
SPAM frauds, fakes, and other MALWARE deliveries...


1382 replies to this topic

#1381 AplusWebMaster


Posted 28 January 2015 - 06:17 AM

FYI...

Fake 'invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 Jan 2015 - "'Windsor Flowers Invoice 1385' pretending to come from Windsor Flowers Accounts <windsorflowersaccounts@ hotmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus... The email looks like:
    Dear Accounts payable
    Please see attached invoice 1385 for flowers within January 15.
    Our bank details can be found at the bottom of the invoice.
    If paying via transfer please reference our invoice number.
    If you have any queries, please do not hesitate to contact me.
    Many thanks in advance
    Connie
    Windsor Flowers
    74 Leadenhall Market
    London
    EC3 V1LT
    Tel: 020 7606 4277...


28 January 2015: Windsor Flowers Invoice 1385 Sheet1.doc (2 different versions)
Current Virus total detections: (76 kb) 3/57* | (84 kb) 3/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422442083/

** https://www.virustot...sis/1422443094/
___

Fake 'RBS' SPAM - pdf-malware
- http://myonlinesecur...-pdf-malware-2/
28 Jan 2015 - "'RBS Morning commentary' pretending to come from RBS .COM <no-replay@ rbs .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please refer to the details below if you are having problems reading the attached file.
    Please do not contact your Treasury Centre for technical issues – these should be routed to RBS FM support. The attached file is in zip format; first you have to unzip it (self-extracting archive, Adobe PDF) and then it can be viewed in Adobe Acrobat Reader 3.0 or above. If you do not have a copy of the software please contact your technical support department...


All the attachment numbers are random but all extract to same -malware- payload.
28 January 2015: attachment3532715.zip: Extracts to: attachment.exe
Current Virus total detections: 2/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422448752/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustot...11/information/

- http://threattrack.t...commentary-spam
Jan 28, 2015
___

xHamster involved in large Malvertising campaign ...
- https://blog.malware...ising-campaign/
Jan 27, 2015 - "... a particularly large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month. In the past two days we have noted a 1500% increase in infections starting from xHamster. Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within a rogue ad network... The URL linked to is a simplified landing page hosted by what looks like a rogue ad network. The landing simply consists of preparing for a Flash Player exploit... the Flash exploit itself (0 detection on VT*), again hosted on the same ad network. Depending on your version of Flash you may get the recent 0-day:
> https://blog.malware...ash-300x262.png
Upon successful exploitation, a malicious payload (Bedep) VT 2/57**, is downloaded from:
hxxp ://nertafopadertam .com/2/showthread.php
What we see post exploitation is ad fraud as described here***... While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge."
* https://www.virustot...sis/1422391909/

** https://www.virustot...sis/1422393597/

*** https://blog.malware...nd-in-the-wild/
 



Edited by AplusWebMaster, 28 January 2015 - 09:30 AM.


#1382 AplusWebMaster


Posted Yesterday, 07:53 AM

FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2015 - "'Invoice #10413 from SPOTLESS CLEANING' pretending to come from paulamatos@ btinternet .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This message contains Invoice #10413 from SPOTLESS CLEANING. If you have questions about the contents of this message or Invoice, please contact SPOTLESS CLEANING.
    SPOTLESS CLEANING
    GLYNDEL HOUSE
    BOWER LANE
    DA4 0AJ
    07956 379907


29 January 2015: SPOTLESS CLEANING-Invoice-10413.doc - Current Virus total detections: 0/57*
... this malicious word doc with macros downloads from www .otmoorelectrical .co.uk/js/bin.exe which is saved as %temp%\hDnyDA.exe (dridex banking Trojan) which has a current detection rate of 2/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422523082/

** https://www.virustot...sis/1422531540/
___

Fake 'BACS Transfer' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2015 - "'Garth Hutchison BACS Transfer : Remittance for JSAG400GBP' pretending to come from Garth Hutchison <accmng2556@ blumenthal .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


29 January 2015: BACS_transfer_JS87123781237.doc - Current Virus total detections: 0/57*
...  same malware payload as today’s Invoice #10413 from SPOTLESS CLEANING – Word doc malware** ..."
* https://www.virustot...sis/1422524523/

** http://myonlinesecur...rd-doc-malware/
___

Swiss users inundated with malware-laden SPAM
- http://net-security....ews.php?id=2950
29.01.2015 - "Swiss users are being heavily targeted by a number of spam campaigns delivering the Tiny Banker (TinBa or Busy) e-banking Trojan. Starting with Tuesday, the spammy emails seem to come from email addresses opened with big Swiss free email service providers (bluewin .ch, gmx .ch) and Swiss telecom provider Orange (orange .ch), but actually originate from broadband lines located all over the world. They masquerade as emails containing images sent from iPhones, an MMS sent to the user by Orange, and an application for a job position:
> http://www.net-secur...am-29012015.jpg
Unfortunately for those who fall for these tricks, the attached ZIP files contain only malware. "While most of the Tinba versions I usually come across are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains," noted Swiss security activist Raymond Hussy*. Further investigation revealed that all the sending IP addresses are Cutwail infected IPs, and the malware tries to contact four distinct C&C servers, two of which have already been sinkholed. Hussy recommends that network administrators block traffic to and from the remaining two active domains (serfanteg .ru, midnightadvantage .ru) and the following IPs: 91.220.131.216 and 91.220.131.61. "In general, 91.220.131.0/24 looks quite suspect. So you may want to block the whole netblock," he pointed out, adding that it would also be a good idea to block filenames with multiple file extensions on their email gateway."
* https://www.abuse.ch/?p=9095

91.220.131.61: https://www.virustot...61/information/

91.220.131.216: https://www.virustot...16/information/
 



Edited by AplusWebMaster, Today, 05:44 AM.
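The two posts above describe the same gateway-side tells from two angles: the RBS lure in post #1381 is an .exe with a PDF icon inside a zip (only visible as such with "show known file extensions" enabled), and the abuse.ch write-up quoted in post #1382 advises blocking filenames with multiple extensions at the email gateway. The Python below is an added example written for this page, not code from myonlinesecurity, abuse.ch or any other quoted source. It opens a zip attachment in memory and flags each member on three checks: an executable extension, a document extension followed by an executable one, and the PE "MZ" signature hiding behind a document extension. The archive and its member names are constructed for the demonstration (some modelled on names in the posts); encrypted members are reported rather than silently skipped, since a password-protected zip cannot be inspected this way.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# Extensions Windows runs directly on double-click; none of these belongs in an
# unexpected mail attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions a lure pretends to be ("invoice.pdf.exe").
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_entry(name: str, head: bytes) -> List[str]:
    """Return the reasons one archive member looks like a disguised executable.

    `head` is the first bytes of the member. A Windows PE file always starts
    with the DOS stub signature b"MZ", whatever extension or icon it carries.
    """
    reasons = []
    suffixes = [s.lower().strip() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
        reasons.append("double extension " + "".join(suffixes[-2:]))
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE header (MZ) behind {ext or 'no'} extension")
    return reasons


def inspect_zip_attachment(data: bytes) -> Dict[str, List[str]]:
    """Map every suspicious member of an in-memory zip to its reasons."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings[info.filename] = ["encrypted member, content not inspected"]
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real attachment); names modelled on the posts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.exe", b"MZ\x90\x00" + b"\x00" * 60)  # RBS lure, post #1381
        zf.writestr("statement.pdf", b"MZ\x90\x00")                   # PE bytes, document extension
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00")                 # multiple extensions
        zf.writestr("Invoice 1385.pdf", b"%PDF-1.4\n")                # benign PDF, must not flag
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip_attachment(build_sample_zip()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

The MZ check is the one that survives the icon trick and a renamed extension; the double-extension check is the cheap filename rule abuse.ch suggests for the gateway. Neither helps with an encrypted archive, which is why those members are surfaced as findings rather than passed through.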


#1383 AplusWebMaster


Posted Today, 06:57 AM

FYI...

Fake 'BACS Transfer' SPAM - doc malware
- http://blog.dynamoo....remittance.html
30 Jan 2015 - "So far I have only seen one sample of this..
    From     "Garth Hutchison"
    Date     21/01/2015 11:50
    Subject     BACS Transfer : Remittance for JSAG400GBP
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


Attached is a malicious Word document BACS_transfer_JS87123781237.doc [VT 1/57*] which contains a macro... which downloads a file from:
http ://stylishseychelles .com/js/bin.exe
This is then saved as %TEMP%\iHGdsf.exe. This has a VirusTotal detection rate of 6/57** identifying it as a Dridex download... Sources indicate that this malware phones home to the following IPs which I recommend you block:
92.63.88.108
143.107.17.183
5.39.99.18
136.243.237.218
"
* https://www.virustot...sis/1422618493/

** https://www.virustot...sis/1422618468/
___

Fake BBB SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Jan 2015 - "'BBB SBQ Form #2508(Ref#61-959-0-4)' pretending to come from Admin <no-replay@ bbbl .org> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...2015/01/BBB.png

30 January 2015: SBQForm-57675.zip (13kb): Extracts to: doc-PDF.exe
Current Virus total detections: 8/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422628270/
... Behavioural information
TCP connections
46.165.223.77: https://www.virustot...77/information/
31.170.162.203: https://www.virustot...03/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
208.91.197.54: https://www.virustot...54/information/
208.97.25.20: https://www.virustot...20/information/
___

Fake 'RE-CONFIRM' SPAM - malware
- http://myonlinesecur...1ll112-malware/
30 Jan 2015 - "'RE-CONFIRM P.O©{XX1ll112}' pretending to come from sensaire@ emirates .net .ae with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...O©XX1ll112.png

30 January 2015: Purchase order(1).zip: Extracts to: Purchase order.exe
Current Virus total detections: 12/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper file with an icon saying A instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422633004/
___

Fake 'Apple Termination' – Phish ...
- http://myonlinesecur...ation-phishing/
30 Jan 2015 - "'Apple Termination' pretending to come from Apple Account <support@ apple-messages .com> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: http://myonlinesecur...Termination.png

If you follow the link you see a webpage looking like this, with a pre-filled box containing your email address:
> http://myonlinesecur...fy_apple_ID.png
When you fill in your user name and password you get a page looking like this (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur..._apple_ID_3.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake 'Tesco Bank' – Phish ...
- http://myonlinesecur...-bank-phishing/
30 Jan 2015 - "'Latest estatement is ready – Tesco Bank' pretending to come from savings@ tescobank .com <pol@ tesco .com> is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one only wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email.
    Certain restriction has been placed on your tesco bank online services
     View your eDocument attached to proceed
     Tesco Bank is a retail bank in the United Kingdom which was formed in 1997,
    and which has been wholly owned by Tesco PLC since 2008
    ©Tesco Personal Finance plc 2014 / ©Tesco Personal Finance Compare Limited 2014.


If you open the attached html form you see this message:
    Your Latest Tesco Bank Saving Account Statement is ready.
    Certain restriction has been placed on your tesco bank online service
    You would be required to re-activate your online banking access to proceed
    Activate Your Online Access


If you follow that link you see a webpage looking like:
> http://myonlinesecur...o_vouchers1.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecur...o_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur...o_vouchers3.jpg
Then they send you to this page and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecur...o_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 



Edited by AplusWebMaster, Today, 10:56 AM.
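The abuse.ch write-up quoted in post #1382 (Tinba C&C domains, two IPs, and the whole 91.220.131.0/24 netblock) and the Dynamoo write-up in post #1383 (four Dridex phone-home IPs) both end with a list of things to block. The same list is worth running backwards over proxy and firewall logs already collected, to find hosts that have been phoning home since the campaign started. The Python below is an added example, not code from either source: the indicator list is the one quoted in the two posts (with the defanging spaces removed), while the key=value log line format and the log lines themselves are constructed for the demonstration, as is the assumption that proxy lines carry a host= field and firewall lines do not.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators quoted in the two posts above.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "91.220.131.0/24",     # Tinba C&C netblock, abuse.ch (post #1382)
    "92.63.88.108/32",     # Dridex phone-home IPs, Dynamoo (post #1383)
    "143.107.17.183/32",
    "5.39.99.18/32",
    "136.243.237.218/32",
)]
BLOCKED_DOMAINS = {"serfanteg.ru", "midnightadvantage.ru"}   # Tinba C&C, abuse.ch

# Assumed log layout for this example: key=value fields; host= only on proxy lines.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)(?:\s+host=(?P<host>\S+))?")


def match_indicator(dst: str, host: Optional[str]) -> Optional[str]:
    """Return the indicator a connection hits, or None.

    Domains are checked first (subdomains included), then the destination IP
    against each network, so an address inside 91.220.131.0/24 is caught even
    though only two addresses from that block were listed individually.
    """
    if host:
        h = host.lower().rstrip(".")
        for d in BLOCKED_DOMAINS:
            if h == d or h.endswith("." + d):
                return d
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:          # malformed dst field: nothing to compare against
        return None
    for net in BLOCKED_NETS:
        if addr in net:
            return str(net)
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, destination, indicator) for every line that hits the list."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        indicator = match_indicator(m["dst"], m["host"])
        if indicator:
            hits.append((m["src"], m["dst"], indicator))
    return hits


# Constructed sample log lines (not from any real network).
SAMPLE_LOG = [
    "2015-01-30T09:01:12 src=10.1.4.22 dst=91.220.131.61 dport=80",
    "2015-01-30T09:01:40 src=10.1.4.22 dst=91.220.131.9 dport=443",
    "2015-01-30T09:02:05 src=10.1.7.3 dst=5.39.99.18 dport=8080",
    "2015-01-30T09:02:30 src=10.1.7.3 dst=198.51.100.7 host=www.serfanteg.ru dport=80",
    "2015-01-30T09:03:00 src=10.1.9.8 dst=93.184.216.34 host=example.com dport=443",
]

if __name__ == "__main__":
    for src, dst, indicator in scan_log(SAMPLE_LOG):
        print(f"{src} -> {dst} matches {indicator}")
```

The second sample line is the reason for carrying the netblock rather than the two listed addresses: 91.220.131.9 appears in neither post, but Hussy's advice to treat the whole /24 as suspect means it is still reported. The source addresses returned are the internal hosts to pull for the %TEMP% dropper named in the Dynamoo write-up.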


