
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#481 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 May 2011 - 03:35 PM

FYI...

Money mule recruiters ...
- http://ddanchev.blog...n-short_30.html
May 30, 2011 - "... currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds... Currently active sites residing within AS42708, PORTLANE Network www.portlane .com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online... Monitoring of money mule recruitment campaigns is ongoing."
(Screenshot and more detail available at the ddanchev URL above.)

- http://www.google.co...c?site=AS:42708
- http://www.google.co...c?site=AS:29713
- http://www.google.co...c?site=AS:38913
- http://www.google.co...c?site=AS:24940

:ph34r: <_<

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#482 AplusWebMaster

Posted 02 June 2011 - 06:02 AM

FYI...

Bulk SPAM msgs... Bulker .biz...
- http://blogs.technet...-headaches.aspx
1 Jun 2011 - "... Yahoo email account was hacked... his email account was used to send over 20 emails with links to domains like “Canadian Neighbor Pharmacy” to his contact lists at 2:59 AM in the morning, while he was asleep... spam messages sent in bulk by a spammer... the “Canadian Neighbor Pharmacy” site is part of a list of sites promoted by an underground organization called “Bulker .biz”. This organization encourages spammers and hackers to target email recipients from domains like Yahoo.com, Aol.com, Hotmail.com, etc. The site itself functions as a front for credit card fraud and identity theft by targeting unwitting users that register an account on the site and order promoted pharmaceuticals that may never arrive... Be alert to email messages with typos or bad form and a single hyperlink with little or no explanation about the link itself..."
(Screenshots and more detail at the technet URL above.)

:ph34r: <_< :ph34r:



#483 AplusWebMaster

Posted 03 June 2011 - 04:44 AM

FYI...

LinkedIn SPAM emails download malware
- http://www.trusteer....ownload-malware
June 02, 2011 - "LinkedIn has more than 90 million members, many of whom are business users... In the last couple of days, we've witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim's mailbox... If you click the "Confirm that you know" link on the genuine email, it takes you to LinkedIn's website. However if the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer. The fraudulent website is hxxp: //salesforceappi .com/ loginapi.php?tp=1da14085e243eaf9 ...The domain salesforceappi .com was registered two days ago and the IP address of the server is in Russia. The domain was designed to look like it's associated with Salesforce.com but in fact it has nothing to do with Salesforce .com. The malicious server uses the BlackHole exploit kit to download malware to the victim's computer... recently made available for free... It is based on PHP and has a MySQL database. Thousands of websites have been infected with BlackHole which is used to exploit vulnerabilities on visitors’ computers in order to place malware on them... drive by download... we've recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and to gain unauthorized access to sensitive systems... Only two anti-malware solutions out of 42 detect this variant at the moment*..."
(Screenshots and more detail available at the trusteer URL above.)
* http://www.virustota...5d37-1306969338
File name: file-2324493_swat
Submission date: 2011-06-01 23:02:18 (UTC)
Result: 2/42 (4.8%)

- http://labs.m86secur...kedin-campaign/
June 3, 2011 - "... The messages look realistic, but the giveaway is the bogus link exposed when you hover over the confirm button... Remember, just because it looks legit, doesn’t mean it is."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 04 June 2011 - 05:23 AM.

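A check for the giveaway M86 describes above (the real target behind the "Confirm" button), as an added example that is not from the cited posts or this forum: it lists every anchor in an HTML mail body whose real host is not on the site the message claims to come from (the caller passes that site, e.g. the sender's domain), and separately flags links whose displayed URL names one host while the href points to another. The sample mail and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' for mailto:/relative/odd links."""
    return (urlparse(url.strip()).hostname or "").lower()


def on_site(host: str, site: str) -> bool:
    """True when host is site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)


def suspicious_links(html_body: str, claimed_site: str) -> list:
    """Return (visible text, real host, reason) for links that do not lead to
    claimed_site. 'displayed-url-mismatch' means the link text is itself a URL
    naming a different host than the href actually goes to."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        real = host_of(href)
        if not real or on_site(real, claimed_site):
            continue
        is_url_text = text.lower().startswith(("http://", "https://"))
        shown = host_of(text) if is_url_text else ""
        reason = "displayed-url-mismatch" if shown and shown != real else "off-site-target"
        hits.append((text, real, reason))
    return hits


# Constructed sample modelled on the fake invitation: the visible "Confirm"
# button and a displayed linkedin.com URL both point at a placeholder host.
SAMPLE_MAIL = """
<p>Bob Example has indicated you are a friend on LinkedIn.</p>
<a href="http://fake-invite.example/confirm?id=CONSTRUCTED">Confirm that you know Bob</a>
<a href="http://www.linkedin.com/e/invite-stats">View invitation statistics</a>
<a href="http://fake-invite.example/x">http://www.linkedin.com/e/accept</a>
"""

if __name__ == "__main__":
    for text, host, reason in suspicious_links(SAMPLE_MAIL, "linkedin.com"):
        print(f"{reason}: '{text}' really goes to {host}")
```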


#484 AplusWebMaster

Posted 06 June 2011 - 06:41 AM

FYI...

Phoenix exploit kit updated...
- http://labs.m86secur...-to-be-updated/
June 4th, 2011 - "... As expected, the author of the exploit kit released a new version of the tool, version 2.7... The new pack 2.7 contains the following updates:
• JAVA exploit added – Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability – CVE-2010-0840
Old exploits were removed, the exploit kit currently contains the following exploits:
• Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885
• Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869
• Integer overflow in Adobe Flash Player 9 – CVE-2007-0071
• IEPeers Remote Code Execution – CVE-2009-0806
• Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971
• PDF Exploit – collab. collectEmailInfo – CVE-2007-5659
• PDF Exploit – util.printf – CVE-2008-2992
• PDF Exploit – collab.geticon – CVE-2009-0927
• PDF Exploit – doc.media.newPlayer – CVE-2009-4324
• PDF Exploit – LibTIFF Integer Overflow – CVE-2010-0188
... cybercriminals use JAVA and PDF exploits, as they have become the most efficient and reliable attack vector."

:ph34r: <_<



#485 AplusWebMaster

Posted 08 June 2011 - 11:59 AM

FYI...

Spam from Hotmail compromised accounts
- http://isc.sans.org/...l?storyid=11026
Last Updated: 2011-06-08 13:47:30 UTC - "We keep getting ongoing reports from readers about SPAM being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted to be able to send spam from "trusted" sources. If an e-mail is received from a friend or relative, you are much more likely to open and read it. These accounts are compromised via many ways, most commonly these days via phishing. The question always is if it is actually a compromised account, or just someone spoofing the "From" address. Hotmail adds some characteristic headers that can be used to identify the source as Hotmail. While they may be faked of course, they allow you to narrow down the chances of the account being compromised. You should see a "Received" header from a hotmail.com host, using Microsoft SMTPSVC. If the e-mail was posted via the web interface, you should also see an "X-Originating-IP" header, with the IP address of the sender... Next question we get: What to do if you find out your friend's Hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course, -all- sites he uses the same password with). Worst case: Your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a real good friend, help with the cleanup."

Hotmail and Windows Live Hotmail
To see the full, unmangled headers in Hotmail: http://spamcop.net/f...e/cache/22.html

:ph34r:

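Added example (not from the ISC diary or this forum) that applies the header traits the diary lists: for a message claiming a hotmail.com sender it looks for a Received hop through a hotmail.com host using Microsoft SMTPSVC and for an X-Originating-IP header, and reports whether the From address is plausibly genuine. The two sample messages, their hostnames and their IP addresses are constructed.

```python
import email
import re
from email.utils import parseaddr

# A hop through a hotmail.com host handled by Microsoft SMTPSVC, as the diary describes.
HOTMAIL_HOP = re.compile(r"\b[\w.-]+\.hotmail\.com\b.*\bMicrosoft SMTPSVC\b", re.I)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def assess(raw: str) -> dict:
    """Report what the headers say about a message whose From claims hotmail.com."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    claims_hotmail = addr.lower().endswith("@hotmail.com")
    # Unfold each Received header so the regex sees one line per hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    via_hotmail = any(HOTMAIL_HOP.search(h) for h in hops)
    m = IPV4.search(msg.get("X-Originating-IP", "") or "")
    originating_ip = m.group(1) if m else None
    if not claims_hotmail:
        verdict = "sender-not-hotmail"
    elif via_hotmail and originating_ip:
        verdict = "webmail-submission"      # real account, used through the web UI
    elif via_hotmail:
        verdict = "hotmail-relay"           # passed Hotmail, but not via the web UI
    else:
        verdict = "from-likely-spoofed"     # no Hotmail hop at all
    return {"from": addr, "via_hotmail": via_hotmail,
            "originating_ip": originating_ip, "verdict": verdict}


# Constructed: a message that really went through Hotmail's web interface.
WEBMAIL_MSG = """\
Received: from blu0-omc3-s10.blu0.hotmail.com ([203.0.113.10]) by mx.example.net
 with ESMTP; Wed, 8 Jun 2011 13:40:01 +0000
Received: from BLU123-W45 ([203.0.113.20]) by blu0-omc3-s10.blu0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4675); Wed, 8 Jun 2011 06:39:58 -0700
X-Originating-IP: [198.51.100.23]
From: "A Friend" <friend@hotmail.com>
To: you@example.net
Subject: check this out

http://example.invalid/pharma
"""

# Constructed: same From address, but injected from an unrelated host.
SPOOFED_MSG = """\
Received: from mail.example.org ([203.0.113.77]) by mx.example.net
 with ESMTP; Wed, 8 Jun 2011 13:41:12 +0000
From: "A Friend" <friend@hotmail.com>
To: you@example.net
Subject: check this out

http://example.invalid/pharma
"""

if __name__ == "__main__":
    for raw in (WEBMAIL_MSG, SPOOFED_MSG):
        print(assess(raw))
```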


#486 AplusWebMaster

Posted 09 June 2011 - 08:47 AM

FYI...

PPI svcs - badness on the Web ...
- https://krebsonsecur...rce-of-badness/
June 9, 2011 - "... Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims. The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install..."
> Continued here: http://www.technolog...ng/37705/page1/

:ph34r: <_< :ph34r:



#487 AplusWebMaster

Posted 10 June 2011 - 07:46 AM

FYI...

SPAM Fake UPS e-mails - spread fake anti-virus
- http://nakedsecurity...ake-anti-virus/
June 9, 2011 - "Email inboxes around the world are being spammed today with a malicious attack designed to infect Windows computers with a fake anti-virus attack. The emails claim to be notification from United Parcel Service (UPS) that a package is winging its way to your address. The cybercriminals behind the scheme hope that recipients will be intrigued enough to open the attached file, which can infect their computer with malware..."
(Screenshots available at the URL above.)

:ph34r: <_<



#488 AplusWebMaster

Posted 16 June 2011 - 01:21 AM

FYI...

SpyEye targets airline - Bank Debit Cards...
- http://www.trusteer....t-card-payments
June 16, 2011 - "... a SpyEye configuration that targets users of two leading European airline travel Web sites: Air Berlin, the second largest airline in Germany (after Lufthansa) and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud. The attack subjects are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users... criminals targeting an Air Berlin traveller from these countries stand a good chance of obtaining the personal details of the user - including their date of birth, which is mandatory on the airline's site – as well as their bank account details... SpyEye is attempting to harvest confidential user information including username and password, and other data that is entered in the targeted web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated... SpyEye injects code into the users' Web browser that claims to be an anti-fraud enhancement... In reality, of course, this is a cleverly-disguised attempt to -phish- user credentials from the unsuspecting customer of the AirPlus Web portal... traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with SpyEye as it uses targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside computers..."
(More detail available at the trusteer URL above.)

:ph34r: <_< :ph34r:



#489 AplusWebMaster

Posted 16 June 2011 - 10:58 AM

FYI...

Exploit kit use on the rise
- http://research.zsca...xploit-kit.html
June 14, 2011 - "Exploit kits are becoming an increasingly popular means of spreading attacks... usage of the Blackhole exploit kit... targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls... noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that stands out to differentiate among these exploit kits is the URL patterns used. Most of the time, the URL pattern remains the same within a given exploit kit. A quick look at malwaredomainlist shows the usage of common patterns used in URLs associated with Incognito*... multi-level attacks targeted by exploit kits are becoming a favored choice of attackers these days. More importantly, the creation of automated tools to deliver these exploits provides attackers with the opportunity to launch campaigns on a frequent basis, with limited technical knowledge."
(More detail at the zscaler URL above.)

Incognito exploit kit
* http://www.malwaredo...amp;quantity=50

Blackhole exploit kit
- http://www.malwaredo...amp;quantity=50

Phoenix exploit kit
- http://www.malwaredo...amp;quantity=50

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 17 June 2011 - 04:56 PM.



#490 AplusWebMaster

Posted 18 June 2011 - 11:28 AM

FYI...

Fake job site SCAMS...
- http://blog.dynamoo....ljob-eucom.html
17 June 2011 - "... fake job domain used for contacting potential money laundering mules, this time totaljob-eu .com which is a part of this long-running scam*..."
* http://blog.dynamoo....abel/Lapatasker

- http://blog.dynamoo....and-espana.html
17 June 2011 - "... more fake domains in the long-running "Lapatasker" series... The registration details have changed... but otherwise this is the same old attempt to recruit people for money laundering. Avoid..."

:ph34r: <_<



#491 AplusWebMaster

Posted 20 June 2011 - 07:10 AM

FYI...

Outlook phishing SPAM...
- http://nakedsecurity...hing-form-spam/
June 20, 2011 - "... Have you received a message telling you that your account needs to be reconfigured, and requesting that you enter your username and password?... If you do make the mistake of opening the attached file, you will be presented with a form which asks you for all the information a remote hacker would need to access your email account... Don't make it easy for the phishers, the spammers, the identity thieves and hackers to break into your online accounts..."

:ph34r: <_<



#492 AplusWebMaster

Posted 22 June 2011 - 09:55 PM

FYI...

11 new exploit modules "for your pwning pleasure"
- http://h-online.com/-1265361
22 June 2011 - "The Metasploit Project has released version 3.7.2 of its exploit framework. According to the developers, the latest release of the open source penetration testing tool includes "eleven new exploit modules and fifteen post modules for your pwning pleasure"... Metasploit's hashdump capabilities now allow users to easily steal password hashes... developers note that they should also be "considerably easier to crack". A new cachedump module that allows users to steal Windows cached password hashes has also been added. Other changes include remote registry commands for Meterpreter and updates to the egghunter payload to help it bypass data execution prevention (DEP)..."

... of course, the "whitehats" won't be the only ones using it.

:blink:



#493 AplusWebMaster

Posted 27 June 2011 - 12:02 PM

FYI...

Facebook likejacking SCAMS
- http://techblog.avir...cking-scams/en/
June 27, 2011 - "A new series of likejacking scams are making large waves on Facebook. “Dad walks on Daughter… Embarrassing” is being sent in large numbers on Facebook... As soon as you click on the link, you must “LIKE” it and then you are -redirected- to a page where you have to repeat the experience. As unbelievable as it seems, I have seen people clicking more than once on the Like button with the hope that they will get to see the video... Another scam being sent is about an Italian TV star who seems to have problems with her dress... So, you clicked, now how to get rid of this embarrassing episode? You have to remove the post from your Wall, by clicking on the top right corner... nothing is free on the Internet, even if it seems so. Please think twice before clicking on some “interesting” pictures or videos."

:( :ph34r:



#494 AplusWebMaster

Posted 29 June 2011 - 06:02 AM

FYI...

XSS Attack on Sina MicroBlog
- http://community.web...-microblog.aspx
29 Jun 2011 - "... Sina Weibo is the most popular microblog service in China, with more than 100 million registered customers. Just yesterday (28 June), Sina Weibo was attacked through an XSS exploit: more than 30,000 high profile customers were affected and sent out messages containing a malicious link... Followers who click the malicious link are redirected to a page hosted on "weibo .com/pub/star", which contains an XSS exploit to allow the execution of malicious JavaScript from www .2kt .cn... Although no malicious software was installed in this campaign, Websense reminds customers to do a simple check before you click on any suspicious URL, even if it comes from your best friends."

- http://nakedsecurity...ce-hit-by-worm/
June 30, 2011

- https://www.computer...er_like_service
June 30, 2011 - "... Affected posts displayed a malicious link with enticing messages like "Move a woman's heart with 100 lines of poetry" or "Software to listen to other people's phones." When the link was clicked, the user's own account would re-post and send out private messages circulating the malicious link again..."

:ph34r: :(

Edited by AplusWebMaster, 30 June 2011 - 11:30 AM.



#495 AplusWebMaster

Posted 30 June 2011 - 04:44 AM

FYI...

SPAM to avoid...
- http://sunbeltblog.b...m-to-avoid.html
June 29, 2011 - "...
1) "Facebook Survey Gift Invite"...
2) Paypal phish...
3) World of Warcraft phish mails..."

Social network SPAM growth...
- http://www.symantec....k-attacks-surge
June 29, 2011 - "... Spam attacks via social networks grew dramatically between April and June 2011. Over this period, we monitored and analyzed social network spam attacks that used three popular social networking sites — Facebook, Twitter, and YouTube... Most of the spam originates from botnets... Most of these IP addresses were blacklisted by reputation-based technology because of their spam involvement. Along with bot activity, some spam samples are seen to be sent through hijacked user accounts and fake social network accounts created by the spammers... Social network spam uses legitimate email notification templates from the social networking sites. The message alleges that the user has some unread messages or pending invites and a fake link is provided. The bogus link will direct users to a website that forces the download of malicious binaries, purports to be selling cheap enhancement drugs and replica products, pushes fake gambling casino sites, or advertises online adult dating sites, etc... The most common subject lines used in this case are as follows:
Subject: Hi, you have notifications pending
Subject: Oops.. You have notifications pending
Subject: Hi, You have 1 new direct message
Subject: You have 2 direct message on Twitter!
Subject: YouTube Administration sent you a message: Your video has been approved
Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube
Subject: Direct message from [removed]
Subject: Warning: Your inbox is full, message not accepted
Subject: [removed] sent you a message on Facebook..."
(Screenshots available at the Symantec URL above.)
___

SPAM volume - charted July 2010 - June 2011
- http://krebsonsecuri...7/symspam11.jpg

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 01 July 2011 - 03:44 PM.
