Fake 'Summary Paid Against' SPAM - doc malware
12 Jan 2015 - "'Summary Paid Against' pretending to come from Jason Bracegirdle JPS Projects Ltd <jason.bracegirdle@ jpsprojectsltd .co.uk>with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains the same malware payload as today’s Invoice from 'simply carpets of Keynsham Ltd' - Word doc malware* although the file attachment has a different name...
11 January 2015: Copy of Weekly Summary 28 12 2014 w.e 28.12.14.doc - Current Virus total detections: 3/54**
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
12 Jan 2015
12 Jan 2015
Outlook Settings Spam
Jan 12, 2015 - "Subjects Seen:
Important - New Outlook Settings
Typical e-mail details:
Please carefully read the downloaded instructions before updating settings.
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.
Malicious File Name and MD5:
Tagged: Outlook, Upatre
12 Jan 2015
"... Recommended blocklist:
coffeeofthemonth .biz "
iPhone 6 SCAM
Jan 12, 2015 - "... a familiar -scam- on the verge of a come-back:
... we first encountered the spammed link on LinkedIn, thanks to a user named Kolko Kolko, who according to his profile is a coach and has the face of an A-list celebrity. Doing a quick online search using the Goog.gl shortened URL brings up other domains—Google Plus, Livejournal, and Picasa, specifically — where the list is also being posted and shared. Once users click-the-link, they are directed to a survey -scam- page. Below is an example:
The above page is a type of survey that gives users the option to skip. Doing so, however, opens additional layers of survey pages that needs skipping until such a point that users encounter a page they could not escape, such as this:
... the surveys vary depending on the user’s location... Should you encounter any posts from random users on sites you frequent with regard to claiming an iPhone 6, don’t click-the-link... warn friends and contacts on that site to avoid falling for it..."
Phish - Barclaycard Credit limit increase
12 Jan 2015 - "'Credit limit increase' pretending to come from Barclaycard <barclaycard@ mail.barclaycard .co.uk>is one of the latest phish attempts to steal your Bank, credit card and personal details. We are seeing a quite big run of this email today. We see these phishing emails frequently, but today’s spam run of them has a much larger number than usual. This one only wants your personal details, Barclaycard log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...
If you open the attached html file you see a webpage looking like:
When you fill in your user name and password you get a page where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. They then send you on to the genuine Barclaycard website..."
Google/Microsoft feud over latest 0-day disclosures
Jan 12, 2015 - "... The subject is the long-running feud between Google and Microsoft over the handling of zero-day flaws. Google engineer Tavis Ormandy has built quite a reputation in security circles for finding zero days in Windows and notifying Microsoft. If no action is forthcoming from Microsoft in a pre-determined amount of time (usually 90 days), Ormandy releases the details (presumably with Google's permission), typically on the Full Disclosure mailing list... The process is now formally supported by Google, under the name Project Zero*. There's no better way I know to get Microsoft's attention. The latest instances actually concern two zero-day bugs, both reported by a Google researcher known as Forshaw... Here's how the argument boils down, in my estimation. If you trust Microsoft to fix the holes in Windows, then Coordinated Vulnerability Disclosure - where we, as customers, trust Microsoft to dig in and fix problems as soon as they're discovered - is a great idea. We would trust Microsoft to fix the problems expeditiously, because other people may have discovered the problem already. We also trust Microsoft to put enough money into the patching effort to make the fixes appear quickly and accurately. If you don't trust Microsoft, then the question becomes how best to hold Microsoft's feet to the fire. Although some believe in full, immediate disclosure, I don't buy that. There has to be a better way. Google's approach seems to me a reasonable one - although it's arguable that the zero-day notification window should be extended to 120 days..."
TorrentLocker -ransomware- hits ANZ Region
Jan 11, 2015 - "... the EMEA (Europe-Middle East-Africa) region experienced a surge in ransomware, specifically, crypto-ransomware attacks. It appears that these attacks are no longer limited to that region. Research from Trend Micro engineers shows that the ANZ (Australia-New Zealand) region is the latest to be greatly affected by this type of malware—this time by TorrentLocker ransomware. The Infection Chain:
Infection diagram for ANZ attacks:
The malware arrives through -emails- that pretend to be penal notices from the New South Wales government (referred in this entry as “NSW”) -or- shipping information from the Australia Post. Once users click-the-link, they will be -redirected- to a -spoofed- page bearing a newly-registered domain similar to the official, legitimate one. The page instructs users to download a file by first entering a CAPTCHA code. If correctly entered, it triggers the download of the malicious file in a zipped format from SendSpace, a file-hosting site. If the user -opens- the zipped file and executes the malware, it will connect to secure command-and-control (C&C) servers. After successful sending and receiving of information, the malware will then encrypt files in the users’ machines using Elliptic Curve Cryptography Encryption and appends the string .encrypted. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copy of the infected system by executing the command line instruction vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user to restore their files from back-up. Based on feedback from the Smart Protection Network, 98.28% of the recipients are from Australia... ... we have identified several fake domains, 180 for Australia Post and 134 for NSW. These domains are hosted in the following Russian name servers, registered to certain email addresses:
The C&C servers in these attacks are newly registered and hosted under IP addresses ranging from 220.127.116.11 to 18.104.22.168. We have also identified eight domains, including adwordshelper[.]ru and countryregion[.]ru... Sample hashes of the files supported by our detections:
(More detail at the trendmicro URL at the top of this post.)
Edited by AplusWebMaster, 12 January 2015 - 01:51 PM.