SPAM frauds, fakes, and other MALWARE deliveries...


1291 replies to this topic

#1291 AplusWebMaster (Authentic Member, 8,380 posts)

Posted Yesterday, 04:43 AM

FYI...

Fake NatWest, new FAX SPAM
- http://blog.dynamoo....u-have-new.html
30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:

    NatWest: "You have a new Secure Message"
    From:     NatWest [secure.message@ natwest .com]
    Date:     30 September 2014 09:58
    Subject:     You have a new Secure Message - file-3800
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at ...

    "You've received a new fax"
    From:     Fax [fax@victimdomain .com]
    Date:     30 September 2014 09:57
    Subject:     You've received a new fax
    New fax at SCAN4148711 from EPSON by https ://victimdomain .com
    Scan date: Tue, 30 Sep 2014 14:27:24 +0530
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...


The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
* https://www.virustot...sis/1412070442/
... Behavioural information
DNS requests
maazmedia .com (69.89.22.130)
TCP connections
188.165.198.52: https://www.virustot...52/information/
69.89.22.130: https://www.virustot...30/information/
___

Fake Delta Air SPAM - word doc malware
- http://myonlinesecur...rd-doc-malware/
30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Order Notification,
    E-TICKET NUMBER / ET-98191471
    SEAT / 79F/ZONE 1
    DATE / TIME 2 OCTOBER, 2014, 11:15 PM
    ARRIVING / Berlin
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 214.61 GBP
    REF / OE.2368 ST / OK
    BAG / 3PC
    Your electronic ticket is attached to the letter as a scan document.
    You can print your ticket.
    Thank you for your attention.
    Delta Air Lines.


30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
Current Virus total detections: 4/55*. This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled” will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1412075964/
 

:ph34r:  <_<


Edited by AplusWebMaster, Yesterday, 06:49 AM.
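Both lures in this post deliver the same kind of attachment: a zip wrapping a Windows executable (.scr, or .exe behind a document-looking name such as something.pdf.exe) whose icon is spoofed so that, with known extensions hidden, it passes for a Word or PDF file. The following is an added example, not code from the forum post or from the blogs it quotes, showing how a mail gateway or triage script can flag that pattern by looking at both the member names and the first bytes of each member (the DOS "MZ" stub and "PE\0\0" signature), rather than trusting the extension. The sample message and the fake executable bytes are constructed inline for the demonstration; the sender address and the PE stub are made up and carry no real code.

```python
"""Flag zip attachments that wrap a Windows executable behind a document-looking name."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; Explorer hides the last extension when
# "show known file extensions" is off, so evil.pdf.exe is displayed as "evil.pdf".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}


def name_findings(name: str) -> list[str]:
    """Reasons derived from the file name alone (what the recipient sees)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons: list[str] = []
    if len(parts) < 2:
        return reasons
    if parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension: shown as .{parts[-2]} when extensions are hidden")
    return reasons


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_zip(blob: bytes, head_bytes: int = 4096) -> dict[str, list[str]]:
    """Map each suspicious zip member to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_findings(info.filename)
            with zf.open(info) as fh:
                head = fh.read(head_bytes)  # only the header is needed, never the whole payload
            if looks_like_pe(head):
                reasons.append("content is a PE executable (MZ/PE headers)")
                if info.filename.rsplit(".", 1)[-1].lower() not in EXECUTABLE_EXTS:
                    reasons.append("PE content under a non-executable extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def scan_message(raw: bytes) -> dict[str, dict[str, list[str]]]:
    """Walk an RFC 822 message and inspect every zip attachment (by name or by 'PK' magic)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report: dict[str, dict[str, list[str]]] = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                report[fname] = inspect_zip(payload)
            except zipfile.BadZipFile:
                report[fname] = {"<archive>": ["claims to be a zip but does not parse"]}
    return report


def fake_pe(size: int = 0x80) -> bytes:
    """Constructed stand-in for an executable: a bare MZ stub plus PE signature, nothing runnable."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample_eml() -> bytes:
    """Constructed message modelled on the 'Invoice ... from Them Digital' lure; no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ThemDigital_Invoice_42559029506452623.pdf.exe", fake_pe())
        zf.writestr("readme.txt", b"plain text, nothing to see")
    msg = EmailMessage()
    msg["From"] = "jason@themdigital.example"  # made-up address
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Invoice 08387 from Them Digital"
    msg.set_content("Please find attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Them Digital Invoice 08387.pdf.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, members in scan_message(build_sample_eml()).items():
        print(attachment)
        for member, reasons in members.items():
            print(f"  {member}: {'; '.join(reasons)}")
```

The content check matters more than the name check: a PE renamed to .pdf still has an MZ stub, and an .scr is a PE regardless of the icon it carries. The header read is capped so a large or crafted archive cannot make the scanner inflate a whole member into memory.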



#1292 AplusWebMaster

Posted Today, 04:48 AM

FYI...

Fake Police 'Suspect' SPAM
- http://blog.dynamoo....rtant-spam.html
1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
    From:     ALERT@ police .uk [ALERT@ police-uk .com]
    Date:     1 October 2014 08:49
    Subject:     Homicide Suspect - important
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: New York City Police
    Sending Location: NY - New York - New York City Police
    Bulletin Case#: 14-49627
    Bulletin Author: BARILLAS #1264
    Sending User #: 56521
    APBnet Version:
    The bulletin is a pdf file. To download please follow the link below ...


Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com  which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
* https://www.virustot...sis/1412150049/

** https://anubis.isecl...dda&format=html
___

Something evil on 87.118.127.230
- http://blog.dynamoo....7118127230.html
1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute carp**. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."

87.118.127.230: https://www.virustot...30/information/
___

Fake 'Booking Cancellation' SPAM
- http://blog.dynamoo....ncellation.html
1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
    From:     email@ uktservices .com
    Date:     1 October 2014 14:01
    Subject:     Booking Cancellation
    Hello.
    Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
    Here is a link to your updated bookings view...


All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."

37.235.56.121: https://www.virustot...21/information/
___

More Fake Invoice SPAM
- http://myonlinesecur...ke-pdf-malware/
1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...gital_email.png

There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently; some will be caught by antivirus generic detections and some won't, so be careful & watch out. Use your eyes and intuition and don't rely on your antivirus to protect you from these types of malware.
Today's date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled” will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1412153387/
___

Fake 'Cashbuild Copied invoices' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

get copies of invoices. We will not be able to pay them. Please send clear invoices

1 October 2014: copies_908705.zip ( 10kb): Extracts to: copies_908705.exe
Current Virus total detections: 0/55*. This Cashbuild Copied invoices is another one of the spoofed icon files that unless you have “show known file extensions enabled” will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1412156828/
___

GNU bash vulns...
- http://www.securityt....com/id/1030890
Updated: Oct 1 2014*
Original Entry Date: Sep 24 2014
- https://web.nvd.nist...d=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-7187 - 10.0 (HIGH)
* ... archive entries have one or more follow-up message(s)...
___

DoubleClick abused - malvertising
- https://blog.malware...tising-attacks/
30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
> https://blog.malware...09/overview.png
... Flash-based redirection: ad looks legit but hides a silent redirection to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
* https://blog.malware...click-and-zedo/

** https://blog.malware...rael-newspaper/

*** https://www.virustot...sis/1412048718/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, Today, 11:48 AM.
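The "GNU bash vulns" entry above lists the six Shellshock CVEs by number only. Two of them, CVE-2014-6271 (the original function-import bug) and CVE-2014-7169 (the incomplete first fix), have well-known one-line probes that a practitioner can run against a local bash to confirm a patch level. The script below is an added example, not from the forum post, SecurityTracker or NVD, that wraps those two probes in a function returning a verdict; the other four CVEs need more specialised parser test cases and are not covered here. Assumptions: bash is reachable on PATH (or a path is passed in), and the variable name x and the marker string VULNERABLE_6271 are arbitrary choices.

```python
"""Probe a local bash binary for CVE-2014-6271 and CVE-2014-7169 (Shellshock)."""
import os
import shutil
import subprocess
import tempfile
from typing import Optional

PROBE_CMD = "echo probe"


def _run(bash: str, value: str, cwd: Optional[str] = None) -> subprocess.CompletedProcess:
    # Export only PATH plus the crafted variable, so nothing else in the caller's
    # environment can influence what the child bash imports at startup.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "x": value}
    return subprocess.run([bash, "-c", PROBE_CMD], env=env, cwd=cwd,
                          capture_output=True, text=True, timeout=10)


def probe_cve_2014_6271(bash: str) -> bool:
    """Original bug: text after the exported function body is executed when bash starts.
    A vulnerable bash prints the marker before running the -c command."""
    res = _run(bash, "() { :;}; echo VULNERABLE_6271")
    return "VULNERABLE_6271" in res.stdout


def probe_cve_2014_7169(bash: str) -> bool:
    """Incomplete-fix bug: a dangling redirect left over from parsing the function
    body is applied to the first command bash runs, so 'echo probe' turns into
    '>echo probe' and creates a file named 'echo' in the working directory."""
    with tempfile.TemporaryDirectory() as tmp:
        _run(bash, "() { (a)=>\\", cwd=tmp)
        return os.path.exists(os.path.join(tmp, "echo"))


def check_shellshock(bash: Optional[str] = None) -> dict:
    """Return a verdict per probed CVE, or bash_found=False if no bash is available."""
    bash = bash or shutil.which("bash")
    if not bash:
        return {"bash_found": False}
    return {
        "bash_found": True,
        "bash": bash,
        "CVE-2014-6271": probe_cve_2014_6271(bash),
        "CVE-2014-7169": probe_cve_2014_7169(bash),
    }


if __name__ == "__main__":
    for key, value in check_shellshock().items():
        print(f"{key}: {value}")
```

Run it as the user the exposed service runs as, and point it at the exact binary that service executes (for example a chrooted /bin/sh that is really bash); a patched /usr/bin/bash says nothing about a second copy elsewhere. A "False" from both probes is not a clean bill for the remaining four CVEs, only for the two tested here.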
