Fake 'Credit Card Statement' SPAM – doc/xls malware
17 Apr 2015 - "'Credit Card Statement' pretending to come from Julie Mckenzie <julie38@ swift-cut .co .uk> (random numbers after Julie) with a malicious Word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
17 April 2015 : C Swift Credit Card.doc - Current VirusTotal detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
17 Apr 2015
"... Attached is a file C Swift Credit Card.doc which comes in at least -four- different versions, all of which are malicious and all of which have a macro... These macros download a file from one of the following locations:
http ://oolagives .com/24/733.exe
http ://derekthedp .com/24/733.exe
http ://sempersleep .com/24/733.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54* (identified clearly as a Dridex component). Automated analysis... shows that it attempts to communicate with:
184.108.40.206 (FastVPS, Estonia)
I recommend that you -block- traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53**."
... Behavioural information
Fake 'Conference' SCAM
17 Apr 2015 - "This spam email forms part of a Conference Scam*:
From: United Nations Summit [no_replytoold@ live .com]
Reply-To: unitednation .unt@gmail .com
Date: 16 April 2015 at 17:59
Subject: Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),
Dear Invitee, Nonprofit/NGO Colleague,
UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.
Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.
The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel...
... Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is -no- hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel... and will then -vanish- with your money. There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a -fake- hotel website to make the scam more credible.
Flash EK strikes again via Google’s DoubleClick
Apr 16, 2015 - "A few days ago, we blogged about a -malvertising- attack on the HuffingtonPost website* via a major ad network which took advantage of a vulnerability in Flash Player... another major attack was also being carried out around the same time, most likely by the same gang. Working with ClarityAd, we quickly confirmed the malicious activity around 04/11 which showed a well-known ad network (merchenta) with direct ties to Google’s DoubleClick being caught in a large malvertising incident. The latest malvertising attack was carried through merchenta, a company that provides a platform for ad exchange and direct integrations with top publishers. They boast 28 -billion- monthly impressions for the US alone and work directly with top tier ad networks such as Google’s DoubleClick. The criminals posed as an advertiser, infiltrated the platform via a third party and managed to house a malicious advert directly on merchenta’s ad platform which was fed into Google’s DoubleClick channels. Within minutes, the booby trapped ad had a 95% reach in USA, Europe & UK exposing a huge number of people worldwide:
Although DoubleClick is 'not directly responsible' for loading the malicious ad, it starts the chain of trust with the publisher, which unfortunately has little control over the subsequent transactions taking place:
... this malicious SWF had -zero- detection on VirusTotal** when it was first submitted... All ad networks have been informed, but the attack did last for a few days most likely infecting a significant number of people. This latest example is yet another reminder of one of the big weaknesses with online advertising. Ad networks rely on third parties and the chain of trust can easily be broken when -one- rogue actor joins in... These crooks essentially pose as working for a Fortune 500 company and submit a clean advert. The ad network is very interested because that will be a big customer and so they make sure to accommodate the client as much as they can. The advert still goes through quality assurance and security tests before finally getting ready for prime time. Right before that happens, the rogue advertiser sends a new version of the ad (with only a minor change they claim) and the ad network, not wanting to lose a client, skips the checks that were already done. It turns out that the new version of the ad is malicious and yet has -full- clearance to be displayed via major networks. This is just one of the many tricks rogue advertisers will use to insert themselves in the chain..."
Apr 13, 2015
File name: merchenta-flash-malware.swf
Detection ratio: 0/57
Edited by AplusWebMaster, 17 April 2015 - 09:08 PM.
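The Dridex item above gives a defender three things to look for in outbound web logs: the three download hosts, the `/24/733.exe` payload path, and the 184.108.40.206 address the dropped EXE calls home to. The script below is an added example (not code from this post or from the blogs it quotes) that matches those indicators against proxy-log lines. The Squid-style log format and the sample lines are constructed here for illustration; the indicator values themselves are the ones quoted in the post, written without the defanging spaces so they match real URLs.

```python
"""Match the Dridex indicators quoted in the post against proxy-log lines.

Added example; the log format and sample lines are constructed, the
indicator values come from the post above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Indicators quoted in the post (defanging spaces removed).
DOWNLOAD_HOSTS = {"oolagives.com", "derekthedp.com", "sempersleep.com"}
PAYLOAD_PATH = "/24/733.exe"
C2_ADDRESSES = {"184.108.40.206"}

PAYLOAD_HIT = "macro-downloader payload URL"
HOST_HIT = "macro-downloader host"
C2_HIT = "Dridex C2 address"

# Constructed Squid-style access line:
# "<timestamp> <elapsed-ms> <client-ip> <result/status> <bytes> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str
    target: str


def classify(url: str) -> Optional[str]:
    """Return the matching indicator class for a request URL, or None."""
    # CONNECT requests log "host:port" with no scheme; give urlsplit a netloc.
    if "://" not in url:
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        # Any contact with a download host is suspicious; the exact payload
        # path is the strongest form of that signal.
        return PAYLOAD_HIT if parts.path == PAYLOAD_PATH else HOST_HIT
    if host in C2_ADDRESSES:
        return C2_HIT
    return None


def scan_proxy_log(text: str) -> list[Hit]:
    """Parse each log line and collect the ones that touch an indicator."""
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real scanner would count these
        reason = classify(match["url"])
        if reason:
            hits.append(Hit(line_no, match["client"], reason, match["url"]))
    return hits


def infected_clients(hits: list[Hit]) -> list[str]:
    """Clients that fetched the payload AND reached the C2: treat as infected."""
    reasons_by_client: dict[str, set[str]] = {}
    for hit in hits:
        reasons_by_client.setdefault(hit.client, set()).add(hit.reason)
    return sorted(
        client for client, reasons in reasons_by_client.items()
        if PAYLOAD_HIT in reasons and C2_HIT in reasons
    )


# Constructed sample log: one host fetches the payload then calls the C2,
# another only touches a download host, the rest is benign traffic.
SAMPLE_LOG = """\
1429272001.101 120 10.0.0.15 TCP_MISS/200 4096 GET http://www.example.com/index.html
1429272002.220 340 10.0.0.15 TCP_MISS/200 287232 GET http://oolagives.com/24/733.exe
1429272005.010 12 10.0.0.15 TCP_MISS/200 512 CONNECT 184.108.40.206:443
1429272007.500 80 10.0.0.22 TCP_MISS/404 300 GET http://derekthedp.com/robots.txt
1429272009.001 60 10.0.0.30 TCP_HIT/200 2048 GET https://www.example.org/
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit.line_no}: {hit.client} -> {hit.target} [{hit.reason}]")
    print("likely infected:", infected_clients(found))
```

The two-stage view matters in practice: a single request to one of the download hosts could be a sandbox, a proxy pre-fetch or a curious analyst, whereas a client that pulled `733.exe` and then opened a session to the C2 address is the one to pull off the network first. The host-only match is still worth keeping as a lower-severity alert, since the same hosts served at least four versions of the document according to the post.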