picture message from mobile phone number +447586595142 picture
    Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
You have received a picture message from mobile phone number +447557523496 click here to view picture message
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


... there will be hundreds of different sites. The zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same # and detection rate as the pif file earlier submitted to virus total*

11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to:    IMG_00005_09112014.jpeg.pif
Current Virus total detections: 4/53**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .pif (windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410430034/

** https://www.virustot...sis/1410427007/
___

Fake 'new order' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- Windows shortcut file .pif. Even setting show file extensions will -not- show the .pif extension in Windows 8 and the unzipped file will look like a genuine Windows shortcut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
Warmest regards,
> http://myonlinesecur...9/new-order.png


11 September 2014: 2014.09.11.zip : Extracts to:    2014.09.11.pdf.pif
Current Virus total detections: 4/53* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .pif ( windows shortcut) file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1410427007/
 



Edited by AplusWebMaster, 11 September 2014 - 08:25 PM.



#1277 AplusWebMaster


Posted 12 September 2014 - 03:06 AM

FYI...

Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu...ous-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014″. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body:
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris, 10/09/2014
Please find attached your invoice, reference: invoice FC-408185 (File: facture-408185), in ZIP format.
If you do not have WinRar (software for reading ZIP files) you can download it here:
http ://www .rarlab .com/download.htm
Thank you for the trust you place in us,
The LWS accounting department ...


The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB large file FACTURE_45871147.vbs. The VBS script in fact is encoded to hide the real purpose but it seems that this script will download other malicious files and will install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustot...196a5/analysis/
___

Fake Household Improvement SPAM - Zbot Malware
- https://blog.malware...h-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malware...9/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot.  Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**...  there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecur...rd-doc-malware/

** https://www.virustot...14f73/analysis/

*** http://blog.mxlab.eu...ontains-trojan/
___

Data Breaches and PoS RAM Scrapers
- http://blog.trendmic...s-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmic...Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."
 



Edited by AplusWebMaster, 12 September 2014 - 08:44 AM.


#1278 AplusWebMaster


Posted 14 September 2014 - 06:43 PM

FYI...

Phish - Paypal ...
- http://myonlinesecur...-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from  PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecur...ishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."
 




#1279 AplusWebMaster


Posted 15 September 2014 - 04:11 AM

FYI...

Fake Termination SPAM – malware
- http://myonlinesecur...lation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted-. NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SHA1 or MD5#. Loads of slightly different subjects with this one, including
    Policy violation #59892665326
    Termination due to policy violation #33205939124
    Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
     Hello,
    We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
    - 0A4 44 12.09.2011
    - 0A4 46 12.09.2011
    - 0A4 85 12.09.2011
     You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
     Sincerely,
    Pauletta Stephens ...


15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to:  disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53* . This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...4c4ef/analysis/
___

LinkedIn feature exposes Email Addresses
- http://krebsonsecuri...mail-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___

Fake Overdue invoice SPAM - malicious .arj attachment  
- http://blog.dynamoo....0-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
    From:     Mauro Reddin
    Date:     15 September 2014 10:32
    Subject:     Overdue invoice #6767390
    Morning,
    I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
    Best regards,
    Mauro Reddin ...


The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustot...sis/1410773681/
___

Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo....ce-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:

Screenshot: http://4.bp.blogspot.../s1600/sage.png

... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
"
* https://www.virustot...sis/1410779812/
___

Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...

    
15 September 2014: SecureMessage.zip ( 8kb) : Extracts to:   SecureMessage.scr
Current Virus total detections: 1/55* . This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410779812/

- http://threattrack.t...re-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edge...Zu2c1r6pupn.png
___

Phish - LLoyds 'Secure' SPAM...
- http://myonlinesecur...ssage-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
- Confirmation of Order
This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]     
    (New users may need to verify their email address)
    If you do not see or cannot click “Read Message” / click here
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
    Mobile Users:
    Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...


Screenshot: http://myonlinesecur...ure_message.png

This one wants your personal details and bank details..."
___

Fake Fax SPAM - malware attachment
- http://myonlinesecur...ke-pdf-malware/
15 SEP 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a new fax. This fax was received by Fax Server.
    The fax has been downloaded to dropbox service (Google Inc).
    To view your fax message, please download from the link below. It’s
    operated by Dropbox and safety...
    Received Fax Details
    Received on:1 5/09/2014 10:14 AM
    Number of Pages: 1 ...


15 September 2014: Docs0972.zip ( 8kb): Extracts to:  Docs0972.scr
Current Virus total detections: 0/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410804563/
___

Twitch users shook by money spending malware
- http://www.theinquir...pending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure....s/00002742.html
 



Edited by AplusWebMaster, 15 September 2014 - 02:41 PM.
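The posts above keep describing the same lure: a ZIP or ARJ attachment whose member is an executable (.scr, .pif, .exe, .vbs) with a spoofed document icon, often behind a double extension such as .pdf.pif or .jpeg.pif. As an added example, not code from any of the quoted blogs, here is a small attachment-policy check a mail gateway could apply; the extension sets are my assumptions, and the sample names are constructed from the file names reported in the posts.

```python
"""Attachment policy check for archive / double-extension / ARJ lures."""
from dataclasses import dataclass

# File types Windows runs as programs even when the icon looks like a document (assumed set).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta"}
# Document/image types the lures impersonate with a spoofed icon or double extension (assumed set).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif", "txt"}
# Container types whose members must be inspected before a decision (assumed set).
ARCHIVE_EXTS = {"zip", "arj", "rar", "7z", "cab"}
# Verdicts in increasing severity.
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


@dataclass
class Finding:
    verdict: str
    name: str
    reason: str


def _exts(name):
    """Lower-case extension list of the base name, e.g. 'a/b.pdf.pif' -> ['pdf', 'pif']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def _check_file(name):
    """Flag a single (non-archive) file name that is executable but dressed as a document."""
    exts = _exts(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    last = exts[-1]
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return Finding("quarantine", name, f"double extension: .{exts[-2]} lure hiding a .{last} executable")
    if last == "pif":
        return Finding("quarantine", name, ".pif shortcut: Explorer hides this extension even with extensions shown")
    return Finding("quarantine", name, f".{last} executable posing as a document")


def evaluate_attachment(outer_name, members=()):
    """Return (verdict, findings) for one attachment; `members` are the names inside an archive."""
    findings = []
    exts = _exts(outer_name)
    outer = exts[-1] if exts else ""
    if outer == "arj":
        # The posts note that no legitimate sender uses ARJ any more: reject the container itself.
        findings.append(Finding("block", outer_name, "ARJ archive attachment: delete outright"))
    candidates = list(members) if outer in ARCHIVE_EXTS else [outer_name]
    for name in candidates:
        finding = _check_file(name)
        if finding:
            findings.append(finding)
    verdict = max((f.verdict for f in findings), key=SEVERITY.get, default="allow")
    return verdict, findings


# Constructed samples, using the attachment names reported in the posts above.
SAMPLES = [
    ("Documents.zip", ["Documents.scr"]),
    ("IMG_00005_09112014.jpeg.zip", ["IMG_00005_09112014.jpeg.pif"]),
    ("2014.09.11.zip", ["2014.09.11.pdf.pif"]),
    ("FACTURE_45871147.zip", ["FACTURE_45871147.vbs"]),
    ("disturbance_2014-09-15_08-38-12_33205939124.arj", ["disturbance_2014-09-15_08-38-12_33205939124.exe"]),
    ("photo.zip", ["photo/photo.exe"]),
    ("statement.pdf", []),
]


def scan_samples():
    """Map each sample attachment to its verdict."""
    return {outer: evaluate_attachment(outer, members)[0] for outer, members in SAMPLES}


if __name__ == "__main__":
    for outer, members in SAMPLES:
        verdict, findings = evaluate_attachment(outer, members)
        print(f"{verdict:10} {outer}")
        for f in findings:
            print(f"           - {f.name}: {f.reason}")
```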


#1280 AplusWebMaster


Posted 16 September 2014 - 03:13 AM

FYI...

Fake 'Payments' SPAM ...
- http://blog.mxlab.eu...rding-payments/
Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email, which comes with the subject “Re: today payment done”, is sent from a spoofed address and has the following body:
    Dear sir,
    Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
    Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
    Cont. #42 EXSQI013/MAY/13 US$29,154.66
    Total Remittance: US$ 51,704.97
    Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
    Thank you very much.
    Best regards,
    Me


The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustot...6c686/analysis/
The second email, which comes with the subject “Re: Balance payment”, is sent from a spoofed address and has the following body:
    The attached TT copy is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully,
    Global Payments and Cash Management
    Bank of America (BOA)
    This is an auto-generated email, please DO NOT REPLY. Any replies to this
    email will be disregarded...


The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustot...c1635/analysis/
___

Fake 'My new photo ;)' SPAM - malware attachment
- http://blog.mxlab.eu...zzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo ;)”. This email is sent from a spoofed address and has the following short body in very poor English:
    my new photo ;)
    if you like my photo to send me u photo


The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 127 kB large file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...817cb/analysis/
... Behavioural information
TCP connections:
131.253.40.1: https://www.virustot....1/information/
137.254.60.32: https://www.virustot...32/information/
134.170.188.84: https://www.virustot...84/information/
157.56.121.21: https://www.virustot...21/information/
91.240.22.62: https://www.virustot...62/information/
___

Fake USPS SPAM - word doc malware
- http://myonlinesecur...rd-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecur...ion-service.png

16 September 2014: Label.zip ( 82 kb): Extracts to:  Label.exe             
Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410841682/
___

Fake 'inovice' SPAM ...
- http://blog.dynamoo....ember-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment


The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series of DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustot...sis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustot...27/information/
___

Fake FAX SPAM... again
- http://blog.dynamoo....w-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From:     Fax
Date:     16 September 2014 11:05
Subject:     You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...


The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua
yerelyonetisim .org.tr
ngujungwap .mobi.ps
"
* https://www.virustot...sis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
198.143.152.226: https://www.virustot...26/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo....oices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is  not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From:     Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date:     16 September 2014 12:17
Subject:     Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...


Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro .com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231
..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo....spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
    From:     Christie Foley [christie.foley@ badinsky .sk]
    Reply-to:     Christie Foley [christie.foley@ badinsky .sk]
    Date:     16 September 2014 13:55
    Subject:     Unpaid invoice notification ...


Screenshot: https://1.bp.blogspo...600/invoice.png

The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/...d=1410873578924

- http://myonlinesecur...xploit-malware/
16 Sep 2014
___

Fake 'PAYMENT SCHEDULE' email -  419 SCAM
- http://myonlinesecur...ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
    Attn:Beneficiary,
     My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
     Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
    you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
    therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
    authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
    Teller Machine System( ATM CARD).
     Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
     Reply also to : fminister88 @gmail .com
     Your faithfully.
     Dr Mrs Ngozi O. Iweala.
    Finance Of Minister.


[Arrgghh...]
___

Fake Nat West SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     We have arranged a BACS transfer to your bank for the following amount : 4933.00
    Please find details at our secure link below: ...


This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/

- https://www.virustot...sis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
198.143.152.226: https://www.virustot...26/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
    We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
    The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
    You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
    If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
    Airway Bill No: 7808130095
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    Print this label to get this package at our depot/office.
    Thank you
    © 2014 Copyright© 2013 DHL. All Rights Reserved...


The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1410870424/
 



Edited by AplusWebMaster, 16 September 2014 - 09:50 AM.


#1281 AplusWebMaster

Posted 17 September 2014 - 04:18 AM

FYI...

Fake FAX SPAM - malware
- http://blog.dynamoo....you-havent.html
17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
    From:     Fax [fax@ victimdomain .com]
    Date:     17 September 2014 09:32
    Subject:     You've received a new fax
    New fax at SCAN6405035 from EPSON by https ://victimdomain .com
    Scan date: Wed, 17 Sep 2014 16:32:29 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (Google Disk Drive is a file hosting service operated by Google, Inc.)


The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br
"
* https://www.virustot...sis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/

188.165.204.210: https://www.virustot...10/information/
___

Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecur...ce-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

Screenshot: http://myonlinesecur...licious-pdf.png

17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55* . This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410974477/
___

Android Malware uses SSL for Evasion
- http://blog.trendmic...sl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources.
Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___

Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecur...ke-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

Screenshot: http://myonlinesecur...ast-invoice.png

17 September 2014: Invoice-17009106-001.zip ( 137 kb): Extracts to:  Invoice 17009106-001.exe
Current Virus total detections: 0/55* . This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410939664/
___

Fake Invoice SPAM ...
- http://myonlinesecur...ke-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... - same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
    Dear Sir,
    Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
    Thank you,
    Darragh


This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
 



Edited by AplusWebMaster, 17 September 2014 - 12:10 PM.


#1282 AplusWebMaster

Posted 18 September 2014 - 05:31 AM

FYI...

Fake NatWest SPAM - malware attached
- http://blog.dynamoo....voice-spam.html
18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
    From:     NatWest Invoice [invoice@ natwest .com]
    Date:     18 September 2014 11:06
    Subject:     Important - New account invoice
      Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here or follow the link below ...
    Thank you for choosing NatWest...


The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
Recommended blocklist:
188.165.204.210
liverpoolfc .bg
bnsoutlaws .co.uk
"
* https://www.virustot...sis/1411032337/
... Behavioural information
TCP connections
91.215.216.52: https://www.virustot...52/information/
188.165.204.210: https://www.virustot...10/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/

UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email..
From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
Date:     18 September 2014 11:45
Subject:     Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...


- http://myonlinesecur...ke-pdf-malware/
18 Sep 2014
Screenshot: http://myonlinesecur...unt-invoice.png
___

USAA Phish ...
- https://blog.malware...hing-campaigns/
Sep 18, 2014 - "... phish pages targeting the United Services Automobile Association (USAA), a Fortune 500 financial company that offers banking, investing, and insurance to US Military soldiers and their families. Here is what the fake page looks like:
> https://blog.malware...lt-1024x851.png
... Users are then led to this page:
> https://blog.malware...in-1024x665.png
... Clicking the “Next” button opens this page wherein users can supply their secret questions and their respective answers:
> https://blog.malware...na-1024x789.png
... Clicking “Next” opens the last page, which asks for more information that needs “updating”, including full name and date of birth:
> https://blog.malware...fo-967x1024.png
... Users are then shown the door by redirecting them to the legitimate USAA page one sees when they log out... In case you receive emails claiming to be from USAA, please note that they do -not- send out emails to their clients, or to anyone for that matter, asking for their information. Here is a short list of tips to help you steer clear of USAA phishing attempts:
- Remain aware of phishing cases involving USAA. It’s also good to have their contact details handy in the event of fraud or account compromise.
- The legitimate USAA website, www.usaa.com, is a verified domain. As such, look for the green box beside its URL on the browser address bar. This site also uses SSL encryption, which means that it uses the https protocol, making it safe to access even over public networks.
- Ensure that the anti-phishing feature of your Internet browser is enabled. Do this for your antivirus software as well..."
___

Fake eFax SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    INCOMING FAX REPORT
    Date/Time: Thursday, 18.09.2014
    Speed: 353bps
    Connection time: 08:02
    Page: 4
    Resolution: Normal
    Remote ID: 611-748-177946
    Line number: 3
    DTMF/DID:
    Description: Internal only ...


18 September 2014: fax-id9182719182837529.zip ( 189 kb): Extracts to: fax-id9182719182837529.scr
Current Virus total detections: 1/54* . This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411049220/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Line Voice Message Spam
- http://threattrack.t...ce-message-spam
18 Sep 2014 - "Subjects Seen:
    You have a voice message
Typical e-mail details:
    LINE Notification
    You have a voice message, listen it now.
    Time: 21:12:45 14.10.2014, Duration: 45sec


Malicious URLs:
    iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
Malicious File Name and MD5:
    LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
    LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)


Screenshot: https://gs1.wac.edge...Jmds1r6pupn.png

Tagged: Line.me, Kuluoz

147.202.201.24: https://www.virustot...24/information/
___

Chinese hacked U.S. military contractors ...
- http://www.reuters.c...N0HC1TA20140918
Sep 18, 2014 - "Hackers associated with the Chinese government have repeatedly infiltrated the computer systems of U.S. airlines, technology companies and other contractors involved in the movement of U.S. troops and military equipment, a U.S. Senate panel has found. The Senate Armed Services Committee's year-long probe, concluded in March but made public on Wednesday, found the military's U.S. Transportation Command, or Transcom, was aware of only two out of at least -20- such cyber intrusions within a single year. The investigation also found gaps in reporting requirements and a lack of information sharing among U.S. government entities. That in turn left the U.S. military largely unaware of computer compromises of its contractors..."
 



Edited by AplusWebMaster, 18 September 2014 - 02:04 PM.
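The posts above keep ending with a "Recommended blocklist" and a list of TCP/UDP connections from the sandbox reports. An added example of what to actually do with those indicators (my own code, not from dynamoo or the other blogs quoted here): a small Python matcher that runs the quoted IPs and domains against proxy log lines. The log format ("timestamp source_ip destination_ip url") and the sample lines are constructed for the example; the indicators are the ones quoted in this thread, with the de-fanging spaces removed. Parent-domain matching is deliberate so that www.hallerindia.com still trips on hallerindia.com.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the "Recommended blocklist" and behavioural-information
# lines quoted earlier in this thread (de-fanging spaces removed).
BLOCKED_IPS = {
    "188.165.204.210", "137.170.185.211", "192.185.97.223", "108.174.58.239",
}
BLOCKED_DOMAINS = {
    "bnsoutlaws.co.uk", "liverpoolfc.bg", "hallerindia.com", "triera.biz.ua",
    "yerelyonetisim.org.tr", "denis-benker.de", "estudiocarraro.com.br",
    "ruralcostarica.com", "golklopro.com", "cosjesgame.su",
}


def host_matches(host, blocked=BLOCKED_DOMAINS):
    """True if the host or any parent domain is on the list (www.x.com hits x.com)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def check_line(line):
    """Inspect one log line in the constructed format '<ts> <src_ip> <dst_ip> <url>'.
    Returns a list of (field, indicator) hits; an empty list means clean or unparseable."""
    fields = line.split()
    if len(fields) < 4:
        return []
    _ts, _src_ip, dst_ip, url = fields[:4]
    hits = []
    if dst_ip in BLOCKED_IPS:
        hits.append(("dst_ip", dst_ip))
    host = (urlsplit(url).hostname or "").lower()
    try:
        # URL host is a literal IP: only report it if it differs from dst_ip
        ipaddress.ip_address(host)
        if host in BLOCKED_IPS and host != dst_ip:
            hits.append(("url_ip", host))
    except ValueError:
        # URL host is a name: match it and its parent domains
        if host_matches(host):
            hits.append(("url_host", host))
    return hits


def scan(lines):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    results = []
    for line in lines:
        hits = check_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log lines, not real traffic. Lines 1, 3 and 4 should alert.
SAMPLE_LOG = [
    "2014-09-18T11:07:02Z 10.0.0.5 91.215.216.52 http://bnsoutlaws.co.uk/qvgstopmdi/Account_Document.zip",
    "2014-09-18T11:07:09Z 10.0.0.5 93.184.216.34 http://www.example.com/index.html",
    "2014-09-18T11:08:41Z 10.0.0.5 188.165.204.210 http://188.165.204.210/1709uk1/NODE01/0/51-SP3/0/",
    "2014-09-19T12:01:13Z 10.0.0.7 192.185.97.223 http://www.hallerindia.com/",
    "2014-09-19T12:02:00Z 10.0.0.7 203.0.113.9 https://mail.example.org/",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, "<-", line)
```

Feed it your real proxy export one line at a time; the IP list is the more durable half, since the compromised sites hosting the ZIPs get cleaned up while 188.165.204.210 shows up in report after report above.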


#1283 AplusWebMaster

Posted 19 September 2014 - 06:11 AM

FYI...

Fake 'voice mail' SPAM ...
- http://blog.dynamoo....e-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
    From:     Microsoft Outlook [no-reply@ victimdomain .com]
    Date:     19 September 2014 11:59
    Subject:     You have received a voice mail
    You received a voice mail : VOICE976-588-6749.wav (25 KB)
    Caller-Id: 976-588-6749
    Message-Id: D566Y5
    Email-Id: <REDACTED>
    Download and extract to listen the message.
    We have uploaded voicemail report on dropbox, please use the following link to download your file...
    Sent by Microsoft Exchange Server


The link in the email messages goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo....-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspo...600/natwest.png

192.185.97.223: https://www.virustot...23/information/

- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecur...t-statement.png
Current Virus total detections: 1/54*
* https://www.virustot...sis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: London City Police
    Sending Location: GB – London – London City Police
    Bulletin Case#: 14-62597
    Bulletin Author: BARILLAS #1169
    Sending User #: 92856
    APBnet Version: 684593
    The bulletin is a pdf attachment to this email.
    The Adobe Reader (from Adobe .com) will display and print the bulletin best.
    You can Not reply to the bulletin by clicking on the Reply button in your email software.


Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip : Extracts to:   Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55* . This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
192.185.97.223: https://www.virustot...23/information/
___

Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 460911612900
    Your package have been picked up and is ready for dispatch.
    Connote #           :               460911612900
    Service Type      :               Export Non Documents – Intl
    Shipped on         :               18 Sep 14 12:00
    Order No                    :       4240629
    Status          :       Driver’s Return
    Description     :      Wrong Address
    Service Options: You are required to select a service option below.
    The options, together with their associated conditions.
    Please check attachment to view information about the sender and package.


19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55* . This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustot...10/information/
192.185.97.223: https://www.virustot...23/information/
___

Bitcoin Ponzi scheme ...
- http://www.reuters.c...N0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___

Apple Phish ...
- https://isc.sans.edu...l?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer.  If you need help, please visit the Apple Support.
Apple Client Support.


A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___

Hack the ad network like a boss...
- https://www.virusbtn.../2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn...licious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn...licious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 20 September 2014 - 04:35 AM.


#1284 AplusWebMaster

Posted Today, 05:58 AM

FYI...

Fake gov't SPAM
- http://blog.dynamoo....ssion-spam.html
22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:

Screenshot: https://4.bp.blogspo...600/gateway.png

The link in the email does -not- go to gateway .gov.uk at all, but in this case the link goes to the following:
http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
* https://www.virustot...sis/1411383282/

184.168.152.32: https://www.virustot...32/information/

** https://anubis.isecl...f82&format=html

- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014
Screenshot: http://myonlinesecur...-Submission.png
...
> https://www.virustot...sis/1411381013/
___

Fake 'LogMeIn' SPAM – malware
- http://myonlinesecur...update-malware/
22 Sep 2014 - "'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear client,
    We are pleased to announce that LogMeIn has released a new security certificate.
    It contains new features:
    •    The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
    •    Any irregular activity on your account will be detected by our security department
    •       This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
    Download the attached certificate. Update will be automatically installed by double click.
    As always, your Logmein Support Team is happy to assist with any questions you may have.
    Feel free to contact us ...


22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
Current Virus total detections: 2/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411400614/
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205)
www .download .windowsupdate .com (95.101.0.104): https://www.virustot...04/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustot...20/information/
TCP connections
23.253.218.205: https://www.virustot...05/information/
95.101.0.83: https://www.virustot...83/information/
38.229.70.4: https://www.virustot....4/information/

- https://isc.sans.edu...l?storyid=18695
2014-09-22
Screenshot: https://isc.sans.edu...11_34_06 AM.png
...
> https://www.virustot...b0c3b/analysis/
File name: cert.scr.exe
Detection ratio: 3/51
___

Fake 'RBC Invoice' SPAM – PDF malware
- http://myonlinesecur...es-pdf-malware/
22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
    Thank you.


22 September 2014: invoice058342.pdf. Current Virus total detections: 10/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1411409482/
___

Fake 'Payment Advice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
    Your payment advice is issued at the request of our customer. The advice is for your reference only.
     Please download your payment advice at ...
     Yours faithfully,
    Global Payments and Cash Management
    This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.


... this drops a slightly different malware paymentadvice .exe with a current VT detections 0/53*. This HSBC Payment Advice Issued is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411386112/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Invoice SPAM
- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached your Invoice(s)/Credit(s)
    PETER HOGARTH & SONS LTD
    INDUSTRIAL HYGIENE and PROTECTION
    Tel: 01472 345726 | Fax: 01472 250272 | Web...
    Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
    Peter Hogarth & Sons Ltd is a company registered in England.
    Company Registration Number: 1143352...


22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
Current Virus total detections: 3/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411380202/
___

European banks / Europol in cybercrime fightback
- http://www.reuters.c...N0RN1WO20140922
Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."
 

:ph34r:  <_<


Edited by AplusWebMaster, Today, 01:21 PM.
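The "spoofed icon" trick the posts above describe (cert.scr, Invoice 77261990001.PDF.exe, paymentadvice .exe) can be caught at the mail gateway before any icon is ever rendered, by looking at the file names inside the ZIP rather than at what Explorer shows. This is an added example, not code from any of the quoted blogs: the extension lists are my own choice and the sample archive is constructed in memory with harmless filler.

```python
import io
import zipfile

# Extensions Windows executes on double-click; Explorer hides the final one by default,
# which is what the "spoofed icon" attachments quoted above rely on.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_name(name):
    """Reason string if the file name looks like a disguised executable, else None."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    last = parts[-1]
    if len(parts) < 2 or last not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        # "Invoice.PDF.exe": a document suffix sits right before the real extension
        return f"double extension: .{parts[-2]}.{last}"
    if last == "scr":
        # screen savers are plain executables and are almost never legitimate attachments
        return "screen saver executable (.scr) attached"
    return f"executable attachment (.{last})"


def suspicious_members(zip_bytes):
    """(member name, reason) for every ZIP member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = None if info.is_dir() else classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip(members):
    """Constructed sample archive from (name, bytes) pairs; contents are harmless filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([("Invoice 77261990001.PDF.exe", b"filler"),
                               ("cert.scr", b"filler"), ("invoice058342.pdf", b"%PDF-1.4")])
    for name, reason in suspicious_members(sample):
        print(f"FLAG {name}: {reason}")  # flags the first two members only
```

A real gateway would run this on the attachment before it reaches the user, and would treat any hit as a quarantine, not just a log line.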



