
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#736 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 10 August 2012 - 06:39 AM

FYI...

Fake Groupon email malware coupon
- http://blog.commtouc...oupon-with-you/
Aug 9, 2012 - "A recent collection of malware emails borrows heavily from authentic mailings sent out by Groupon and LinkedIn. The outbreak is different from the blended attacks that have featured regularly in the last few months since it relies on attached malware as opposed to a link to drive-by malware. Using email templates modeled on Groupon and LinkedIn increases the chances that recipients will consider the attachment genuine and worth opening. The example below shows a Groupon “deal” found by a friend. Recipients are invited to open the attachment to view the gift details and also to forward it on to friends. All the links within the “offer” point to genuine Groupon sites.
> http://blog.commtouc...ith-malware.jpg
The attached zip file unpacks to a file named “Coupon gift.exe”. Commtouch’s Antivirus identifies the malware as W32/Trojan3.DWY. The malware attempts to download and install files from several remote servers. Only 30% of the 41 engines on VirusTotal detected the malware within a few hours of the attack...
Email text:
Hi there!
You’re going to love it
We are glad to inform you that one of your friends has found a great deal on Groupon.com!
And even shared it with you!
Yeah! Now Groupon.com gives an opportunity to share a discount gift with a friend!
Enjoy your discount gift in the attachement and share it with one of your friend as well.
All the details in the file attached. be in a hurry this weekend special is due in 2 days!
"

:ph34r: <_< :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#737 AplusWebMaster

Posted 10 August 2012 - 03:45 PM

FYI...

Fake AT&T email billing - serves exploits and malware
- http://blog.webroot....ts-and-malware/
August 10, 2012 - "... yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end and corporate users into downloading a bogus Online Bill. Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts...
Screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Client-side exploits serving URL:
hxxp ://advancementwowcom .org/main.php?page=19152be46559e39d
Client-side exploits served: CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e* on the infected hosts... as Trojan.Generic.KD.687203; W32/Cridex-Q. Once executed, the sample phones back to hxxp :// 87.204.199.100 :8080 /mx5/B/in/. We’ve already seen the same command and control server used in several malware-serving campaigns, namely, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign... cybercriminals will continue rotating popular brands, introduce new email templates, and newly undetected pieces of malware..."
* https://www.virustot...dfa13/analysis/
File name: C497B4D6DFADD4609918282CF91C6F4E_100-about.exe
Detection ratio: 19/41
Analysis date: 2012-08-05

:ph34r: <_<



#738 AplusWebMaster

Posted 11 August 2012 - 08:31 AM

FYI...

Olympic malware spread continues ...
- http://community.web...able-Sites.aspx
10 Aug 2012 - "... Websense... analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes starting two days before the Opening Ceremony through August 8th... Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs which redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Links:
> http://community.web..._2D00_550x0.jpg
... We took a sample set of 3600 of these, unshortened them, and analyzed the category breakdown:
> http://community.web.../1057.chart.jpg
..."

:ph34r: <_< :ph34r:



#739 AplusWebMaster

Posted 11 August 2012 - 03:07 PM

FYI...

Fake Intuit emails ...
- http://security.intu.../alert.php?a=52
8/10/2012 - "People are receiving emails purportedly from Classmates.com with the title "Download your Intuit.com invoice." There is an attachment to the email. Below is the text of the email people are receiving, including the errors in the email:

"Dear Customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-040-6988 ($3.19/min).
ORDER INFORMATION
Please download your complete order id#6269722 from the attachment.(Open with Internet Explorer)"


This is the end of the fake email... Steps to Take Now:
. Do not click on the link in the email...
. Spoofed email address. Don't reply to unsolicited email and don't open email attachments...
. Fake link. When in doubt, never click on a link in an unsolicited or suspicious email..."

:( :ph34r: :ph34r:



#740 AplusWebMaster

Posted 13 August 2012 - 06:40 AM

FYI...

Phishing emails from "Nationwide" in circulation
- http://www.gfi.com/b...in-circulation/
August 13, 2012 - "There’s some Emails floating around right now claiming to be from Nationwide*. The first wants customers to “validate your internet banking profile”, with the aid of the following missive:
> http://www.gfi.com/b...nationphish.jpg
The second tries a different approach, claiming that they have “identified an unusual conflict between the customer number and profile details associated with your account”.
> http://www.gfi.com/b...ationphish2.jpg
The emails lead to various URLs which appear to have been compromised (including a Belarus human rights website and what appears to be an Indonesian news portal) playing host to pages asking for security information. Of the two, the human rights site appears to have been fixed but the dubious pages are still live on the Indonesian portal at time of writing.
http://www.gfi.com/b...ationphish3.jpg
Customers of Nationwide should treat -any- Emails asking to validate and/or confirm security information with the utmost suspicion and make a safety deposit in their spam folder."
* https://en.wikipedia...uilding_Society
"Nationwide Building Society is a British mutual financial institution..."

:ph34r: <_< :ph34r:



#741 AplusWebMaster

Posted 13 August 2012 - 08:00 AM

FYI...

Insecure WordPress blogs... host Blackhole malware attack
- http://nakedsecurity...malware-attack/
August 10, 2012 - "... a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit. Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.
Here's what a typical email looks like:
> https://sophosnews.f...mail1.jpg?w=640
Subject: Verify your order
Message body:
Dear [name],
please verify your order #[random number] at [LINK]
We hope to see you again soon!

The websites that are being linked to aren't ones that have been created by the malicious hackers. They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software). Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers. Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM. More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications. Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins* that it might use)."

* http://forums.whatth...=...st&p=792022

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 13 August 2012 - 09:15 AM.



#742 AplusWebMaster

Posted 14 August 2012 - 08:22 AM

FYI...

IRS SPAM campaign leads to BlackHole exploit kit
- http://blog.webroot....le-exploit-kit/
August 13, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick tax payers into clicking on a link pointing to a bogus Microsoft Word Document. Once the user clicks on it, they are redirected to a BlackHole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit...
Screenshot of the spamvertised IRS themed email:
> https://webrootblog....exploit_kit.png
Once the user clicks on the link pointing to a Black Hole landing URL, he’s exposed to the following bogus “Page loading…” page:
> https://webrootblog....loit_kit_01.png
Client-side exploits served: CVE-2010-0188; CVE-2010-1885
... as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use the services of a “cultural diversity on demand” underground market proposition offering the ability to localize a message or a web site to the native language of the prospective victim, hence they failed to properly formulate their sentence, thereby raising suspicion in the eyes of the prospective victim..."

- https://www.virustot...sis/1343319131/
File name: IRS.html
Detection ratio: 2/41
Analysis date: 2012-07-26
- https://www.virustot...44557/analysis/
File name: 6d7b7d2409626f2c8c166373e5ef76a5.exe
Detection ratio: 30/41
Analysis date: 2012-08-04

:ph34r: <_<



#743 AplusWebMaster

Posted 15 August 2012 - 01:19 PM

FYI...

Another Fake Intuit email: "Your order was shipped today"
> http://security.intu.../alert.php?a=53
[Last updated 8/14/2012 - "Fake email: "Your order was shipped today"
People are receiving emails with the title "Your order was shipped today." There are numerous messages in the email, including an offer to talk to a QuickBooks expert, the request to add a fake Intuit email to the user's address book, and the possibility to win a $30,000 small business grant. DO NOT click on any of these links. Below is the text portion of the email people are receiving. We have not included the graphic portion of the email which includes the fake links.

Dear Customer,
Great News! Your order, SBL46150408, was shipped today (see details below) and will arrive shortly. We hope that you will find that it exceeds your expectations. If you ordered multiple products, we may ship them in separate boxes (at no extra cost to you) to ensure the fastest possible delivery. We will Also provide you with the ability to track your shipments via the directions below.
Thank you for your order and we look forward to serving you again in the near future.


This is the end of the fake email. We have not included the graphics with the fake links in the information above. Steps to Take Now: Do not click..."]

JUST DELETE THE EMAIL if you get one, or 2 or 3... The only reason the hacks keep doing this is:
It works.

:ph34r: <_<



#744 AplusWebMaster

Posted 16 August 2012 - 10:31 AM

FYI...

PDF reader exploits-in-the-wild ...
- http://blog.fireeye....an-myagent.html
2012.08.15 - "At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation... We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment... we have seen the malware get delivered as different files via email. The PDF version of the dropper uses fairly well known exploits. The JavaScript inside of the PDF checks the Adobe Reader version and launches the appropriate exploits... We have also observed versions of this malware loading other DLLs responsible for communicating with the command and control server. Despite the decent detection of some samples of this malware, the constant changes it makes to its intermediary stages to install the actual payload, puts it into the category of advanced malware."

:ph34r: <_<



#745 AplusWebMaster

Posted 21 August 2012 - 09:53 AM

FYI...

- http://www.ironport.com/toc/
August 21, 2012

- http://tools.cisco.c...Outbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - August 21, 2012
Fake Payment Notification E-mail Messages - August 21, 2012
Fake DHL Express Tracking Notification E-mail Messages - August 21, 2012
Fake Tax Refund Statement E-mail Messages - August 20, 2012
Malicious Personal Pictures Attachment E-mail Messages - August 20, 2012
Fake Criminal Complaint E-mail Messages - August 20, 2012
Fake Product Photo Attachment E-mail Message - August 20, 2012
Fake Money Transfer Notification E-mail Messages - August 20, 2012
Fake Private Photo Disclosure E-mail Messages - August 20, 2012 ...
Fake Microsoft Security Update E-mail Messages- August 17, 2012 ...

:ph34r: <_<



#746 AplusWebMaster

Posted 22 August 2012 - 06:53 AM

FYI...

F-secure Threat Report H1 2012
- https://www.f-secure...s/00002411.html
August 21, 2012 - "... criminals were still as busy as ever. Our report includes the following case studies:
• ZeuS & Spyeye
• Flashback
• Blackhole
• Mobile Threats
• Ransomware
• Rogueware
You can download the report from:
- http://www.f-secure....ort_H1_2012.pdf
"One of the most pervasive trends we saw in the computer threat landscape in the first half of 2012 was the expanding usage of vulnerability exploitation for malware distribution. This phenomenon is directly tied to the recent improvement in exploit kits - toolkits that allow malware operators to automatically create exploit code."

:ph34r: :ph34r:



#747 AplusWebMaster

Posted 22 August 2012 - 08:28 AM

FYI...

Fake Flash Player App is an SMS Trojan ...
- http://www.gfi.com/b...jan-and-adware/
August 22, 2012 - "Adobe marked August 15, 2012—exactly a week ago—as the last day when users could download and install Flash Player on their Android devices if they didn’t have it yet. The company made this announcement so they can focus on Flash on the PC browser and mobile apps bundled with Adobe AIR. This change in focus also meant that Adobe will no longer develop and support Flash on mobile browsers. Of course, it’s possible that some Android users have missed that deadline, so they venture on to other parts of the Internet in search of alternative download sites. It’s no surprise to see that Russian scammers have, indeed, set up websites to lure users into downloading a fake Flash Player onto their Android devices... As of this writing, we’ve seen -eight- sites using Adobe’s logos and icons—all are linking to the same variant of OpFake Trojan disguised as the legit Flash Player for Android. All the Russian sites used different file names for their .APK files but they’re the same malicious variant... You may come across other websites claiming to host the latest version of Flash Player. In that case, better to steer clear from them and download only from Google Play*."
* https://play.google....?...layer&hl=en
___

- http://blog.webroot....obe-flash-apps/
August 23, 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 23 August 2012 - 08:59 PM.



#748 AplusWebMaster

Posted 23 August 2012 - 06:51 AM

FYI...

Fake BlackBerry ID emails...
- http://community.web...ed-malware.aspx
22 Aug 2012 - "Websense... intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.
> http://community.web..._2D00_550x0.png
... The malicious email itself is a copy and paste of a legitimate email from Blackberry. And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it. 17/36 AV engines identify the malware in VirusTotal*..."
* https://www.virustot...7b082/analysis/
File name: Hotel-Booking_Confirmation.exe
Detection ratio: 27/42
Analysis date: 2012-08-23 10:54:21 UTC
> http://community.web...threatscope.PNG
___

Bogus greeting cards serve exploits and malware
- http://blog.webroot....ts-and-malware/
August 21, 2012 - "Think you’ve received an online greeting card from 123greetings.com? Think twice! Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit...
Screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Upon clicking on -any- of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:
> https://webrootblog....loit_kit_01.png
... Client-side exploits served: CVE-2010-1885
Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 *...
Upon successful execution, the sample phones back to 87.120.41.155 :8080/mx5/B/in
More MD5s are known to have phoned back to the same command and control server... 87.120.41.155 is actually a name server offering DNS resolving services to related malicious and command and control servers... The second sample phones back to 87.204.199.100 :8080/mx5/B/in/ not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns..."
* https://www.virustot...0365f/analysis/
File name: 42307705ad637c615a6ed5fbf1e755d1
Detection ratio: 34/42
Analysis date: 2012-08-23 01:27:36 UTC

:ph34r: <_<

Edited by AplusWebMaster, 23 August 2012 - 12:03 PM.



#749 AplusWebMaster

Posted 27 August 2012 - 04:08 PM

FYI...

Java 0-Day exploit-in-the-wild
- https://secunia.com/advisories/50133/
Last Update: 2012-08-28
Criticality level: Extremely critical
Impact: System access
Where: From remote ...
Solution Status: Unpatched
Software: Oracle Java JRE 1.7.x / 7.x
CVE Reference: http://web.nvd.nist....d=CVE-2012-4681 - 6.8
... vulnerability is confirmed in version 7 update 6 build 1.7.0_06-b24. Other versions may also be affected.
Solution: No official solution is currently available...
Reported as a 0-day.
Original Advisory:
http://blog.fireeye....t-over-yet.html

- https://isc.sans.edu...l?storyid=13984
Last Updated: 2012-08-27 20:29:15 UTC - "... targets Java 1.7 update 6, there is currently no patch available, the exploit has been integrated into the metasploit framework..."
- https://krebsonsecur...y-java-exploit/
August 27, 2012
- http://www.deependre...nformation.html
August 27, 2012 - "... currently being used in targeted attacks..."

- http://labs.alienvau...ed-in-the-wild/
August 27, 2012 - "... On the analyzed sample the payload is downloaded from ok.aa24 .net/meeting /hi.exe... The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service. The malware connects to hello.icon .pk port 80. It seems to be a Poison Ivy variant. hello.icon .pk resolves to:
223.25.233.244
223.25.233.0 – 223.25.233.255

8 to Infinity Pte Ltd ..."
> https://www.virustot...8200f/analysis/
File name: hi.exe
Detection ratio: 32/42
Analysis date: 2012-08-28 12:59:25 UTC

- https://www.virustot...8200f/analysis/
File name: hi.exe
Detection ratio: 36/42
Analysis date: 2012-08-29 10:55:45 UTC
___

- http://www.kb.cert.org/vuls/id/636312
Last revised: 28 Aug 2012 - "... Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability..."

- http://www.symantec....y-cve-2012-4681
8.28.2012 - "... attackers have been using this zero-day vulnerability for at least five days, since August 22... we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does -not- work on the older version JRE 1.6*..."

* http://forums.whatth...=...st&p=794621

:ph34r: :ph34r:

Edited by AplusWebMaster, 29 August 2012 - 08:20 AM.



#750 AplusWebMaster

Posted 29 August 2012 - 06:00 AM

FYI...

Java 0-day added to Blackhole Exploit Kit
- http://community.web...xploit-kit.aspx
28 Aug 2012 - "... exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there; Blackhole... The Pre.jar file (VirusTotal link*) will use the new vulnerability to install the malware (VirusTotal link**) itself. In this particular attack it was a banking trojan as can be seen from our ThreatScope report(1)... A technical analysis of these two vulnerabilities is available at the blog Immunity Products in this post(2)."
* https://www.virustot...1f874/analysis/
File name: Pre.jar
Detection ratio: 17/42
Analysis date: 2012-08-29 10:43:59 UTC
** https://www.virustot...38137/analysis/
File name: about.exe
Detection ratio: 18/42
Analysis date: 2012-08-29 04:32:07 UTC
1) http://community.web...threatscope.png
2) http://immunityprodu...-2012-4681.html
___

- http://h-online.com/-1677789
29 August 2012 - "... Users who have a vulnerable version installed on their systems are advised to disable the browser plugin that provides Java support..."

- https://krebsonsecur...aged-two-flaws/
August 29, 2012 - "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

:ph34r: :ph34r:

Edited by AplusWebMaster, 29 August 2012 - 09:26 AM.
