
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#796 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 October 2012 - 02:15 AM

FYI... multiple entries:

Share of malicious email by country
- http://www.h-online....iew=zoom;zoom=1
26 Oct 2012
___

Bogus Skype emails lead to malware...
- http://blog.webroot....ead-to-malware/
Oct 26, 2012 - "... millions of emails impersonating Skype, in an attempt to trick Skype users that their password has been successfully changed, and that in order to view their call history and change their account settings, they would need to execute the malicious attachment found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw. Upon execution, the malware opens a backdoor allowing the cybercriminals behind the campaign complete access to the affected user’s host..."
* https://www.virustot...sis/1350584221/
File name: Skype_Password_inscturtions.pdf.exe
Detection ratio: 32/43
Analysis date: 2012-10-18
___

apl.de.ap SPAM
- http://blog.dynamoo....ldeap-spam.html
26 Oct 2012 - "I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap ( http://en.wikipedia.org/wiki/Apl.de.ap ) until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east. Although those look like tinyurl links, they're not... they go through a redirector at ykadl .net on 109.236.88.71, the same IP used to send the spam... here's the spam in case you really want to buy tickets from a shady bunch of spammers (NOT)...
From: DNA alex @ ykadl .net
Date: 26 October 2012 04:48
Subject: Black Eyed Peas/ APL DE AP in Dubai
Signed by: ykadl.net
BLACK EYE PEAS founding member APL DE AP heads to Dubai
BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.
Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.
APL DE AP and the other members of the Black Eyed Peas have been on a hiatus
..."
___

ADP SPAM / steamedboasting .info
- http://blog.dynamoo....astinginfo.html
26 Oct 2012 - "This fake ADP spam leads to malware on steamedboasting.info:
From: ClientService @adp .com
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification
ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https ://www.flexdirect.adp .com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344


The malicious payload is at [donotclick]steamedboasting .info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting .info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).
This is an alternative variant with the same malicious payload:
Date: Fri, 26 Oct 2012 16:32:10 +0530
From: "noreply @adp .com"
Subject: ADP Prompt Communication
ADP Speedy Notification
Reference #: 27585
Dear ADP Client October, 25 2012
Your Transaction Statement(s) have been put onto the web site:
Web site link
Please see the following notes:
• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).
?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.
This message was sent to operating users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business partner!
Ref: 27585 [redacted]
..."
___

"Your Photos" SPAM / manekenppa .ru
- http://blog.dynamoo....nekenpparu.html
26 Oct 2012 - "This fake "photos" spam leads to malware on manekenppa .ru:
From: Acacia @redacted .com
Sent: 26 October 2012 10:14
Subject: Your Photos
Hi,
I have attached your photos to the mail
(Open with Internet Explorer).

In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa .ru:8080/forum/links/column.php hosted on some familiar looking IPs:
79.98.27.9 (Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
We've seen these IPs before and they are well worth blocking."

:ph34r: <_<

Edited by AplusWebMaster, 26 October 2012 - 03:09 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#797 AplusWebMaster


Posted 28 October 2012 - 12:20 PM

FYI...

Fake BT-Business emails lead to malware ...
- http://blog.webroot....ead-to-malware/
Oct 28, 2012 - "Over the past 24 hours, cybercriminals have been spamvertising millions of emails targeting customers of BT’s Business Direct in an attempt to trick its users into executing the malicious attachment found in the emails. Upon executing it, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host...
Screenshot of the spamvertised email:
> https://webrootblog....ail_malware.png
Detection rate for the malicious attachment: MD5: 8d0e220ce56ebd5a03c389bedd116ac5 * ... Trojan-Ransom.Win32.Gimemo.ashm ..."
* https://www.virustot...f7c48/analysis/
File name: 8D0E220CE56EBD5A03C389BEDD116AC5.fil
Detection ratio: 32/42
Analysis date: 2012-10-25
___

Fake Verizon Wireless emails serve client-side exploits and malware ...
- http://blog.webroot....ts-and-malware/
Oct 27, 2012 - "... For over a week now, cybercriminals have been persistently spamvertising millions of emails impersonating the company, in an attempt to trick current and prospective customers into clicking on the client-side exploits and malware serving links found in the malicious email. Upon clicking on any of the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
Spamvertised malicious URLs:
hxxp ://coaseguros .com/components/com_ag_google_analytics2/notifiedvzn.html;
hxxp ://clinflows .com/components/com_ag_google_analytics2/vznnotifycheck.html
Client-side exploits serving URL: hxxp ://strangernaturallanguage .net/detects/notification-status_login.php?mzuilm=073707340a&awi=45&dawn=04083703023407370609&iwnjdt=0a000300040002
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: b8d6532dd17c3c6f91de5cc13266f374 * ... Trojan-Spy.Win32.Zbot.fkth
Once executed, the sample phones back to tuningmurcelagoglamour .ru, tuningfordmustangxtremee .ru - 146.185.220.28, AS58014 ..."
* https://www.virustot...561f4/analysis/
File name: b8d6532dd17c3c6f91de5cc13266f374.malware
Detection ratio: 26/44
Analysis date: 2012-10-09 ..."

:ph34r: <_< :ph34r:



#798 AplusWebMaster


Posted 29 October 2012 - 05:20 AM

FYI...

Fake British Airways emails serve malware
- http://blog.webroot....-serve-malware/
Oct 29, 2012 - "Cybercriminals are currently mass mailing millions of emails in an attempt to trick British Airways customers into executing the malicious attachment found in the spamvertised emails. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the infected host...
Screenshot of the spamvertised email:
> https://webrootblog....ail_malware.png
Detection rate for the malicious attachment: MD5: 4a3a345c24fda6987bbe5411269e26b7 * ... Trojan-Downloader.Win32.Andromeda.aey..."
* https://www.virustot...a5c21/analysis/
File name: BritishAirways-eticket.pdf.exe
Detection ratio: 30/43
Analysis date: 2012-10-23
___

.com malware pretends to be naughty .com website
- http://blog.commtouc...ty-com-website/
Oct 28, 2012 - "... The email doesn’t include much text – simply asking that you 'Pay attention at the attach':
Screenshot: http://blog.commtouc...ick-blurred.jpg
... As shown in the screenshot it’s www .——-face .com. Those tempted to double-click the “link” in order to visit a porn site would find themselves attacked by malware."

:ph34r: <_<

Edited by AplusWebMaster, 29 October 2012 - 07:50 AM.



#799 AplusWebMaster


Posted 30 October 2012 - 03:04 PM

FYI...

Bogus Facebook notifications serve malware
- http://blog.webroot....-serve-malware/
Oct 30, 2012 - "... cybercriminals spamvertised yet another massive email campaign, impersonating the world’s most popular social network – Facebook. It was similar to a previously profiled spam campaign imitating Facebook. However, in this case the cybercriminals behind it relied on attached malicious archives, compared to including exploits and malware serving links in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog....ail_malware.png
Detection rate for the malicious archive: MD5: 0938302fbf8f7db161e46c558660ae0b * ... Trojan.Generic.KDV.753880; Trojan-Ransom.Win32.Gimemo.arsu. Upon execution, the sample opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain full access to the affected host..."
* https://www.virustot...sis/1350575670/
File name: FacebookPhoto_album.jpeg.exe
Detection ratio: 34/43
Analysis date: 2012-10-18
___

Blackhat SEO poisoning: Halloween tricks and holiday malware ...
- http://blogs.compute...lware-interview
Oct 29, 2012 - "... things like blackhat SEO poisoning to successfully infect devices. Blackhat SEO link poisoning, scams, tricks. Although the poisonous pranks and tainted tricks go far beyond Halloween, this seemed a great time to get insight into these trends as well as tips to avoid them. You might know about it, but how about your parents or other people who are not nearly so security-savvy? You might want to warn them that their simple searches could infect their computers... especially if you will be the one called upon to fix them for free ;-) ..."
(More detail at the URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 30 October 2012 - 03:26 PM.



#800 AplusWebMaster


Posted 31 October 2012 - 11:45 AM

FYI... multiple entries:

Twitter phish is selling drama
- http://www.gfi.com/b...-selling-drama/
Oct 30, 2012 - "... new phish in Twitter... you won’t miss it once you visit your direct message (DM) inbox. The message content can be any of the following:
- A horrible rumor is spreading about you
- A nasty rumor is spreading about you
- A terrible rumor is spreading about you
- You see this video of someone taping you? [URL redacted] creep
- Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on [URL redacted] sNqp


Whatever the message, it carries a shortened URL that directs the recipient to the domain ivtwtter(dot)com once clicked. Fortunately, the domain is no longer active.
> http://www.gfi.com/b...itter-phish.png
Web browsers have also flagged the URL as a phishing site. If you receive any of these messages (or similar), the best way to handle it is to simply delete it from your DM inbox and warn your followers. In warning them, don’t copy and paste the entire message you received with the live link still in it — as some are prone to do — because this just increases the possibility of the nefarious link getting clicked..."
___

"Your Apple ID has been disabled" phish
- http://blog.dynamoo....bled-phish.html
31 Oct 2012 - "I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam emails...
From: Apple no_reply@macapple.com
Reply-To: no_reply@macapple.com
Date: 31 October 2012 06:08
Subject: Your Apple ID has been disabled
Apple ID Support
Dear [redacted] ,
This Apple ID has been disabled!
For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.
To verify your Apple ID, we recommend that you go to:
Verify Now >


The phish is hosted at [donotclick]app.apple .com.proiectmaxim .ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name... It just goes to show that the bad guys will try to phish -anything- these days."
___

HP ScanJet SPAM / donkihotik .ru
- http://blog.dynamoo....nkihotikru.html
31 Oct 2012 - "This fake printer message leads to malware on donkihotik .ru:
Date: Wed, 31 Oct 2012 05:06:42 +0300
From: LinkedIn Connections
Subject: Re: Fwd:Scan from a HP ScanJet #26531
Attachments: HP-Scan-44974.htm
Attached document was scanned and sent
to you using a Hewlett-Packard Officejet PRO.
Sent: by Bria
Image(s) : 6
Attachment: Internet Explorer file [.htm]
Hewlett-Packard Officejet Location: machine location not set


The malicious payload is at [donotclick]donkihotik .ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack* yesterday."
* http://blog.dynamoo....fionadixru.html
"... some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)
Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)
Plain list for copy-and-pasting:
50.22.102.132
62.76.186.190
68.67.42.41
84.22.100.108
203.80.16.81
209.51.221.247
213.251.171.30
manekenppa.ru
kiladopje.ru
lemonadiom.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
windowonu.ru
panalkinew.ru
fionadix.ru
..."
___

Steam phish steals more than credentials
- http://www.gfi.com/b...am-credentials/
Oct 31, 2012 - "... targeting players of the popular gaming platform, Steam. More than a year ago, Valve launched Steam Trading. The objective is to “allows you [the Steam account owner] to exchange In-game items and Gifts with everybody in the Steam Community.” It is a good move to get people within their large gaming community to engage with one another and form a bond of camaraderie. Upon its launch, Steam can only cater to a number of gamers. In particular, those who play Team Fortress 2, Portal, Spiral Knights, and other games from Three Rings and SEGA... phishing page that mimics the look and feel of the actual news page announcing the launch. The -bogus- page -baits- unknowing users with one free game this “Steam Happy Day”... at this time of writing Chrome flags the site as a phish... If you play Team Fortress 2, Portal, Spiral Knights plus other SEGA games on Steam and regularly trade items with other players, please avoid and block days(dot)steamgamesgift(dot)yzi(dot)me ... Be wary of free games and offers that would cost you more than you want to bargain for, especially if they’re hosted on dubious sites that use familiar strings in URLs you’d normally see in legitimate sites. To be safe, visit Steam directly* to double-check if they indeed have free offers..."
* http://store.steampowered.com/

:ph34r: <_<

Edited by AplusWebMaster, 31 October 2012 - 12:04 PM.



#801 AplusWebMaster


Posted 01 November 2012 - 05:14 AM

FYI...

Bogus BofA ‘Online Banking Passcode Reset’ emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Nov 1, 2012 - "Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying on bogus “Online Banking Passcode Changed” notifications and professionally looking email templates, the campaign is the latest indication of the systematic rotation of impersonated brands in an attempt to cover as many market segments as possible...
Screenshot of a sample spamvertised email:
> https://webrootblog....re_exploits.png
... Client-side exploits serving URL: hxxp ://the-mesgate .net/detects/signOn_go.php – 183.81.133.121, AS38442 ... Also responding to the same IP are the following malicious domains:
stafffire .net – 183.81.133.121, AS38442
hotsecrete .net – Email: counseling1 @ yahoo .com
formexiting .net – suspended domain
navisiteseparation .net – suspended domain ...
Related malicious domains responding to these IPs:
change-hot .net
locksmack .net
Money mule recruitment domains using the same IP as a mailserver:
aurafinancialgroup .com
epscareers .com
As you can see, this campaign is a great example of the very existence of the cybercrime ecosystem. Not only are they spamvertising millions of exploits and malware serving emails, they’re also multitasking on multiple fronts, as these two domains are recruiting money mules to process fraudulently obtained assets from the affected victims..."
___

Discover card SPAM / netgear-india.net
- http://blog.dynamoo....r-indianet.html
1 Nov 2012 - "This fake Discover Card spam leads to malware on netgear-india .net:
From: Discover Account Notes [mailto:no-reply @ notify .discover .com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms
Account Services | Customer Care Services
Account ending in XXX1
An substantial communication regarding latest Declined Transfers is waiting for you.
Log In to Read Information
Honored Discover Client,
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.
To ensure optimal privacy, please log in to view your message at Discover.com.
Please click on this link if you have forgotten your UserID or Password.
Add information @ service .discover .com to your address book to ensure delivery of these notifications.
VITAL NOTE
This message was delivered to [redacted] for Discover debit card account number ending with XXX1.
You are receiving this e-mail because you have account at Discover.com.
Log in to change your e-mail address or overview your account e-mail options.
If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.
Please DO NOT reply to this message. auto informer system cannot accept incoming email.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]
========
From: Discover Account Notes [mailto:donotreply @service .discover .com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account
Account Center | Customer Center
Account ending in XXX9
An significant message regarding latest Approved Activity is waiting for you.
Log In to Overview Details
Respective Cardholder,
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.
To ensure optimal privacy, please sign in to read your data at Discover.com.
Please visit discover .com if you have forgotten your Login ID or Password.
Add discover @ information .discover .com to your trusted emails to ensure delivery of these messages.
VITAL NOTIFICATION
This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.
You are receiving this e-mail because you member of Discover.com.
Log in to change your e-mail address or view your account e-mail settings.
If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.
Please don't reply to this message. auto-notification system cannot accept incoming mail.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]


The malicious payload is at [donotclick]netgear-india .net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
itracrions .pl
radiovaweonearch .com
steamedboasting .info
solla .at
netgear-india .net
puzzledbased .net
stempare .net
questionscharges .net
bootingbluray .net
..."
___

Hurricane Sandy SPAMs lead to survey scams
- http://nakedsecurity...o-survey-scams/
Nov 1, 2012 - "... we began to see the first online criminals trying to cash in on the interest in Hurricane Sandy. The good news is they are not trying to spread malware (yet), but the bad news is they are trying to take advantage of a natural disaster affecting millions. The subject lines of the scam messages -- "Sandy Got you down? We've got you covered!", "Don't let the storm ruin your diner plans" and "Avoid the Storm, Eat at chilis!" -- appear to be targeting people who may need to file insurance claims related to damages from the "super storm" and other people who are simply hungry. The bodies of the emails aren't terribly interesting, but every place in the message is a link to a site called "remain watery." The domain was registered on October 15th, clearly in anticipation of creating more victims from this crisis... For those who are affected by the hurricane, stay safe, stay secure, and don't fall for it. The last thing you need right now is another thing to worry about cleaning up after."
___

Hurricane Sandy pump and dump SPAM
- http://blog.commtouc...urricane-sandy/
Oct 31, 2012 - "... recipients are encouraged to buy into low-priced shares now that Hurricane Sandy has passed and trading has resumed.
> http://blog.commtouc...-stock-spam.jpg
... we see less topical spam than we used to. In the past spammers would use current events in subjects and in the text of emails to create interest and generate visits to pharmacy and replica websites..."

:ph34r: <_<

Edited by AplusWebMaster, 01 November 2012 - 04:13 PM.



#802 AplusWebMaster


Posted 02 November 2012 - 06:34 AM

FYI...

Fake ADP SPAM emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 2, 2012 - "... cybercriminals behind the recently profiled malicious campaign impersonating Bank of America, launched yet another massive spam campaign, this time targeting ADP customers. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Client-side exploits serving URL: hxxp ://reasonedblitzing .net/detects/lorrys_implication.php – 195.198.124.60, AS3301 – Email: monteene_forbrich8029@mauritius.com; hxxp ://nfcmpaa .info/detects/burying_releases-degree.php – 195.198.124.60, AS3301 – Email: nevein_standrin35 @ kube93mail .com...
Responding to the same IP are also the following malicious domains:
win8ss .com – Email: fermetnolega @ hotmail .com
legacywins .com – Email: fermetnolega @hotmail .com
openpolygons .net – Email: cordey_yabe139 @ flashmail .net
steamedboasting .info – Email: mauro_borozny655 @ medical .net.au
Name servers part of the campaign’s infrastructure:
Name Server: NS1.TOPPAUDIO .COM
Name Server: NS2.TOPPAUDIO .COM
We’ve already seen the same name servers used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware” malicious campaign. Clearly, the cybercriminal or gang of cybercriminals behind the campaign continue rotating the impersonated brands, next to using the same malicious infrastructure to achieve their objectives..."
___

Fake "Payroll Account Cancelled by Intuit" email
- http://security.intu.../alert.php?a=67
11/2/2012 - "People are receiving emails with the title "Notification Only: Payroll Account Cancelled by Intuit." Below is a copy of the email people are receiving.

Direct Deposit Service Informer
Informational Only
We processed your payroll on November 1, 2012 at 365 PM Pacific Time.
Money would be revoked from the Checking account number ending in: XXX3 on November 2, 2012.
total to be left: $2 465.98
Paychecks would be deferred to your workforce' accounts on: November, 2, 2012
Sign In to Overview Details
Funds are typically departed before business banking hours so please be sure you have enough Cash on the account by 12 a.m. on the date Funds are to be withdrawn.
Intuit must process your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your personnel will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


This is the end of the fake email..."

- http://blog.dynamoo....icatesinfo.html
2 Nov 2012 - "... fake Intuit spam leads to malware on savedordercommunicates .info:
... Subject: Notification Only: Transaction Received by Intuit"...
The malicious payload is at [donotclick]savedordercommunicates .info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich .org. Blocking this IP would be wise."
___

Wire Transfer SPAM / webmoniacs .ru
- http://blog.dynamoo....bmoniacsru.html
2 Nov 2012 - "This fake wire transfer spam leads to malware on webmoniacs .ru:
Date: Fri, 2 Nov 2012 06:23:10 +0700
From: service @ paypal .com
Subject: RE: Wire Transfer cancelled
Dear Sirs,
The Wire transfer was canceled by the other bank.
Canceled transaction:
FED REFERENCE NUMBER: 628591160ACH34584
Transaction Report: View
The Federal Reserve Wire Network


The malicious payload is at [donotclick]webmoniacs .ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domain are all connected and should be blocked:
50.22.102.132
62.76.186.190
65.99.223.24
68.67.42.41
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
203.80.16.81
209.51.221.247
213.251.171.30
denegnashete .ru
dianadrau .ru
donkihotik .ru
fidelocastroo .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
kiladopje .ru
lemonadiom .ru
manekenppa .ru
panacealeon .ru
panalkinew .ru
pionierspokemon .ru
ponowseniks .ru
rumyniaonline .ru
webmoniacs .ru
windowonu .ru
..."
___

Sandy storms inboxes
- http://www.symantec....-storms-inboxes
Nov. 2, 2012 - "... Sandy has now added spam to its list of misery... The top word combinations in message headlines are "hurricane – sandy", "coast – sandy", "sandy – storm", and "sandy – superstorm"...
> https://www.symantec.../images/444.png
... Message volume over a two-day period...
Typical spam attacks like "Gift card offer" and "Money making & Financial" spam are currently targeting the disaster... examples of subject lines seen in the spam messages:
- Help Sandy Victims and get $1000 for Best Buy!
- Sandy Strikes... [WARNING]
- Deposit Processing Open Today (Frankenstorm doesn't stop us)
... never donate money or buy products through wire transfer services or similarly untraceable methods of payment. Instead, reach out to the storm victims through legitimate and secure channels..."

- https://www.ic3.gov/...012/121101.aspx
Nov 1, 2012

:ph34r: <_<

Edited by AplusWebMaster, 04 November 2012 - 06:54 AM.

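Added example (not from this thread or from any of the blogs it quotes): a small Python script showing how a defender can turn the defanged indicator lists posted above (the "Plain list for copy-and-pasting" block and the "should be blocked" IP/domain list in this post, written with "hxxp ://", "[donotclick]" and a space before the TLD) into a normalised blocklist and run it over proxy log lines, treating subdomains of a listed domain as matches. It also includes the double-extension check that the attachment names quoted earlier in the thread (".pdf.exe", ".jpeg.exe") call for. The log line format, the example.com request, and the extension sets are my assumptions; the indicator values in the sample are ones the posts list.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: indicator lines in the defanged style used in the thread
# ("hxxp ://", "[donotclick]", a space before the TLD, "@" padded with spaces).
# The values are ones the posts list; the surrounding words mimic the quoted blog text.
POSTED_INDICATORS = """\
The malicious payload is at [donotclick]webmoniacs .ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
hxxp ://reasonedblitzing .net/detects/lorrys_implication.php – 195.198.124.60, AS3301
steamedboasting .info – Email: mauro_borozny655 @ medical .net.au
denegnashete .ru
"""

# Constructed proxy log lines in a hypothetical "time client method url status" format.
SAMPLE_PROXY_LOG = [
    "2012-11-02T10:14:03Z 10.0.0.12 GET http://webmoniacs.ru:8080/forum/links/column.php 200",
    "2012-11-02T10:15:41Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2012-11-02T10:16:09Z 10.0.0.19 GET http://195.198.124.60/detects/lorrys_implication.php 200",
    "2012-11-02T10:17:22Z 10.0.0.7 GET http://cdn.steamedboasting.info/x.js 404",
]

HOST = r"(?:(?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})"
URL_RE = re.compile(r"(?:https?://)?" + HOST + r"(?::\d+)?/[^\s<>]*", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\S+@\S+")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Assumed extension sets for the double-extension check; extend to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".jpg", ".jpeg", ".htm", ".html", ".txt", ".zip"}


def refang(text):
    """Undo the defanging conventions so ordinary regexes can parse the values."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"h(?:xx|tt)p(s?)\s*://", r"http\1://", text)  # "hxxp ://" -> "http://"
    text = re.sub(r"\s+@\s+", "@", text)                         # "a @ b" -> "a@b"
    text = re.sub(r"(\w)\s+\.(\w)", r"\1.\2", text)              # "webmoniacs .ru" -> "webmoniacs.ru"
    return text


def _add_host(host, iocs):
    """File a host under ips or domains; silently drop malformed values."""
    if not host:
        return
    try:
        iocs["ips"].add(str(ip_address(host)))
    except ValueError:
        if DOMAIN_RE.fullmatch(host):
            iocs["domains"].add(host.lower())


def extract_iocs(text):
    """Return {'ips', 'domains', 'urls'} sets from a block of (possibly defanged) indicator text."""
    text = refang(text)
    iocs = {"ips": set(), "domains": set(), "urls": set()}
    for url in URL_RE.findall(text):
        full = url if url.lower().startswith("http") else "http://" + url
        iocs["urls"].add(full)
        _add_host(urlsplit(full).hostname, iocs)
    # URL paths and registrant e-mail addresses are context, not hosts to block.
    rest = EMAIL_RE.sub(" ", URL_RE.sub(" ", text))
    for ip in IPV4_RE.findall(rest):
        _add_host(ip, iocs)
    rest = IPV4_RE.sub(" ", rest)
    for dom in DOMAIN_RE.findall(rest):
        _add_host(dom, iocs)
    return iocs


def _listed_parent(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_proxy_log(iocs, lines):
    """Return (line_number, indicator) for every request whose host is a listed IP or domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0)
        host = urlsplit(url if url.lower().startswith("http") else "http://" + url).hostname or ""
        if host in iocs["ips"]:
            hits.append((number, host))
        else:
            parent = _listed_parent(host, iocs["domains"])
            if parent:
                hits.append((number, parent))
    return hits


def looks_like_disguised_executable(filename):
    """True for names like Skype_Password_inscturtions.pdf.exe: a document extension
    in front of an executable one, the part Explorer hides with extensions turned off."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return "." + parts[2] in EXECUTABLE_EXTS and "." + parts[1] in DOCUMENT_EXTS


if __name__ == "__main__":
    found = extract_iocs(POSTED_INDICATORS)
    print("ips:", sorted(found["ips"]))
    print("domains:", sorted(found["domains"]))
    for number, indicator in match_proxy_log(found, SAMPLE_PROXY_LOG):
        print(f"line {number}: {SAMPLE_PROXY_LOG[number - 1]}  <- {indicator}")
    for name in ("Skype_Password_inscturtions.pdf.exe", "HP-Scan-44974.htm"):
        print(name, "->", looks_like_disguised_executable(name))
```

Registrant e-mail addresses are deliberately stripped before the domain pass, since a blog line such as "Email: ... @ medical .net.au" names the registrant's mail provider, not a host to block; URLs are consumed first so that path components like "column.php" are never mistaken for domains.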


#803 AplusWebMaster


Posted 05 November 2012 - 06:03 AM

FYI...

Malware... as a Vodafone MMS message
- http://h-online.com/-1743608
5 Nov 2012 - "The phone number from which the message was supposedly sent varies... Cyber criminals are currently spreading malware by sending a large number of email messages purporting to be from Vodafone's MMS gateway. These emails have the subject "You have received a new message" and claim that the recipient has been sent a picture message over MMS from a Vodafone customer. The Vodafone email address used and the supposed telephone number sending the messages varies*; even the country code is changed based on the location being targeted...
* http://www.h-online....iew=zoom;zoom=1
The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched... VirusTotal*... To avoid accidentally opening such files and becoming infected with malware, Windows users should also make sure that file name extensions are always shown**..."
* https://www.virustot...5f9a7/analysis/
File name: Vodafone_MMS.zip
Detection ratio: 11/43
Analysis date: 2012-11-05

** https://en.wikipedia...Security_issues
"... default behavior of Windows Explorer... is for filename extensions -not- to be shown... without alerting the user to the fact that (it may be) a harmful computer program..."
___

Wire Transfer & PayPal SPAM / forumibiza .ru
- http://blog.dynamoo....rumibizaru.html
5 Nov 2012 - "These two spam campaigns lead to malware on forumibiza .ru:
Date: Mon, 5 Nov 2012 12:54:44 +0530
From: Declan Benjamin via LinkedIn ...
Subject: Wire Transfer Confirmation (FED 27845UL095)
Good afternoon,
Your Wire Transfer Amount: USD 85,714.01
Wire Transfer Report: View
ELOISA STRICKLAND,
The Federal Reserve Wire Network
==============
From: JoyceMillwee @ mail .com
Sent: 05 November 2012 01:48
Subject: Welcome to PayPal - Choose your way to pay
Welcome
Hello [redacted],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
5693-0930-8767-9350-6794
Transfer Information
Amount: 27380.54 $
Reciever: Gracia Cooley
E-mail: Gage97742 @[redacted] .com
Accept Decline
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP6118


The malicious payload in both cases is [donotclick]forumibiza .ru:8080/forum/links/column.php hosted on the following IPs:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia) ..."
___

Something evil on 31.193.12.3
- http://blog.dynamoo....n-31193123.html
4 Nov 2012 - "These are fake AVs and drive-by downloads mostly, some seem to be promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK**) and suballocated to:
person: Olexii Kovalenko
address: Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone: +1 570 343 2200
fax-no: +1 570 343 9533
nic-hdl: OK2455-RIPE
source: RIPE # Filtered
mnt-by: mnt-burst-au
mnt-by: mnt-burst-mu

The registration for the .asia and .eu domains is consistent in the ones I have checked:
Registrant ID:DI_23063626
Registrant Name: Javier
Registrant Organization: n/a
Registrant Address: Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City: Belgorad
Registrant State/Province: Belgorodskaya oblast
Registrant Country/Economy: RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007 @mail .ru


... I've broken the list into three parts, it's a bit messy sorry... this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the easiest option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment. Many of these domains show as evil in Google's Safe Browsing Diagnostics (example*) and I can find -zero- legitimate domains on this IP..."
* https://www.google.c...=acutefile.asia

** https://www.google.c...c?site=AS:29550

** https://www.google.c...c?site=AS:51377
___

Fake statistics domains lead to malware
- http://blog.dynamoo....to-malware.html
5 Nov 2012 - "The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.

bilingstats .org
bombast-atse .org
bombastatse .org
ceastats .org
colinstats .org
expertstats .org
informazionestatistica .org
melestats .org
nonolite .org
statisticaeconomica .org
statspps .org
superbombastatse .org
topbombastatse .org
ufficiostatistica .org

Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands) ..."
___

Dynamic DNS sites you might want to block
- http://blog.dynamoo....ht-want-to.html
5 Nov 2012 - "These domains belong to ChangeIP .com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. These will be used with some random subdomain unless it's a corporate site (like ChangeIP .com itself) pointing to a random IP address somewhere.. so blocking IPs won't work here.
There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them. The second one is a plain list of everything in case you want to block them completely. You might notice one of the domains is called b0tnet .com which is a peculiar name for a legitimate business to register..."
(More detail at the URL above.)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 05 November 2012 - 02:18 PM.

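The Vodafone item above turns on Windows hiding the real extension of "Vodafone_MMS.jpg.exe" inside the zip. As an added example (not code from the original post or from h-online), here is a Python check a mail gateway or triage script can run over attachment names, including members of a zip archive; the sample zip is constructed inline with an inert text member named like the lure, and the extension lists are my own assumptions:

```python
"""Flag attachment names that rely on Windows hiding the real extension.

Added example, not part of the original post. Sample file names are taken
from the campaigns described in the thread; the zip content is constructed.
"""
import io
import zipfile

# Extensions Windows runs directly on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "cpl", "msi",
                   "js", "jse", "vbs", "vbe", "wsf"}
# Harmless-looking extensions used as the visible decoy in front of the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif", "txt"}
# Attachments that carry script a browser will execute (the "(Internet Explorer file)" lures).
ACTIVE_CONTENT_EXTS = {"htm", "html", "hta"}


def classify_name(name):
    """Return 'double-extension', 'executable', 'active-content' or 'ok' for a file name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return "ok"
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        # Vodafone_MMS.jpg.exe: with extensions hidden, Explorer shows "Vodafone_MMS.jpg"
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return "double-extension"
        return "executable"
    if ext in ACTIVE_CONTENT_EXTS:
        return "active-content"
    return "ok"


def inspect_attachment(name, data=None):
    """Classify an attachment; for a .zip with data, classify each member instead.

    Returns a list of (file_name, verdict) pairs for everything that is not 'ok'.
    """
    findings = []
    if name.lower().endswith(".zip") and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    verdict = classify_name(member)
                    if verdict != "ok":
                        findings.append((member, verdict))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt-zip"))
        return findings
    verdict = classify_name(name)
    if verdict != "ok":
        findings.append((name, verdict))
    return findings


def build_sample_zip():
    """Constructed stand-in for the Vodafone_MMS.zip lure: one inert text member
    named like the executable described in the post (no real executable content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vodafone_MMS.jpg.exe", "placeholder text, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ["Vodafone_MMS.jpg.exe", "Shipping_Label_USPS.exe",
                   "Invoice_e49580.htm", "photo.jpg"]:
        print(sample, "->", classify_name(sample))
    print(inspect_attachment("Vodafone_MMS.zip", build_sample_zip()))
```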


#804 AplusWebMaster

Posted 06 November 2012 - 07:16 AM

FYI...

Bogus USPS emails lead to malware
- http://blog.webroot....ead-to-malware/
Nov 6, 2012 - "... mass mailing millions of emails impersonating The United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.jpg
Spamvertised compromised URL: hxxp ://www .unser-revier-bruchtorf-ost .de/FWUJKKOGMP.html
Actual malicious archive URL: hxxp ://www .unser-revier-bruchtorf-ost .de/Shipping_Label_USPS.zip
Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to the following URLs...
(See the 1st webroot URL above - long list of IPs.) ... 64.151.87.152, 66.7.209.185, 173.224.211.194, 46.105.121.86, 222.255.237.132, 64.151.87.152, 79.170.89.209, 217.160.236.108, 88.84.137.174, 46.105.112.99, 50.22.136.150, 130.88.105.45, 91.205.63.194, 95.173.180.42, 217.160.236.108 ..."
* https://www.virustot...sis/1351876562/
File name: Shipping_Label_USPS.exe
Detection ratio: 5/44
Analysis date: 2012-11-02
___

SMS SPAM: "Records passed to us show you're entitled to a refund approximately £2130"
- http://blog.dynamoo....to-us-show.html
6 Nov 2012 - "More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.
Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints."
___

Fake Apple "Account Info Change" SPAM / welnessmedical .com
- http://blog.dynamoo....hange-spam.html
6 Nov 2012 - "Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical .com.
From: Apple [ appleid @ id.arcadiadesign .it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change
Hello,
The following information for your Apple ID [redacted] was updated on 11/06/2012:
Date of birth
Security question(s) and answer(s)
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
To review and update your security settings, sign in to appleid.apple.com.
This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
Thanks,
Apple Customer Support
TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID


The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44... Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is.. our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia* if you want more information."
* http://en.wikipedia....iki/CyberBunker
___

Fake "Scan from a Xerox WorkCentre Pro" / peneloipin .ru
- http://blog.dynamoo....centre-pro.html
6 Nov 2012 - "This fake printer spam leads to malware on peneloipin .ru:
From: Keshawn Burns [mailto:MaribelParchment@hotmail.com]
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830
Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]
Xerox WorkCentre Location: machine location not set


The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin .ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:
65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
The following malicious domains are also hosted on the same servers:
forumibiza .ru
kiladopje .ru
donkihotik .ru
lemonadiom .ru
peneloipin .ru
panacealeon .ru
finitolaco .ru
fidelocastroo .ru
ponowseniks .ru
dianadrau .ru
panalkinew .ru
fionadix .ru ..."
___

Elections and shenanigans
- http://www.gfi.com/b...nd-shenanigans/
Nov 6, 2012 - "... Election Day... we’re not short of seeing shenanigans related to this big event that online criminals and scammers have been taking advantage of for months. What we have below are just some of what we found surrounding the elections. First off is a file that goes by the name election card1.exe, and it looks like this:
> http://www.gfi.com/b...ction-card1.png
This is actually a Trojan that VIPRE detects as Trojan.Win32.Rotinom.b (v). Once users double-click this file, it modifies the affected system’s registry to enable its execution at every system startup and to hide file extensions, among other changes. This file could be a result of scammers hoping to capitalise on voters in cities who can’t physically go to polling stations to vote due to Hurricane Sandy but will resort to voting using email and/or fax. The nature of this threat could not be more timely. We’ve also seen something called Romney_Obama_Focus_On_Key_States_on_Final_Lap.zip. When you take a look at what’s inside the compressed file, here is what you’ll see:
> http://www.gfi.com/b.../2012/11/01.png
Another executable file that uses an icon of a different file, this time posing as a Microsoft Word document file. Funnily enough, when you do execute the file, it indeed calls on both MS Word and WordPad (just in case you don’t have the other) and then shows you a .DOC article about Mitt Romney and President Barack Obama:
> http://www.gfi.com/b...2012/11/rom.png
The document is called Romney_Obama_Focus_On_Key_States_on_Final_Lap .doc, and it is embedded within the executable file. Criminals have been using this “sleight-of-hand” trick on their malware for a long time. They do this to make users believe that what was downloaded is just a harmless document file, not knowing that the malware already made several modifications on their system before they even start to read the article. Of course, this trick only works if the “Hide file extension” advanced view setting is ticked. We’ve also seen a lot of legitimate web pages out there that use tags like “election” and “obama” that serve malicious code (iframe tags leading to .ru websites and obfuscated JavaScript). Please be wary when you visit election-related sites.
> http://www.gfi.com/b...d-js-script.png
Finally, avid YouTube viewers should be wary of what they watch and of links associated with those clips. Some use the said social media site to lead users to download and install a movie player... (We’ve written about some of those “players”...).
> http://www.gfi.com/b...obama-20161.png
What you’ll see in the actual video is a clip taken from a segment of a television news channel wherein a best-selling author talks about his documentary called 2016: Obama’s America, not the teaser clip of the movie that is normally put out when they entice viewers to watch the full version for free. Below the clip is a shortened URL linking to the download page of the said movie player. You must know that in order to watch the clip offered by the software, additional video software has to be downloaded... Let us be mindful of that for the next couple of days..."

:ph34r: <_<

Edited by AplusWebMaster, 06 November 2012 - 02:08 PM.



#805 AplusWebMaster

Posted 07 November 2012 - 05:08 AM

FYI...

Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshots of the spamvertised emails:
> https://webrootblog....its_malware.png
> https://webrootblog...._malware_01.png
... sample javascript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf * ... Mal/JSRedir-M
... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
panalkinew .ru responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276 ..."
* https://www.virustot...1ea40/analysis/
File name: Scan_N13004.htm
Detection ratio: 24/44
Analysis date: 2012-11-05
** https://www.virustot...75ed8/analysis/
File name: d34c2e80562a36fb762be72e490b7793887c3192
Detection ratio: 25/43
Analysis date: 2012-11-01
___

Fake Intercompany Invoice SPAM / controlleramo .ru
- http://blog.dynamoo....voice-spam.html
7 Nov 2012 - "This fake invoice spam leads to malware on controlleramo .ru:
Date: Wed, 7 Nov 2012 07:29:44 -0500
From: LinkedIn [welcome@linkedin.com]
Subject: Re: Intercompany inv. from Beazer Homes USA Corp.
Attachments: Invoice_e49580.htm
Hi
Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)
Thanks a lot for supporting this process
Rihanna PEASE
Beazer Homes USA Corp.


The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo .ru:8080/forum/links/column.php hosted on:
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
These IP addresses have been used in several attacks recently, and you should block access to them if you can."
___

Phishers take aim at USAA
- http://www.gfi.com/b...ke-aim-at-usaa/
Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
> http://www.gfi.com/b...SAACred_115.png
From: {random}
To: {random}
Subject: USAA – Account Security Update
Message body:
Dear Valued Customer,
We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for
your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
Please follow the reference link below to verify your account.
[ link ] Click here to verify [ / link]
Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security
reasons.
Thank you,
USAA Internet Banking.


Once a recipient clicks Click here to verify, he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
> http://www.gfi.com/b.../11/usaa011.png
This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
* https://www.usaa.com...ent_logon/Logon

>> https://www.usaa.com.....hishing email

>>> https://www.youtube....;v=KYiKATvQvWw#!

:ph34r: <_<

Edited by AplusWebMaster, 07 November 2012 - 11:42 AM.




#806 AplusWebMaster

Posted 08 November 2012 - 06:30 AM

FYI...

Fake Discover Card emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
8 Nov 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit.
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 * ... UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to 200.169.13.84 :8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574
Client-side exploits serving domain reconnaissance:
teamscapabilitieswhich.org responds to 183.180.134.217, AS2519 – Email: anil_valiquette124 @ dawnsonmail .com
Name Server: NS1.CHELSEAFUN.NET – 173.234.9.89
Name Server: NS2.CHELSEAFUN.NET – 65.131.100.90
netgear-india .net – 183.180.134.217, AS2519
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61
Name Server: NS2.TOPPAUDIO .COM - 173.234.9.89 ..."
* https://www.virustot...50589/analysis/
File name: KB01474670.exe
Detection ratio: 4/44
Analysis date: 2012-11-02
___

getyourbet .org injection attack
- http://blog.dynamoo....ion-attack.html
8 Nov 2012 - "There seems to be an injection attack doing the rounds; the injected domain is getyourbet .org hosted on 31.184.192.237. The domain registration details are:
Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains @ yahoo .com
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two-stage attack: if getyourbet .org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
pin.panacheswimwear .co.uk
physical.oneandonlykanuhura .com
pig.onmailorder .com
picture.onlyplussizes .com
person.nypersonaltrainers .com
pipe.payday-loanstoday .com
I've seen this sort of abuse of GoDaddy domains before: the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks."

:ph34r: <_< :ph34r:



#807 AplusWebMaster

Posted 09 November 2012 - 07:01 AM

FYI...

Fake Intuit emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 9, 2012 - "Intuit users, beware! Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on -any- of them, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 * ... Trojan.Win32.Bublik.qqf
Client-side exploits serving domain reconnaissance:
savedordercommunicates.info – 75.127.15.39, AS36352 – Email: heike_ruigrok32 @ naplesnews .net
Name Server: NS1.CHELSEAFUN .NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak .com
Name Server: NS2.CHELSEAFUN .NET – 65.131.100.90, AS209
We’ve already seen the -same- name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich .org..."
* https://www.virustot...c1e14/analysis/
File name: download
Detection ratio: 29/44
Analysis date: 2012-11-08
___

Changelog SPAM / canadianpanakota .ru
- http://blog.dynamoo....panakotaru.html
9 Nov 2012 - "This spam leads to malware on canadianpanakota .ru:
Date: Fri, 9 Nov 2012 11:55:11 +0530
From: LinkedIn Password [password @ linkedin .com]
Subject: Re: Changlog 10.2011
Attachments: changelog4-2012.htm
Hello,
as promised changelog,(Internet Explorer File)


The attachment leads to a malicious payload at [donotclick]canadianpanakota .ru :8080/forum/links/column.php hosted on the following IPs:
120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
These IPs will probably be used in other attacks; blocking access to them now might be prudent. The following IPs and domains are all related:
120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota .ru
controlleramo .ru
donkihotik .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
lemonadiom .ru
peneloipin .ru
moneymakergrow .ru ..."

:ph34r: <_<

Edited by AplusWebMaster, 09 November 2012 - 08:39 AM.

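Several of the Dynamoo items quoted in this thread (forumibiza, peneloipin, controlleramo, canadianpanakota) share the same landing URL shape, `host:8080/forum/links/column.php`, and a recurring set of hosting IPs. As an added example (not code from the original posts or from Dynamoo), here is a Python check over constructed Squid-style proxy log lines that flags that path on port 8080 as well as the domains and IPs listed in the Changelog item above; the log lines, client addresses and example.* hosts are constructed, the indicators are the ones quoted on this page:

```python
"""Scan Squid native access.log lines for the Blackhole landing pattern seen in
this thread. Added example; the log sample is constructed, the indicators are
the ones quoted in the Dynamoo post above."""
import re
from urllib.parse import urlsplit

# Domains and hosting IPs listed in the Changelog SPAM item (page values).
BLOCKED_DOMAINS = {"canadianpanakota.ru", "controlleramo.ru", "donkihotik.ru",
                   "finitolaco.ru", "fionadix.ru", "forumibiza.ru", "lemonadiom.ru",
                   "peneloipin.ru", "moneymakergrow.ru"}
BLOCKED_IPS = {"120.138.20.54", "202.180.221.186", "203.80.16.81"}
# The landing path reused across the campaigns quoted in this thread.
LANDING_PATH = re.compile(r"^/forum/links/column\.php$")
LANDING_PORT = 8080

# Constructed sample, Squid native format:
# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SAMPLE_LOG = """\
1352451311.102    312 10.0.0.12 TCP_MISS/200 18321 GET http://www.example.com/news/index.html - HIER_DIRECT/203.0.113.10 text/html
1352451318.455    198 10.0.0.12 TCP_MISS/200 6140 GET http://canadianpanakota.ru:8080/forum/links/column.php - HIER_DIRECT/203.80.16.81 text/html
1352451320.010    221 10.0.0.27 TCP_MISS/200 4411 GET http://203.80.16.81:8080/forum/links/column.php - HIER_DIRECT/203.80.16.81 text/html
1352451333.731    140 10.0.0.31 TCP_MISS/302 512 GET http://update.example.org:8080/status.php - HIER_DIRECT/198.51.100.7 text/html
1352451340.200     75 10.0.0.12 TCP_TUNNEL/200 0 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.9 -
"""


def parse_squid_line(line):
    """Split one Squid native log line into the fields the check needs, or None."""
    fields = line.split()
    if len(fields) < 9:
        return None
    hier = fields[8]  # e.g. HIER_DIRECT/203.80.16.81
    return {"ts": fields[0], "client": fields[2], "method": fields[5], "url": fields[6],
            "dest_ip": hier.split("/", 1)[1] if "/" in hier else ""}


def check_request(url, dest_ip):
    """Return the reasons a request matches the landing pattern or the indicators."""
    reasons = []
    # CONNECT lines carry "host:port" with no scheme; give them one so urlsplit works.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port == LANDING_PORT and LANDING_PATH.match(parts.path):
        reasons.append("blackhole-landing-path")
    if host in BLOCKED_DOMAINS:
        reasons.append("blocked-domain")
    # The host may itself be one of the IPs, or the proxy may have resolved to one.
    if host in BLOCKED_IPS or dest_ip in BLOCKED_IPS:
        reasons.append("blocked-ip")
    return reasons


def scan_log(lines):
    """Return one hit record per log line that matches at least one rule."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = check_request(rec["url"], rec["dest_ip"])
        if reasons:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "url": rec["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
```

A hit on the landing path alone, with no indicator match, is how a new host in this campaign shows up before it reaches a blocklist.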


#808 AplusWebMaster

Posted 12 November 2012 - 05:27 AM

FYI...

Fake American Express emails serve client-side exploits and malware...
- http://blog.webroot....ts-and-malware/
Nov 12, 2012 - "American Express cardholders, beware! Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving client-side exploits courtesy of the BlackHole Exploit Kit....
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Malicious domain name reconnaissance:
stempare .net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228 @ i-connect .com
Name Server: NS1.TOPPAUDIO .COM – 91.216.93.61, AS50300 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM – 29.217.45.138 – Email: windowclouse @ hotmail .com ...
Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drop the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 * ... Trojan.Win32.Bublik.ptf...
Upon execution, the dropped malware requests a connection to 192.5.5.241 :8080 and then establishes a connection with 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata .org. It is currently blacklisted in 25 anti-spam lists. The following URLs are known to have (been) directly serving malicious content, and act as command and control servers in the past:
210.56.23.100 :8080/asp/intro.php
210.56.23.100 :8080/za/v_01_a/in ...
The last time we came across this IP (210.56.23.100), was in July 2012's analysis of yet another malicious campaign, this time impersonating American Airlines..."
* https://www.virustot...c6182/analysis/
File name: c8c607bc630ee2fe6a8c31b8eb03ed43
Detection ratio: 15/43
Analysis date: 2012-11-02
___

Cableforum.co .uk hacked?
- http://blog.dynamoo....ouk-hacked.html
12 Nov 2012 - "Cableforum.co .uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:
NatWest : Helpful Banking
Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access...

> https://lh3.ggpht.co...600/natwest.png
This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow... Sadly, stuff like this happens to good websites... Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that your password has been compromised and change it, plus change it anywhere that you re-use the same password."

:ph34r: <_<

Edited by AplusWebMaster, 12 November 2012 - 09:04 AM.



#809 AplusWebMaster

Posted 12 November 2012 - 02:24 PM

FYI...

Blackhole exploit kit - top threat by a large margin
- https://blogs.techne...ew-heights.aspx
12 Nov 2012 - "... exploit activity has increased substantially over the past year... large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend... the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin*. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components** ... In years past it was rare to see an exploit in the top ten list of threats for a country/region. In 2012-Q2 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13***. Blacole is in the top ten lists of twenty-seven of these locations ..."

* https://blogs.techne...0-43/3683.2.jpg

** https://blogs.techne...0-43/6443.1.jpg

*** http://www.microsoft...at/default.aspx
___

New Java attack introduced into "Cool Exploit Kit"
- https://threatpost.c...loit-kit-111212
Nov 12, 2012 - "A new exploit has been found in the Cool Exploit Kit for a vulnerability* in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit... Researchers are concerned now that this exploit is in Cool Exploit Kit, it could find its way into the BlackHole Exploit Kit... Reveton is linked to the Citadel banking and botnet malware..."
* https://web.nvd.nist...d=CVE-2012-5076 - 10.0 (HIGH)


Edited by AplusWebMaster, 13 November 2012 - 05:49 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#810 AplusWebMaster


Posted 13 November 2012 - 09:54 AM

FYI...

Fake "Your flight" SPAM / monacofrm .ru
- http://blog.dynamoo....onacofrmru.html
13 Nov 2012 - "These spam email messages lead to malware on monacofrm .ru:
From: sales1 @victimdomain .com
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581
Dear Customer,
FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
NAOMI PATTON,
==========
From: messages-noreply @bounce .linkedin .com On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733
Dear Customer,
FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
Adon Walton,

(...etc.)

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)
The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added: There's a Wire Transfer SPAM using the same payload too:
From: Amazon.com / account-update @amazon .com
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation
Dear Bank Account Operator,
WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.

___

Fake "End of Aug. Statmeent" SPAM / veneziolo .ru
- http://blog.dynamoo....enezioloru.html
13 Nov 2012 - "The spam never stops; this malicious email leads to malware at veneziolo .ru:
Date: Tue, 13 Nov 2012 12:27:15 -0500
From: Mathilda Allen via LinkedIn [member @linkedin .com]
Subject: Re: End of Aug. Statmeent required
Attachments: Invoices12-2012.htm
Good morning,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards


The malicious payload is at [donotclick]veneziolo .ru:8080/forum/links/column.php hosted on the same IPs seen earlier today; the following IPs and domains are all related:
41.168.5.140, 62.76.46.195, 62.76.178.233, 62.76.186.190, 62.76.188.246, 65.99.223.24, 84.22.100.108, 85.143.166.170, 87.120.41.155, 91.194.122.8, 103.6.238.9, 120.138.20.54, 132.248.49.112, 202.180.221.186, 203.80.16.81, 207.126.57.208, 209.51.221.247, 213.251.171.30, 216.24.194.66 ..."


Edited by AplusWebMaster, 13 November 2012 - 05:58 PM.

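Both dynamoo posts above point at the same landing page path (:8080/forum/links/column.php) on a rotating set of .ru domains and a shared pool of hosting IPs, and the advice is to block the lot. The script below is an added example (not code from dynamoo or from this forum) that turns those indicators into a proxy-log sweep, a mail-subject filter for the quoted spam templates, and a block list. The IPs, hostnames, port and path are copied from the two posts; the proxy log format (timestamp, client, method, URL, squid-like) and the sample log lines are constructed for the example and are not real traffic.

```python
"""IOC sweep for the monacofrm.ru / veneziolo.ru campaign (13 Nov 2012).

Indicators come from the dynamoo posts quoted above. The log format and the
sample lines below are constructed for this example, not captured traffic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosting IPs listed in the two posts (both payload domains resolve here).
CAMPAIGN_IPS = {
    "41.168.5.140", "62.76.46.195", "62.76.178.233", "62.76.186.190",
    "62.76.188.246", "65.99.223.24", "84.22.100.108", "85.143.166.170",
    "87.120.41.155", "91.194.122.8", "103.6.238.9", "120.138.20.54",
    "132.248.49.112", "202.180.221.186", "203.80.16.81", "207.126.57.208",
    "209.51.221.247", "213.251.171.30", "216.24.194.66",
}
CAMPAIGN_HOSTS = {"monacofrm.ru", "veneziolo.ru"}

# Both landing pages share this port and path; matching on them catches the
# next throwaway domain on the same kit before anyone adds it to a host list.
LANDING_PORT = 8080
LANDING_PATH = "/forum/links/column.php"

# Subject templates from the quoted emails. The flight number varies per
# message; any stack of Re:/Fwd: prefixes is tolerated.
SPAM_SUBJECT_RE = re.compile(
    r"^(?:(?:Re|Fwd):\s*)*(?:Your Flight [A-Z]\d{3}-\d{4,5}"
    r"|Wire Transfer Confirmation"
    r"|End of Aug\. Statmeent required)$",
    re.I,
)

# Constructed sample log: "<epoch> <client> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
1352800001.123 10.0.0.15 GET http://www.example.com/index.html
1352800012.456 10.0.0.22 GET http://monacofrm.ru:8080/forum/links/column.php
1352800030.789 10.0.0.31 GET http://203.80.16.81:8080/forum/links/column.php
1352800040.000 10.0.0.22 GET http://newdomain.ru:8080/forum/links/column.php
1352800055.321 10.0.0.15 GET http://216.24.194.66/
"""


def classify_url(url):
    """Return the indicator types a URL matches (empty list if none)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    reasons = []
    if host in CAMPAIGN_HOSTS:
        reasons.append("known-host")
    if host in CAMPAIGN_IPS:           # IP-literal URLs straight to the hosts
        reasons.append("known-ip")
    if p.port == LANDING_PORT and p.path == LANDING_PATH:
        reasons.append("landing-path")  # same kit, possibly a new domain
    return reasons


def scan_proxy_log(text):
    """Return one dict per matching request, in log order."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue                    # malformed or truncated line
        ts, client, _method, url = parts
        reasons = classify_url(url)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url,
                         "reasons": reasons})
    return hits


def is_campaign_subject(subject):
    """True if a mail subject matches one of the quoted spam templates."""
    return bool(SPAM_SUBJECT_RE.match(subject.strip()))


def block_rules():
    """Outbound iptables DROP rules for every listed IP, sorted numerically."""
    ips = sorted(CAMPAIGN_IPS, key=ipaddress.ip_address)
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(h["ts"], h["client"], h["url"], ",".join(h["reasons"]))
    print("\n".join(block_rules()))
```

The fourth sample line is the reason for the landing-path check: a domain nobody has listed yet still trips the rule because the kit keeps the same port and path. Hosts that match only that rule deserve a look rather than an automatic block, since a false positive on a port-8080 forum is possible; hosts that also match a listed IP can go straight onto the block list.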
