
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#751 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 August 2012 - 08:48 AM

FYI...

Fake QuickBooks update email ...
- http://security.intu.../alert.php?a=54
8/28/2012 - "People are receiving emails with one of the following titles: "Important QuickBooks Update," "QuickBooks Security Update," "Urgent: QuickBooks Update," and "QuickBooks Update: Urgent." There is a link in the email. DO NOT click on the link.
Below is the text of the email people are receiving, including the errors in the email.

'You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.'


This is the end of the -fake- email..."

- http://blog.webroot....serving-emails/
August 29, 2012 - "... millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit..."

:ph34r: <_< :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#752 AplusWebMaster


Posted 29 August 2012 - 03:53 PM

FYI...

Java v7u7 / v6u35 released
- http://forums.whatth...=...st&p=796322
August 30, 2012
___

- http://www.symantec....attack-campaign
Update August 30, 2012 - "... using a Java zero-day, hosted as a .jar file on websites, to infect victims... attackers have been using this zero-day for several days since August 22... resolves to 223.25.233.244. That same IP was used by the Nitro attackers back in 2011..."

- http://blog.trendmic...d-java-zero-day
Aug 30, 2012

- http://nakedsecurity...ited-tax-email/
August 30, 2012
- http://nakedsecurity...fixes-for-java/
August 30, 2012
___

Java 0-day exploit on 100+ sites serving malware
- https://www.computer...s_serve_malware
August 29, 2012 - "... Websense... had found more than 100 unique domains serving the Java exploit. "The number is definitely growing...and because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days"... Yesterday, Michael Coates, Mozilla's director of security assurance, urged Firefox users to disable the browser's Java plug-in because Oracle has not issued fixes... Mozilla has the ability to add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox automatically queries the blocklist and notifies users before disabling the targeted add-ons..."
___

- http://web.nvd.nist....d=CVE-2012-4681 - 9.3 (HIGH)
Last revised: 08/29/2012 - "... as exploited in the wild in August 2012..."

- http://h-online.com/-1677789
29 August 2012 - "... Users who have a vulnerable version installed on their systems are advised to disable the browser plugin that provides Java support..."

- https://krebsonsecur...aged-two-flaws/
August 29, 2012 - "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

- http://www.darkreadi...le/id/240006469
Aug 29, 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 31 August 2012 - 10:05 AM.



#753 AplusWebMaster


Posted 31 August 2012 - 09:39 AM

FYI...

Fake UPS SPAM links to malware
- http://blog.webroot....-serve-malware/
August 31, 2012 - "Cybercriminals are currently mass mailing millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick users into downloading and executing the malicious file hosted on a compromised web site...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
... location of the malicious archive: buzzstar .co .uk/Label_Copy_UPS.zip
The malware has a MD5: b702590c01f76f02e2d8d98833d1c95f * ...
* https://www.virustot...eaefb/analysis/
File name: file-4438621_exe
Detection ratio: 20/25
Analysis date: 2012-08-31 02:25:37 UTC

Fake Paypal SPAM links to malware
- http://blog.webroot....-serve-malware/
August 30, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails. Using ‘Notification of payment received‘ subjects, the campaign is relying on the end user’s gullibility in an attempt to infect them with malware. Once executed, it grants a malicious attacker complete control over the victim’s PC...
Sample screenshot of the spamvertised email:
> https://webrootblog....ion_malware.png
... The malware has a MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ...
* https://www.virustot...7d67a/analysis/
File name: smona_1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a.bin
Detection ratio: 37/42
Analysis date: 2012-08-29 08:33:11 UTC

:ph34r: <_<



#754 AplusWebMaster


Posted 01 September 2012 - 09:08 AM

FYI...

Fake MS email phish delivers Zeus via Java vuln ...
- https://isc.sans.edu...l?storyid=14020
Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this email will subject victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... (evil) email including the following header snippet:
Received: from [101.5.162.236] ([101.5.162.236]) by
inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
A legitimate header snippet:
Received: from smtpi.msn .com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
101.5.162.236 is in China, 65.55.52.232 is Microsoft. The legitimate email will include a hyperlink for http://email.microso...s15.C.KK.DlNkNK , which points to the above mentioned services agreement.
(Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:
047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:
034:034:02:065:071:034"/></applet>
The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
Contemplate disabling Java (5) until the -next- update(6) is released..."

* http://windows.micro...vices-agreement

** http://community.web...xploit-kit.aspx

3) https://www.virustot...58bc9/analysis/
File name: Leh.jar
Detection ratio: 8/42
Analysis date: 2012-09-01 05:28:51 UTC

4) https://www.virustot...sis/1346461231/
File name: updateflashplayer.exe
Detection ratio: 6/42
Analysis date: 2012-09-01 01:00:31 UTC

5) http://krebsonsecuri...om-the-browser/

6) https://isc.sans.edu...l?storyid=14017
___

101.5.162.236
101.5.0-255.*
inetnum: 101.5.0.0 - 101.5.255.255
netname: TSINGHUA-CN
country: CN
origin: AS4538
http://www.google.co...ic?site=AS:4538
... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).
___

- https://krebsonsecur...aged-two-flaws/
"... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."

:ph34r: <_< :ph34r: :(

Edited by AplusWebMaster, 02 September 2012 - 06:12 AM.

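The ISC diary above tells a phish from the real Microsoft mailing apart by looking at the earliest `Received:` header: the fake came in from 101.5.162.236 (a TSINGHUA-CN address), the legitimate one from 65.55.52.232 (Microsoft). The script below is an added example, not code from ISC or from this thread: it automates that check by pulling the originating relay IP out of raw header text and classifying it against a watched netblock (the 101.5.0.0/16 range from the whois excerpt in the post) and an expected-relay list for the claimed sender domain. The two header samples are constructed from the snippets quoted in the diary, and the expected-relay table is an assumption made for the example.

```python
"""Classify mail by the IP of the relay that first accepted it.

Added example (not from the ISC diary or the forum post). The earliest
hop is the *last* Received: header, because each relay prepends its own.
"""
import ipaddress
import re
from typing import List, Optional

# Networks the analyst has decided to watch: the TSINGHUA-CN block quoted in the post.
WATCHED_NETS = [ipaddress.ip_network("101.5.0.0/16")]

# Relays expected to send mail for a claimed From: domain.
# Assumption for this example: the Microsoft relay IP quoted in the diary.
EXPECTED_RELAYS = {"microsoft.com": [ipaddress.ip_network("65.55.52.232/32")]}

# One Received: header including its folded continuation lines (which start with whitespace).
_RECEIVED = re.compile(r"^Received:\s*(.*?)(?=^\S|\Z)", re.M | re.S)
_IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_headers(raw_headers: str) -> List[str]:
    """Received: header bodies in order of appearance (newest hop first), unfolded."""
    return [" ".join(m.group(1).split()) for m in _RECEIVED.finditer(raw_headers)]


def originating_ip(raw_headers: str) -> Optional[ipaddress.IPv4Address]:
    """IP of the first relay that accepted the message, or None if none is recorded."""
    hops = received_headers(raw_headers)
    if not hops:
        return None
    m = _IPV4.search(hops[-1])
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def classify(raw_headers: str, claimed_domain: str) -> str:
    """'watched' if the origin is in a watched net, 'expected' if it is a known
    relay for the claimed sender domain, 'unknown' otherwise."""
    ip = originating_ip(raw_headers)
    if ip is None:
        return "no-origin"
    if any(ip in net for net in WATCHED_NETS):
        return "watched"
    if any(ip in net for net in EXPECTED_RELAYS.get(claimed_domain, [])):
        return "expected"
    return "unknown"


# Constructed samples, built from the header snippets quoted in the diary.
PHISH_HEADERS = """\
Received: from inbound94.exchangedefender.com (inbound94.exchangedefender.com [192.0.2.10])
\tby mail.example.net with ESMTP id ABC123; Fri, 31 Aug 2012 11:14:00 -0400
Received: from [101.5.162.236] ([101.5.162.236]) by
\tinbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
From: Microsoft <noreply@microsoft.com>
Subject: Important Changes to Microsoft Services Agreement
"""

LEGIT_HEADERS = """\
Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com
\twith Microsoft SMTPSVC(6.0.3790.4900); Mon, 27 Aug 2012 09:00:00 -0700
From: Microsoft <microsoft@email.microsoft.com>
Subject: Important Changes to Microsoft Services Agreement
"""

if __name__ == "__main__":
    for label, hdrs in (("phish", PHISH_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, originating_ip(hdrs), classify(hdrs, "microsoft.com"))
```

The check deliberately uses only the last `Received:` header that the local infrastructure did not write itself; everything below your own boundary relay can be forged by the sender, so the value is in comparing that single hop against what the claimed sender is known to use, as the diary does by hand.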


#755 AplusWebMaster


Posted 03 September 2012 - 05:14 PM

FYI...

Fake ‘Amazon order’ email exploits recent Java vuln ...
- http://community.web...nerability.aspx
03 Sep 2012 - "... Websense... has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit. If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data. Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681*)... On 1st September, Websense... intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
> http://community.web..._2D00_550x0.jpg
Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit... an analysis of this file can also be found on VirusTotal**..."

* http://community.web...-2012-4681.aspx

** https://www.virustot...58bc9/analysis/
File name: 9c5abf8889c34b3a36c6699b40ef6717c95ac6e1
Detection ratio: 12/42
Analysis date: 2012-09-03

:ph34r: <_< :ph34r:



#756 AplusWebMaster


Posted 04 September 2012 - 06:23 AM

FYI...

Another round of "Spot the Exploit E-Mail"
- https://isc.sans.edu...l?storyid=14029
Last Updated: 2012-09-04 - "We have come to expect quality phishing/fake email work these days...
> https://isc.sans.edu.../amexemail1.png
> https://isc.sans.edu.../amexemail2.png
> https://isc.sans.edu.../amexemail3.png
... javascript will then -redirect- the user to one of these two IP addresses:
96.47.0.163, 108.178.59.26
both IP addresses yield heavily obfuscated javascript. The wepawet analysis can be found here:
- http://wepawet.isecl...3...29c&type=js
It appears to be the usual "what vulnerable plugin are you running today?" javascript."
___

Fake Google email contains a trojan ...
- http://h-online.com/-1698349
04 Sep 2012 - "Unknown attackers are attempting to persuade email recipients to open attachments that contain a trojan by claiming to be from The Google Accounts Team. A new email supposedly from "accounts-noreply @google .com" with the subject "Suspicious sign in prevented" is being sent en masse -claiming- that a hijacker has attempted to access the mail recipient's Google Account. The message says that the sign-in attempt was prevented but asks users to refer to the attached file for details of the attempted intrusion. However, instead of containing information such as the IP address of the log-in attempt, the attached zip file contains a Windows executable file that will install a trojan onto a victim's system. While Google does sometimes send emails like this to users, they -never- contain attachments; users that receive such an email are advised to delete them. According to VirusTotal*, the trojan is currently only detected by just half of 42 anti-virus programs..."
* https://www.virustot...cc23a/analysis/
File name: Google_Accounts_Alert-3944-J5I-4169.zip
Detection ratio: 21/42
Analysis date: 2012-09-04 09:25:32 UTC
___

Fake ‘Wire Transfer Confirmation’ emails lead to Black Hole exploit kit ...
- http://blog.webroot....le-exploit-kit/
Sep 4, 2012 - "Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a client-side exploits serving a landing URL, courtesy of the Black Hole web malware exploitation kit.
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Sample exploits served: CVE-2010-0188; CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e * ..."
* https://www.virustot...3fd00/analysis/
File name: 7fe4d2e52b6f3f22b2f168e8384a757e
Detection ratio: 32/42
Analysis date: 2012-08-28
___

Fake LinkedIn spam leads to malware ...
- http://blog.dynamoo....785926-and.html
4 Sep 2012 - "This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop .com:

Date: Tue, 04 Sep 2012 10:43:03 +0100
From: "noreply" [noreply@linkedin.com]
Subject: Link LinkedIn Mail
LinkedIn
REMINDERS
Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)
PENDING MESSAGES
• There are a total of 5 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.


The malicious payload (report here*)..."
* http://wepawet.isecl...8...065&type=js
Detection results
Detector Result
Jsand 2.3.4 malicious
In particular, the following URL was found to contain malicious content:
hxxp :// 108.178.59.26 /bv6rcs3v1ithi.php?w=6de4412e62fd13be
Exploits
Name Description Reference
HPC URL Help Center URL Validation Vulnerability CVE-2010-1885 ...

... My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 04 September 2012 - 10:32 AM.



#757 AplusWebMaster


Posted 05 September 2012 - 01:17 PM

FYI...

Fake 'QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
- http://blog.webroot....le-exploit-kit/
Sep 5, 2012 - "... cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resume impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails. The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts...
Screenshot of a sample spamvertised email:
> https://webrootblog....exploit_kit.png
... Client-side exploits serving URL: hxxp ://roadmateremove .org /main.php?page=9bb4aab85fa703f5 - 89.248.231.122; 208.91.197.27
... Name servers part of the campaign’s infrastructure:
ns1.chemrox .net – 208.91.197.27; 173.234.9.17
ns2.chemrox .net – 7.25.179.23
Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 * ...
* https://www.virustot...38137/analysis/
File name: f621be555dc94a8a370940c92317d575
Detection ratio: 33/42
Analysis date: 2012-09-01
...Once executed, the sample phones back to 87.120.41.155 :8080/mx5/B /in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns..."

:ph34r: <_<



#758 AplusWebMaster


Posted 06 September 2012 - 06:04 AM

FYI...

Bogus greeting card emails serve exploits and malware
- http://blog.webroot....ts-and-malware/
Sep 6, 2012 - "Remember the recently profiled 123greetings .com themed malicious campaign? It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Detection rate for a sample Java script redirection: MD5: 75e030e741875d29f12b179f2657e5fd* – ... Trojan.JS.Iframe.aby; Trojan.Webkit!html
Upon successful client-side exploitation, the campaign drops MD5: 864e1dec051cbd800ed59f6f91554597** – ... W32/Yakes.AP!tr
Once executed, the malware phones back to 216.38.12.158 :8080/mx/5/B/in... Another domain is known to have been responding to the same IP in the past..."
* https://www.virustot...sis/1346492654/
File name: greetings.html
Detection ratio: 5/42
Analysis date: 2012-09-01
** https://www.virustot...b1ffc/analysis/
File name: 97273d9507c8d78679c8cdf591715760aef0c59c
Detection ratio: 24/42
Analysis date: 2012-09-03

:ph34r: <_<



#759 AplusWebMaster


Posted 06 September 2012 - 09:27 AM

FYI...

$100 billion in losses to cybercrime ...
- http://h-online.com/-1701983
6 Sep 2012 - "According to Symantec's 2012 Norton Cybercrime Report*, worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim. A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist's report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report... Around 40% of people don't use complex passwords or don't change their passwords regularly. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services. Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries."
* http://www.symantec....rid=20120905_02
Sept. 5, 2012
___

- http://yro.slashdot....but-just-as-bad
Sep 6, 2012
> http://blogs.cio.com...mages-disappear

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 07 September 2012 - 12:04 PM.



#760 AplusWebMaster


Posted 08 September 2012 - 09:09 AM

FYI...

FedEx spam ...
- http://blog.dynamoo....gallerynet.html
7 Sep 2012 - "Two fake FedEx campaigns... with different payload sites of dushare .net and gsigallery .net. In the first case, the malicious payload is... (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is... (report here**) also hosted on 203.91.113.6..." (More detail at the URL above.)
* http://wepawet.isecl...9...407&type=js
Detector Result
Jsand 2.3.4 malicious
** http://wepawet.isecl...7...935&type=js
Detector Result
Jsand 2.3.4 malicious

- http://google.com/sa...gsigallery.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 9 trojan(s), 1 scripting exploit(s)..."
- http://google.com/sa...te=dushare.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 2 trojan(s), 1 scripting exploit(s)..."
___

- http://blog.dynamoo....monahannet.html
7 Sep 2012 - "... fake FedEx spam leads to malware on studiomonahan .net... The malicious payload is... (report here*) hosted on 206.253.164.43 (Hostigation, US)...
(More detail at the URL above.)
* http://wepawet.isecl...7...943&type=js
Detector Result
Jsand 2.3.4 malicious

:ph34r: <_<

Edited by AplusWebMaster, 08 September 2012 - 10:33 AM.




#761 AplusWebMaster


Posted 09 September 2012 - 06:38 AM

FYI...

Fake BBB email phish/Spam leads to malware
- https://isc.sans.edu...l?storyid=14053
Last Updated: 2012-09-09 - "We received another piece of spam... pretending to be from the Better Business Bureau. Analysis of the file transferred (W6w8sCyj.exe) from prog .it appears to be a piece of malware (Win32/Cridex.Q) used to communicate via SSL with a C&C server... List of domains/IP to watch for and block:
ajaxworkspace .com, prog .it, la-liga .ro, ejbsa .com .ar, technerds .ca, 108.178.59.12
The email looks like this:

Better Business Bureau©
Start With Trust©
Sat, 08 Sep 2012 01:54:02 +0700
RE: Case # 78321602 <hxxp [:]//prog .it/EH564Bf/index.html>
Dear Sirs,
The Better Business Bureau has got the above mentioned complaint from one of your customers concerning their business relations with you. The details of the consumer's concern are contained in attached document. Please give attention to this case and advise us of your opinion as soon as possible. We encourage you to open the COMPLAINT REPORT to answer on this complaint.
We look forward to your prompt response.
Faithfully yours,
Ann Hegley
Dispute Counselor
Better Business Bureau


[1] http://anubis.isecla...amp;format=html
[2] http://wepawet.isecl...b...082&type=js
[3] http://wepawet.isecl...0...182&type=js
[4] http://wepawet.isecl...7...422&type=js
[5] https://www.virustot...b9187/analysis/
File name: vt_20541851.@
Detection ratio: 3/42
Analysis date: 2012-09-08
[6] http://www.microsoft.....=Win32/Cridex

:ph34r: <_<

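The BBB post above ends with a "domains/IP to watch for and block" list written in defanged form (a space before each dot, `hxxp [:]//` for the link), the same convention used throughout this thread so that indicators cannot be clicked by accident. Before such a list can be compared with logs it has to be put back into canonical form. The script below is an added example, not code from ISC or from this thread: it refangs the post's own watch list, extracts the host from each indicator, and runs the result over proxy-log lines in Squid's native format. The log lines are constructed for the example (the only real values in them are the hosts and the file name quoted in the post).

```python
"""Refang a defanged indicator list and match it against proxy logs.

Added example (not from the ISC diary or the forum post). The watch list
is the one quoted in the post; the proxy log lines are constructed.
"""
import ipaddress
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

WATCH_LIST = "ajaxworkspace .com, prog .it, la-liga .ro, ejbsa .com .ar, technerds .ca, 108.178.59.12"


def refang(indicator: str) -> str:
    """Undo the common defanging conventions found in threat reports."""
    s = indicator.strip()
    s = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", s)  # example[.]com
    s = re.sub(r"\s*\(\s*\.\s*\)\s*", ".", s)  # example(.)com
    s = re.sub(r"\s*\.\s*", ".", s)            # "example .com"  (the style used in this thread)
    s = re.sub(r"\s*\[\s*:\s*\]\s*", ":", s)   # hxxp[:]//
    s = re.sub(r"\s+", "", s)                  # "hxxp ://host /path"
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s


def indicator_host(indicator: str) -> str:
    """Host part of a refanged indicator: 'prog.it' for a URL, the bare name otherwise."""
    s = refang(indicator)
    if "://" in s:
        return urlsplit(s).hostname or ""
    return s.split("/")[0].lower()


def parse_watch_list(text: str) -> Tuple[Set[str], Set[ipaddress.IPv4Address]]:
    """Split a comma-separated defanged list into domain names and IP addresses."""
    domains, ips = set(), set()
    for item in text.split(","):
        host = indicator_host(item)
        if not host:
            continue
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:
            domains.add(host)
    return domains, ips


def host_matches(host: str, domains: Set[str], ips) -> bool:
    """True if the host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in domains)


# Squid native log: ts elapsed client code/status bytes method url rfc931 hierarchy type
_SQUID = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def log_host(url: str) -> str:
    """Host from the URL field; CONNECT lines carry 'host:port' instead of a URL."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]


def find_hits(log_text: str, watch_list: str = WATCH_LIST) -> List[Tuple[str, str, str]]:
    """(client, method, matched host) for every log line that touches a watched host."""
    domains, ips = parse_watch_list(watch_list)
    hits = []
    for line in log_text.splitlines():
        m = _SQUID.match(line)
        if not m:
            continue
        host = log_host(m.group("url"))
        if host_matches(host, domains, ips):
            hits.append((m.group("client"), m.group("method"), host))
    return hits


# Constructed proxy log lines; clients and paths are made up for the example.
PROXY_LOG = """\
1347058442.118    312 10.1.4.22 TCP_MISS/200 5120 GET http://prog.it/EH564Bf/index.html - DIRECT/108.178.59.12 text/html
1347058443.902     41 10.1.4.22 TCP_MISS/200 2390 GET http://www.example.org/news - DIRECT/93.184.216.34 text/html
1347058451.007    198 10.1.4.37 TCP_MISS/200 88120 GET http://cdn.ejbsa.com.ar/W6w8sCyj.exe - DIRECT/198.51.100.8 application/octet-stream
1347058460.555    120 10.1.4.22 TCP_MISS/200 1024 CONNECT 108.178.59.12:443 - DIRECT/108.178.59.12 -
"""

if __name__ == "__main__":
    for client, method, host in find_hits(PROXY_LOG):
        print(f"{client} {method} {host}")
```

Matching is done on the host rather than the full URL because the landing paths in these campaigns (`/index.html`, `/main.php?page=...`) change from run to run while the hosts in a published list stay valid for a while; the subdomain rule catches `cdn.ejbsa.com.ar` for a listed `ejbsa.com.ar`, and the CONNECT branch catches the SSL C&C traffic the diary mentions, where the proxy only ever sees `host:port`.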


#762 AplusWebMaster


Posted 13 September 2012 - 07:20 AM

FYI...

Fake US Airways email spam ...
- http://blog.dynamoo....usgrovenet.html
11 Sep 2012 - "A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove .net:

Date: Tue, 11 Sep 2012 15:32:42 -0300
From: "US Airways - Reservations" [reservations @myusairways .com]
Subject: Please confirm your US Airways online registration...

Date: Tue, 11 Sep 2012 23:29:14 +0700
From: "US Airways - Reservations" [intuitpayroll @e.payroll.intuit .com]
Subject: US Airways online check-in...


The malicious payload is at [donotclick]blue-lotusgrove .net/main.php?page=559e008e5ed98bf7 (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack**... domains on the same server... can all be considered to be malicious...
(More detail/URL list at the dynamoo URL above.)
* http://wepawet.isecl...d...149&type=js
Detector Result
Jsand 2.3.4 malicious

** http://blog.dynamoo....gallerynet.html
___

- http://security.intu.../alert.php?a=57
Last updated 9/13/2012

:ph34r: <_<



#763 AplusWebMaster


Posted 14 September 2012 - 08:08 AM

FYI...

Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
- http://community.web...xploit-kit.aspx
13 Sep 2012 - "Since Blackhole Exploit Kit 2.0* was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email. Websense... has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit... One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com... A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters... The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version. ADP is one the largest names in payroll services... Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":
> http://community.web...P_5F00_blur.jpg
... one of the possible redirection paths:
hxxp ://allbarswireless .com/HXwcDdQ/index.html
hxxp ://ash-polynesie .com/AjVSXvus/js.js
hxxp ://108.60.141.7 /tfvsfios6kebvras .php?r=dwtd6xxjpq8tkatb
hxxp ://108.60.141.7 /links/ differently-trace.php ...
Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message." Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":
> http://community.web..._5F00_blur1.jpg
... redirection chain here is similar:
hxxp ://www.tryakbar .com/tLbM3r/index.html
hxxp ://sportmania .so/JP3q2538/js.js
hxxp ://173.255.221.74 /tfvsfios6kebvras .php?r=rs3mwhukafbiamcm ...
Another scheme thanks the user for signing up for a premium service. Subject lines include "Thank you for activating paid services":
> http://community.web...b_5F00_blur.jpg
Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:
hxxp ://www.svstk. ru/templates/beez/check.php
hxxp ://bode-sales .net/main.php?page=3c23940fb7350489
And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended. Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"
> http://community.web...C_5F00_blur.jpg
Here again, simple redirection leads to typical "/main.php?page=" type URLs.
hxxp ://kahvikuppi .org/achsec.html
hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7
Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability."
* http://community.web...tes-to-2-0.aspx

- https://isc.sans.edu...l?storyid=14098
2012-09-14

ADP spam ...
- http://blog.dynamoo....4624937122.html
13 Sep 2012 - "... fake ADP spam tries to load malware from 46.249.37.122... After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122 /links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case."

- http://www.bbb.org/b.../scamalert1.jpg
Sep 12, 2012
___

- http://blog.commtouc...are-campaign-2/
Sep 13, 2012

:ph34r: <_<

Edited by AplusWebMaster, 17 September 2012 - 06:19 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#764 AplusWebMaster
Authentic Member, 10,472 posts
Posted 15 September 2012 - 12:41 PM

FYI...

Fake Fedex email invoice leads to BlackHole Exploit kit
- http://blog.webroot....le-exploit-kit/
Sep 14, 2012 - "... cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware and exploits-serving URL found in the malicious email...
Screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Sample client-side exploits serving URLs: hxxp ://studiomonahan .net/main.php?page=2bfd5695763b6536 (200.42.159.6, AS10481; 206.253.164.43, AS6921); hxxp ://gsigallery .net/main.php?page=2bfd5695763b6536 (208.91.197.54, AS40034)
Sample client-side exploits served: CVE-2010-1885
Detection rate for a sample Java script redirector: MD5: 32a74240c7e1a34a2a8ed8749758ef15* ...
JS/Iframe.FR; Trojan-Downloader.JS.Iframe.dbe; JS/Exploit-Blacole.hd
Upon successful client-side exploitation, the campaign drops MD5: f9904f305de002ad5c0ad4b4648d0ca7** ... Trojan.Win32.Obfuscated.aopm; Worm:Win32/Cridex.E
... and MD5: 0e2c968865d34c8570bb69aa6156b915*** Worm.Win32.Cridex.jb
The first sample phones back to 195.111.72.46 :8080/mx/5/B/in/ (AS1955) and to 87.120.41.155 :8080/mx/5/B/in (AS13147), and the second sample initiates DNS queries to droppinlever .pro; lambolp700tuning .ru and it also produces TCP traffic to 146.185.220.32 on port 443, as well as to 192.5.5.241 again on port 443.
... We’ve already seen numerous malicious campaigns phoning back one of these command and control servers, 87.120.41.155 :8080/mx/5/B/in in particular..."
* https://www.virustot...sis/1347545788/
File name: Fedex.html
Detection ratio: 8/41
Analysis date: 2012-09-13
** https://www.virustot...29ba0/analysis/
File name: f9904f305de002ad5c0ad4b4648d0ca7.malware
Detection ratio: 30/42
Analysis date: 2012-09-13
*** https://www.virustot...a4a47/analysis/
File name: a36fc381c480e4e7ee09c89d950195c2
Detection ratio: 24/42
Analysis date: 2012-09-11

:ph34r: <_<

Edited by AplusWebMaster, 15 September 2012 - 04:44 PM.



#765 AplusWebMaster
Authentic Member, 10,472 posts
Posted 18 September 2012 - 08:13 AM

FYI...

Multiple fake emails/SPAM lead to malware...

"Photos" Spam...
- http://blog.dynamoo....areuomopru.html
18 Sept 2012 14:43 - "This spam leads to malware ondiareuomop .ru:
From: Carleen Garrett
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos
Hi,
as promised your photos - hxxp ://flyershot .com/gallery.htm

The payload is at [donotclick]diareuomop .ru:8080/forum/links/column.php hosted on the following IPs: 50.56.92.47, 203.80.16.81, 46.51.218.71
These IPs are a subset of the ones found here*. Block 'em if you can."

Fake Intuit email/Spam...
* http://blog.dynamoo....neloffceru.html
17 Sept 2012 22:41 - "This fake Intuit.com spam attempts to load malware from kerneloffce .ru:
Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malicious payload is at kerneloffce .ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked..."
> http://google.com/sa...kerneloffce.ru/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 1 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 4 domain(s)..."

Fake IRS email/Spam...
- http://blog.dynamoo....cachingnet.html
17 Sept 2012 22:30 - "This spam leads to malware on virtual-geocaching .net:
Date: Mon, 17 Sep 2012 11:28:14 -0600
From: Internal Revenue Service [tangierss4 @porterorlin .com]
Subject: IRS report of not approved tax transfer
Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.
Not Accepted Tax transaction
Tax Transaction ID: 30062091798009
Reason of rejection See details in the report below
Federal Tax Transaction Report tax_report_30062091798009.doc (Microsoft Word Document)
Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA

The malicious payload is at [donotclick]virtual-geocaching .net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others..."
> http://google.com/sa...geocaching.net/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 57 trojan(s), 8 exploit(s), 3 scripting exploit(s)..."

Fake IRS email/Spam...
- http://blog.dynamoo....ummwrapnet.html
17 Sept 2012 16:06 - "This fake IRS spam leads to malware on thebummwrap .net:
From: Internal Revenue Service [mailto:fascinatesh07 @deltamar .net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted
Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID: 60498447771657
Rejection code See details in the report below
Income Tax Transaction Report tax_report_60498447771657.doc (Microsoft Word Document)
Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI

The malicious payload is at [donotclick]thebummwrap .net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes..."
___

- http://tools.cisco.c...Outbreak.x?i=77
Last Updated September 18, 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 18 September 2012 - 09:24 AM.

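Added example (not code from this thread or from any of the quoted blogs): the posts above list their indicators in a defanged style ("hxxp ://", spaces inside the host name, "[donotclick]") and repeatedly point at the Blackhole landing-page shape "/main.php?page=" followed by 16 hex characters, plus the Cridex phone-home path ":8080/mx/5/B/in". The Python below turns a handful of those exact lines into a host blocklist, then runs the blocklist and the two URL patterns over constructed proxy log lines so an unknown domain serving the same landing path is still flagged. The proxy log layout, the host name newly-registered.example and the generalisation of the phone-home path to /mx/<number>/<letter>/in are assumptions, not something the posts state. Nothing here makes a network request.

```python
"""Refang the defanged indicators quoted in this thread, build a blocklist from them,
and flag proxy log lines that hit the blocklist or the Blackhole/Cridex URL patterns.
Offline only: no host listed here is ever contacted."""
import re
from urllib.parse import urlsplit

# Defanged lines copied verbatim from the posts above.
THREAD_LINES = [
    "hxxp ://www.tryakbar .com/tLbM3r/index.html",
    "hxxp ://sportmania .so/JP3q2538/js.js",
    "hxxp ://173.255.221.74 /tfvsfios6kebvras .php?r=rs3mwhukafbiamcm ...",
    "hxxp ://www.svstk. ru/templates/beez/check.php",
    "hxxp ://bode-sales .net/main.php?page=3c23940fb7350489",
    "[donotclick]46.249.37.122 /links/systems-links_warns.php",
    "[donotclick]virtual-geocaching .net/main.php?page=7de3f5c4200c896e",
    "195.111.72.46 :8080/mx/5/B/in/",
]

# Blackhole landing page as seen in the posts: /main.php?page=<16 hex chars>
BLACKHOLE_LANDING = re.compile(r"^page=[0-9a-f]{16}$")
# Assumed generalisation of the /mx/5/B/in phone-home path quoted above.
CRIDEX_PHONE_HOME = re.compile(r"^/mx/\d+/[A-Za-z]/in/?$")

# Constructed proxy log lines (timestamp client method url status); not real traffic.
PROXY_LOG = [
    "2012-09-18T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2012-09-18T10:01:09Z 10.0.0.5 GET http://bode-sales.net/main.php?page=3c23940fb7350489 200",
    "2012-09-18T10:01:15Z 10.0.0.7 GET http://newly-registered.example/main.php?page=0f123fe645ddf8d7 200",
    "2012-09-18T10:02:30Z 10.0.0.5 POST http://195.111.72.46:8080/mx/5/B/in/ 200",
]


def refang(line):
    """Undo the thread's defanging: '[donotclick]', 'hxxp', inserted spaces, trailing '...'."""
    t = line.strip().replace("[donotclick]", "")
    t = re.sub(r"\s+", "", t)          # a URL never contains whitespace, so drop all of it
    t = t.rstrip(".")                  # the posts truncate long URLs with ' ...'
    t = re.sub(r"^hxxp(s?)://", r"http\1://", t, flags=re.IGNORECASE)
    if "://" not in t:                 # bare 'host :port/path' lines get a scheme for parsing
        t = "http://" + t
    return t


def classify(url):
    """Describe one refanged URL: host, port and which known pattern (if any) it matches."""
    parts = urlsplit(url)
    if parts.path.endswith("/main.php") and BLACKHOLE_LANDING.match(parts.query):
        kind = "blackhole_landing"
    elif parts.port == 8080 and CRIDEX_PHONE_HOME.match(parts.path):
        kind = "cridex_c2"
    else:
        kind = "other"
    return {"url": url, "host": parts.hostname or "", "port": parts.port, "kind": kind}


def build_blocklist(lines):
    """Sorted, de-duplicated set of hosts (domains and IPs) from defanged indicator lines."""
    return sorted({classify(refang(line))["host"] for line in lines})


def scan_proxy_log(log_lines, blocklist):
    """Return (client, url, reason) for every log line worth a look."""
    blocked = set(blocklist)
    hits = []
    for entry in log_lines:
        fields = entry.split()
        if len(fields) < 4:
            continue                   # malformed line; skip rather than crash the sweep
        client, url = fields[1], fields[3]
        info = classify(url)
        if info["host"] in blocked:
            hits.append((client, url, "blocklisted host"))
        elif info["kind"] != "other":
            hits.append((client, url, info["kind"] + " pattern"))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(THREAD_LINES)
    print("blocklist:", bl)
    for hit in scan_proxy_log(PROXY_LOG, bl):
        print(hit)
```

The pattern check matters more than the host list: the posts themselves note that Blackhole 2.0 moved to dynamically generated URLs, so a blocklist built from last week's domains ages quickly, while the "/main.php?page=" shape of the older kit and the fixed phone-home path survive a domain change. Feed the blocklist into whatever your proxy or DNS filter already takes, and keep the pattern matches as an alert rather than a block, since a 16-hex query value on main.php is distinctive but not impossible on a legitimate site.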
