
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#61 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 January 2009 - 09:35 AM

FYI...

HMRC phishing email and website
- http://securitylabs....lerts/3276.aspx
01.06.2009 - "Websense... has discovered a phishing site emulating the Web site belonging to HM Revenue & Customs (HMRC), the UK government's taxation authority. The fake site is hosted in Denmark and uses the same stylesheet and graphics as the real HMRC Web site. Recipients first receive an email advising them that they are due a tax refund. This email contains a link to the phishing Web site. The phishing site aims to collect personal information such as name, address, and credit card information. Upon submitting the data, the user is redirected to the real HMRC site. The sending of the email is very timely with certain HMRC deadlines for online applications of tax returns imminent (31st January 2009). Websense has advised HMRC of this threat..."

(Screenshot of the phishing email available at the Websense URL above.)

:(

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#62 AplusWebMaster

Posted 06 January 2009 - 10:01 AM

FYI...

- http://blog.trendmic...icious-content/
Jan. 5, 2009 - "The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes are not lost on LinkedIn’s users. The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices... found some bogus LinkedIn profiles which contain links to malware, using the names and images of famous personalities such as:
* Beyoncé Knowles
* Victoria Beckham
* Christina Ricci
* Kirsten Dunst
* Salma Hayek
* Kate Hudson
... and several others. Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware. Note that there are several routes this infection path may take..."

(Screenshot available at the URL above.)

:( :ph34r:



#63 AplusWebMaster

Posted 07 January 2009 - 05:55 AM

FYI...

MLB.com pushing malware
- http://sunbeltblog.b...ng-malware.html
January 06, 2009 - "... stay away from this site until they get it cleaned up. We are seeing various mlb sites redirecting to fake antivirus scan. These are almost certainly being done by malicious flash advertisements. Not the first time* it’s happened (courtesy of Innovative Marketing**)."
(Screenshot available at the URL above.)

* http://www.security-...ic.php?p=272589

** http://sunbeltblog.b...-continues.html

- http://www.theregist...aseball_threat/
8 January 2009 - "... Update: MLB spokesman Matthew Gould said the tainted ads were the result of an individual who claimed to sell ads through a company the website has done business with before. After the scam came to light, MLB officials discovered this individual had no affiliation with the company, which Gould declined to name because he says MLB is pursuing legal action. Gould said MLB officials believe the ads were taken down on Monday, less than 24 hours after going live. "As soon as we were made aware of the problem we removed the ad in all instances across our network," he said..." (Pop-up image for "Antivirus2009" shown at the URL above.)


:ph34r: :ph34r:

Edited by AplusWebMaster, 09 January 2009 - 07:46 AM.



#64 AplusWebMaster

Posted 09 January 2009 - 08:02 AM

FYI...

- http://www.shadowser...lendar.20090109
9 January 2009 - "...we have a bunch of new and interesting information on the trojan, much of which has come from a number of security researchers out there. However, we are just going to touch on the last item and give you an updated list of domains associated with Waledac. You are bound to see all kinds of great research and interesting findings from others on this soon. In the meantime, please use this information to protect your networks and proactively (and retroactively) block these hosts. The following are a list of domains known to be associated with Waledac. Most of these domains have been seen in the wild and may be posted elsewhere. However, we want to provide our research that we have collected ourselves in a central spot for anyone to see and share.
Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.
Waledac Domain Listing (several new ones since our 12-31 post):
bestchristmascard .com
bestmirabella .com
bestyearcard .com
blackchristmascard .com
cardnewyear .com
cheapdecember .com
christmaslightsnow .com
decemberchristmas .com
directchristmasgift .com
eternalgreetingcard .com
freechristmassite .com
freechristmasworld .com
freedecember .com
funnychristmasguide .com
greatmirabellasite .com
greetingcardcalendar .com
greetingcardgarb .com
greetingguide .com
greetingsupersite .com
holidayxmas .com
itsfatherchristmas .com
justchristmasgift .com
lifegreetingcard .com
livechristmascard .com
livechristmasgift .com
mirabellaclub .com
mirabellamotors .com
mirabellanews .com
mirabellaonline .com
newlifeyearsite .com
newmediayearguide .com
newyearcardcompany .com
newyearcardfree .com
newyearcardonline .com
newyearcardservice .com
smartcardgreeting .com
superchristmasday .com
superchristmaslights .com
superyearcard .com
themirabelladirect .com
themirabellaguide .com
themirabellahome .com
topgreetingsite .com
whitewhitechristmas .com
worldgreetingcard .com
yourchristmaslights .com
yourdecember .com
yourmirabelladirect .com
yourregards .com
youryearcard .com

Related Exploit Domains (no new ones listed):
seocom .name
seocom .mobi
seofon .net
Please feel free to distribute the above list as you see fit..."

:ph34r: :ph34r:



#65 AplusWebMaster

Posted 09 January 2009 - 12:51 PM

FYI...

- http://www.us-cert.g..._email_messages
January 9, 2009 - "US-CERT is aware of public reports of malicious code circulating via spam email messages related to the Israel/Hamas conflict in Gaza. These messages may contain factual information about the conflict and appear to come from CNN. Additionally, the messages indicate that additional news coverage of the conflict can be viewed by following a link provided in the email body. If users click on this link, they are redirected to a bogus CNN website that appears to contain a video. Users who attempt to view this video will be prompted to update to a new version of Adobe Flash Player in order to view the video. This update is -not- a legitimate Adobe Flash Player update; it is malicious code. If users download this executable file, malicious code may be installed on their systems..."

- http://www.rsa.com/b...ry.aspx?id=1416
(Screenshot at the RSA URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 09 January 2009 - 04:35 PM.
Added link to RSA screenshot...



#66 AplusWebMaster

Posted 12 January 2009 - 09:15 AM

FYI...

Yandex used in SPAM redirects
- http://sunbeltblog.b...-redirects.html
January 11, 2009 - "We’re seeing a fair number of pages on Narod (a free web hosting service from Yandex, the Russian search engine). These are used for both redirects to malware, as well as redirects in spam... Administrators would be well advised to simply block any email or web traffic with narod .ru ."

:ph34r:



#67 AplusWebMaster

Posted 14 January 2009 - 04:12 PM

FYI...

Malware directed at Classmates Online...
- http://securitylabs....Blogs/3279.aspx
01.14.2009 - "Websense... noticed that a campaign against Classmates Online, Inc had broken out. We observed that thousands of URLs were registered in one day to spread the worm. The newly-registered URLs were unusually long, had several subdomains, and always contained some specific words such as process, multipart and so on... The new campaign was spread by email. The malicious email contained a link to a video invitation to reunite high school classmates and celebrate Classmates Day 2009. When the email recipient viewed the invitation, they downloaded a worm named Adobe_Player10.exe. This could fool a user into thinking they needed the latest version of the Adobe Player, prompting them to run the executable... the main purpose of this worm was to steal user information and send it to a server located in the Ukraine. The address of the server was hardcoded in the worm. The worm did a lot of work, including dropping a driver file to hide itself, injecting itself into every process, downloads and so on. It collected several kinds of information, including details about POP3, IMAP, ICQ, FTP, and certification from the user's MY certificate store, which is used to store trusted sites and personal certificates... The worm injected itself in every process. The injected code would enumerate a module of the process, and then hook some APIs into the module..."

(Screenshots available at the Websense URL above.)

:ph34r: <_<



#68 AplusWebMaster

Posted 15 January 2009 - 11:16 AM

FYI...

Spam, Phishing, and Malware related to Presidential Inauguration
- http://www.us-cert.g...malware_related
January 15, 2009 - "US-CERT has received reports of an increased number of phishing sites and spam related to the upcoming Presidential Inauguration. US-CERT reminds users that phishing and spamming campaigns often coincide with highly publicized events...
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
• Install antivirus software, and keep the virus signatures up to date.
• Do not follow unsolicited links and do not open unsolicited email messages.
• Use caution when visiting untrusted websites..."

- http://blog.trendmic...s-sites-abound/
Jan 18, 2009

- http://www.f-secure....s/00001585.html
January 17, 2009 - "...All the links point to a file called speech.exe, which is a Waledec malware variant..."

- http://blog.trendmic...guration-scams/
January 16, 2009

:blink: :ph34r:

Edited by AplusWebMaster, 19 January 2009 - 07:22 AM.
SSDD links...



#69 AplusWebMaster

Posted 19 January 2009 - 08:05 AM

FYI...

3322 .org
- http://isc.sans.org/...ml?storyid=5710
Last Updated: 2009-01-19 12:01:36 UTC - "...adding the 3322-dot-org domain to your block list would be a good idea. As you can tell from this diary* that we published in 2007, it is by far not the first time that this domain shows up on our malware radar ..."
* http://isc.sans.org/...ml?storyid=3266

:ph34r: :ph34r: :ph34r:

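Added example, not part of the posts above nor of the Shadowserver, Sunbelt or ISC write-ups they quote: a small Python triage script for the three defensive points made in posts #64, #66, #67 and #69. It rebuilds a defanged, Shadowserver-style list ("bestchristmascard .com", one domain per line) into real domains, blocks parent domains such as narod .ru and 3322 .org together with every subdomain under them, and applies the traits Websense reported for the Classmates campaign URLs (unusually long, many subdomains, words like "process" and "multipart") to the links found in a mail body. The domain subset, the thresholds (120 characters, five host labels) and the sample mail body are constructed for the example; the full Shadowserver list linked above is what you would actually feed it.

```python
"""Triage URLs in a mail body against a domain blocklist plus campaign heuristics (added example)."""
import re
from urllib.parse import urlsplit

# Constructed subset of the defanged Waledac list posted above (a space was inserted
# before the TLD so the forum would not render live links). One domain per line.
DEFANGED_LIST = """
bestchristmascard .com
cardnewyear .com
mirabellaclub .com
seocom .name
"""

# Parent domains the posts above recommend blocking outright, subdomains included.
BLOCKED_PARENTS = {"narod.ru", "3322.org"}

# Words Websense reported in the Classmates campaign URLs.
CAMPAIGN_WORDS = ("process", "multipart")

# Thresholds are assumptions for the example; tune them against your own mail flow.
LONG_URL = 120        # characters
MANY_LABELS = 5       # host labels, e.g. a.b.c.example.com has five

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(defanged):
    """Turn 'example .com' lines back into 'example.com'; returns a lowercase set."""
    domains = set()
    for line in defanged.splitlines():
        line = line.strip().lower()
        if line:
            domains.add(re.sub(r"\s*\.\s*", ".", line))
    return domains


def host_of(url):
    """Lowercase hostname of a URL without a trailing dot ('' when unparsable)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_blocked(host, blocklist):
    """True when the host itself or any parent domain of it is listed."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def campaign_signals(url):
    """Flags for the traits Websense described: long URL, many subdomains, campaign keywords."""
    host = host_of(url)
    flags = []
    if len(url) > LONG_URL:
        flags.append("long")
    if len(host.split(".")) >= MANY_LABELS:
        flags.append("many_subdomains")
    if any(word in url.lower() for word in CAMPAIGN_WORDS):
        flags.append("keyword")
    return flags


def triage_message(body, blocklist):
    """Map each URL in a mail body to 'blocked', 'suspicious' (two or more flags) or 'ok'."""
    verdicts = {}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")          # drop sentence punctuation glued to the link
        if is_blocked(host_of(url), blocklist):
            verdicts[url] = "blocked"
        elif len(campaign_signals(url)) >= 2:
            verdicts[url] = "suspicious"
        else:
            verdicts[url] = "ok"
    return verdicts


BLOCKLIST = refang(DEFANGED_LIST) | BLOCKED_PARENTS

# Constructed sample body; none of these links is from a real captured message.
SAMPLE_BODY = """Your classmates are waiting! Watch the invitation:
http://process.multipart.invite.reunion.example.net/video/Adobe_Player10.exe
Holiday card: http://www.bestchristmascard.com/card.exe
Mirror: http://user123.narod.ru/go.html.
Unrelated: http://www.example.org/news
"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_BODY, BLOCKLIST).items():
        print(f"{verdict:10s} {url}")
```

The suffix walk in is_blocked is what makes a single "narod.ru" or "3322.org" entry cover every hostname under it, which is the behaviour Sunbelt and the ISC are asking administrators for; the heuristic half is deliberately a second-line signal (two flags needed) because long hostnames with many labels are also common on legitimate CDN and tracking links.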


#70 AplusWebMaster

Posted 19 January 2009 - 06:06 PM

FYI...

More Prez SPAM...
- http://www.theregist...ware_spam_scam/
19 January 2009

- http://preview.tinyurl.com/79ay3a
17 January 09 (PandaLabs blog) - "Today we discovered a botnet controlled, fast-flux operated malware campaign impersonating the United States President-elect Barack Obama’s website. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled, “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer... The attack appears to have originated from China as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION. Xinnet has a history of abuse problems and we have contacted them to remove the domain names... The file names of the malware are:
• doc.exe , statement.exe , obamaspeech.exe , blog.exe , barack.exe , usa.exe , baracknews.exe , pdf.exe, news.exe , obamasblog.exe , barakblog.exe , statement.exe , president.exe , obamanews.exe ..."

:ph34r: <_< :ph34r:




#71 AplusWebMaster

Posted 20 January 2009 - 12:28 PM

FYI...

Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowser...lendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowser...dac_domains.txt

:wall: :ph34r:

Edited by AplusWebMaster, 20 January 2009 - 12:41 PM.



#72 AplusWebMaster

Posted 21 January 2009 - 06:28 AM

FYI...

Phishing Alert - Canada Revenue Agency
- http://securitylabs....lerts/3282.aspx
01.20.2009 - "Websense... has discovered phishing sites spoofing the Web site belonging to Canada Revenue Agency (CRA), the Canadian government’s taxation authority. The fake site is hosted in Germany and uses the same stylesheet and graphics as the real CRA Web site. The phishing site aims to collect personal information such as the victim’s social insurance number, full name, address, date of birth, mother’s maiden name, and credit card information. Upon submitting the data, the user is redirected to the real CRA site. This campaign is timed to coincide with the upcoming CRA deadline for online tax return applications..."

<_< :ph34r:



#73 AplusWebMaster

Posted 23 January 2009 - 05:48 AM

FYI...

United Airlines - e-mail scam malware attack
- http://www.sophos.co...malware-attack/
January 19, 2009 - "Last week... spammers were sending out emails posing as messages from Northwest Airlines*. The attached file was not an electronic airline ticket of course, but a Trojan horse designed to infect your computer. As anticipated, the hackers have made a simple switch - changing the bait from a Northwest Airlines email to one claiming to come from United Airlines, and spoofing the email address tickets@united .com ... As before, opening the ZIP file is a very bad idea. Although it’s understandable that you might panic into thinking that your credit card has been debited without your permission, for a flight you don’t want or need, you should be cynical enough to smell this for what it is - a dirty rotten scam designed to infect your personal computer."
* http://www.sophos.co...malware-attack/

(Screenshots available at both URLs above.)

Video: http://www.sophos.co...alware-campaign

:ph34r: <_<

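Added example, not from the Sophos or PandaLabs posts quoted in #73 and #70: a Python check for the attachment pattern both describe, a ZIP "e-ticket" that actually holds an executable, and for names like pdf.exe or doc.exe from the PandaLabs list. It flags archive members three ways: by executable extension, by a document-looking double extension (ticket.pdf.exe), and by the MZ header the file really starts with, which catches a renamed executable whatever it is called. It also records encrypted members it cannot read, since a password-protected archive hides its contents from this kind of scan. The sample archive is built in memory for the example; the extension sets and the size limit are assumptions.

```python
"""Inspect a ZIP mail attachment for executable payloads (added example)."""
import io
import zipfile

# Extensions treated as executable content; assumption for the example, extend as needed.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Document-looking extensions used as the decoy half of a double extension (ticket.pdf.exe).
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".htm", ".html", ".jpg"}
# Members above this uncompressed size are not read (cheap zip-bomb protection); assumption.
MAX_READ_SIZE = 50 * 1024 * 1024


def _extensions(name):
    """All dotted suffixes of the base name, lowercased: 'a/b.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def inspect_member_name(name):
    """Name-based flags: executable extension, plus double extension when a decoy precedes it."""
    exts = _extensions(name)
    flags = []
    if exts and exts[-1] in EXEC_EXTENSIONS:
        flags.append("executable_extension")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            flags.append("double_extension")
    return flags


def inspect_zip_attachment(data):
    """Return [(member_name, [flags])] for suspicious members of a ZIP given as bytes.

    Input that is not a ZIP yields [("<archive>", ["bad_zip"])] instead of raising.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", ["bad_zip"])]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            flags = inspect_member_name(info.filename)
            if info.flag_bits & 0x1:              # general-purpose bit 0: member is encrypted
                flags.append("encrypted_member")  # contents cannot be checked without the password
            elif info.file_size <= MAX_READ_SIZE:
                with archive.open(info) as fh:
                    if fh.read(2) == b"MZ":       # DOS/PE header: an executable whatever its name
                        flags.append("mz_header")
            else:
                flags.append("oversized_member")
            if flags:
                findings.append((info.filename, flags))
    return findings


def build_sample_zip():
    """Constructed decoy resembling the 'e-ticket' lure: a PE-looking file behind a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eTicket_United.pdf.exe", b"MZ" + b"\x00" * 62 + b"constructed fake PE body")
        zf.writestr("itinerary.txt", b"Thank you for choosing our airline.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, flags in inspect_zip_attachment(build_sample_zip()):
        print(name, ", ".join(flags))
```

At a mail gateway the natural policy is to quarantine on mz_header or executable_extension and to treat encrypted_member as a separate review queue rather than silently passing it, because the password-in-the-mail-body trick exists precisely to defeat content scanning.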


#74 AplusWebMaster

Posted 26 January 2009 - 02:07 PM

FYI...

Valentine SPAM already!...
- http://blog.trendmic...es-to-spam-you/
Jan. 26, 2009 - "Holidays and popular annual events as a social engineering tool in spamming is a signature Storm technique. The following spammed email message should then cement WALEDAC’s association with the said bot giant...
Spammed Valentine’s greetings.
These messages flood inboxes weeks before Valentine’s day, also typical of previous Storm spam runs. Clicking on the link redirects a user to a site with heart images. When this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR... Beside the social engineering techniques used in email, following are the similar methods applied by this worm family:
• Fast-flux networks and several different name servers used per domain
• File names ecard.exe and postcard.exe
• In some instances, the installation of rogue antispyware ..."

(Screenshots available at the URL above.)

:ph34r: :angry:



#75 AplusWebMaster

Posted 28 January 2009 - 10:03 AM

FYI...

Fed Reserve Bank phish-about-phish
- http://www.hoax-slay...am-emails.shtml
28 January 2009 - "Email purporting to be from the Federal Reserve Bank claims that U.S. Treasury Department has imposed restrictions on federal wire transfers due to a widespread phishing attack... Email is -not- from the Reserve Bank - Links lead to bogus websites... The FDIC published an alert* about the scam..."
* http://www.fdic.gov/...09/sa09020.html
FDIC: SA-20-2009 January 15, 2009

:ph34r: <_<

