Jump to content

Build Theme!
  • Infected?

Welcome to What the Tech - Register now for FREE

A community of volunteers who share their knowledge, and answer your tech questions. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message, and all ads will be removed once you have signed in.

Create an Account Login to Account


SPAM frauds, fakes, and other MALWARE deliveries...

  • Please log in to reply
1336 replies to this topic

#1336 AplusWebMaster



  • Authentic Member
  • PipPipPipPipPipPip
  • 8,519 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted Yesterday, 07:32 AM


Fake HMRC SPAM - fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Nov 2014 - "'HMRC taxes application with reference 68J9 WDWK 1NMJ P0ZA received' pretending to come from noreply@ taxreg.hmrc .gov.uk with  a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    The application with reference number 68J9 WDWK 1NMJ P0ZA submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
   The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

27 November 2014: HM Revenue & Customs – TAX.zip: Extracts to: HM Revenue & Customs – TAX.scr
Current Virus total detections: 2/56* ( same malware as THIS**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1417085413/
... Behavioural information
TCP connections https://www.virustot...37/information/ https://www.virustot...67/information/

**  http://myonlinesecur...ke-pdf-malware/

Tainted network: Crissic Solutions (
- http://blog.dynamoo....-solutions.html
27 Nov 2014 - "Several IPs hosted on the Crissic Solutions range of (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness. I analysed over 1500 sites hosted in the Crissic IP address range... and many sites were already marked as being -malicious- by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious... Given the concentration of active malicious servers in and then I would recommend -blocking- your traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence..."
More detail at the dynamoo URL above.)

:ph34r: :ph34r:  <_<

Edited by AplusWebMaster, Yesterday, 11:43 AM.

#1337 AplusWebMaster



  • Authentic Member
  • PipPipPipPipPipPip
  • 8,519 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted Today, 06:41 AM


Black Friday: deal or no deal
- https://blog.malware...eal-or-no-deal/
Nov 27, 2014 - "... Spammers and scammers have risen to the occasion with deals that are too good to be true such as in this example for -fake- Gucci products. This was reported in a Tweet by Denis Sinegubko, from Unmask Parasites*
* http://www.unmaskparasites.com/ -- https://twitter.com/unmaskparasites
'Denis @unmaskparasites - Chinese spammers are ready for Black Friday. Found these domains in code on a hacked site: GucciBlackFridays .com, BlackFridayCDN .com'
... and also a security researcher at Sucuri** -- http://sucuri.net/ -- http://blog.sucuri.net/2014/11
The site boasts incredible prices on normally very expensive merchandise... Shoppers might get fooled by the security badges and stamps, which of course are only here for show... Traffic to these -bogus- sites will come from spam or, as in this case, from compromised websites... This code resides on the compromised server and performs different checks, in particular whether the user visiting the page is real or a search engine... When Black Friday is over, the crooks will be ready to serve you special deals for Cyber Monday... There certainly are good deals to be made during this holiday season but you really ought to be careful what you click on. You might order counterfeit goods or have your banking credentials stolen and money depleted..."
(More detail at the malwarebytes URL above.)

- https://blog.malware...ing-made-safer/
Nov 24, 2014

- http://www.trendmicr...scams-on-mobile
Nov 24, 2014

- http://www.trendmicr...is-thanksgiving
Nov 21, 2014

Lots of Black Friday SPAM & Phishing
- https://isc.sans.edu...l?storyid=19003
2014-11-28 23:20:46 UTC - "Likely every reader out there, their friends and family, even their pets with email accounts, have received Black Friday SPAM or phishing attempts today. Our own Dr. J sent the handlers an Amazon sample for 'One Click Black Friday Rewards'.
Of course, that one click goes -nowhere- near Amazon and directs you to the likes of Black Fiday (yes, it's misspelled) at hXXp ://www.jasbuyersnet .com/cadillac/umbered/sedatest/styes/coleuses/unterrified.htm. Can't speak to the payload there, don't bother, just use it at as ammo for heightened awareness and safe shopping on line during these holidays, and...well, all the time. Be careful out there. :-)
Cheers and happy holidays."

Best Buy Order Spam
- http://threattrack.t...-buy-order-spam
Nov 28, 2014 - "Subjects Seen:
    Details of Your Order From Best Buy
Typical e-mail details:
    E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days.
    Upon confirmation you may pick it in any nearest store of Best Buy.
    Detailed order information is attached to the letter.
    Wishing you Happy Thanksgiving!
    Best Buy

Malicious File Name and MD5:
    BestBuy_Order.exe (bff17aecb3cc9b0281275f801026b75d)

Screenshot: https://gs1.wac.edge...zYyG1r6pupn.jpg

Tagged: Best Buy, Kuluoz

:ph34r: :ph34r:  <_<

Edited by AplusWebMaster, Today, 08:25 PM.

8 user(s) are reading this topic

0 members, 8 guests, 0 anonymous users