2072 replies to this topic

[AplusWebMaster]

FYI...

Fake 'toll road invoice' SPAM – JS malware
- http://myonlinesecur...297-js-malware/
2 Sep 2015 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [ random numbered] pretending to come from E-ZPass Agent with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...97-1024x476.png

2 September 2015: E-ZPass_00212297.zip: Extracts to:  E-ZPass_00212297.doc.js
Current Virus total detections 2/57*  which downloads 2 files  51053011.exe (virus total**) and 9360abf00281f3aa[1].gif (VirusTotal***) from a combination of these 3 sites
ihaveavoice2 .com
leikkihuone .com
etqy .com
... the 51053011.exe has a stolen digital signature from ESET Antivirus, which has been blocked and at least in Internet Explorer, Smart Filter warns about an invalid digital signature and blocks the file. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441173827/

** https://www.virustot...sis/1441160077/

*** https://www.virustot...sis/1441173275/

ihaveavoice2 .com: 50.116.104.205: https://www.virustot...05/information/
leikkihuone .com: 23.91.123.160: https://www.virustot...60/information/
etqy .com: "... query for etqy .com failed"
___

Fake 'order cancelled' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
2 Sep 2015 - "An email with the subject of 'The shipment of your ordered goods is impossible' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello!
    Unfortunately, the delivery of you order # 003313 was cancelled since
    the specified address of the recipient was not correct. You’re recommended to
    complete the attached form and send it back or print it and get this package
    on your own at our office.
    Alf Gottlieb, Corporate Intranet Director ...
-Or-
    Hello!
    Unfortunately, the delivery of you order # 4534481 was cancelled since
    the specified address of the recipient was not correct. You’re recommended to
    complete the attached form and send it back or print it and get this package
    on your own at our office.
    Arnoldo Strosin, Dynamic Markets Producer

And hundreds of other random names and job titles and companies. Some of the subjects in this series of emails include:
    The shipment of your ordered goods is impossible
    The delivery of your ordered goods isn’t finished
    The shipment of your parcel is impossible
    The shipping of your parcel is impossible to complete
    The shipping of your items has failed
    The shipping of your items isn’t finished
    The delivery of your items was cancelled
    The shipping of your goods is impossible
    The delivery of your parcel has failed ...
2 September 2015: orderHayes Flat.zip: Extracts to: orderYost Dale.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441191343/
___

Fake 'Companies House' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
2 Sep 2015 - "Another perennial email that constantly does the rounds has a subject matter about 'Companies House WebFiling service' and pretends to be either a complaint or a filing acknowledgement. They come with a zip attachment which is another one from the current bot runs... The content of the email says :
    This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
    (CC01) Company Complaint for the above company was accepted on 02/09/2015.
    The submission number is 1GS31QZLMK1BCRG
    Please quote this number in any communications with Companies House.  
    All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
    Not yet filing your accounts online? See how easy it is…
    Note: reference to company may also include Limited Liability Partnership(s).
    Thank you for using the Companies House WebFiling service.
    Service Desk tel +44 (0)303 1234 500 or email...
    Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

2 September 2015: Case_1GS31QZLMK1BCRG.zip: Extracts to: Case_081415.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441193027/
 

 

Edited by AplusWebMaster, 02 September 2015 - 07:40 AM.

[AplusWebMaster]

FYI...

 

Malvertising found on Dating Site Match[dot]com
- https://blog.malware...te-matchdotcom/
Sep 3, 2015 - "In an attack similar to the one that happened last month on PlentyOfFish, the UK version of online dating site Match .com was caught serving malvertising. Both companies are actually related since the Match Group bought out POF.com last summer. This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit.
Infection flow:
    Initial URL: uk.match .com/search/advanced_search.php
    Malvertising: tags.mathtag .com/notify/js?exch={redacted}&price=0.361
    Malvertising: newimageschool .com/adframe/banners/serv.php?uid=215&bid=14&t=image&w=728&h=90
    Malicious Redirector: goo .gl/QU2x0w
    Exploit Kit (Angler): med.chiro582help .com/carry.shtm?{redacted}
> https://blog.malware...015/09/math.png
The malvertising goes through a Goo.gl shortened URL (already blacklisted) that loads the Angler exploit kit:
> https://blog.malware...5/09/google.png
Angler EK is known to serve the Bedep ad fraud Trojan as well as CryptoWall ransomware. The cost per thousand impressions (CPM) for the booby trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $5oo per victim. We alerted Match .com and the related advertisers but the malvertising campaign is still-ongoing via other routes."

chiro582help .com: 74.207.227.69: https://www.virustot...69/information/
___

Fake 'chat history' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You need to read this chat history' coming from random senders and email addresses from with a zip attachment is another one from the current bot runs... The content of the email says :
    Good day!
    You should know this. View the chat history that I’ve attached. Remember
    it’s strongly confidential, so please don’t show it to anyone.
    Mrs. Edmund Schultz | (859) 913-2400
    Toys | Hackett-Kiehn

And hundreds of other random names, email addresses, phone numbers and companies. Other subjects in this series include:
    You should view this correspondence
    Please view this correspondence
    You need to view it
    Please see it
    You need to review this information
    You need to review this chat history
    Please see this messages
    You need to read this chat history
    You should read this messages
    You should view this correspondence
And hundreds of other similar variations on the theme of messages and chat history...
3 September 2015: history Ward LockUG.zip: Extracts to:  history Chelsea VillagePY.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441271691/
___

Fake 'Invoice / credit note' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2015 - "The latest set of -Upatre- downloader emails are 'Invoice' or 'credit note' from random companies. An email with the subject of 'Invoice INV-91659 from [random company]' for [Your web domain] (random numbers) or 'Credit Note CN-85402 from [random company]' for [Your web domain] (random numbers)   pretending to come from Accounts with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...94-1024x493.png

3 September 2015: Invoice INV-91659.zip: Extracts to: Invoice.scr
Current Virus total detections 1/56 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441279729/
___

Fake 'Lloyds Bank' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2015 - "An email with the subject of 'Customer Account Correspondence' pretending to come from Lloyds Bank Commercial Finance <customermail@ lloydsbankcommercialfinance .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-1024x490.png

3 September 2015: Lloyds-Commercial_Documents.zip: Extracts to: Lloyds-Commercial_Documents.scr
Current Virus total detections 3/56 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441281692/
___

Fake 'overdue balance' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2015 - "Following on from the earlier -Upatre- downloaders, the latest set of  emails are about an overdue balance from random companies. An email with the subject of 'Urgent' e-mail letter of 'overdue balance' or 'Important reminder notice about outstanding balance' or very similar wording with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...es-1024x314.png

Some of the subjects so far seen include:
    Important reminder letter about outstanding remittances
    Urgent e-mail letter of overdue balance
    Important reminder letter about outstanding remittances
    Urgent letter of past due balance
    Urgent reminder about your delinquent balance
    Important reminder notice of delinquent remittances
    Urgent reminder about outstanding balance ...
3 September 2015: documents Heidenreich MillsDE.zip: Extracts to: documents Stark LodgeFR.exe
Current Virus total detections 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1441291670/
___

Fake 'Canadian Bank' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You have received a secure e-mail / Vous avez reu un courriel prot&#233;g&#233;' pretending to come from Canadian Imperial Bank of Commerce <noreply@ cibc .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...il-1024x580.png

3 September 2015: SecureMail.zip: Extracts to: SecureMail.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441298777/
___

Skype Spam...
- https://blog.malware...his-skype-spam/
Sep 3, 2015 - "Over the last few weeks, there’s been a spam campaign taking place on Skype which involves the following steps:
> Scammers use an automated technique to break old/weak Skype passwords (this has been contested by Skype users in that forum thread*).
* http://community.sky.../4038620#M47813
> They then use these accounts to send spam messages to contacts.
> The spam frequently hides the “real” destination by providing (say) a Baidu search engine link instead – along with the Skype Username of the person who clicked the link in the URL.
> The websites the “masked” URls lead to tend to use redirects – it’s possible they’ve been compromised – before dumping the end-user on a diet spam page.
Here’s an example of the spam currently going around:
>> https://blog.malware.../skypespam0.jpg
“Hi [username] | baidu(dot)com/[url string] advise”
Below you can see the initial landing page, the final destination and a screenshot of a Fiddler log:
> https://blog.malware.../skypespam3.jpg
...
> https://blog.malware...spam2.jpg?w=564
If your Skype password is in need of a spring clean... feel free to check out the list of hints and tips on the Skype Security page**."
** https://www.skype.com/en/security/
 

  

Edited by AplusWebMaster, 03 September 2015 - 11:45 AM.

[AplusWebMaster]

FYI...

Fake 'RE:resume' SPAM / Cryptowall
- http://blog.dynamoo....t-happened.html
4 Sep 2015 - "This -fake- résumé spam leads to ransomware:
    From:     fredrickkroncke@ yahoo .com
    Date:    5 September 2015 at 03:50
    Subject:    RE:resume
    Signed by:    yahoo.com
    Hi my name is Teresa Alexander attach is my resume
    Awaiting your prompt reply
    Kind regards
    Teresa Alexander

The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:
> https://1.bp.blogspo...ed-document.png
Following these steps would be a Very-Bad-Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56*.
The Hybrid Analysis report** shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga .net)
192.186.235.39 (satisgoswamicollege .org)
52.88.9.255 (entriflex .com)
23.229.143.32 (eliasgreencondo .com)
-Blocking- those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56***.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report):
> https://3.bp.blogspo...cryptowall2.png
This further references another bunch of domains that you might want to -block- especially in a corporate environment:
namepospay .com
optiontosolutionbbs .com
optionpay2all .com
democraticash .com
This further Hybrid Analysis report**** on the dropped binary also identifies the following malicious site:
68.178.254.208 (erointernet .com)
... it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr .es - although this is -not- a malcious site, you can consider it to be a potential indicator of compromise. The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.
Recommended blocklist:
46.30.46.0/24
gaiga .net
satisgoswamicollege .org
entriflex .com
eliasgreencondo .com
erointernet .com
namepospay .com
optiontosolutionbbs .com
optionpay2all .com
democraticash .com "
* https://www.virustot...sis/1441396906/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1441396906/

**** https://www.hybrid-a...environmentId=1
___

Fake 'reservation confirmed' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Your reservation is now confirmed!' pretending to come from Booking .com with a zip attachment is another one from the current bot runs... The content of the email says:
    Thanks! Your reservation is now confirmed.
    To view additional information about your reservation, please open the attachment.
    Booking number:     376627092
    PIN Code:     6524
    Email:     [Redacted]
    Your reservation:     1 night, 1 room
    Check in:     Saturday, September 05, 2015
    (2:00 pm – 00:00 am)
    Check out:     Sunday, September 06, 2015
    (until 12:00 pm)
    Superior Double Room     £1,799.68
    VAT (20%) included     £449.92
    Total Price     £2,249.60
    Please note: additional supplements (e.g. extra bed) are not added to this total.
The total price shown is the amount you will pay to the property. Booking.com does not charge any reservation, administration or other fees.
You can easily change or cancel this booking for free before September 05 – 2015, to cancel or modify your reservation please complete the attached form and fax it to:
+1 888 850 5250
Have a great trip!
– The Booking.com Team
Copyright 1996 – 2013 Booking .com. All rights reserved.
This email was sent by Booking .com, Herengracht 597, 1017 CE Amsterdam, Netherlands

4 September 2015: Booking number 376627092.zip: Extracts to:  Booking.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441343056/
___

Fake 'account security' SPAM
- http://myonlinesecur...count-security/
4 Sep 2015 - "An email with the subject of 'Important system notification about account security' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... However the attachment is defective and corrupt. If previous experience is anything to go by, the bad guys controlling the botnet will soon realise their mistake and send out a new batch of -working- emails and attachments. The content of the email says:
    This is an automatically generated security system alert. It happens when something goes wrong with your account.
    To view full details, please open the attached report.
    Mrs. Myriam Dach
    tel: 1-606-773-7379
    Email : cyineosoy5964lqw@ allpromoprint .com

... other subjects include:
    Notice concerning your account
    Important system notification about your account protection ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake 'Order' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Order is finished' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello!
    Many thanks for purchasing! Please retain attached transaction summary for your records.
    Please do not respond to this e-mail message. It’s automatically generated.
    Terence Kilback
    tel: 936.953.8037
    Lehner LLC
    Email: ...

Other subjects in this series of emails include:
    Your purchase is finished
    Your order is finished
    Your purchase is confirmed ...
4 September 2015: Krystel StreetMT_report.zip: Extracts to: Tristin LandBL_report.exe
Current Virus total detections 5/57 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441384453/
 

 

Edited by AplusWebMaster, 04 September 2015 - 08:31 PM.

[AplusWebMaster]

FYI...

Fake 'Court appearance' SPAM - JS malware
- http://myonlinesecur...urt-js-malware/
5 Sep 2015 - "An email with the subject of 'Notice of appearance in Court #0000440904' [random numbered] pretending to come from County Court  with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-0000440904.png

5 September 2015: 0000440904.zip: Extracts to: 0000440904.doc.js
Current Virus total detection 9/57* ... which downloads 2 files 14136619.exe (Virus total**) and 1e0e6fda2680957[1].gif (VirusTotal***) from a combination of these 3 sites:
selmaryachtmarket .com
fibrasinteticafm .com
laterrazzafiorita .it
... None of the automatic analysers even mention any reference to digital signatures whatsoever: Hybrid Analysis Win8.1 [1] | Hybrid Analysis Win 7 [2] | MALWR [3]
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441437273/

** https://www.virustot...sis/1441413005/

*** https://www.virustot...sis/1441438363/

1] https://www.hybrid-a...environmentId=3

2] https://www.hybrid-a...environmentId=1

3] https://malwr.com/an...WMzNTM2ZGU1OTY/

selmaryachtmarket .com: 174.137.191.22: https://www.virustot...22/information/
fibrasinteticafm .com:
54.228.191.204: https://www.virustot...04/information/
45.55.195.124: https://www.virustot...24/information/
177.71.183.219: https://www.virustot...19/information/
54.241.242.142: https://www.virustot...42/information/
54.83.41.200: https://www.virustot...00/information/
177.71.188.70: https://www.virustot...70/information/
laterrazzafiorita .it: 208.43.65.115: https://www.virustot...15/information/
___

UK bank phish-sites on teamhelpers .com
- http://myonlinesecur...eamhelpers-com/
5 Sep 2015 - "I received a couple of -phishing- emails this morning that both lead to UK bank phishing sites on teamhelpers .com. So far I have seen one for Halifax Bank and one for Lloyds Bank. The subjects include 'Your Halifax online banking needs updating' and 'Your Lloyds online banking needs updating'. I would not be at all surprised to find out that there are many other different UK bank phishing sites on teamhelpers .com. I just haven’t found them yet...

Screenshot1: http://myonlinesecur...ng-1024x610.png

Screenshot2: http://myonlinesecur...ng-1024x612.png

They are both common subjects in a bank phishing attempt. We see them pretending to be from PayPal and your Bank or Credit Card, with a message saying some thing like :
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your online banking needs updating
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
    Confirmation of Order
... These will NEVER be genuine emails from  PayPal or Your Bank so don’t ever follow the link-in-the-email  which leads to a website that looks at first glance like the genuine bank website. This particular phishing campaign starts with an email with-a-link. In this case to a newly created base domain teamhelpers .com  Which is hosted on Godaddy .com... you would be very hard-pressed to tell the difference from the -fake- one and the genuine site. The only way is look at the address bar and in the -Genuine- bank site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)... This either means that the new domain has been hacked already due to insecurities in the site software and Godaddy servers or more likely that the entire site was set up to act as a -fraud- site and Godaddy are not being as efficient and proactive as they should be with weeding out fake registrations..."

Phish1: http://myonlinesecur...rs-1024x678.png

Phish2: http://myonlinesecur...rs-1024x707.png

Genuine: http://myonlinesecur...te-1024x672.png

teamhelpers .com: 107.180.41.152: https://www.virustot...52/information/
 

  

Edited by AplusWebMaster, 06 September 2015 - 09:55 AM.

[AplusWebMaster]

FYI...

Fake 'Companies House' SPAM - malicious attachment
- http://blog.dynamoo....nies-house.html
7 Sep 2015 - "This spam does -not- come from Companies House, but is instead a simple forgery with a malicious attachment:
    From     "Companies House" [WebFiling@ companieshouse .gov.uk]
    Date     Mon, 7 Sep 2015 12:40:01 +0100
    Subject     RE: Case 0676414
    The submission number is: 0676414
    For more details please check attached file.
    Please quote this number in any communications with Companies House.
    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.
    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds.
    If you have any queries please contact the Companies House Contact Centre
    on +44 (0)303 1234 500 or email enquiries@ companies-house .gov.uK
    Note: This email was sent from a notification-only email address which cannot
    accept incoming email. Please do not reply directly to this message...

The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file. This executable has a detection rate of 4/56*. The Hybrid Analysis report** shows that it communicates with 197.149.90.166 (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre."
* https://www.virustot...sis/1441627466/

** https://www.hybrid-a...environmentId=1

197.149.90.166: https://www.virustot...66/information/
___

Fake 'scanner notice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 Sep 2015 - "An email with the subject of 'Important system scanner notice' coming from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello!
    Our system scanner indicates 69405063 error(s). Please see the attached documentation and contact with us ASAP.
    Regards,
    Online system security
    Mrs. Kendall Howell
    tel. 503-012-0597
    Email : prabha@ klcc .com.my

The alleged sender matches the name of the company and email address in the body of the email. The numbers of errors are random. Some of the other subjects inn this series of -Upatre- downloaders include:
    Important system e-mail
    Protection shield system scanner report
    Urgent security system notification
    Protection shield system scanner e-mail
    Security system scanner notification
    Urgent system scanner notice
    Protection shield system scanner e-mail
And -hundreds- of other variations along the same theme...
7 Serptember 2015: Cary PlazaGL_report-HUDY9Ife7_.zip: Extracts to: Imogene CoveBR_report.exe
Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441621866/
___

Something evil on 184.105.163.192/26 ...
- http://blog.dynamoo....9226-white.html
7 Sep 2015 - "... I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243* hosted on what appears to be a Hurricane Electric IP... I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26... given the sheer volume of carp** that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking-traffic to 184.105.163.192/26 to be on the safe side."
(More detail at the dynamoo URL above.)
* 184.105.163.243: https://www.virustot...43/information/
 

  

Edited by AplusWebMaster, 07 September 2015 - 09:00 AM.

[AplusWebMaster]

FYI...

Evil network: 89.144.2.0/24 / Echo Romeo LLP (AS199762)
- http://blog.dynamoo....echo-romeo.html
8 Sep 2015 - "This post at malware.kiwi* caught my eye after a sort-of challenge by Techhelplist**. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.
* http://malware.kiwi/...shing-campaign/
...
** https://twitter.com/...107799796137984
This appears to be a binary options scam*** that is using illegally -hacked- sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit .me...
*** http://www.cftc.gov/...v_binaryoptions
It turns out that dailybusinessdirect .com is hosted alongside a cluster of related domains on a set of IPs belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they operate an IP range 89.144.2.0/24 which seems to be almost completely full of spam, scam and malware sites... Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, -none- of those customer sites are actually hosted in this IP address range. The first thing I noticed was a cluster of sites and IPs[4] that appear to be closely related to dailybusinessdirect .com:
4] http://pastebin.com/mieQQj5s
... Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon[5] shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?"
5] https://www.damballa...seidon-spotted/
(More detail at the dynamoo URL at the top of this post.)

AS199762 (ECHOROMEO-AS)
> https://www.google.c...?site=AS:199762

- https://www.google.c...c?site=t9e.net/

- https://www.google.c...ite=89.144.2.0/

searchingprofit .me: 82.192.91.16: https://www.virustot...16/information/

dailybusinessdirect .com: 89.144.2.158: https://www.virustot...58/information/
___

ipserver .su, 5.133.179.0/24 and 212.38.166.0/24
- http://blog.dynamoo....1238166024.html
8 Sep 2015 - "A follow-up to this post*, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:
person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ ipserver .su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ ipserver .su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE

I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165**), mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service. Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating... I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all. I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation***, then my suggestion is that you block traffic to:
5.133.179.0/24
212.38.166.0/24
In the meantime I will continue digging.."
* http://blog.dynamoo....echo-romeo.html

** 5.133.179.165: https://www.virustot...65/information/

*** https://www.abuse.ch/?p=3581

Diagnostic page for AS20860 (IOMART-AS)
- https://www.google.c...c?site=AS:20860
"... over the past 90 days, 289 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-09-08, and the last time suspicious content was found was on 2015-09-08... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 9 other site(s)... We found 97 site(s)... that infected 127 other site(s)..."
___

Fake 'FedEx' SPAM - JS malware
- http://myonlinesecur...cel-js-malware/
8 Sep 2015 - "An email with the subject of 'We could not deliver your parcel, #00184416 [ random numbered]' pretending to come from FedEx Standard Overnight <kevin.swartz@ 189-38-86-3 .net2 .com.br> with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Customer,
    We could not deliver your parcel.
    Delivery Label is attached to this email.
    Regards,
    Kevin Swartz,
    Station Agent.

8 September 2015: Delivery_Notification_00184416.zip: Extracts to: Delivery_Notification_00184416.doc.js
Current Virus total detections 9/56* ... which downloads 2 files 97823c.gif (VirusTotal**)  | 12918408.exe (VirusTotal***) from a combination of these 3 sites:
dominaeweb .com
idsecurednow .com
les-eglantiers .fr
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441689276/

** https://www.virustot...sis/1441689928/

*** https://www.virustot...sis/1441658746/

dominaeweb .com: 174.36.231.69: https://www.virustot...69/information/
idsecurednow .com: 96.31.36.46: https://www.virustot...46/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustot...90/information/
___

Fake 'contract' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Sep 2015 - "An email with the subject of 'Edits of contract #oyMolGA of Tue, 08 Sep 2015 12:33:32 +0200 (random characters and times)' pretending to come from random companies and email addresses with  a zip attachment is another one from the current bot runs... The content of the email says :
    Good day,
    Please check out the edits of contract 181254053. Pay your particular attention to
    paragraphs 121.39 and 148.85.
    Until this contract isn’t signed, an amount won’t be remitted. If you have any questions,
    please mail or call me on my additional number 63779928.
    Emmalee Schaden
    phone: 842-690-4561
    Robel, McCullough and Gibson

8 September 2015: agreement changes Bruen Mall_jEHqrF.zip: Extracts to: renewed agreement Harber Village.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441708637/
___

PayPal Overpayment Scams that target Craigslist Sellers
- https://isc.sans.edu...l?storyid=20115
Last Updated: 2015-09-08 - "... when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off. With this in mind, I'd like to describe my recent interactions with miscreants who target sellers on Craigslist. This encounter, which involved SMS messages, emails and a click, is a variation of a PayPal-themed overpayment -scam- that has been quite prolific in the recent years... The -fake- PayPal message in my inbox clarified that I might not see the funds in my PayPal account until I sent money to the buyer's pickup agent using MoneyGram... Soon, I received two more messages claiming to be from PayPal and impressing upon me of the 'safety' of the transaction... more of my articles about online scams, take a look at How Victims Are Redirected to IT Support Scareware Sites* and Conversation With a Tech Support Scammer**."
(More detail at the isc URL at the top of this post.)
* https://isc.sans.edu...re Sites/19487/

** https://zeltser.com/...r-conversation/
___

Com[dot]com site leads to -Fake- Daily Mail Article, Other Dodgy Sites
- https://blog.malware...er-dodgy-sites/
Sep 7, 2015 - "When news of “com .com” (previously owned by CNET) being quietly sold to dsparking .com*, a known entity in the realm of browser hijacking and domain squatting, had rippled within the security industry a couple of years ago, some experts expressed concern**...
* https://www.virustot...om/information/
...
** https://blog.whiteha...ould-scare-you/
... We recently encountered the URL, dw[DOT]com[DOT]com, that directed us to various destinations whenever we refresh it. Although this site is no longer accessible as we write this post, we were still able to visit one particular live URL destination that stood out among the rest during our testing. It is a -fake- Daily Mail news piece[3] reporting about British citizens finding a loophole wherein they can get the iPhone 6 for £1...
3] https://blog.malware...dailymail00.png
... All links on the fake Daily Mail article point to one URL, which then leads users to -random-  destinations where they are offered freebies-behind-surveys or certain services... A little more digging around about dw[DOT]com[DOT]com has revealed that it also has a history of housing adware, PUPs[4], and spyware[5]... there are relatively few reports of com .com sites getting abused. That may be a good thing — at least for now; however, there may come a time when criminals would make full use of these sites for their malicious campaigns. So be advised, dear Reader, to avoid and proactively -block- them as early as now..."
4] https://www.herdprot...dw.com.com.aspx

5] https://www.f-secure...w_com_com.shtml

dw .com .com: 54.201.82.69: https://www.virustot...69/information/

com .com: 209.132.243.234: https://www.virustot...34/information/

dsparking .com: 141.8.225.89: https://www.virustot...89/information/
 

  

Edited by AplusWebMaster, 08 September 2015 - 01:37 PM.

[AplusWebMaster]

FYI...

Fake 'Internship' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
9 Sep 2015 - "An email with the subject of 'Internship' pretending to come from SAMETRICE BLACKBURN <pwlc@ healthassets .net> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ip-1024x571.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content...
> http://myonlinesecur...21-1024x412.png
...
> http://myonlinesecur...de-1024x604.png
... 9 September 2015: My_Resume_7049.doc . Current Virus total detections 7/56*.
Downloads Dridex banking malware from http ://bakingsoda404 .com/dd/12345.exe (VirusTotal** 1/57)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1441779828/

** https://www.virustot...sis/1441780825/
___

Fake 'new contract' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2015 - "An email saying 'We have submitted a new contract for your approval. Please view the attached documentation' with the subject of 'Please view' pretending to come from FAX with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ew-1024x481.png

9 September 2015: renewed contract Blanda Common.zip: Extracts to: agreement Braden Views.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441795477/
___

Fake 'MP2541' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2015 - "An email with the subject of 'Message from “MP2541” (random numbers)' pretending to come from DoNotReply@ b(your own email domain) with a zip attachment is another one from the current bot runs... The content of the email says :
    This E-mail was sent from “MP2541” (MP 2541).
    Scan Date: Wed, 09 Sep 2015 10:33:34 GMT
    Queries to: DoNotReply@ ...

9 September 2015: omp cheque.zip: Extracts to: omp cheque.scr
Current Virus total detections 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441799167/
___

Fake 'enrollment contract' SPAM – doc macro malware
- http://myonlinesecur...-macro-malware/
9 Sep 2015 - "An email with the subject of 'RE: enrollment contract' pretending to come from Calvin Hobbs <accounting@ steelgrill .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ct-1024x506.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecur...21-1024x412.png
...
> http://myonlinesecur...de-1024x604.png
9 September 2015: charles_contract.doc - Current Virus total detections 2/56* ... Which goes through a convoluted download process via thetunaslab .com/wp-snapshots/sasa.txt (which simply contains the download link) and thetunaslab .com/wp-snapshots/66836487162.txt (a VB script to transform the downloaded .exe to a new location and name and autorun it) to end up with what is almost certainly a Dridex banking Trojan from http ://www. heavensound .it/wp-content/uploads/2015/06/pa.exe (VirusTotal 2/57 **)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1441810073/

** https://www.virustot...sis/1441811453/
... Behavioural information
TCP connections
93.170.105.115: https://www.virustot...15/information/
128.199.119.166: https://www.virustot...66/information/
___

'Famous Spy Software' - SCAM
- https://blog.malware...s-spy-software/
Sep 9, 2015 - "... received a tip from one of our researchers, Steven Burn, who is continuously investigating on several persistent Facebook hacking scams... the individuals or group behind them merely rehashing the same lures and tactics; services that offer the hacking of Facebook accounts is one such scam. Using a single line of text to look for potential scam destinations, Burn came across not one but -thousands- of compromised sites offering this particular type of hacking service... Once users click any of the search result links, they are -redirected- multiple-times and then land on a page in the domain, trackphone[DOT]tk:
> https://blog.malware.../trackphone.png
Clicking the big-green-button that says “Go to new site” directs to a page from mspy[DOT]com:
> https://blog.malware...015/09/mspy.png
... mSpy is a highly popular and controversial software that markets itself as a tool that a parent can use to monitor their child’s activities on their mobile devices -or- a tool that a doubting husband or wife can use to catch their cheating partners red handed... others who are contemplating on using tools similar to mSpy, especially if you’re a parent, we implore that you think this through carefully before using it, because you may inadvertently expose your child to harm more than good this way."

mspy .com: 104.20.26.47: https://www.virustot...47/information/
104.20.27.47: https://www.virustot...47/information/
 

  

Edited by AplusWebMaster, 09 September 2015 - 11:21 AM.

[AplusWebMaster]

FYI...

Fake 'QuickBooks Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 Sep 2015 - "An email with the subject of 'Payment Overdue' pretending to come from QuickBooks Invoice <auto-invoice@ quickbooks .com> with a zip attachment is another one from the current bot runs... The content of the email says :
    Please find attached your invoices for the past months. Remit the payment by 10/09/2015 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Rosendo Numbers
    This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.
    The information contained in this message may be privileged, confidential and protected from disclosure...

10 September 2015: Invoice.zip: Extracts to: Invoice.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441880136/

- http://blog.dynamoo....-by-intuit.html
10 Sep 2015 - "... Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56*. The Hybrid Analysis report** shows traffic patterns that are consistent with the Upatre downloader -and- Dyre banking trojan. In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block ..."
* https://www.virustot...sis/1441886437/

** https://www.hybrid-a...environmentId=1

197.149.90.166: https://www.virustot...66/information/
___

Fake 'America Airlines' SPAM – JS malware
- http://myonlinesecur...643-js-malware/
10 Sep 2015 - "An email with the subject of 'Your ticket order #00000239643 approved' [random numbered] pretending to come from America Airlines with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x504.png

10 September 2015: Order_00000239643.zip: Extracts to: Order_00000239643.doc.js
Current Virus total detections 13/57* ... which downloads 2 files 42809780.exe (Virus total 1/57 **) (Hybrid analysis***) and 3233543213348c1[1].gif (VirusTotal 10/56 [4]) (Hybrid Analysis[5]) from a combination of these 3 sites:
64.239.115.111: https://www.virustot...11/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustot...90/information/
readysetgomatthew .com: 205.144.171.28: https://www.virustot...28/information/
See MALWR report[6] and Wepawet[7] ... which decodes or deobfuscates the javascript... note that the 42809780.exe has a -stolen- digital signature from Microsoft, which has been blocked (at least in Internet Explorer), Smart Filter warns about an invalid digital signature:
> http://myonlinesecur...t-signature.png
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1441858346/

** https://www.virustot...sis/1441845045/

*** https://www.hybrid-a...environmentId=1

4] https://www.virustot...sis/1441859040/

5] https://www.hybrid-a...environmentId=1

6] https://malwr.com/an...WZiNzQ0OGZmMDk/

7] https://wepawet.isec...d90f4e9&type=js
___

Fake 'New Fax' SPAM - malicious attachment
- http://blog.dynamoo....011-uk2fax.html
10 Sep 2015 - "This -fake- fax spam comes with a malicious attachment:
    From     "UK2Fax" [fax2@ fax1.uk2fax .co.uk]
    Date     Thu, 10 Sep 2015 14:07:11 +0100
    Subject     New Fax - 3901535011
    UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT

Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the -same- Upatre/Dyre payload as seen in this attack also seen today*."
* http://blog.dynamoo....-by-intuit.html
___

'Spear-phishing' - Know the Risk, Raise Your Shield
- http://arstechnica.c...e-your-shields/
Sep 9, 2015 - "... the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches. Called 'Know the Risk, Raise Your Shield', the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people -not-to-click-on 'those links'*... The Office of the Director of National Intelligence, which the NCSC is part of, is pushing out materials for the campaign through its website and social media channels..."
* https://www.youtube....J3CpklC2vNkbtiD
Video 2:53
Know the Risk, Raise Your Shield
 

  

Edited by AplusWebMaster, 10 September 2015 - 08:22 AM.

[AplusWebMaster]

FYI...

Fake 'e-invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2015 - "An email with the subject of 'Your latest e-invoice from TNT 1568467424 9445661 (random numbers)' pretending to come from eInvoicing <groupadminstubbinsDONOTREPLY@ tnt .com> with a zip attachment is another one from the current bot runs... The content of the email says :
    PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
    Please find attached your TNT Invoice. Please note that our standard payment terms require cleared funds in our account by the 15th of the month following the month of invoice.
    IMPORTANT CONTACT DETAILS
    To register an invoice query please contact us at ukinvoicequeries@ tnt .co.uk
    To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@ tnt .com
    To set up a Direct Debit plan please contact us at tntdirectdebit@ tnt .co.uk
    For quick and easy access to your invoices simply log in using your user name and password to https ://express .tnt .com/eInvoicing and you’ll be able to view and download your electronic invoices immediately.
    If you have forgotten your user name or password please follow the above link where you will be able to reset your log-in details. If you are experiencing any technical issues with your e-Invoicing account please contact us at ukeinvoice@ tnt .co.uk
    Rest assured, we operate a secure system, so we can confirm that the invoice PDF originates from TNT and is authenticated with a digital signature. Thank you for using e-invoicing...

11 September 2015: 1568467424_9445661.zip: Extracts to: 0230516548_6835403.scr
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441967307/
___

Fake 'Sales Order' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2015 - "An email with the subject of 'Sales Order Acknowledgement – Order No: 7M661725 – Your Reference: 89 /Bud (random numbers and names)' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Please find attached your sales order acknowledgement
    Order No: 7M661725
    Account: MGQ313
    Your Reference: 89 /Bud
    Web Reference:
    Kind Regards
    Office Team

11 September 2015: SalesOrderAcknowledgement_2G060028.zip: Extracts to: SalesOrderAcknowledgement.scr
Current Virus total detections 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441964692/

- http://blog.dynamoo....ales-order.html
11 Sep 2015 - "This -fake- financial spam comes with a malicious payload:
From     "reports@officeteam .co.uk" [reports@ officeteam .co.uk]
Date     Fri, 11 Sep 2015 10:39:32 GMT
Subject     Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
Please find attached your sales order acknowledgement
Order No: EF150085...
... SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report**  shows that amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet)... the payload is Upatre downloading the Dyre banking trojan."
* https://www.virustot...sis/1441972298/

** https://www.hybrid-a...environmentId=1
___

Fake 'SOP Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2015 - "An email with the subject of 'SOP Invoice (Single)' pretending to come from “Carlene Kidd” <Carlene.Kidd@ ppl-leeds .co.uk> (random names @ ppl-leeds .co.uk) with a zip attachment is another one from the current bot runs... The content of the email says :
    Hi Nicolas
    Please find attached copy Invoice No: J292G64W  as requested.
    Regards
    Carlene
    The attached file is a Sage Report in PDF (Adobe Acrobat) format. To view
    the report you will need Acrobat Reader, available as a free download...

11 September 2015: Invoice_J292G64W.zip: Extracts to: invoice.scr
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441965422/
___

Fake 'PO & New Order' SPAM – doc malware
- http://myonlinesecur...xploit-malware/
11 Sep 2015 - "An email with the subject of 'PO & New Order' pretending to come from Sales with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...er-1024x599.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be -blank- or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
...
> http://myonlinesecur...tected-mode.png
11 September 2015: PO & New Order.doc - Current Virus total detections 23/56* .   
Downloads http ://creativelinkspk .com/.css/ashok.exe (VirusTotal** 18/57). This looks like an old exploit CVE-2012-0158 that was fixed in MS12-027... but there is always a possibility that the exploit creators have added to it to work in modern office versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."  
* https://www.virustot...sis/1441931051/

** https://www.virustot...sis/1441887586/

creativelinkspk .com: 192.3.105.250: https://www.virustot...50/information/
 

  

Edited by AplusWebMaster, 11 September 2015 - 04:00 PM.

[AplusWebMaster]

FYI...

Fake 'Pretrial requirements' SPAM – JS malware
- http://myonlinesecur...nts-js-malware/
13 Sep 2015 - "An email with the subject of 'Pretrial requirements' pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ts-1024x388.png

12 September 2015: pretrial_requirements488.zip: Extracts to: pretrial_requirements488.js
Current Virus total detections 21/57* . (Wepawet**) (MALWR***) which downloads multiple files including  Adobe_update-S3NS81Y2MJC[1].exe (virus total 0/56 [4]) and Adobe_update-1SGMQ65OVG[1].exe (VirusTotal 0/57 [5]) and a genuine pdf (Adobe_update-BI5T99S2B9W[1].pdf) which displays an invoice to think that the entire download is innocent from a combination of these sites (this particular version only uses the first 2 sites, but if it cannot contact either of them, it will try each site in turn until it downloads the malware):
ERVINSOLAR .NET: 88.198.60.20: https://www.virustot...20/information/
JAIINSTITUTEFORPARENTING .NET: 50.62.232.1: https://www.virustot....1/information/
C3SMS .COM: 72.249.68.39: https://www.virustot...39/information/
www .prairiehouse .ie: 80.93.29.15: https://www.virustot...15/information/
DIGITALCONTACT .COM: 54.154.210.110: https://www.virustot...10/information/
LIVINGLAVIDAPYME .COM: 72.47.236.23: https://www.virustot...23/information/
LASALCHICHONERIA .COM: 72.47.236.23
AZHINEHPS .COM: 149.3.137.13: https://www.virustot...13/information/
XINHFURNITURE .COM: 112.78.2.205: https://www.virustot...05/information/
The PDF is genuine and obviously a stolen invoice from an Italian company Eco srl being -reused- to try to fool you into thinking that it is only an invoice being displayed while the other malware is silently downloaded and run in the background:
> http://myonlinesecur...df-1024x619.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1442130826/

** https://wepawet.isec...1a149de&type=js

*** https://malwr.com/an...DM3MzNhOWM1ZTQ/

4] https://www.virustot...sis/1442105203/

5] https://www.virustot...sis/1442131135/
 

  

Edited by AplusWebMaster, 13 September 2015 - 06:20 AM.

[AplusWebMaster]

FYI...

HMRC Tax Refund / Phish ...
- https://blog.malware...x-refund-phish/
Sep 14, 2015 - "... here’s the spam mail, which is titled 'Tax Refund New Message Alert!':
> https://blog.malware...9/hmrcform0.jpg
Some standouts:
1. The -typo- in the sender address. Yes, we already mentioned it but it’s such an amazingly silly way to blow the cover of an attempted phish that I’m going to point and roll my eyes at it twice.
2. Do Tax Departments send anybody emails with exclamation-marks in the subject? It doesn’t seem in line with the notion of serious people sending out serious tax emails, really.
3. “See this email? Yeah, don’t tell anyone about it okay? It’s our little secret. Cough cough.”
4. “Download and fill out a form” HMRC don’t send out mails about tax rebates.
5. “Allow 5 to 9 business days, because we won’t have enough time to rip-off the card details you just sent us if you’re checking your account every five minutes”.
Note that in the above example, the mail was sent to an Outlook account and was-flagged as spam – not all mail providers catch something, so it pays to always be on your guard.
Clicking the link offers up a HTML file download from: liveinlove(dot)us/index(dot)php:
> https://blog.malware...9/hmrcform1.jpg
Opening up the file in a browser will fetch elements of real HMRC pages to add that little extra splash of authenticity:
> https://blog.malware...9/hmrcform2.jpg
There is, of course, no HTTPS / padlock which one would hope sets off a few alarm bells. The form follows the common pattern of not letting you proceed unless you’ve entered information in the relevant boxes. They want full card details, bank name, security code, name, DOB, address – the works. Once the submit button is hit, the victim will be redirected to a real HMRC page via the liveinlove URL. It seems the website being used for this scam has been -hacked-... In a first for me, I’ve had to let someone know their site has been compromised via a wedding RSVP form. As the wedding was due to take place back in -2014- I’m not entirely sure someone will be there to pick up the message but we’ll see how it goes. Should you receive one of these mails, feel free to delete it."

liveinlove .us: 192.186.248.162: https://www.virustot...62/information/
___

Next Gen ATM Malware
- https://www.fireeye....ext_genera.html
Sep 11, 2015 - "You dip your debit card in an automated teller machine (ATM) and suddenly realize it is stuck inside, what happened?
a) You took too much time entering details.
b. There was an error in the network connection to the bank.
c) The machine is infected with malware and your card was intentionally retained to be ejected to the crooks once you walk away asking for help.
If you answered ‘c’ you might be correct! FireEye Labs discovered a new piece of ATM malware (4BDD67FF852C221112337FECD0681EAC) that we detect as Backdoor.ATM.Suceful (the name comes from a typo made by the malware authors), which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks. ATM malware is not new, back in 2013 and 2014 threats like Ploutus[1] or PadPin[2] (Tyupkin) were used to empty ATMs in Mexico, Russia and other countries, but SUCEFUL offers a new twist by targeting the cardholders. SUCEFUL was recently uploaded to VirusTotal (VT) from Russia, and based on its timestamp, it was likely created on August 25, 2015. It might still be in its development phase; however, the features provided are shocking and never seen before in ATM malware:
> https://www.fireeye....UL/suceful1.png
Potential SUCEFUL capabilities in Diebold or NCR ATMs include:
1. Reading all the credit/debit card track data
2. Reading data from the chip of the card
3. Control of the malware via ATM PIN pad
4. Retention or ejection of the card on demand: This could be used to steal physical cards
5. Suppressing ATM sensors to avoid detection ..."
(More detail at the fireye URL above.)
 

 

Edited by AplusWebMaster, 14 September 2015 - 05:51 AM.

[AplusWebMaster]

FYI...

Fake 'Payment Summary' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Sep 2015 - "2 sets of  emails pretending to come from payslip@ hss.health.nsw. gov.au with the subject of 'Payment Summary (Group Certificate) for 2014/15 financial year' or 'Payslip for the period 31 Aug 2015 to 14 sep 2015' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...te-1024x506.png

15 September 2015: PAYG-EoY-2014-15-11577085-181466719.zip: Extracts to: PAYG-EoY-2014-15-04831806-000718002.scr   
Current Virus total detections 11/56*
15 September 2015: Payslip13526234054137704-78242.zip: Extracts to: Payslip00477196470196471-00038.scr
Current Virus total detections 6/57**
... Techhelplist.com have done a breakdown of these Upatre downloaders from yesterday’s versions of these emails with similar attachments... HERE[3] and Here[4].
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1442293989/

** https://www.virustot...sis/1442282228/

3] https://techhelplist...al-year-malware

4] https://techhelplist...to-date-malware
___

Fake 'Unsettled invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Sep 2015 - "The latest -Upatre- style downloaders are attached to series of emails with the subject of 'Unsettled invoice e-mail notice' pretending to come from random addresses with a  zip attachment is another one from the current bot runs... The content of the email says:
    Hello dear customer,
    I urgently ask you to settle an invoice from Tue, 15 Sep 2015 11:39:13 +0100

Other subjects in this malspam run include:
    Unsettled invoice e-mail reminder
    Important invoice e-mail notice
    Overdue invoice e-mail reminder
    Unsettled invoice notification
    Outstanding invoice e-mail notice
    Important invoice final reminder
The times are all random, but the dates all say Tue, 15 Sep 2015..
15 September 2015: Voluptas soluta laborum illum aperiam praesentium molestiae sequi..zip:
Extracts to: Consequatur sint consectetur qui esse..exe
Current Virus total detections 1/57*
This doesn’t actually appear to be Upatre and we haven’t managed to get any other downloads from it via automatic analysis so far... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1442313814/
___

WhatsApp scam/SPAM ...
- https://blog.malware...tsapp-stickers/
Sep 15, 2015 - "We’ve spotted a WhatsApp scam using the same general template as the previously covered WhatsApp Elegant Gold*, located at:
stickers-whatsapp(dot)com
... which asks for your WhatsApp Number in return for some “stickers“. You typically have to pay for stickers via a number of Apps, so potential freebies are always going to pull in some eyeballs.
> https://blog.malware...atstickers1.jpg
It follows the familiar pattern of “Spam a bunch of people and we’ll give you what you want”, complete with inevitable Shyamalan-style plot twist at the end (no, your phone wasn’t a ghost the whole time). Here’s the spam request:
> https://blog.malware...atstickers2.jpg
... As with other sites of a similar nature**, we advise you to not bother and stick to legit apps on your mobile store of choice if you really want to plaster your texts with images. All you’ll get for your time and trouble with these websites are adverts, PUPs and surveys (also, your phone was totally a ghost the whole time)."
* https://blog.malware...igital-catwalk/

** https://blog.malware...pp-voice-users/

stickers-whatsapp(dot)com: 54.254.185.159: https://www.virustot...59/information/
___

Cisco router break-ins bypass cyber defenses
- http://www.reuters.c...N0RF0N420150915
Sep 15, 2015 - "... researchers* say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected. In the attacks, a highly sophisticated form of malicious software, dubbed "SYNful Knock'*, has been implanted in routers made by Cisco..."
* https://www.fireeye....ock_-_acis.html
Sep 15, 2015 - "... recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least -14- such router implants spread across four different countries:  Ukraine, Philippines, Mexico, and India... Conclusion: ... It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence..."
1] http://www.cisco.com...-assurance.html
 

  

Edited by AplusWebMaster, 15 September 2015 - 01:49 PM.

[AplusWebMaster]

FYI...

Fake 'Renewed insurance policy' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Sep 2015 - "An email with the subject of 'Renewed insurance policy' e-mail pretending to come from random companies (all appearing to be either Australian or New Zealand addresses) with a zip attachment is another one from the current bot runs... The content of the email says :
    Good afternoon,
    This email address was specified to get a new insurance policy. Your policy is attached

Other subjects include:
    Important insurance e-mail notice
    Insurance policy e-mail notice
    Health insurance notice
    Renewed insurance policy e-mail notice
    Important insurance e-mail
16 September 2015: 23720.zip: Extracts to: 96998.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1442351794/
___

Fake 'HSBC SecureMail' SPAM - malicious payload
- http://blog.dynamoo....l-you-have.html
16 Sep 2015 - "This -fake- HSBC email message has a malicious payload:
    From:    HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@ hsbc .co.uk]
    Date:    16 September 2015 at 13:13
    Subject:    You have received a secure message ...

... file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56*. Automated analysis is pending... but the payload is most likely to be Upatre/Dyre."
* https://www.virustot...sis/1442407433/
___

Fake 'Lloyds Bank' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Sep 2015 - "A BOGOF (Buy one, get one free) today pretending to come from various Lloyds bank email addresses with 2 different subjects both containing the same word macro downloader malware: 'You have received a new debit and  Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 1831383/' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshots:
> http://myonlinesecur...ed-1024x742.png
-Or-
> http://myonlinesecur...it-1024x511.png

DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
...
> http://myonlinesecur...de-1024x604.png
The version of this word doc that I received  actually has this content which tries to suggest it is protected with an RSA  digital signature key that needs you to enable macros and editing to be able to see the proper content. You definitely do-not-want-to-enable-macros or editing or you-will-be-infected:
> http://myonlinesecur...oc-1024x597.png

16 September 2015: ReportonTitle0045168.1Final.doc - Current Virus total detections 4/53* .
The malicious macros in this malware are giving problems to the automatic analysers, who aren’t able to actually get the malware. The macro contacts:
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/
... which is an open directory where it gets various instructions to download the actual malware from http ://vandestaak .com/css/libary.exe and autorun it (VirusTotal**) which is itself an Upatre downloader that will download today’s version of the Dyre/dyreza/dridex banking Trojan malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1442403104/

** https://www.virustot...sis/1442407381/

obiectivhouse .ro: 178.156.230.216: https://www.virustot...16/information/

- http://blog.dynamoo....-pendeford.html
16 Sep 2016 - "...In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56*)... malicious macro. The macro attempts to download components from the following locations:
thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/66836487162.txt
thebackpack .fr/wp-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/sasa.txt
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/66836487162.txt
obiectivhouse .ro/wp-content/plugins/maintenance/load/images/fonts-icon/sasa.txt
A further download  then takes place from:
vandestaak .com/css/libary.exe
This has a detection rate of 3/56**. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run [3] (automated analysis is pending).
Recommended blocklist:
197.149.90.166
vandestaak .com
thebackpack .fr
obiectivhouse .ro "
* https://www.virustot...sis/1442408475/

** https://www.virustot...sis/1442411964/

3] http://blog.dynamoo....l-you-have.html

vandestaak .com: 213.179.202.11: https://www.virustot...11/information/
thebackpack .fr: 195.144.11.40: https://www.virustot...40/information/
obiectivhouse .ro: 178.156.230.216: https://www.virustot...16/information/
___

Fake 'Autopay information' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Sep 2015 - "An email with the subject of 'Autopay information' pretending to come from random companies  with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello,
    A new monthly invoice for the services is available to view online and is included as an attachment.
    No action is required because you’ve signed up for the AutoPay.
    Just review and retain this invoice #52467 for your records.

Other subjects in this series of emails include:
    Settled invoice info
    Online service invoice info ...
16 September 2015: Get new check MacGyver Station.zip: Extracts to: Repay insurance bill Ullrich Falls.exe
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1442410631/
___

Fake Amazon UK Mail - phish...
- https://blog.malware...t-after-breach/
Sep 16, 2015 - "There is an Amazon phishing scam currently making rounds, so you better keep an eye on your inboxes, assuming your spam traps haven’t picked up on this one yet. And much like majority of phish campaigns, this one also begins with an email. The samples we retrieved all originated from the Linode server (24.236.39.51):
> https://blog.malware...-phish-mail.png
... The “Get Started” text is, of course, a link leading to the phishing page (screenshot below), which is at ukamazonverify[DOT]com:
> https://blog.malware...sh-page-one.png
... After text boxes have been filled out, the user is taken to another page asking for -more- details, which includes personally identifiable information (PII), payment card details, and account security details (screenshot below), while data about email address and password are saved to Verify.php, which is located within the domain:
> https://blog.malware...verify-page.jpg
Data that users enter on this page are saved to Finish.php after clicking the Validate button. The page then changes to tell users to wait as this site processes all their details, complete with a “spinny” indicator to denote that indeed some semblance of data processing is taking place at the background:
> https://blog.malware...hish-spinny.png
What users don’t realize is that they’re actually taking their cue from a GIF file, and not an actual indicator, as they wait for what happens next. In the end, they are directed to the real Amazon UK site.
ukamazonverify[DOT]com was created two-days-ago, along with other domains registered under a specific email address from 126[DOT]com, a popular email provider in China. Some browsers have already flagged the domain as a potential threat, which is great... when you see a similar email like the one above in your inbox, simply delete them..."

ukamazonverify[DOT]com: 103.42.180.253: https://www.virustot...53/information/
___

Fake 'New payment for tax refund' SPAM – JS malware
- http://myonlinesecur...599-js-malware/
16 Sep 2016 - "An email with the subject of 'New payment for tax refund #0000255599' [random numbered]  pretending to come from Internal Revenue Service <office@ irs .gov> with a zip attachment is another one from the current bot runs... The content of the email says :
    This is to inform you that your tax refund request has been processed.
    Please find attached a copy of the approved 94035N form you have submitted.
    Transaction type – Tax Refund
    Payment method – Wire transfer
    Amount – $ 3214.00
    Status – Processed
    Form – 94035N
    Additional information regarding tax refunds can be found on our website...
    Regards,
    Internal Revenue Service
    Address: 1111 Constitution Avenue, NW
    Washington, DC 20224 ...
    Phone: 1-800-829-1040

16 September 2015: Tax_Refund_0000255599_Processed.zip: Extracts to: Tax_Refund_0000255599_Processed.doc.js
Current Virus total detections 22/56* ... which downloads -3- files
53212428.exe (Virustotal 1/57 **)
13876688.exe (VirusTotal 2/57 ***) and
0cedc1[1].gif (VirusTotal 1/57 ****) from a combination of these 3 sites:
crossfitrepscheme .com
dickinsonwrestlingclub .com
les-eglantiers .fr
(MALWR[5])
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1442419074/

** https://www.virustot...sis/1442414485/

*** https://www.virustot...sis/1442414434/

**** https://www.virustot...sis/1442419912/

5] https://malwr.com/an...DBlMzNmMDU0OTU/

crossfitrepscheme .com: 199.175.49.19: https://www.virustot...19/information/
dickinsonwrestlingclub .com: 72.20.64.58: https://www.virustot...58/information/
les-eglantiers .fr: 76.74.242.190: https://www.virustot...90/information/
 

  

Edited by AplusWebMaster, 16 September 2015 - 10:46 AM.

[AplusWebMaster]

FYI...

Fake 'E-Bill' SPAM - malicious attachment
- http://blog.dynamoo....or-week-38.html
17 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
    From     [invoices@ ebillinvoice .com]
    To     administrator@victimdomain.com
    Date     Thu, 17 Sep 2015 11:10:15 GMT
    Subject     Shell E-Bill for Week 38 2015
    Customer No         : 28834
    Email address       : administrator@ victimdomain .com
    Attached file name  : 28834_wk38_2015.PDF
    Dear Customer,
    Please find attached your invoice for Week 38 2015.
    In order to open the attached PDF file you will need
    the software Adobe Acrobat Reader...
    Yours sincerely
    Customer Services...

Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56*. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you -block- or monitor that IP."
* https://www.virustot...sis/1442489503/
___

Fake 'REFURBISHMENT' SPAM - malicious attachment
- http://blog.dynamoo....ncashirego.html
17 Sep 2015 - "This -fake- financial spam... comes in several different variants (I saw two):
    From     "Workflow Mailer" [hrwfmailerprod@ lancashire. gov.uk]
    To     hp_printer@ victimdomain .com
    Date     Thu, 17 Sep 2015 12:16:26 GMT
    Subject     FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)
__
    From             Mabel Winter
    To             hp_printer@ victimdomain .com
    Sent             Thu, 17 Sep 2015 12:12:26 GMT
    ID             7216378
    Number             6767609,1
    Title             Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
    Negotiation Preview Immediately upon publishing
    Negotiation Open Immediately upon publishing
    Negotiation Close September 21, 2015 10:00 am GMT
    Company R.R. Donnelley & Sons Company
    Subject ITT Clarifications
    To view the message, please open attachment.

The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55*. The payload appears to be Upatre/Dyre..."
* https://www.virustot...sis/1442492094/
___

Fake 'Important notice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Sep 2015 - "An email with the subject of 'Important notice about document signing' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Hello,
    You have been sent the document to sign it using Signority. To view this document, user’s personal data and secured link to signing, please open the attachment.
    Regards,
    The Signority Team

Other subjects in this malspam run delivering Upatre downloaders include:
    Notice of documentation signing
    Important notification of document signing
    Important notice about documentation signing ...
17 September 2015: Gain infringement fine .zip: Extracts to: Send proposed sum .exe
Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1442507711/
 

  

Edited by AplusWebMaster, 17 September 2015 - 12:57 PM.

[AplusWebMaster]

FYI...

Fake 'Transaction confirmation' SPAM - malicious attachment
- http://blog.dynamoo....nfirmation.html
18 Sep 2015 - "This -fake- banking spam comes with a malicious attachment:
    From     donotreply@ lloydsbank .co.uk
    Date     Fri, 18 Sep 2015 11:52:36 +0100
    Subject     Transaction confirmation
    Dear Customer,
    Please see attached the confirmation of transaction conducted from Your
    account. Kindly sign and forward the copy to us for approval.
    Best regards,
    Your personal Manager
    Thora Blanda
    tel: 0345 300 0000
    LLOYDS BANK.

Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55*. The Hybrid Analysis report** shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria."
* https://www.virustot...sis/1442574773/

** https://www.hybrid-a...environmentId=1
___

Fake 'Approval' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Sep 2015 - "An email with the subject of 'Approval of the pages' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
    Hi,
    Please take a quick look at the headlines of the attached docs.
    As I’ve told you before, the main part of project is almost ready.
    I guarantee that I’ll send it to you within this week.
    Please remember: the attached information is strongly confidential.

Other subjects in this series of -Upatre- downloaders include:
    Check out the following pages
    Approval of renewed project part
    See the part of work
    Check updated part of work
    Review updated pages
    View renewed pages ...
18 September 2015: Do obligatory agreeement .zip: Extracts to: Maintain remittance fund .exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1442583621/
___

'Tax Credits Refund' - Phish ...
- https://blog.malware...s-refund-phish/
Sep 18, 2015 - "... scammers leap onto the bandwagon with promises of tax credit refunds – effectively targeting those already most under threat from potential financial loss. If you’ve clicked-on-a-message along these lines in the last few days, you may want to get in touch with your bank as soon as possible. The message, which reads as follows, makes use of a Goo.gl shortening URL to -redirect- victims to what appears to be a compromised website:
"Dear valued customer, we are happy to inform you that you have a new tax credit refund from HMRC. Click on the following link [url] to claim your HMRC refund"
... Here’s the stats for the shortened URL:
> https://blog.malware...editsphish1.jpg
• 731 clicks so far, with the majority of them coming from the UK.
• 440 of those were on iPhone, and 252 were using Android. Just 31 people were browsing via Windows.
• The shortened link is 4 days old, so the scam is pretty fresh.
Here’s the phishing page, located at savingshuffle(dot)com/hmrc/Tax-Refund(dot)php:
> https://blog.malware...editsphish3.jpg
As you can see, they want name, address, phone, email, telephone number, card details, sort code and account number. Further down the page, they also want some “Identity Verification” in the form of driving license number, national insurance number and mother’s maiden name. There’s also a pre-filled refund amount of £265.48 next to the submit button:
> https://blog.malware...editsphish4.jpg
... By the time you end up checking to see if the money has gone in, they’ll likely have tried to clean you out. Given we’re talking about those who might be severely affected by the changes to the tax credits system, this would be quite the blow to say the least (and even if you’re not impacted, it’s still not a nice thing to happen either way)... HMRC does -not- send out missives offering refunds."

savingshuffle(dot)com: 50.63.202.37: https://www.virustot...37/information/
___

Malicious SYNful Cisco router implant found on more devices...
- https://zmap.io/synful/
Sept 16, 2015 - "... The attack is known to affect Cisco 1841, 2811, and 3825 series routers, but may also affect similar Cisco devices... Further details on the -firmware- implant can be found in the original FireEye post:
> https://www.fireeye....ock_-_acis.html
... by modifying ZMap to send the specially crafted TCP SYN packets. We completed four scans of the public IPv4 address space on September 15, 2015 and found -79- hosts displaying behavior consistent with the SYNful Knock implant. These routers belong to a range of institutions in -19- countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations). We note that the -25- hosts in the United States belong to a single service provider on the East Coast, and that the hosts in both Germany and Lebanon belong to a single satellite provider that provides coverage to Africa. A map of devices is available here:
> https://zmap.io/synful/map.html "

> https://zmap.io/synful/graph.png

> https://www.eecs.umi.../2013/zmap.html

>> http://net-security....ews.php?id=3104
18.09.2015
___

Fake 'Monthly account report' SPAM – PDF malware
17 Sep 2-15 - "An email with the subject of 'Monthly account report' pretending to come from info@ nab. com.au with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...rt-1024x645.png

17 September 2015: Finance received statement .zip: Extracts to: Transfer online paying system cashback .exe
Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1442524683/
 

  

Edited by AplusWebMaster, 18 September 2015 - 10:42 AM.