SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#781 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 October 2012 - 12:32 PM

FYI...

Intuit "GoPayment" SPAM / simplerkwiks .net
- http://blog.dynamoo....erkwiksnet.html
5 Oct 2012 - "This fake "Intuit GoPayment" spam leads to malware on simplerkwiks .net:
Date: Fri, 5 Oct 2012 15:54:26 +0100
From: "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject: Welcome - you're been granted access for Intuit GoPayment Merchant
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.: XXXXXXXXXXXXXX16
Email Address: [redacted]
NOTE : Additional charges for this service may now apply.
Next step: Confirm your User ID
This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify UserID
Get started:
Step 1: If you have not still, download the Intuit application.
Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
Easy Manage Your GoPayment System
The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements © 2012 Intuit, Inc. All rights reserved.


The malicious payload is at [donotclick]simplerkwiks .net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy .net
officerscouldexecute .org
simplerkwiks .net
strangernaturallanguage .net
buzziskin .net
art-london .net "
___

UPS SPAM / minus.preciseenginewarehouse .com
- http://blog.dynamoo....rehousecom.html
5 Oct 2012 - "This fake UPS spam leads to malware on minus.preciseenginewarehouse .com:
From: "UPSBillingCenter" [512A03797@songburi.com]
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
Please visit the UPS Billing Center to view and pay your invoice.
Discover more about UPS:
Visit ups .com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
© 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS


The malicious payload is at [donotclick]minus.preciseenginewarehouse .com/links/assure_numb_engineers.php hosted on 174.140.165.112 ... To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent."

:ph34r: <_< :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#782 AplusWebMaster


Posted 07 October 2012 - 08:46 PM

FYI...

Something evil on 5.9.188.54
- http://blog.dynamoo....on-5918854.html
7 Oct 2012 - "Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:
5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
inetnum: 5.9.188.32 - 5.9.188.63
netname: LLC-CYBERTECH
descr: LLC "CyberTech"
country: DE ...
address: 125252 Moscow
address: RUSSIAN FEDERATION
... You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can."

- http://centralops.ne...ainDossier.aspx
5.9.188.54
address: 125252 Moscow
address: RUSSIAN FEDERATION...
origin: AS24940

- http://google.com/sa...c?site=AS:24940
"... over the past 90 days, 5865 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2012-10-07... we found 998 site(s)... that appeared to function as intermediaries for the infection of 12809 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1752 site(s)... that infected 18780 other site(s)."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 07 October 2012 - 08:55 PM.



#783 AplusWebMaster


Posted 08 October 2012 - 05:14 AM

FYI...

Skype users targeted with Ransomware and Click Fraud
- http://www.gfi.com/b...nd-click-fraud/
Oct 8, 2012 - "The infection* that’s still spreading across users of Skype has taken an interesting twist: ransomware and click fraud. Skype users tempted to follow the latest set of infection links will end up with a zipfile on their PC. Here’s an example of the rogue links still being pinged around:
> http://www.gfi.com/b...kypevirus41.jpg
Clicking the link will download a zipfile, and running the executable inside will see the infected PC making waves with network traffic that wasn’t present when we tested the last executable...
> http://www.gfi.com/b...re4-300x152.jpg
After a while, a Java exploit will call down some fire from the sky (in the form of BlackHole 2.0) and the end-user will be horrified to see this:
> http://www.gfi.com/b...ptionScare1.jpg
... a typical Ransomware scare message that locks the user out of their data, encrypts the files and demands payment (via Moneypak) to the tune of $200. The IP address and geographical location is displayed in the bottom right hand corner, along with various threats related to the downloading of MP3s, illegal pornography, gambling and more besides. Ransomware is currently a big deal and not something an end-user really wants to have on their computer. Meanwhile, behind the scenes we have what looks like attempts at click fraud taking place behind the locked computer screen... in the space of 10 minutes, we recorded 2,259 transmissions(!)... to infect the computer, you’ll need to manually click the download link, open the zip and run the executable. On top of that, anybody trying to open the file who hasn’t switched off file security warnings will be told that “The publisher could not be verified, are you sure you want to run this software” so there’s plenty of chances to dodge this bullet..."
* http://www.gfi.com/b...to-skype-users/

:ph34r: <_< :ph34r:



#784 AplusWebMaster


Posted 10 October 2012 - 06:07 AM

FYI...

Skype SPAM voicemail leads to Blackhole / Zeus attacks
- http://www.gfi.com/b...e-zeus-attacks/
Oct 10, 2012 - "... spam mail... claims to be a Skype Voicemail notification, for example:
> http://www.gfi.com/b...icemailscam.png
It reads as follows:
Hi there,
You have a new voicemail
Sign in to Skype to listen to the message.
If you no longer want to receive email alerts about new voicemails, unsubscribe now.
Talk soon,
The people at Skype


It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections. On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts."

- http://pandalabs.pan...-and-messenger/
10/10/12
___

Skype Messages Spreading DORKBOT Variants
- http://blog.trendmic...rkbot-variants/
Oct 9, 2012

- http://blog.trendmic...-dorkbot-rises/
Oct 16, 2012 - "... spreading via Skype spammed messages... now reached (more than) 17,500 reported infections globally... DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers. Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus information in HTTP form files like passwords, usernames, and email addresses... DORKBOT downloads an updated copy of itself per day, which are typically undetected because they arrive with different packers. This is probably done to remain undetected on the infected system. With multiple dangerous routines and propagation methods well-fit into the common users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from..."

- http://blog.spiderla...e-messages.html
12 Oct 2012
___

Rampaging Squirrel + Boyband = Twitter SPAM
- http://www.gfi.com/b...d-twitter-spam/
Oct 10, 2012 - "Yesterday I saw a news article that did a frankly amazing job of rendering the plight of a boyband member being attacked by a squirrel*, and mentioned it on Twitter. Within seconds, I was on the receiving end of some spam telling me I’d won a prize:
> http://www.gfi.com/b...10/1dirspam.jpg
Twitter users were spammed in groups, with the above account holding off on providing a URL to click. Instead, curious Tweeters would instead choose to visit the above account then click the URL in the profile – onedgiveaway(dot)com.
> http://www.gfi.com/b...10/2dirspam.jpg
“Congratulations 1D Fan! Please vote for your favourite 1D member below. To say thanks accept a free gift worth over $500
... I went for Liam Payne on the basis that he might be related to Max and ended up with the following survey page located at 1dviptickets(dot)com:
> http://www.gfi.com/b...10/3dirspam.jpg
... I came away with no free gift but lots of surveys (and a whole bunch of “Are you sure you want to go” style pop-ups while trying to leave the page) – nobody has “won” anything, it’s just some random fire-and-forget spam. At time of writing, the spam account is still active and blindfiring more messages to random Twitter users..."
* http://www.wandswort..._Park_squirrel/
___

Fake job offers - union-trans .com employment scam
- http://blog.dynamoo....yment-scam.html
10 Oct 2012 - "This fake job offer is for a "forwarding agent"... basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble... There appear to be several scam domains in this same email. union-trans .com is hosted on 180.178.32.238 (Simcentric, Hong Kong)... Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China)... Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided."

Sprint SPAM / 1.starkresidential .net
- http://blog.dynamoo....dentialnet.html
9 Oct 2012 - "This fake Sprint spam leads to malware on 1.starkresidential .net...
The malicious payload is at [donotclick]1.starkresidential .net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US)... appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem."

"Biweekly payroll" SPAM / editdvsyourself .net
- http://blog.dynamoo....ourselfnet.html
9 Oct 2012 - "This fake payroll spam leads to malware on editdvsyourself .net...
The malicious payload is on [donotclick]editdvsyourself .net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji)..."
___

Facebook Scam SPAM
- https://isc.sans.edu...l?storyid=14281
Last Updated: 2012-10-10 14:32:26 UTC - "... reports of Facebook Scam Spam... TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link. This type of scam is used mostly -without- the permission of the vendor noted, in this case Costco*. The idea is to entice the user to click so they get -redirected- to a site where the business model depends on traffic volume...
> https://isc.sans.edu...o-Scam-Spam.png
If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 16 October 2012 - 11:39 AM.



#785 AplusWebMaster


Posted 10 October 2012 - 12:05 PM

FYI...

Malicious Presidential SPAM campaign has started...
- http://community.web...gn-started.aspx
10 Oct 2012 - "... Websense... has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:
> http://community.web..._2D00_550x0.png
... we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:
> http://community.web...30.sshot002.png
The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a little set of samples from this campaign. The samples were chosen based on thousands of emails.
> http://community.web...06.sshot004.PNG
The links found in the spam emails usually have this kind of content:
> http://community.web...38.sshot005.PNG
The purpose of this flow as usual is to install malicious files. In this malicious SPAM campaign, we noticed low detected PDF, JAR and EXE files (used to compromise the victim systems). During our simulated user experience we have found the following involved files:
PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea ...
Each URL... contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code..."

- http://blog.trendmic...online-threats/
Update as of Oct 11, 2012 - "... email is supposedly from CNN and contains news stories about the election:
> http://blog.trendmic...10/cnn-spam.png
... instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit..."

- http://blog.trendmic...online-threats/
Oct 10, 2012 - "... This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices."

- http://blog.eset.com...on-season-scams
Oct 12, 2012

:ph34r: <_<

Edited by AplusWebMaster, 14 October 2012 - 05:37 AM.



#786 AplusWebMaster


Posted 11 October 2012 - 02:11 PM

FYI... Multiple entries:

LinkedIn SPAM / inklingads .biz
- http://blog.dynamoo....lingadsbiz.html
11 Oct 2012 - "The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on
From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High
LinkedIn
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)
PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately...


The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)"
___

ADP SPAM / 198.143.159.108
- http://blog.dynamoo....8143159108.html
12 Oct 2012 - "Yet -more- fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108 /links/rules_familiar-occurred.php (Singlehop, US).
Avoid."
___

ADP SPAM / 4.wapin .in and 173.224.209.165:
- http://blog.dynamoo....m-4wapinin.html
11 Oct 2012 - "This fake ADP spam leads to malware on 4.wapin .in:
From: ADP.Security [mailto:5BC4F06B@act4kids.net]
Sent: 11 October 2012 14:22
Subject: ADP: Urgent Notification
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
----
Digital Certificate About to Expire...


The malicious payload is on [donotclick]4.wapin .in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).
Another variant of this goes to [donotclick]173.224.209.165/links/assure_numb_ engineers.php (Psychz Networks, US)"
___

ADP SPAM / 108.61.57.66
- http://blog.dynamoo....-108615766.html
11 Oct 2012 - "There's masses of ADP-themed spam today. Here is another one:
Date: Thu, 11 Oct 2012 14:53:17 -0200
From: "ADP.Message" [986E3877@dixys.com]
Subject: ADP Generated Message
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012
---------------------------------------------------------------------
Renewing Your Digital Certificate ...


In this case the malicious payload is at [donotclick] 108.61.57.66 /links/assure_numb_ engineers .php hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side."
___

Blackhole sites to block ...
- http://blog.dynamoo....ock-111012.html
11 Oct 2012 - "A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:
183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads .biz

The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can."
___

"Copies of Policies" SPAM / windowsmobilever .ru
- http://blog.dynamoo....icies-spam.html
11 Oct 2012 - "This slightly odd spam leads to malware on windowsmobilever .ru:
Date: Thu, 11 Oct 2012 10:55:37 -0500
From: "Amazon.com" [account-update@amazon.com]
Subject: RE: DONNIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DONNIE LOCKWOOD,
==========
Date: Thu, 11 Oct 2012 12:26:25 -0300
From: accounting@[redacted]
Subject: RE: MARGURITE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARGURITE Moss


Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever .ru:8080/forum/links/column.php - hosted on:
68.67.42.41 (Fibrenoire , Canada)
203.80.16.81 (MYREN, Malaysia)
These two IPs are currently involved in several malicious spam runs and should be blocked if you can."
___

eFax SPAM / 173.255.223.77 and chase .swf
- http://blog.dynamoo....d-chaseswf.html
11 Oct 2012 - "Two different eFax spam runs seem to be going on at the same time:
' From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification
You have received a 50 page(-s) fax...'

' From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax
You have received a 34 page(-s) fax...'


One leads to a malicious landing page at [donotclick]173.255.223.77 /links/assure_numb_engineers.php hosted by Linode in the US.
The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44* which is -not- good..."
* https://www.virustot...97784/analysis/
File name: chase.swf-QrUTmm
Detection ratio: 1/40
Analysis date: 2012-10-11 13:04:39 UTC...

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 12 October 2012 - 06:05 AM.



#787 AplusWebMaster


Posted 15 October 2012 - 05:01 AM

FYI...

Vodafone SPAM - emails serve malware
- http://blog.webroot....-serve-malware/
Oct 15, 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Vodafone Europe, in an attempt to trick their customers into executing the malicious file attachment found in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog....ail_malware.png
Detection rate: Vodafone_Account_Balance.pdf.exe – MD5: 8601ece8b0c79ec3d4396f07319bbff1 * ... Trojan-Ransom.Win32.PornoAsset.xen; Worm:Win32/Gamarue.F..."
* https://www.virustot...sis/1349008562/
File name: Your_Friend_New_photos-updates.jpeg.exe
Detection ratio: 36/43
Analysis date: 2012-09-30 15:01:54 UTC
___

Fake UPS emails - client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Oct 15, 2012 - "... cybercriminals spamvertised millions of email addresses, impersonating UPS, in an attempt to trick end users into viewing the malicious .html attachment. Upon viewing, the file loads a tiny iFrame attempting to serve client-side exploit served by the latest version of the BlackHole Exploit kit, which ultimately drops malware on the affected host.
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Sample detection rate for a malicious .html file found in the spamvertised emails: UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb * ... Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh
* https://www.virustot...9a453/analysis/
File name: java.jar
Detection ratio: 26/43
Analysis date: 2012-10-15
... currently responding to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98
... Related malicious domains part of the campaign’s infrastructure:
... Name servers part of the campaign’s infrastructure:
..."
___

Rogue Bad Piggies ...
- http://blog.trendmic...ggies-versions/
Oct 15, 2012 - "... Right after reports of malicious Bad Piggies on Google Chrome webstore circulated, we found that certain developers also released their own, albeit rogue versions of the said gaming app. On the heels of Bad Piggies‘ launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. However, these versions are -not- affiliated at all with the game. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leaves users with unnecessary charges... During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d .ru, which appears as an app download page.
> http://blog.trendmic...ies_website.jpg
... site offers the said app on different platforms. Instead of the actual Bad Piggies app, users instead download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s homepage and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may cost users to pay extra for something they didn’t authorize... ANDROIDOS_FAKEINST.A has the ability to obfuscate its codes via inserting junk codes and encrypting the strings and decrypting it upon execution. It also replaces all class/method/field name with meaningless strings thus making analysis difficult... Bad Piggies is a spinoff of the highly popular Angry Bird franchise and its release enjoyed good coverage from popular media. Such is also the case with the malicious Instagram and Angry Birds Space... To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure. Russian domains also appear to be the favorite among rogue apps developers. Beginning this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains... an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forum, blog posts or email. To prevent downloading a fake (or worse, a malware disguised as an app) users should stick to legitimate app stores like Google Play..."
___

eBay phishers update branding...
- http://www.gfi.com/b...their-branding/
Oct 15, 2012 - "... be aware that not only have eBay updated their logo for the first time since 1995, some scammers have also been quick out of the blocks to rejig their phishing scams and paste in the new logo accordingly. Here’s a scammer who hasn’t quite grasped the concept of “You’re horribly outdated” yet:
> http://www.gfi.com/b...akebay_new2.jpg
... here’s a scammer who clearly keeps up with the news and probably owns a gold plated yacht and maybe a Unicorn as a result:
> http://www.gfi.com/b...akebay_new1.jpg
... It probably won’t be long before most (if not all) phishers start using the new logo, but for the time being at least some phish attempts will be a little easier to spot for the average end-user. Of course, avid eBay users can also visit their Security Center* and keep up to date with all the latest shenanigans."
* http://pages.ebay.co...nter/index.html

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 15 October 2012 - 03:05 PM.



#788 AplusWebMaster


Posted 16 October 2012 - 06:22 AM

FYI...

Wire Transfer SPAM / hotsecrete .net
- http://blog.dynamoo....secretenet.html
16 Oct 2012 - "This fake wire transfer spam leads to malware on hotsecrete .net:
From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted
We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________
If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
*********************************************
Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001 Federal Reserve Bank.


The malicious payload is found at [donotclick]hotsecrete .net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block."
___

LinkedIn SPAM / 74.91.112.86
- http://blog.dynamoo....-749111286.html
16 Oct 2012 - "This fake LinkedIn spam leads to malware on 74.91.112.86:
From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response
Hi [redacted],
David sent you an invitation to connect 13 days ago. How would you like to respond?
Accept Ignore Privately
Hilton Suarez
Precision Castparts (Distributor Sales Manager EMEA)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is on [donotclick]74.91.112.86 /links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there)."
___

Facebook SPAM / o.anygutterkings .com
- http://blog.dynamoo....erkingscom.html
15 Oct 2012 - "This fake Facebook spam leads to malware on o.anygutterkings .com:
Date: Mon, 15 Oct 2012 20:02:21 +0200
From: "FB Account"
Subject: Facebook account
facebook
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,
The Facebook Team
Sign in to Facebook and start connecting ...
Please use the link below to resume your account ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


Other subjects are: "Account blocked" and "Account activated"
The payload is at [donotclick]o.anygutterkings .com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)..."

- http://www.gfi.com/b...-second-chance/
Oct 16, 2012 - "... another Blackhole-Zeus-related threat... ignore and delete this Facebook spam..."
> http://www.gfi.com/b.../10/FB_1015.png
___

Intuit SPAM / navisiteseparation .net
- http://blog.dynamoo....arationnet.html
15 Oct 2012 - "This fake Intuit spam leads to malware on navisiteseparation .net:
Date: Mon, 15 Oct 2012 15:20:13 -0300
From: "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject: Welcome - you're accepted for Intuit GoPayment
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number: XXXXXXXXXXXXXX55
Email Address: [redacted]
PLEASE NOTE : Associated charges for this service may be applied now.
Next step: View or confirm your Access ID
This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify Access ID
Get started:
Step 1: If you have not still, download the Intuit software.
Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.
Easy Manage Your Intuit GoPayment Account
The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements © 2008-2012 Intuit, INC. All rights reserved.


... Sample subjects:
Congrats - you're accepted for Intuit GoPayment Merchant
Congratulations - you're approved for Intuit Merchant
Congrats - you're approved for GoPayment Merchant
Welcome - you're accepted for Intuit GoPayment
The malicious payload is at [donotclick]navisiteseparation .net/detects/processing-details_requested.php hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can."
___

Copies of Policies SPAM / linkrdin .ru
- http://blog.dynamoo....linkrdinru.html
15 Oct 2012 - "Another "Copies of Policies" spam, this time leading to malware on linkrdin .ru:
From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.


The malicious payload is on [donotclick]linkrdin .ru:8080/forum/links/column.php ... hosted on the same IPs as this spam:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia) ..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 16 October 2012 - 10:48 AM.



#789 AplusWebMaster


Posted 17 October 2012 - 06:05 AM

FYI...

Fake American Airlines emails serve BlackHole Exploit kit ...
- http://blog.webroot....le-exploit-kit/
Oct 17, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating American Airlines in an attempt to trick its customers into clicking on a malicious link found in the mail. Upon clicking on the link, users are exposed to the client-side exploits served by the BlackHole Exploit Kit v2.0...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
Spamvertised compromised URL: hxxp ://malorita-hotel .by/wp-config.htm
Detection rate for a sample Java script redirection: American_Airlines.html – MD5: 7b23a4c26b031bef76acff28163a39c5* ...JS/Exploit-Blacole.gc; JS:Blacole-CF [Expl]
Sample client-side exploits serving URL: hxxp ://omahabeachs .ru:8080/forum/links/column.php
We’ve already seen the same malicious email used in the previously profiled “Cybercriminals impersonate -UPS-, serve client-side exploits and malware” campaign, clearly indicating that these campaigns are launched by the same cybercriminal/gang of cybercriminals..."
* https://www.virustot...sis/1349016199/
File name: American_Airlines.html
Detection ratio: 9/42
Analysis date: 2012-09-30
___

Fake Amazon emails serve BlackHole Exploit kit ...
- http://blog.webroot....ts-and-malware/
Oct 16, 2012 - "... cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses. Once users click on -any- of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Second screenshot of the spamvertised email impersonating Amazon.com Inc:
> https://webrootblog....loit_kit_01.png
Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:
> https://webrootblog....loit_kit_02.png
Sample subjects used in the spamvertised emails:
Re: HD TV Waiting on delivery Few hours ago;
Your HDTV Delivered Now;
Re: HDTV Processed Yesterday;
Re: Order Processed Today;
Your Order Approved Few hours ago ...
Sample detection rate for the malicious Java script: – Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830* ... JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael
Once a successful client-side exploitation takes place, the BlackHole Exploit kit drops a malicious PDF file with MD5: 9a22573eb991a3780791a2df9c55ddab* that’s exploiting the CVE-2010-0188 vulnerability."
* https://www.virustot...sis/1349014600/
File name: Amazon.html
Detection ratio: 20/43
Analysis date: 2012-09-30
___

Spoofed WebEx, PayPal Emails lead to Rogue Flash Update
- http://blog.trendmic...e-flash-update/
Oct 16, 2012 - "... Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).
The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening this as it appears to be an alert coming from a business tool they often use...
> http://blog.trendmic...Webex_email.jpg
The second sample, on the other hand, is a spoofed PayPal email that features transaction details.
> http://blog.trendmic...ishingemail.jpg
Curious users who click these details are then directed to the webpage hosting the rogue Flash update file... Once executed, TSPY_FAREIT.SMC drops a variant of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. If you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. This stolen information is then used to initiate transactions without users' knowledge or is peddled in the underground market for the right price... The use of WebEx in these spoofed emails is also fishy (phishy?). WebEx is a popular business conference/meeting technology in the corporate world... We believe that the perpetrators of this threat are likely targeting businesses and employees...
Update... We observed a blackhole exploit kit (BHEK) spam run mimicking Facebook notification that leads to the site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM) that drops ZeuS/ZBOT variants... expect that such spam runs won’t be fading soon... these attacks are continuing at full speed... users are advised to be continuously extra careful with clicking links on email messages."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 17 October 2012 - 07:15 AM.



#790 AplusWebMaster


Posted 18 October 2012 - 09:10 AM

FYI...

NY Traffic Ticket SPAM / kennedyana .ru
- http://blog.dynamoo....nnedyanaru.html
18 Oct 2012 - "This fake Traffic Ticket spam leads to malware on kennedyana .ru:
Date: Wed, 17 Oct 2012 03:59:44 +0600
From: sales1@[redacted]
To: [redacted]
Subject: Fwd: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 5:16 AM
Date of Offense: 21/01/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM


The malicious payload is on [donotclick]kennedyana .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia) ..."
___

Fake Intuit 'Payroll Confirmation inquiry’ emails lead to the BlackHole exploit kit
- http://blog.webroot....le-exploit-kit/
Oct 18, 2012 - "...two consecutive massive email campaigns, impersonating Intuit Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails. Upon clicking on -any- of links found in the emails, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the first spamvertised campaign:
> https://webrootblog....exploit_kit.png
Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:
> https://webrootblog....loit_kit_01.png
Screenshots of the second spamvertised campaign:
> https://webrootblog....loit_kit_02.png
... Both of these malicious domains used to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains part of the campaign’s infrastructure are known to have responded to the same IPs... Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f * ... Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c ** ... Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B..."
* https://www.virustot...24bb3/analysis/
File name: contacts.exe
Detection ratio: 17/43
Analysis date: 2012-09-29
** https://www.virustot...2d907/analysis/
File name: virussign.com_06c6544f554ea892e86b6c2cb6a1700c.exe
Detection ratio: 33/43
Analysis date: 2012-10-19
___

Adobe CS4 SPAM / leprasmotra .ru
- http://blog.dynamoo....rasmotraru.html
18 Oct 2012 - "This fake Adobe spam leads to malware on leprasmotra.ru:
Date: Thu, 18 Oct 2012 10:00:26 -0300
From: "service@paypal.com" [service@paypal.com]
Subject: Order N04833
Good morning,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated


The malicious payload is at [donotclick]leprasmotra .ru:8080/forum/links/column.php hosted on:
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Blocking access to those IPs is recommended."
___

LinkedIn SPAM / 64.111.24.162
- http://blog.dynamoo....6411124162.html
17 Oct 2012 - "This fake LinkedIn spam leads to malware on 64.111.24.162:
From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Alexis Padilla
C.H. Robinson Worldwide (Sales Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is at [donotclick]64.111.24.162 /links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:
network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US
... Blocking the IP (and possibly the /27 block) is probably wise.
___

Amazon.com SPAM / sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info
- http://blog.dynamoo....riddnsinfo.html
17 Oct 2012 - "This fake Amazon.com spam leads to malware on sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info:
From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High
Gift Cards
| Your Orders
| Amazon.com
Shipping Confirmation
Order #272-3140048-4213404
Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Tuesday, October 9, 2012
Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.
Shipment Details
Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com) $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.


The malicious payload is at [donotclick]sdqhfckuri .ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh .ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).
Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.
Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either..."
___

Take a critical look at DNS blocking...
- http://h-online.com/-1731993
18 Oct 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 19 October 2012 - 01:33 AM.

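The blocking advice quoted in the post above (the 64.111.24.160/27 suballocation, the 37.230.116.0/23 range, and the .ddns.info / .ddns.name zones) can be checked against proxy or DNS logs as in the following added example, which is not part of the original post or the blogs it quotes. The log format, client addresses, timestamps and function names are constructed for illustration.

```python
import ipaddress

# Block rules taken from the advice quoted in the post above.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "64.111.24.160/27",   # "Blocking the IP (and possibly the /27 block)"
    "37.230.116.0/23",    # "Blocking the 37.230.116.0/23 range"
)]
BLOCKED_SUFFIXES = ("ddns.info", "ddns.name")

# Constructed log lines (assumed format): timestamp client dest_host dest_ip
SAMPLE_LOG = [
    "2012-10-17T06:55:01Z 10.0.0.21 sdqhfckuri.ddns.info 37.230.117.4",
    "2012-10-17T10:07:12Z 10.0.0.34 64.111.24.162 64.111.24.162",
    "2012-10-17T10:09:40Z 10.0.0.35 example.org 64.111.24.192",
    "2012-10-17T11:15:03Z 10.0.0.40 notddns.info 192.0.2.10",
    "2012-10-17T11:20:44Z 10.0.0.41 a.b.DDNS.name. 192.0.2.11",
]


def host_blocked(host):
    """True if host is a blocked zone or a subdomain of one.

    The match is made on a label boundary, so 'notddns.info' does not
    match the 'ddns.info' rule. Case and a trailing root dot are ignored.
    """
    h = host.strip().rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in BLOCKED_SUFFIXES)


def ip_blocked(ip):
    """True if ip parses as an address inside any blocked network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # not an IP literal: leave it to the host rule
    return any(addr in net for net in BLOCKED_NETS)


def evaluate(log_lines):
    """Return (client, dest_host, reasons) for every well-formed log line."""
    results = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue          # skip malformed lines rather than guessing
        _ts, client, host, ip = fields
        reasons = []
        if host_blocked(host):
            reasons.append("dyndns-suffix")
        if ip_blocked(ip):
            reasons.append("blocked-net")
        results.append((client, host, reasons))
    return results


if __name__ == "__main__":
    for client, host, reasons in evaluate(SAMPLE_LOG):
        print(client, host, ",".join(reasons) or "allow")
```

The third sample line shows the edge of the /27: 64.111.24.192 is the first address outside 64.111.24.160 - 64.111.24.191 and is not matched.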



#791 AplusWebMaster


Posted 19 October 2012 - 06:35 AM

FYI...

Fake Facebook direct messages - malware campaign ...
- http://blog.webroot....ed-in-the-wild/
Oct 19, 2012 - "... one of my Facebook friends sent me a direct message indicating that his host has been compromised, and is currently being used to send links to a malicious .zip archive through direct messages to all of his Facebook friends...
Sample screenshot of the spamvertised direct download link:
> https://webrootblog....re_campaign.png
... All of these redirect to hxxp://74.208.231.61 :81/l.php – tomascloud .com – AS8560... user is exposed to a direct download link of Picture15 .JPG .zip.
Detection rate: MD5: dfe23ad3d50c1cf45ff222842c7551ae * ... Trojan.Win32.Bublik.iez; Worm:Win32/Slenfbot..."
* https://www.virustot...sis/1349355521/
File name: Picture15-JPG.scr
Detection ratio: 20/43
Analysis date: 2012-10-04 ..."
___

LinkedIn SPAM / cowonhorse .co
- http://blog.dynamoo....wonhorseco.html
19 Oct 2012 - "This fake LinkedIn spam leads to malware on cowonhorse .co:
From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Estelle Garrison
Interpublic Group (Executive Director Marketing PPS)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation
Hi [redacted],
User sent you an invitation to connect 14 days ago. How would you like to respond?
Accept Ignore Privately
Carol Parks
Automatic Data Processing (Divisional Finance Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Rupert Nielsen
O'Reilly Automotive (Head of Non-Processing Infrastructure)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is on [donotclick]cowonhorse .co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before..."
___

Fake Friendster emails lead to BlackHole exploit kit
- http://blog.webroot....le-exploit-kit/
19 Oct 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Friendster, in an attempt to trick its current and prospective users into clicking on a malicious link found in the email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... sonatanamore .ru used to respond to the following IPs – 70.38.31.71; 202.3.245.13; 203.80.16.81; 213.251.162.65 ... Sample detection rate for the malicious iFrame loading script: friedster.html – MD5: c444036179aa371aebf9bae3e7cc5eef * ... Exploit.JS.Blacole; Trojan.JS.Iframe.acn
Upon successful client-side exploitation, the campaign drops MD5: 8fa93035ba01238dd7a55c378d1c2e40** on the affected host... Trojan-Ransom.Win32.PornoAsset.aeuz; Worm:Win32/Cridex.E
Upon execution, the sample phones back to 95.142.167.193 :8080/mx/5/A/in..."
* https://www.virustot...sis/1349356588/
File name: Friendster.html
Detection ratio: 12/43
Analysis date: 2012-10-04
** https://www.virustot...a690d/analysis/
File name: 8fa93035ba01238dd7a55c378d1
Detection ratio: 27/43
Analysis date: 2012-10-05
___

Cisco - Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - October 19, 2012
Fake Shipment Notification E-mail Messages - October 19, 2012
Fake Product Quote Request E-mail Messages - October 19, 2012
Fake Changelog E-mail Messages - October 19, 2012
Fake Xerox Scan Attachment E-mail Messages - October 19, 2012
Fake Bill Statement E-mail Messages - October 19, 2012
Fake Bank Transfer Receipt E-mail Messages - October 19, 2012
Fake Payment Slip E-mail Messages - October 19, 2012
Fake Money Transfer Receipt E-mail Messages - October 19, 2012
Fake Purchase Order Confirmation E-mail Messages - October 19, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 19, 2012
Fake Portuguese Health Alert Notification E-mail Messages - October 19, 2012
Fake Payment Slip Confirmation E-mail Message - October 19, 2012 ...

:ph34r: <_<

Edited by AplusWebMaster, 20 October 2012 - 09:51 PM.



#792 AplusWebMaster


Posted 22 October 2012 - 08:24 AM

FYI... multiple entries - SCAM-SPAM-and PHISH:

SCAM - worthless domain names: tsnetint .com and tsnetint .org
- http://blog.dynamoo....snetintorg.html
22 Oct 2012 - "Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.
The domains quoted are tsnetint .com and tsnetint .org and the originating IP is 117.27.141.168, all hosted in deepest China.
From: bertram @tsnetint .com
Date: 22 October 2012 06:02
Subject: Confirmation of Registration
(Letter to the President or Brand Owner, thanks)
Dear President,
We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October 19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.
Best Regards,
Bertram Hong
Registration Dept.
Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China
..."
___

SPAM with .gov URLs
- http://www.symantec....s/spam-gov-urls
22 Oct 2012 Updated - "Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:
> https://www.symantec...../govURL 1.png
Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.
The answer is on this webpage:
1.USA.gov is the result of a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.usa.gov URL in return.
... While this feature has legitimate uses for government agencies and employees, it has also opened a door for spammers. By using an open-redirect vulnerability, spammers were able to set up a 1.usa.gov URL that leads to a spam website.
Using the above example:
[http://]1.usa .gov/[REMOVED]/Rxpfn9
leads to
[http://]labor.vermont .gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo
which leads to
[http://]workforprofit .net/[REMOVED]/?wwvxo
The final spam page is a work-at-home scam website that has been designed to look like a financial news network website:
https://www.symantec...../govURL 2.png
To add legitimacy to the website, spammers have designed it so that other links, such as the menu bar at the top and other news articles (not shown in the above picture), actually lead to the financial news website that it is spoofing. However, the links in the article all lead to a different website where the spammer tries to make the sale:
> https://www.symantec...20thumbnail.png
USA.gov provides data created any time anyone clicks on a 1.usa.gov URL (link available on this webpage). Analysis of data from the last seven days shows that this trend began on October 12. As of October 18, 43,049 clicks were made through 1.usa.gov shortened URLs to these spam domains:
> https://www.symantec...../govURL 4.png
... This chart shows the number of spam clicks made on a daily basis:
> https://www.symantec...../govURL 5.png
While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome. Symantec encourages users to always follow best practices and exercise caution when opening links even if it is a .gov URL."
___

Phish for regular Webmail Accounts
- https://isc.sans.edu...l?storyid=14356
Last Updated: 2012-10-22 - "I was looking through my spam folder today and saw an interesting phish. The phishing email is looking for email account information. Nothing new about that, except this one seemed to have a broad target range. Normally, these types of phishes are sent to .edu addresses not those outside of academia. From the email headers, this one was sent to the Handlers email which is a .org. A non-technical user, like many of my relatives, would probably respond to this. I could see this being successful against regular webmail users of Gmail, Hotmail, etc. especially if the verbiage was changed slightly. It could also be targeting those who may be enrolled in online universities... I have included the email below:

From: University Webmaster <university.m @usa .com>
Date: Fri, Oct 19, 2012 at 9:34 PM
Subject: Webmail Account Owner
To:
Dear Webmail Account Owner,
This message is from the University Webmail Messaging Center to all email account owners.
We are currently carrying out scheduled maintenance,upgrade of our web mail service and we are changing our mail host server,as a result your original password will be reset.
We are sorry for any inconvenience caused.
To complete your webmail email account upgrade, you must reply to this email immediately and provide the information requested below.
---
CONFIRM YOUR EMAIL IDENTITY NOW
E-mail Address:
User Name/ID:
Password:
Re-type Password:
---
Failure to do this will immediately render your email address deactivated from the University Webmail
..."
___

"Copies of Policies" SPAM / fidelocastroo .ru
- http://blog.dynamoo....ocastrooru.html
22 Oct 2012 - "This spam leads to malware on fidelocastroo .ru:
Date: Mon, 22 Oct 2012 08:05:10 -0500
From: Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject: RE: Charley - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Charley HEALY,


The malicious payload is on [donotclick]fidelocastroo .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithuania)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Blocking these IPs should prevent any other attacks on the same server."

:ph34r: <_<

Edited by AplusWebMaster, 22 October 2012 - 03:04 PM.

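The 1.usa.gov chain quoted in the post above (shortener, then a .gov page whose `link=` parameter points off-site, then the spam host) can be audited mechanically. The following is an added example, not code from the original post or from Symantec: it normalises the defang notations used in this thread and flags any hop whose query string carries an absolute URL to a different host. Function names are hypothetical, and the example.org / example.net URLs in the comments and tests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hops exactly as quoted (defanged) in the post above; "[REMOVED]" is the
# post's own elision and is left in place.
CHAIN = [
    "[http://]1.usa .gov/[REMOVED]/Rxpfn9",
    "[http://]labor.vermont .gov/LinkClick.aspx"
    "?link=http://workforprofit.net/[REMOVED]/?wwvxo",
    "[http://]workforprofit .net/[REMOVED]/?wwvxo",
]


def refang(text):
    """Turn a defanged indicator into a parseable URL string (analysis only).

    Handles the notations seen in this thread: "[donotclick]", "[http://]",
    "hxxp ://", and a space inserted before a dot, colon or slash.
    """
    s = text.strip().replace("[donotclick]", "")
    s = re.sub(r"^\[(https?://)\]", r"\1", s)
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s, flags=re.I)
    s = re.sub(r"\s+(?=[.:/])", "", s)
    if "://" not in s:
        s = "http://" + s
    return s


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def embedded_redirects(url):
    """Return (param, target_host) for each query value that is itself an
    absolute http(s) URL on a host other than the carrier or its subdomains."""
    parts = urlsplit(url)
    carrier = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoding.
        candidate = unquote(value).strip()
        if candidate.startswith("//"):          # scheme-relative target
            candidate = "http:" + candidate
        if not re.match(r"(?i)^https?://", candidate):
            continue                            # relative path: stays on-site
        target = host_of(candidate)
        if target and target != carrier and not target.endswith("." + carrier):
            hits.append((name, target))
    return hits


def audit_chain(defanged_hops):
    """Summarise a redirect chain given as defanged URL strings."""
    hops = [refang(h) for h in defanged_hops]
    hosts = [host_of(h) for h in hops]
    findings = []
    for url, host in zip(hops, hosts):
        for param, target in embedded_redirects(url):
            findings.append({"carrier": host, "param": param, "target": target})
    # A chain that starts on a .gov host and ends elsewhere is the pattern
    # the post describes: the trusted-looking first hop hides the last one.
    leaves_gov = hosts[0].endswith(".gov") and not hosts[-1].endswith(".gov")
    return {"hosts": hosts, "open_redirects": findings, "leaves_gov": leaves_gov}


if __name__ == "__main__":
    report = audit_chain(CHAIN)
    print(" -> ".join(report["hosts"]))
    for f in report["open_redirects"]:
        print("off-site redirect via ?%(param)s= on %(carrier)s to %(target)s" % f)
    print("leaves .gov:", report["leaves_gov"])
```

The same check applies to mail or proxy filtering: the host shown to the user is the carrier, so the decision should be made on the embedded target.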


#793 AplusWebMaster


Posted 23 October 2012 - 04:31 AM

FYI... multiple entries: PayPal-NACHA-Intuit SPAM:

Fake PayPal emails serve malware
- http://blog.webroot....-serve-malware/
Oct 23, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick its users into downloading and executing the malicious attachment found in the legitimate looking email...
Screenshot of the spamvertised email:
> https://webrootblog....ail_malware.png
Detection rate for the malicious archive: MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ... Backdoor.Win32.Androm.fm. Once executed, the sample opens a backdoor on the infected host, allowing cybercriminals to gain complete control over the infected host..."
* https://www.virustot...sis/1350578639/
File name: Notification_payment_08_15_2012.exe
Detection ratio: 39/43
Analysis date: 2012-10-18
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake PayPal Account Verification E-mail Messages - October 22, 2012
Fake Payment Confirmation E-mail Messages - October 22, 2012
Fake Picture Link E-mail Messages - October 22, 2012
Fake Portuguese Loan Approval E-mail Messages - October 22, 2012
Malicious Personal Photograph Attachment E-mail Messages - October 22, 2012
Fake UPS Payment Document Attachment E-mail Messages - October 22, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 22, 2012
Fake Changelog E-mail Messages - Updated October 22, 2012
Fake Purchase Order Confirmation E-mail Messages - October 22, 2012...
___

NACHA SPAM / bwdlpjvehrka.ddns .info
- http://blog.dynamoo....kaddnsinfo.html
23 Oct 2012 - "This fake NACHA spam leads to malware on bwdlpjvehrka.ddns .info:
Date: Tue, 23 Oct 2012 05:44:05 +0200
From: "noreply@direct.nacha.org"
Subject: Notification about the rejected Direct Deposit payment
Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Please contact your financial institution to acquire the new version of the software.
Sincerely yours
ACH Network Rules Department
NACHA | The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996


The malicious payload is at [donotclick]bwdlpjvehrka.ddns .info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move."
___

Intuit SPAM / montrealhotpropertyguide .com
- http://blog.dynamoo....tyguidecom.html
23 Oct 2012 - "This fake Intuit spam leads to malware on montrealhotpropertyguide .com:
Date: Tue, 23 Oct 2012 14:45:14 +0200
From: "Intuit QuickBooks Customer Service" [35378B458 @aubergedesbichonnieres .com]
Subject: Intuit QuickBooks Order
Dear [redacted],
Thank you for placing an order with Intuit QuickBooks!
We have received your payment information and it is currently being processed.
ORDER INFORMATION
Order #: 366948851674
Order Date: Oct 22, 2012
[ View order ]
Qty Item Price
1 Intuit QuickBooks Pro Download 2 2012 $183.96***
Subtotal:
Sales Tax:
Total for this Order: $183.96 $0.00 $183.96
*Appropriate credit will be applied to your account.
Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.
NEED HELP?
Questions about your order? Please visit Customer Service.
Join Us On Facebook
Close More Sales
Save Time
Privacy | Legal | Contact Us | About Intuit
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof @intuit .com. Please visit http ://security.intuit .com/ for additional security information.
Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.
© 2012 Intuit Inc. or its affiliates. All rights reserved.


The malicious payload is on [donotclick]montrealhotpropertyguide .com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US)."

:ph34r: <_<

Edited by AplusWebMaster, 23 October 2012 - 09:35 AM.



#794 AplusWebMaster


Posted 24 October 2012 - 06:35 AM

FYI... multiple entries:

iPad SCAM ...
- http://www.gfi.com/b...s-to-ipad-scam/
Oct 24, 2012 - "We have been reading reports of malware and phishing attacks by means of suspicious direct messages to get user systems infected or have user information and credentials stolen, a ploy that is fast becoming common in the Twittersphere now more than ever. One GFI Labs blog reader gave us the heads up on the latest DM currently making rounds on Twitter. The message says:
did you see your pics with her facebook(dot)com/45569965114786…
Users who click the embedded link are led to a Facebook app page, which then executes a PHP script—
> http://www.gfi.com/b...und-traffic.png
... —before redirecting them to this:
> http://www.gfi.com/b...age-300x181.jpg
It appears to be a genuine Facebook event page; however, the URL has made obvious that it’s not at all related to the said social networking site.
Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click - Click here.:
> http://www.gfi.com/b...cam-300x222.jpg
...
> http://www.gfi.com/b...age-300x285.png
... Others are redirected to this ad campaign page we’re probably familiar with:
> http://www.gfi.com/b...age-300x201.png
We have determined that more than 4,500 Internet users have visited the dodgy Facebook app page; however, it is unclear how many have fallen victim to these scams... quick reminder to our readers: think before you click..."
___

Contract SPAM / fidelocastroo .ru
- http://blog.dynamoo....ocastrooru.html
24 Oct 2012 - "This fake contact spam leads to malware on fidelocastroo .ru:
Date: Tue, 23 Oct 2012 12:33:51 -0800
From: "Wilburn TIMMONS" [HIWilburn@hotmail.com]
Subject: Fw: Contract from Wilburn
Attachments: Contract_Scan_DS23656.htm
Hello,
In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.
Best regards,
Wilburn TIMMONS, secretary


The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo .ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:

202.3.245.13 (President of French Polynesia*)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

* http://blog.dynamoo....-polynesia.html ..."
___

Bogus Windows License SPAM - in the Wild
- http://www.gfi.com/b...is-in-the-wild/
Oct 24, 2012 - "... Below is a screenshot of a new spam run in the wild... presents to recipients a very suspicious but very free license for Microsoft Windows that they can download. Sounds too good to be true? It probably is.
> http://www.gfi.com/b...022-300x124.png
From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:
Welcome,
You can download your Microsoft Windows License here -
Microsoft Corporation

Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.
> http://www.gfi.com/b...hole-300x83.png
This spam is a launchpad for a Blackhole-Cridex attack on user systems. This method is likewise being used by the most recent campaign of the “Copies of Policies” spam*, also in the wild..."
* http://gfisoftware.t...ies-of-Policies
___

Wire Transfer SPAM / ponowseniks .ru
- http://blog.dynamoo....owseniksru.html
24 Oct 2012 - "This fake wire transfer spam leads to malware on ponowseniks .ru:
Date: Wed, 24 Oct 2012 04:26:12 -0500
From: FedEx [info@emails.fedex.com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
Attachments: Report_Trans99252.htm
Dear Bank Operator,
WIRE TRANSFER: FEDW-30126495944197210
STATUS: REJECTED
You can find details in the attached file.
(Internet Explorer format)

The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks .ru:8080/forum/links/column.php hosted on some familiar IP addresses:
202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)"
___

BBB SPAM / samplersmagnifyingglass.net
- http://blog.dynamoo....ngglassnet.html
24 Oct 2012 - "This fake BBB spam leads to malware on samplersmagnifyingglass .net:
Date: Wed, 24 Oct 2012 22:10:18 +0430
From: "Better Business Bureau" [noreply@bbb.org]
Subject: Better Business Beareau Appeal #42790699
Attention: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.
Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.
On a website above please enter your complain id: 42790699 to review it.
We are looking forward to hearing from you.
-----------------------------------
Faithfully,
Rebecca Wilcox
Dispute advisor
Better Business Bureau


The malicious payload is on [donotclick]samplersmagnifyingglass .net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking."

:ph34r: :ph34r:

Edited by AplusWebMaster, 24 October 2012 - 02:36 PM.



#795 AplusWebMaster


Posted 25 October 2012 - 06:07 AM

FYI... multiple entries:

Fake UPS emails serve malware ...
- http://blog.webroot....-serve-malware/
Oct 25, 2012 - "... cybercriminals launched yet another massive spam campaign, impersonating the United Parcel Service (UPS), in an attempt to trick its current and prospective customers into downloading and executing the malicious attachment found in the email. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the victim’s host...
Screenshot of the spamvertised email:
> https://webrootblog....ail_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw.
* https://www.virustot...sis/1350581761/
File name: UPS_Delivery_Confirmation.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___

Fake Facebook emails lead to malware
- https://www.net-secu...ews.php?id=2302
25.10.2012 - "If you receive an email seemingly sent by Facebook, sharing an offensive comment that has seemingly been left on your Wall by an unknown user, please don't be tempted to follow the link.
> https://www.net-secu...ensive-scam.jpg
... If you do, you'll be -redirected- to a -fake- Facebook page hosting a malicious iFrame script that triggers the infamous Blackhole exploit kit, and if it finds a vulnerability to exploit, you will be automatically saddled with some or other malicious software. The attackers will try to hide the fact by automatically redirecting you to another legitimate Facebook page, belonging to a Facebook user that, according to Sophos*, does not seem to be related to the attack."
* http://nakedsecurity...malware-attack/
___

ADP SPAM / openpolygons .net
- http://blog.dynamoo....olygonsnet.html
25 Oct 2012 - "This fake ADP spam leads to malware on openpolygons .net:
From: warning@adp.com [mailto:warning@adp.com]
Sent: Thu 25/10/2012 16:42
Subject: ADP Instant Message
ADP Pressing Communication
Reference No.: 27711
Respected ADP Client October, 25 2012
Your Transaction Report(s) have been uploaded to the web site:
Click Here to access
Please overview the following information:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This email was sent to existing users in your company that access ADP Netsecure.
As general, thank you for using ADP as your business affiliate!
Ref: 27711

> https://lh3.ggpht.co...00/adp-spam.png

The malicious payload is at [donotclick]openpolygons .net/detects/lorrys_implication.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before. That IP also hosts the fake AV application win8ss .com and another malware site of legacywins .com...
Plain list for copy-and-pasting:
195.198.124.60
openpolygons .net
win8ss .com
legacywins .com
..."
___

"End of Aug. Statement required" SPAM / kiladopje .ru
- http://blog.dynamoo....uired-spam.html
25 Oct 2012 - "This spam leads to malware on kiladopje .ru:
From: ZaireLomay@mail.com [mailto:ZaireLomay@mail.com]
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required
Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards


In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje .ru:8080/forum/links/column.php hosted on:
79.98.27.9 (Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domains are all related and should be blocked if you can:
..."
___

Vast email -malware- outbreaks – efaxCorporate and Xerox copiers
- http://blog.commtouc...-xerox-copiers/
Oct 25, 2012 - "... huge amounts of email-attached malware distributed – all with an “office” theme. The attacks pushed the amount of email up by several hundred percent and totaled near five billion emails sent worldwide.
> http://blog.commtouc...24-Oct-2012.jpg
The first part of the day saw emails describing an attachment as being the scan from a Xerox Workcenter... Yesterday’s file was a zipped executable. The second part of the attack moved on to eFaxCorporate, announcing the arrival of a (21 page) fax message. Once again the attachment was an executable file pretending to be a PDF. The file is detected as W32/Trojan2.NTLB... The malware scans the infected system for FTP programs – no doubt looking for FTP credentials that can be stolen to access and compromise Web servers (which can then be used to serve malware links).
> http://blog.commtouc...Fax-message.jpg ..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 25 October 2012 - 05:42 PM.
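
A defender-side sketch of how the indicators quoted in the posts above can be turned into a proxy-log check; this is an added example, not code from the forum post or the quoted blogs. The log format, client addresses and the `unlisted-domain.example` and `intranet.example` hosts are constructed, and flagging the repeated `:8080/forum/links/column.php` path on unlisted hosts is an assumption based on its recurrence across the quoted reports.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above, in their defanged spelling.
DEFANGED = [
    "[donotclick]fidelocastroo .ru:8080/forum/links/column.php",
    "[donotclick]ponowseniks .ru:8080/forum/links/column.php",
    "[donotclick]kiladopje .ru:8080/forum/links/column.php",
    "[donotclick]openpolygons .net/detects/lorrys_implication.php",
    "fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php",
    "win8ss .com", "202.3.245.13", "203.80.16.81", "209.51.221.247",
]
# Assumption: the path repeated across the quoted reports is worth flagging
# on port 8080 even when the host is not on the list yet.
LANDING = re.compile(r"^/forums?/links/column\.php$")

def refang(text):
    """Undo the defanging conventions used on this page."""
    t = text.replace("[donotclick]", "")
    t = t.replace("(dot)", ".").replace("(colon)", ":")
    return re.sub(r"\s+\.", ".", t).strip().lower()

def host_of(indicator):
    """Host part of a defanged URL, bare domain or IP address."""
    return urlsplit("//" + refang(indicator)).hostname

BLOCKED = {host_of(i) for i in DEFANGED}

def classify(url):
    """Return why a requested URL is suspicious, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host in BLOCKED or any(host.endswith("." + b) for b in BLOCKED):
        return "blocklisted-host"
    if u.port == 8080 and LANDING.match(u.path):
        return "landing-path-pattern"
    return None

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = "\n".join([
    f"2012-10-24T09:01:12 10.0.0.21 GET http://{host_of(DEFANGED[0])}:8080/forum/links/column.php 200",
    "2012-10-24T09:01:40 10.0.0.35 GET http://www.example.com/index.html 200",
    "2012-10-24T09:02:03 10.0.0.35 GET http://203.80.16.81:8080/forum/links/column.php 200",
    "2012-10-24T09:05:59 10.0.0.48 GET http://unlisted-domain.example:8080/forum/links/column.php 200",
    "2012-10-24T09:07:10 10.0.0.48 GET http://intranet.example:8080/forum/index.php 200",
])

def scan(log_text):
    """Return a list of (client, host, reason) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url, _status = line.split()
        reason = classify(url)
        if reason:
            hits.append((client, urlsplit(url).hostname, reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The indicator list stays in the defanged spelling used in the posts and is only normalized at run time, so the script itself carries no clickable links.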

