2072 replies to this topic

[AplusWebMaster]

FYI...

Fake Verizon emails follow fake AT&T emails ...
- http://blog.commtouc...-emails-attack/
April 16, 2012 - "Less than 2 weeks ago we reported* the use of perfectly formatted AT&T Wireless emails that included multiple links to malware infested sites. These have now been followed up with similar emails – but the “carrier” has switched to Verizon Wireless...
> http://blog.commtouc...ource-email.jpg
... The Verizon emails also lead to sites hosting malware – although there are far fewer links in the email – and the same compromised site is used repeatedly in each email (in the AT&T attack, up to 9 different sites were used). The same gang appears to be behind both attacks since the link structure is identical:
<compromised domain>/<8 random numbers and letters>/index.html.
The same vulnerabilities are once again exploited via the scripts on the sites. The fully functional homepage of the compromised site is shown below."
> http://blog.commtouc...timate-site.jpg

* http://blog.commtouc...ink-to-malware/

[AplusWebMaster]

FYI...

CEIEC doc exploits ...
- http://www.shadowser...lendar/20120416
16 April 2012 - "In recent weeks thousands documents have been released online by a hacktivist going by the online moniker of "Hardcore Charlie." These documents appear to have potentially been sourced and possibly stolen from various businesses and governments in different countries including the United States, the Philippines, Myanmar, Vietnam, and others... the documents are purported to have been stolen by Hardcore Charlie from the Beijing based military contractor China National Import & Export Corp (CEIEC). If true, that would mean that the documents were stolen at least twice. These are allegations that CEIEC has strongly denied and condemned... one thing we do have are words of caution and some interesting information about a handful of the documents found in this dump. Within the document dump in a folder related to Vietnam are 11 malicious documents (8 unique) that exploit vulnerabilities (CVE-2010-3333 and CVE-2009-3129) in Microsoft Office to install malware. These documents installed four different types of backdoors that reported back to six distinct command and control servers. Two of the backdoors were unfamiliar two us and the other two were the well known Poison Ivy RAT and the Enfal/Lurid. At least one hostname could be tied back to a known set of persistent actors engaged in cyber espionage... At the time of this writing... hosts names resolve to 123.120.105.120... 112.112.147.16 and 222.172.238.174... The single Microsoft Excel exploit in the packet dropped malware that beaconed back to 64.56.70.254 and likely a variety of other embedded IP addresses... Two out of the nine unique samples installed the popular Poison Ivy RAT upon successful exploitation... Although many questions remain, the following facts are clear:
• A small subset of the documents contained in the purported CEIEC dump are malicious.
• These malicious documents drop a mix of malware families including Poison Ivy, Enfal/Lurid and two unnamed families.
• Some of the malware samples extracted from the CEIEC dump connect to infrastructure used in previous APT campaigns.
These documents just go to show that malicious files can end up pretty much anywhere. We are stating the obvious but remember to exercise caution when viewing files you downloaded from the Internet. Microsoft patched the two vulnerabilities used in these attacks quite some time ago. They patched CVE-2009-3129 with MS09-067 and CVE-2010-3333 with MS10-087. Malicious documents that exploit vulnerabilities in Microsoft Office, Adobe Acrobat [Reader], or components loaded by these pieces of software are still some of the most common ways in which cyber espionage attacks are conducted. Staying current with the latest versions and security patches for any software you run is highly recommended."

[AplusWebMaster]

FYI...

Trojan pilfers Hotel credit cards...
- https://www.trusteer...it-cards-hotels
April 18, 2012 - "Our intelligence center researchers recently uncovered a fraud “package” being sold in underground forums that uses a remote access Trojan to steal credit card information from a hotel point of sale (PoS) application. This scheme, which is focused on the hospitality industry, illustrates how criminals are planting malware on enterprise machines to collect financial information instead of targeting end users devices. In this particular scenario, a remote access Trojan program is used to infect hotel front desk computers. It then installs spyware that is able to steal credit card and other customer information by capturing screenshots from the PoS application. According the seller, the Trojan is guaranteed not to be detected by anti-virus programs... This fraud package is being offered for $280. The purchase price includes instructions on how to set-up the Trojan. The sellers even offer advice on how to use telephone social engineering techniques via VoIP software to trick front desk managers into installing the Trojan... criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises..."

Edited by AplusWebMaster, 19 April 2012 - 06:53 PM.

[AplusWebMaster]

FYI...

Fake LinkedIn reminders connect with malware...
- http://blog.commtouc...with-malware-2/
April 19th, 2012 - "Phony LinkedIn invitations are not a new phenomenon. What tends to change is the underlying delivery method used for the malware distribution – In this case compromised websites that unknowingly host malicious scripts. The LinkedIn reminders that are included in the attack include several variables such as names, relationships, and the number of messages awaiting response. As usual the giveaway that something strange is occurring is the link...
> http://blog.commtouc...are-email-2.jpg
Recipients that click on the link reach a rather bland looking “notification” page that provides no further links or instructions...
> http://blog.commtouc...e-message-2.jpg
... In the background, several scripts seek out software with vulnerabilities that can be exploited including:
> Adobe reader and Acrobat:
http://web.nvd.nist....d=CVE-2010-0188 - 9.3 (HIGH)
> Microsoft Windows Help and Support Center in Windows XP:
http://web.nvd.nist....d=CVE-2010-1885 - 9.3 (HIGH) ..."

[AplusWebMaster]

FYI...

Fake Skype encryption software cloaks DarkComet Trojan
- http://blog.trendmic...rkcomet-trojan/
Apr 20, 2012 - "... We discovered a webpage that advertises a software that purports to provide encryption for Skype. This page is hosted in Syria... the same server that acted as a command-and-control (C&C) server for previous attacks. The webpage features an embedded YouTube video that claims to be from “IT Security Lab” and to encrypt voice communications... The downloaded file skype.exe, detected as BKDR_ZAPCHAST.HVN, is actually DarkComet version 3.3.... We were able to redirect the traffic in our test environment to confirm that it is indeed DarkComet... Note that Skype uses AES encryption on calls and instant messages, as well as its video conversations..."

[AplusWebMaster]

FYI...

Bogus Olympics email w/malware
- http://blog.trendmic...s-with-malware/
Apr 22, 2012 - "... recently, we found an Olympics scam in the form of a lottery that promises a free travel package to the event. Some online crooks, however, played it differently this time. Instead of the typical Olympic-related scams wherein users supposedly won tickets to the event, this scam arrives as spam disguised as an email advisory... this scam comes in the form of email messages that warn recipients of fake websites and organizations selling tickets to the London Olympics 2012. The mail contains the official logo of the event to possibly deceive users of its legitimacy. Included in the message is an attached .DOC file that lists these bogus ticket sellers. The attachment, however, is actually a malicious file detected by Trend Micro as TROJ_ARTIEF.ZIGS. The malware takes advantage of the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_CYSXL.A. This backdoor may perform several malicious routines that include deleting and creating files and shutting down the infected system... As London Olympics 2012 draws near, we are expecting this type of threats to proliferate. Thus, users should make it a habit to check the legitimacy of -any- message before downloading the attachment or clicking links included in it..."

[AplusWebMaster]

FYI...

Facebook emails with malware attachments...
- http://blog.commtouc...it-to-me-today/
April 23rd, 2012 - "A series of emails with malware attachments have been widely distributed in the last few days. The emails alert the recipient about a picture of themselves (or an ex-girlfriend) that has been circulated online. The text from three of the messages is shown below:
> Sorry to disturb you , – I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today… why did you put it online? wouldn’t it harm your job? what if parents see it? you must be way cooler than I thought about you man
> Hi there ,But I really need to ask you – is it you at this picture in attachment? I can’t tell you where I got this picture it doesn’t actually matter…The question is is it really you???.
> Sorry to disturb you , – I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??.
... The “image” is attached to the emails for convenience and the filename in all samples was identical: “IMG0962.zip”. The unzipped file displays a PDF icon – which may confuse recipients whose computers do not display file extensions (the extension in this case is .exe)... detected attached malware within seconds of the start of the outbreak... the scale of the attack on Saturday – from 4am (Pacific Time) till 3am on Sunday morning... At its peak the attack averaged around 100,000 messages per second..."

Edited by AplusWebMaster, 23 April 2012 - 07:10 AM.

[AplusWebMaster]

FYI...

BoA phishing emails ...
- https://www.net-secu...ld.php?id=12788
23 April 2012 - "Fake warning emails are currently targeting Bank of America customers and asking them to update their account. With "Bank of America Warning : Error Statement" in the subject line, the vaguely credible HTML email states that the targets' "Bank of America account showed unusual activities this morning." "What to do next? Sign in now to verify your logon details," urges the email. Unfortunately, -all- the links included in the email take the recipients to a -spoofed- Bank of America website, where they are asked to sign in by entering their banking login details and are prompted to share additional personal and financial information in order to "verify" their accounts. "The care and detail with which the scam email has been created makes this phishing scam attempt a little more sophisticated than some other such attacks and may fool at least a few bank customers into supplying the requested details," Hoax-Slayer points out*. Users are advised to ignore the message and to always log in to their bank's website by entering its web address into the browser's address bar instead of following links included in email."
* http://www.hoax-slay...phishing-12.jpg

[AplusWebMaster]

FYI...

Phishing and malware meet Check Fraud
- https://www.trusteer...eet-check-fraud
April 24, 2012 - "... a SCAM in an underground forum that shows how data obtained through phishing and malware attacks can be used to make one of the oldest forms of fraud – check forging... The scam involves a criminal selling pre-printed checks linked to corporate bank accounts in the USA, UK and China. The criminal is selling falsified bank checks made with specialized printing equipment, ink and paper. For $5 each, he/she will supply checks that use stolen credentials (e.g. bank account) provided by the buyer. However, to purchase checks that use stolen credentials supplied by the counterfeiter the cost is $50 – a tenfold increase. This is a clear indicator that stolen credentials are a key enabler of check fraud. Check data fields include personal information (e.g. name, address and phone) and financial information (e.g. bank account, routing code and check number). To obtain all the required data fraudsters typically need to get their hands on a physical or scanned version of a real check in circulation. Many banking web sites provide access to scanned versions of paid and received checks. Online banking login credentials obtained through malware and phishing attacks can easily be used by fraudsters to access a victim’s account and collect all the required information to commit check fraud. In addition, before using the checks, fraudsters could potentially ensure account balance is sufficient to approve the transaction... Buyers are also encouraged to carry fake identification cards that match the stolen credentials on the check. The check counterfeiter offers to provide these as well. This is the latest example of the how criminals can use malware and phishing techniques to make traditional physical fraud schemes more effective..."

Edited by AplusWebMaster, 24 April 2012 - 12:42 PM.

[AplusWebMaster]

FYI...

SPAM Scams spoof Social Networking sites - peddle Malicious sites
- http://blog.trendmic...alicious-sites/
Appr 25, 2012 - "... email messages disguised as notifications from popular networking sites, in particular LinkedIn, foursquare, MySpace, and Pinterest. These spam contain links that direct users to -bogus- pharmaceutical or -fraud- sites. They also use legitimate-looking email addresses to appear credible to recipients. Using famous brands like these sites are effective in luring users to the scheme as this gives credence to an otherwise obvious scam... We uncovered spammed messages masked as notifications from Foursquare, a popular location-based social networking site... The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification... Both messages use the address noreply @foursquare .com in the ‘From’ field and bear a legitimate-looking MessageID. Similar to previous spam campaign using popular social networking sites, attackers here also disguised the -malicious- URLs... also spotted sample messages that are purportedly from LinkedIn and Myspace... we have identified that the senders’ info were forged. We also did not find any pertinent details that could identify these messages as legitimate LinkedIn and MySpace email notifications. These mails also used cloaked URLs that redirect to the fake site 'Wiki Pharmacy'... we found fake Pinterest email notifications that contain a URL, a purported online article on weight-loss. Users who click this link are instead lead to sites that were previously found to engage in fraud activities... Users are advised to always be cautious of dubious-looking messages and avoid clicking links or downloading the attachment included in these."

[AplusWebMaster]

FYI...

Blackhole obfuscated JavaScript
- https://isc.sans.edu...l?storyid=13051
Last Updated: 2012-04-25 11:44:21 UTC - "... Most of the current obfuscation methods make heavy use of objects and functions that are only present in the web browser or Adobe reader. Since it is unlikely that a JavaScript analysis engine on, for example, a web proxy anti-virus solution can duplicate the entire object model of Internet Explorer, the bad guys are hoping that automated analysis will fail, and their JavaScript -will- make it past the virus defenses to the user's browser, where it will run just fine. Often, this actually works. The current wave of Blackhole (Blacole) exploit kits are a good example - it took Anti-Virus a looong time to catch on to these infected web sites. Even today, the raw malicious JavaScript block full of exploit attempts comes back with only 14/41 on Virustotal*..."
* https://www.virustot...sis/1335349187/
File name: b.js
Detection ratio: 14/41
Analysis date: 2012-04-25 10:19:47 UTC

[AplusWebMaster]

FYI...

Yahoo phishing via compromised WordPress sites
- http://blog.commtouc...press-websites/
April 25, 2012 - "Yahoo users have been targeted in a phishing attack that starts with an “avoid account deactivation” email. Mousing over the link shows the non-Yahoo link – an easy way to know that something is amiss*...
* http://blog.commtouc...shing-email.jpg
... The phishing pages are very authentic looking. Once users have entered their login details (which are collected by the phisher), they are redirected to Yahoo Mail. A large number of compromised sites have been used to hide the phishing pages – all the samples collected by Commtouch Labs were based on WordPress**. In such cases the phishers seek out a particular plugin with a known vulnerability that can be repeatedly exploited on many sites..."
** https://wordpress.org/download/
April 20, 2012 - WordPress v3.3.2 released

[AplusWebMaster]

FYI...

Brazilian banking malware ...
- http://blog.spiderla...l-slacker-.html
26 April 2012 - "... part of a Brazilian phishing attack... VirusTotal reports... the sample as being detected by 5/42*... the malware is a straightforward PE executable that is made to look like a word document. In addition to being named boleto.doc.exe, the file also comes with a Microsoft Word icon
> http://npercoco.type...f6348970b-800wi
... This was actually one of the few instances where Google Translate failed... knowing the file size (1.5 MB) alone told me it was going to be packed with "goodies"... the malware is ensuring persistence by setting itself in the 'Run' registry key. This will cause the malware the run every time that user logs into their machine... look forward to the (hopefully) increased detection by antivirus in the coming days."
* https://www.virustot...0c5be/analysis/
File name: 188477e8f2a9523b0a001040982942ff9c5ba13c88b823d3b6a0b9f1d8b0c5be
Detection ratio: 5/42
Analysis date: 2012-04-26 15:31:50 UTC

[AplusWebMaster]

FYI...

BlackHole SPAM runs underway
- http://blog.trendmic...-runs-underway/
Apr 30, 2012 - "... high-volume spam runs that sent users to websites compromised with the BlackHole exploit kit... spam runs that were part of this investigation used the name of Facebook, and US Airways. Other spam runs involved LinkedIn, as well as USPS. The most recent campaign we’ve seen that was part of this wave of attacks used the name of CareerBuilder:
> http://blog.trendmic...ackhatspam1.jpg
> http://blog.trendmic...ckhatspam2a.jpg
... conclusions about these each of these attacks are broadly similar:
• Phishing messages using the names of various organizations spread via email to targets predominantly in the United States. The content of these phishing e-mails were practically indistinguishable from legitimate messages.
• Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
• Users were eventually directed to sites containing the Black Hole exploit kit.
... more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages... The goal of these attacks is to install ZeuS variants onto user systems..."

[AplusWebMaster]

FYI...

Service automates boobytrapping of Hacked Sites
- https://krebsonsecur...f-hacked-sites/
May 1, 2012 - "Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware... one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites... another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits... A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials... Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads boobytrapped pages to his Web site... the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password...)."