2072 replies to this topic

[AplusWebMaster]

FYI...

Bogus ‘Intuit Software Order Confirmations’ lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 30, 2012 - "Sticking to their well proven practice of systematically rotating impersonated brands, the cybercriminals behind a huge majority of the malicious campaigns that we’ve been profiling recently are once again impersonating Intuit in an attempt to trick its customers into clicking on links exposing them to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot from the spamvertised email:
> https://webrootblog....its_malware.png
Sample spamvertised URL re-director: hxxp ://www.mysnap .com.tw/sites/default/files/upload.htm?RANDOM_CHARACTERS
Client-side exploits serving URL: hxxp ://moneymakergrow .ru:8080/forum/links/column.php
Malicious domain name reconnaissance:
moneymakergrow .ru – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 207.126.57.208
Name server: ns1.moneymakergrow .ru – 62.76.178.233
Name server: ns2.moneymakergrow .ru – 132.248.49.112
Name server: ns3.moneymakergrow .ru – 84.22.100.108
Name server: ns4.moneymakergrow .ru – 65.99.223.24
... Although we couldn’t reproduce the client-side exploitation, we’ve already seen the majority of these malicious domains in previously profiled campaigns..."
___

Bogus ‘End of August Invoices’ emails serve malware and client-side exploits
- http://blog.webroot....-side-exploits/
Nov 30, 2012 - "Cybercriminals have recently launched yet another massive spam campaign attempting to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....re_exploits.png
Sample detection rate for the malicious attachment: MD5: 8b194d05c7e7f96a37b1840388231791 * ... Trojan:Win32/Ransom
Sample client-side exploits serving URL: hxxp ://forumibiza .ru:8080/forum/links/column.php
Although we couldn’t obtain the actual payload, the gathered intelligence indicates that this is a campaign launched by the same group that we’ve been monitoring for a few weeks now, allowing us to more effectively expose their campaigns and protect Internet users...
Malicious domain name reconnaissance:
forumibiza.ru – 65.99.223.24, AS30496; 103.6.238.9, AS21125; 203.80.16.81, AS24514
Name server: ns1.forumibiza .ru – 62.76.186.190
Name server: ns2.forumibiza .ru – 84.22.100.108
Name server: ns3.forumibiza .ru – 50.22.102.132
Name server: ns4.forumibiza .ru – 213.251.171.30
... malicious domains also respond to the same IPs (65.99.223.24; 103.6.238.9; 203.80.16.81). We’ve already seen these in several previously profiled malicious campaigns..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1353823689/
File name: Invoices.exe
Detection ratio: 39/44
Analysis date: 2012-11-25
___

(Here they come...) Santa SCAMS...
- http://community.web...amta-claus.aspx
Nov 30, 2012 - "... detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus... They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa. As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer...
> http://community.web...7360.santa1.png
... subject lines to catch your attention and elicit a response:
- Personal Letter From Santa For Your Child
- (A) Letter From Santa For Your Child
- Santa Claus Letters
- A personal letter from Santa for your little ones
- Custom Santa Letters
> http://community.web...7848.santa2.png
Clicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page: Simple browser detection and IP geolocation techniques are used to appear convincing.
Unfortunately, other than the opinion survey, the only personalized item you’re likely to receive from this point on is more spam, scams, or empty offers. No amount of form-filling, survey submissions, or offer completions are likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately..."
___

"Copies of Policies" SPAM / podarunoki .ru
- http://blog.dynamoo....darunokiru.html
30 Nov 2012 - "This spam leads to malware on podarunoki .ru:
Date: Fri, 30 Nov 2012 04:54:30 -0300
From: Jone Castaneda via LinkedIn [member@linkedin.com]
Subject: RE: Leonie - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Leonie Doyle,
==========
Date: Fri, 30 Nov 2012 02:32:21 -0400
From: sales1@[victimdomain].com
Subject: RE: Samson - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Samson Henry,

The malicious payload is at [donotclick]podarunoki .ru:8080/forum/links/column.php hosted on some familiar IP addresses which should be blocked if you can:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
___

iTunes SPAM / mokingbirdgives .org
- http://blog.dynamoo....rdgivesorg.html
30 Nov 2012 - "This fake iTunes spam leads to malware on mokingbirdgives .org:
From: iTunes itunes @new .itunes .com
To: purchasing [purchasing @victimdomain .com]
Date: 30 November 2012 17:02
Subject: Your receipt #16201509085048
Billed To:
%email%
Order Number: M1V008146011
Receipt Date: 30/11/2012
Order Total: $699.99
Billed To: Credit card
Item Number Description Unit Price
1 Postcard (View\Download )
Cancel order Not your order?Report a Problem $699.99
Subtotal: $699.99
Tax: $0.00
Order Total: $699.99
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http ://www.apple .com/support/itunes/store/
Apple ID Summary • Detailed invoice
Apple respects your privacy.
Copyright © 2011 Apple Inc. All rights reserved

The malicious payload is at [donotclick]mokingbirdgives .org/less/demands-probably.php (report here) hosted on 184.82.100.201 (HostNOC, US) along with the following domains which also appear to be malicious: ..."
(Long list at the dynamoo URL above..)

Edited by AplusWebMaster, 30 November 2012 - 07:43 PM.

[AplusWebMaster]

FYI...

Malicious email MMS targets mobile phone users
- http://community.web...hone-users.aspx
2 Dec 2012 - "... Websense... has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, we have detected thousands of emails claiming users have received MMS content via email localized to Australian and German carriers late last week:
> http://community.web...s/3731.both.png
Because mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially those that appear to come from their carriers. Once the malware is launched, it connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and have many anti-debug tricks. Unlike other malware, this sample deploys several decryption phases before finally executing its malicious function. Even more interesting, it implements all its tricks, like decryption and patching, only in memory... It downloads malicious binaries from these remote servers:
> http://community.web..._downloader.jpg
173.254.28.81 ... During our analysis, some of the remote servers were still available, and the malicious binary files were still downloadable..."
___

More Wire Transfer SPAM / panamechkis .ru
- http://blog.dynamoo....amechkisru.html
3 Dec 2012 - "This fake wire transfer spam leads to malware on panamechkis .ru:
Date: Mon, 3 Dec 2012 11:34:38 +0330
From: HarrisonCrumm @ mail .com
Subject: RE: Wire Transfer cancelled
Dear Customers,
Wire transfer was canceled.
Rejected transfer:
FED NUMBER: 1704196955WIRE580676
Transaction Report: View
Federal Reserve Wire Network

The malicious payload is at [donotclick]panamechkis .ru:8080/forum/links/column.php hosted on:
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
Of these, 113.197.88.226 seems to be a new one which should be added to your blocklists."
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/b...for-the-week-4/
Dec 3, 2012 - "... noteworthy spam samples found and documented by our researchers in the AV Labs in our Tumblr page*..."
* http://gfisoftware.tumblr.com/
NY Better Business Bureau Attachment Spam - December 03, 2012
Malicious HP ScanJet Spam Continue - December 03, 2012
Malicious Wire Transfer Spam Continued - Dec 3, 2012
Account has been blocked - Dec 2, 2012
RapidFAX Spam - Dec 3, 2012
NACHA Spam: Your Direct Deposit software is out of date
eFax Corporate Message Spam - Nov 29, 2012
Malicious FedEx Spam Continues - Nov 24, 2012 ...
___


- http://www.ironport.com/toc/

- http://tools.cisco.c...Outbreak.x?i=77
Malicious Personal Pictures Attachment E-mail Messages - December 04, 2012
Fake Scanned Document E-mail Messages - December 04, 2012
Malicious Attachment E-mail Messages - December 04, 2012
Fake Picture Link E-mail Messages - December 04, 2012
Fake Tax Refund Notification E-mail Messages - December 04, 2012
Fake Credit Card Transaction Notification E-mail Messages - December 04, 2012
Malicious Personal Pictures Attachment E-mail Messages - December 04, 2012
Fake Scanned Document E-mail Messages - December 04, 2012
Malicious Attachment E-mail Messages - December 04, 2012
Fake Picture Link E-mail Messages - December 04, 2012
Fake Tax Refund Notification E-mail Messages - December 04, 2012
Fake Credit Card Transaction Notification E-mail Messages - December 04, 2012
Fake Scanned Document E-mail Messages - December 03, 2012
Fake ADP Digital Certificate Notification E-mail Messages - December 03, 2012
Fake Business Complaint E-mail Messages - December 03, 2012
Fake FedEx Shipment Notification E-mail Messages - December 03, 2012
Fake Xerox Scan Attachment E-mail Messages - December 03, 2012
Fake Picture Link E-mail Messages - December 03, 2012
Malicious Personal Pictures Attachment E-mail Messages - December 03, 2012
Fake Picture Posting Notification E-mail Messages - December 03, 2012
Fake Discount Purchases Notification E-mail Messages - December 03, 2012
Fake Telegram Notification E-mail Messages - December 03, 2012 ...

Edited by AplusWebMaster, 04 December 2012 - 02:08 PM.

[AplusWebMaster]

FYI...

Fake FedEx emails lead to malware
- http://blog.webroot....ead-to-malware/
Dec 4, 2012 - "At the end of October, a cybercriminal or group of cybercriminals launched three massive spam campaigns in an attempt to trick users into clicking on a deceptive link and downloading a malicious attachment. Upon execution, the malware phones back to the command and control servers operated by the party that launched it, allowing complete access to the infected PC. This time they didn’t try impersonating USPS, UPS or DHL, but FedEx...
Sample screenshot of the spamvertised email:
> https://webrootblog....lware.png?w=481
Second screenshot of a sample spamvertised email, again, part of the same campaign:
> https://webrootblog....plate.png?w=545
Third screenshot of a sample spamvertised email used in the campaign:
> https://webrootblog....plate.png?w=495
Sample detection rate for the first sample: MD5: 0e2e1ef473bb731d462fb1c8b3dd7089 * ... Trojan.Win32.Buzus.mruv
Upon execution, it phones back to the following URLs:
hxxp ://91.121.90.80 :8080/...
hxxp ://84.40.69.119 :8080/...
hxxp ://211.172.112.7 :8080/...
Sample detection rate for the second sample: MD5: ab25d6dbf9b041c0a7625f660cfa17aa ** ... Trojan-Dropper.Win32.Dapato.bxhg
Upon execution, it phones back to the following URLs:
hxxp //59.25.189.234 :8080/...
hxxp //140.135.66.217 :8080/...
hxxp //82.113.204.228 :8080/...
hxxp //59.126.131.132 :8080/...
None of these IPs currently respond to any specific domains, besides 59.126.131.132.
songwriter .tw is currently responding to 59.126.131.132 – Email: songwriter .tw@ gmail .com...
> https://webrootblog....rver.png?w=1024
The domain seems to be a legitimate Taiwanese songwriting company/individual, indicating that their server has been compromised and is currently used as command and control server.
Sample detection rate for the third sample: MD5: 252c797959273ff513d450f9af1d0242 *** ... TrojanDownloader:Win32/Kuluoz.B..."
* https://www.virustot...sis/1354489330/
File name: Postal_Receipt.exe
Detection ratio: 35/46
Analysis date: 2012-12-02
** https://www.virustot...sis/1354489404/
File name: Postal_Receipt1.exe
Detection ratio: 37/46
Analysis date: 2012-12-02
*** https://www.virustot...sis/1354489465/
File name: PostalReceipt2.exe
Detection ratio: 25/46
Analysis date: 2012-12-02
___

"ARK Bureau" fake job offer
- http://blog.dynamoo....-job-offer.html
4 Dec 2012 - "The ARK Architecture Bureau is a genuine company. This fake job offer is -not- from ARK Bureau, but is some sort of illegal activity such as money laundering.
From: Odette Holcomb [mailto:nbnian@esonchem.co.kr]
Sent: 03 December 2012 12:32
Subject: Help wanted.
POSITION: Customer Assistant
ABOUT COMPANY:
ARK Bureau has served hundreds of clients in the United Kingdom, Poland, France and Germany since 1998.
The firm was created by Lorinda Rogers, a young architect of Canadian origin. From its inception, ARK Bureau.s vision for design and construction was based on system approach, incorporating both building and landscape design. That philosophy has always meant the highest quality for our clients. That.s probably why ARK Bureau enjoys a strong loyalty from the past customers.
Now we have open vacancy in the U.S.: Customer Assistant
RESPONSIBILITIES:
- Process payments from customers;
- Filing invoices, statements and associated documents;
- Meet and exceed performance and time management goals;
- Other duties as required.
GENERAL SKILLS:
- High communication skills;
- Strong problem solving and planning skills;
- Experienced computer & internet user.
APPLY:
To apply please: arkbureaumanager @nokiamail .com

An alternative version uses the email address of arkbureau_manager@nokiamail.com. The two samples that I have seen have originating IP addresses of 174.52.171.8 (Comcast, US) and 109.173.54.245 (NCNET, Russia). You should give this fake company a wide berth unless you want to end up in serious trouble with law enforcement."
___

ADP SPAM / fsblimitedrun .pro
- http://blog.dynamoo....itedrunpro.html
3 Dec 2012 - "This fake ADP spam leads to malware on fsblimitedrun .pro:
From: ADP Transaction Status
Date: 3 December 2012 17:55
Subject: ADP Major Accounts Processed Case
Valued customer:
James lately covered Transaction at your account. Event # 433933082.
Case Caption: 6CO7
Incident Substantiation: Download
We at ADP obtain to create a personalized and client focused experience with every client interaction.
Please view transaction changed by visiting the link below.
Click here - ADP Major Accounts Operation Progress mentioned above
Best Wishes,
James Brooks
Vice President of Customer Care Department ADP
ADP Major Accounts
***Reminder***
Please remember to complete your Semi-Annual Service Quality Survey!
Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP's services.
**********
This e-mail was delivered from an robot account.
Please don't reply to this message. auomatic informational system unable to accept incoming email.

The malicious payload is at [donotclick]fsblimitedrun .pro/detects/survey_success-complete.php hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) along with the following malicious domain: fdic-update-install .info . Blocking access to this IP address would probably be prudent.
___

"Scan from a Hewlett-Packard ScanJet" SPAM / somaliaonfloor .ru
- http://blog.dynamoo....anjet-spam.html
3 Dec 2012 "This fake printer spam leads to malware on somaliaonfloor .ru:
Date: Mon, 3 Dec 2012 09:25:59 -0600
From: Bebo Service [service@noreply.bebo.com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #3838
A document was scanned and sent to you using a Hewlett-Packard HP15310290
Sent to you by: ROSIO
Pages : 8
Filetype(s): Images (.jpeg) View
==========
Date: Mon, 3 Dec 2012 11:06:22 -0500
From: "service@paypal.com" [service@paypal.com]
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 33712789
A document was scanned and sent to you using a Hewlett-Packard HP8220647
Sent to you by: CLAUDIA
Pages : 7
Filetype(s): Images (.jpeg) View

The malicious payload is at [donotclick]somaliaonfloor .ru:8080/forum/links/public_version.php hosted on the same IPs used in this attack.
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
___

"Most recent events on Facebook" SPAM / attachedsignup .pro
- http://blog.dynamoo....ebook-spam.html
4 Dec 2012 - "This fake Facebook spam leads to malware on Most recent events on attachedsignup .pro:
Date: Tue, 4 Dec 2012 15:19:16 +0100
From: " Facebook Security Team" [fractionallyb9 @hendrickauto .com]
Subject: Most recent events on Facebook
facebook
Hi [redacted],
You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate :
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.
This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906

The malicious payload is at [donotclick]attachedsignup .pro/detects/links-neck.php (report here*) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) which also hosts the probably malicious domain sessionid0147239047829578349578239077 .pl..."
* http://wepawet.isecl...1...759&type=js
___

US Airways SPAM / attachedsignup .pro
- http://blog.dynamoo....dsignuppro.html
4 Dec 2012 - "This fake US Airways spam leads to malware on attachedsignup .pro:
From: US Airways - Booking [reservations@myusairways.com][
Date: 4 December 2012 14:30
Subject: US Airways online check-in.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you have to do is print your boarding pass and go to the gate.
Purchase code: 183303
Check-in online: Online booking details
Payment method: Credit card
Money will be withdrawn in next 3 days
Voyage
5990
Departure city and time
Massachusets MA (DCA) 10:10 AM
Depart date: 12/05/2012
We takes care to protect your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 145 W. Rio Salado Pkwy, Tempe, AK 93426 , Copyright US Airways , All rights reserved.

The payload and IP addresses are identical to this spam* doing the rounds today."
* http://blog.dynamoo....ebook-spam.html
___

Facebook "You have notifications pending" SPAM / francese .ru
- http://blog.dynamoo....ns-pending.html
4 Dec 2012 - "This fake Facebook spam leads to malware on francese.ru:
Date: Tue, 4 Dec 2012 03:38:42 +0000
From: KaseyElleman@victimdomain.com
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
SALLIE FELIX has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to postinialerts@[redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is at [donotclick]francese .ru:8080/forum/links/column.php hosted on the following IP addresses:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks , US)
219.255.134.110 (SK Broadband, Korea)
Plain list for copy-and-pasting:
42.121.116.38
202.180.221.186
203.80.16.81
208.87.243.131
219.255.134.110 ..."

Edited by AplusWebMaster, 04 December 2012 - 09:42 AM.

[AplusWebMaster]

FYI...

Zbot sites to block 5/12/12
- http://blog.dynamoo....lock-51212.html
5 Dec 2012 - "These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10 .com domain, or are co-hosted on the same server and have malicious characteristics. I've come up with a recommended blocklist based on the characteristics on the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.
IP addresses and hosts
31.184.244.73 (TOEN Incorporated, UAE)
62.122.74.47 (Leksim, Poland)
77.72.133.69 (Colobridge, Germany)
78.46.205.130 (Hetzner, Germany)
78.140.135.211 (Webazilla, Gibraltar)
85.143.166.132 (PIRIX, Russia)
87.107.121.131 (Soroush Rasanheh Company Ltd, Iran)
91.211.119.56 (Zharkov Mukola Mukolayovuch, Ukraine)
91.231.156.25 (Sevzapkanat-Unimars, Russia)
91.238.83.56 (Standart LLC, Moldova)
146.185.255.161 (Sergeev Sergei Yurievich PE, Russia)
178.162.132.202 (Tower Marketing, Belize)
178.162.134.176 (Silin Vitaly Petrovich, Belarus)
188.93.210.28 (Hosting Service, Russia)
195.88.74.110 (Info Data Center, Bulgaria)
198.144.183.227 (Colocrossing, US)
... Recommended blocklist:
31.184.244.73
62.122.72.0/21
77.72.133.69
78.46.5.128/29
78.140.135.211
85.143.166.0/24
87.107.96.0/19
91.211.119.56
91.231.156.0/24
91.238.83.0/24
146.185.255.0/24
178.162.132.0/24
178.162.134.128/26
188.93.210.28
195.88.74.110
198.144.183.227 ..."
(More detail at the dynamoo URL above.)
___

BBB SPAM / leberiasun .ru
- http://blog.dynamoo....beriasunru.html
5 Dec 2012 - "This fake BBB spam leads to malware on leberiasun .ru:
Date: Wed, 5 Dec 2012 11:32:47 +0330
From: Bebo Service [service @noreply .bebo .com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 243917811)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
JONELLE Payne

The malicious payload is at [donotclick]leberiasun .ru:8080/forum/links/column.php (report here) hosted on the following IPs:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)..."

Edited by AplusWebMaster, 05 December 2012 - 12:20 PM.

[AplusWebMaster]

FYI...

SPAM gets Socl ...
- http://www.gfi.com/b...spam-gets-socl/
Dec 6, 2012 - "Microsoft have thrown open the gates to their new social network, Socl (which has a faint whiff of Pinterest about it and is also pronounced “social”. No, really). It didn’t take spammers very long to sink their claws in... we have all the Canadian Pharmacy spam you can eat...
> http://www.gfi.com/b...2/soclspam1.jpg
... links all currently lead to a page touting a 404 error... we can only hope Microsoft (will) have a Banhammer in place to deal with what will no doubt be a bump up in bad content as word of the latest social network to hit the ground running spreads across the news. We haven’t come across any Malware links yet, but as with Tumblr, Pinterest and Twitter end-users shouldn’t abandon common sense in favour of shiny, blinky things carrying a sting in the tail..."
___

Amazon SPAM / evokeunreasoning .pro
- http://blog.dynamoo....asoningpro.html
6 Dec 2012 - "A few different variants of this today, all pretending to be from Amazon and leading to malware on evokeunreasoning .pro:
Date: Thu, 6 Dec 2012 17:32:38 +0200
From: "Amazon . com" [digital-notifier@amazon.com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazon.com Today's Deals See All Departments
Dear Amazon.com Member,
Thanks for your order, clongmore@arrowuk.com!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Overview:
E-mail Address: [redacted]
Billing Address:
1113 4th Street
Fort North NC 71557-2319,,FL 67151}
United States
Phone: 1-491-337-0438
Order Grand Total: $ 50.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C47-8578330-3362713
Subtotal of items: $ 50.99
------
Total before tax: $ 50.99
Tax Collected: $0.00
------
Grand Total: $ 50.00
Gift Certificates: $ 0.99
------
Total for this Order: $ 50.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824
Please note that this message was sent to the following e-mail address: [redacted]

The malicious payload is at [donotclick]evokeunreasoning .pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving."
___

Phishing For Bank Account Information
- http://blog.webroot....nt-information/
Dec 6, 2012 - "... always on the look out for anything that looks ‘phishy’, even if it’s on your own personal time. Today, I opened my personal email to find this:
> https://webrootblog....1...w=413&h=444
Although the email looked very convincing, I don’t bank with Smile Bank so I knew something was up. Smile Bank is an actual bank based in the UK. The bad guys used a spoofed email address to make it look like it came from the legit Smile Bank domain smile.co.uk. If someone did bank with Smile Bank, I can see how they could easily be tricked. It’s the “Click here to proceed” link that gives the bad guys away. The link goes to a page hosted by pier3 .hk, which is a legitimate domain, but appears to be compromised with a simple HTM page that is a -redirect- to the real malicious site. The redirect sends you here:
> https://webrootblog....1...w=491&h=354
... This trick could easily be done with any large bank. Make sure to always be suspicious of any email claiming to be from your bank that -threatens- your account has been locked and insists that you need to enter your account information. Also, if the link to enter your account information isn’t to the URL of the bank it claims to be from, you know it’s malicious."
___

More "Copies of policies" SPAM / cinemaallon .ru
- http://blog.dynamoo....emaallonru.html
6 Dec 2012 - "This spam leads to malware on cinemaallon .ru:
Date: Thu, 6 Dec 2012 06:41:01 -0500
From: Isidro Pierre via LinkedIn [member @linkedin .com]
Subject: RE: ASHTON - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ASHTON QUINONES,

The malicious payload is at [donotclick]cinemaallon .ru:8080/forum/links/column.php hosted on the following familiar IPs:
202.180.221.186 (Gnet, Mongolia)
208.87.243.131 (Psychz Networks, US)..."
___

Bogus ‘Facebook Account Cancellation Request’ emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Dec 5, 2012 - "Facebook users, watch what you click on! Cybercriminals are currently mass mailing bogus “Facebook Account Cancellation Requests“, in an attempt to trick Facebook’s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host...
Sample screenshot of the spamvertised email:
> https://webrootblog....lware.png?w=629
... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
Malicious domain name reconnaissance:
lakkumigdc .com – 68.168.100.135 – Email: dolphinkarthi @gmail .com
Name Server: NS1.MACROVIEWTECH .COM – 68.168.100.136
Name Server: NS2.MACROVIEWTECH .COM – 68.168.100.137
Domains responding to the same IP, including domains also registered with the same GMail account...
Upon successsful client-side exploitation, the campaign drops MD5: 8b3979c1a9c85a7fd5f8ff3caf83fc56 * ... PWS-Zbot.gen.aru
Upon execution, the sample creates the following file on the affected hosts:
%AppData%\Ixriyv\emarosa.exe – MD5: A33684FD2D1FA669FF6573921F608FBB
It also creates the following directories:
%AppData%\Ixriyv
%AppData%\Uxwonyl
As well as the following Mutex: Local\{7A4AAF46-5391-8FF9-A32F-78A34C8B50D7}
It then phones back to shallowave.jumpingcrab .com (93.174.95.78) on port 8012. Another similar subdomain on this host (takemeout.jumpingcrab .com), was also seen in a crowdsourced DDoS campaign in 2009..."
* https://www.virustot...36f00/analysis/
File name: 8b3979c1a9c85a7fd5f8ff3caf83fc56
Detection ratio: 3/46
Analysis date: 2012-12-03
___

eBay, PayPal SPAM / ibertomoralles .com
- http://blog.dynamoo....orallescom.html
6 Dec 2012 - "These spam messages lead to malware on ibertomoralles .com:
Date: Thu, 6 Dec 2012 13:12:16 -0600
From: "PayPal" [service @paypal .com]
Subject: Your Ebay.com transaction details.
Dec 5, 2012 09:31:49 CST
Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],
You sent a payment of $363.48 USD to Normand Akers.
It may take a several minutes for this transaction to appear in your transactions history.
Seller
Normand-Akers @aol .com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
NordicTrack Mini Cycle
Item# 118770508253 24 $363.48 USD
Shipping and handling $24.99 USD
Insurance - not offered ----
Total $363.48 USD
Payment $363.48 USD
Payment sent to Normand Akers
Receipt ID: D-69NQRGN113A3A9UQ3
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID PZ147
==========
Date: Thu, 6 Dec 2012 19:57:37 +0100
From: "PayPal" [noreply @paypal .com]
Subject: Your Paypal.com transaction confirmation.
Dec 5, 2012 09:50:54 CST
Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],
You done a payment of $894.48 USD to Carol Brewster.
It may take a few moments for this transfer to appear in your transactions history.
Merchant
Carol-Brewster @aol .com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
TaylorMade R11 Driver Golf Club
Item# 703099838857 54 $894.48 USD
Shipping and handling $14.49 USD
Insurance - not offered ----
Total $894.48 USD
Payment $894.48 USD
Payment sent to Carol Brewster
Receipt ID: H-K01U2WSTLZZMRAB90
Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.
Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID P8695

The malicious payload is at [donotclick]ibertomoralles .com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server..."
(More detail at the dynamoo URL above.)

Edited by AplusWebMaster, 06 December 2012 - 02:56 PM.

[AplusWebMaster]

FYI...

#1 malware threat - Blackhole exploit kits
- http://h-online.com/-1762913
5 Dec 2012 - "... according to Sophos*, 30.81% of sites hosting it are in the United States, which is followed by Russia at 17.88% and Chile at 10.77%. Sophos says that between October 2011 and March 2012, almost 30% of detected threats were either directly from Blackhole or diversions to Blackhole kits that had been rigged on formerly reputable sites... Sophos says that in 2012 the biggest problems were cloud services, the Bring Your Own Device (BYOD) movement, hacking of SQL databases, improving social engineering methods, and an increasing number of attacks on the Android mobile operating system. The latter has seen everything from SMS fraud, apparent botnets on phones, banking malware, and bogus or rogue applications from application stores..."
* http://www.sophos.co...le-exploit.aspx
Video - 3:02

Drive-by redirects and exploit sites - attack landscape on the net (graphic)
> http://www.h-online....iew=zoom;zoom=4

Defenses against the Blackhole exploit kit
>> https://en.wikipedia...ole_exploit_kit
" ... Make sure the browser, browser's plugins, and operating system are up to date..."

Test your browser here: https://browsercheck...m/?scan_type=js
___

- https://blogs.techne...Redirected=true
12 Nov 2012 - "... Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin..."
> https://blogs.techne..._2D00_550x0.jpg
Vulnerabilities targeted by the Blacole exploit kit in 1Q12 and 2Q12
> https://blogs.techne..._2D00_550x0.jpg

Edited by AplusWebMaster, 08 December 2012 - 05:49 PM.

[AplusWebMaster]

FYI...

Malicious ‘Security Update for Banking Accounts’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 7, 2012 - "Cybercriminals have recently launched yet another massive spam campaign attempting to trick e-banking users into thinking that their ability to process ACH transactions has been temporarily disabled. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
Sample spamvertised compromised URLs:
hxxp ://promic .pl/page4.htm
hxxp ://promic .pl/rating.htm
Sample client-side exploits serving URLs:
hxxp ://bamanaco .ru:8080/forum/links/column.php
hxxp ://lentuiax .ru:8080/forum/links/column.php
Malicious domains reconnaissance:
bamanaco.ru – 82.165.193.26 (AS8560); 203.80.16.81 (AS24514); 216.24.196.66 (AS40676)
Name servers:
ns1.bamanaco .ru - 62.76.178.233
ns2.bamanaco .ru – 41.168.5.140
ns3.bamanaco .ru – 132.248.49.112
ns4.bamanaco .ru – 209.51.221.247
lentuiax .ru – 203.80.16.81 (AS24514)
Name servers:
ns1.lentuiax .ru – 62.76.178.233
ns2.lentuiax .ru – 41.168.5.140
ns3.lentuiax .ru – 132.248.49.112
ns4.lentuiax .ru – 209.51.221.247
Sample detection rate for the redirection script: MD5: 35e6ddb6ce4229d36c43d9d3ccd182f3 * ... Trojan-Downloader.JS.Iframe.dby.
Although we couldn’t reproduce the malicious exploitation taking place through bamanaco .ru and lentuiax .ru, we found out that, during the time of the attack, similar client-side exploit serving URls were also responding to the same IPs, leading us to the actual malicious payload found on two of these domains..."
(More detail available at the webroot URL above.)
* https://www.virustot...sis/1353822844/
File name: August.html
Detection ratio: 21/44
Analysis date: 2012-11-25
___

Fake PayPal Emails: Windows 8 and Vintage Photo Collections
- http://www.gfi.com/b...to-collections/
Dec 7, 2012 - "If you want to panic over a mysterious transaction on Ebay to the tune of $564.48 for a “Microsoft Windows 8 Pro Anytime Upgrade”, then this is probably the email you’ve been waiting for.
It reads:
You have made an Ebay.com purchase.
Hello [removed],
You sent a payment of $564.48 USD to [removed].
Microsoft Windows 8 Pro Anytime Upgrade
Item# 16 $564.48 USD
> http://www.gfi.com/b...12/ebaywin8.png
Clicking the link in the fake PayPal email will take end-users to the usual round of Cridex / Blackhole URLs. On a similar note, there’s an additional email floating around that claims you purchased 84 copies of “Vintage photo collection sexy college girls 1990s or 2000s”.
> http://www.gfi.com/b...2/ebaywin82.png
Last time we saw this one was back in June* where the tally was -23- ..."
* http://blog.dynamoo....arshipznet.html
___

iTunes "Christmas gift card" SPAM / api.myobfuscate .com / nikolamireasa .com
- http://blog.dynamoo....-gift-card.html
6 Dec 2012 - "Here's a malware-laden spam with a twist:
From: iTunes [shipping @new. itunes .com]
To: purchasing [purchasing @ [redacted]]
Date: 6 December 2012 20:59
Subject: Christmas gift card
Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing @[redacted]
Order Total: $500.00
Billed To: Hilary Shandonay, Credit card
Item Number Description Unit Price
1 Christmas gift card (View\Download ) $500.00
Subtotal: $500.00
Tax: $0.00
Order Total: $500.00
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http ://www.apple .com/support/itunes/store/
Apple ID Summary ??????????¬?‚?? Detailed invoice
Apple respects your privacy.
Copyright ??????‚?© 2011 Apple Inc. All rights reserved

In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz .org which contains some heavily obfuscated javascript that eventually leads to a malicious landing page on [donotclick]nikolamireasa .com/less/demands-probably.php hosted on 188.93.210.133 (logol .ru, Russia). That IP hosts the following toxic domains that you should block:
nikolamireasa .com
portgazza. cu .cc
hopercac. cu .cc
hopercas. cu .cc
ukumuxur. qhigh .com
ymuvyjih.25u .com
... you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate .com... if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way. Both api.myobfuscate .com and www.myobfuscate .com are hosted on the same IP at 188.64.170.17 (also in Russia) which is part of a tiny netblock of 188.64.170.16/31 which you may as well block too. The 188.64.170.17 IP also contains the following domains which might also be abused in the same way:
htmlobfuscator .com
api.htmlobfuscator .com
htmlobfuscator .info
javascript-obfuscator .info
javascriptcompressor .info
javascriptcrambler .com
javascriptobfuscate .com
javascriptobfuscator .info
myobfuscate .com
api.myobfuscate .com
obfuscatorjavascript .com
api.obfuscatorjavascript .com
js.robotext .com
js.robotext .info
js.robottext .ru

In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots."

- http://www.avgthreat...com/webthreats/
... last updated on Dec 08, 2012 GMT.
Viruses & Threats on the Rise
1) Cool Exploit Kit - 19.24% of all detections...
2) Blackhole Exploit Kit - 19.16% of all detections...
3) JavaScript Obfuscation - 12.70% of all detections...
___

AICPA SPAM / ibertomoralles .org
- http://blog.dynamoo....orallesorg.html
7 Dec 2012 - "I haven't seen fake AICPA spam like this for a while, it leads to malware on ibertomoralles .org:
From: AICPA [noreply@aicpa.org]
Date: 7 December 2012 16:55
Subject: Your accountant license can be cancelled.
You're receiving this information as a Certified Public Accountant and a member of AICPA.
Having any problems reading this email? See it in your favorite browser.
AICPA logo
Revocation of CPA license due to income tax fraud accusations
Dear AICPA participant,
We have been informed of your potential involvement in tax return swindle on behalf of one of your employers. In obedience to AICPA Bylaw Article 700 your Certified Public Accountant position can be discontinued in case of the aiding of filing of a phony or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 14 work days. The rejection to provide elucidation within this time-frame would finish in decline of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Fri, 7 Dec 2012 18:31:58 +0100
From: "AICPA" [do-not-reply @aicpa .org]
Subject: Tax return assistance contrivance.
You're receiving this note as a Certified Public Accountant and a part of AICPA.
Having any problems reading this email? See it in your favorite browser.
Cancellation of Public Account Status due to tax return indictment
Respected accountant officer,
We have received a note of your presumable interest in income tax fraud for one of your clients. In concordance with AICPA Bylaw Article 600 your Certified Public Accountant status can be discontinued in case of the event of submitting of a fake or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the complaint below and provide your feedback to it within 14 work days. The rejection to respond within this time-frame will result in end off of your CPA license.
Delation.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at [donotclick]ibertomoralles.org/detects/five-wise_leads_ditto.php hosted on the same Chinese IP address of 59.57.247.185 as used in this spam yesterday*."
* http://blog.dynamoo....orallescom.html
___

BBB SPAM / ibertomoralles .org
- http://blog.dynamoo....orallesorg.html
"This bizarrely worded fake BBB spam leads to malware on ibertomoralles .org:
Date: Fri, 7 Dec 2012 18:43:08 +0100
From: "Better Business Bureau" [complaint @bbb .org]
Subject: BBB Complaint No.65183683
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau �
Start With Trust �
Fri, 7 Dec 2012
RE: Complaint N. 65183683
Hello
The Better Business Bureau has been booked the above said complaint from one of your purchasers in regard to their business relations with you. The detailed description of the consumer's disturbance are available visiting a link below. Please give attention to this point and let us know about your mind as soon as possible.
We amiably ask you to overview the GRIEVANCE REPORT to reply on this claim letter.
We are looking forward to your prompt reaction.
Faithfully yours
Natalie Richardson
Dispute Councilor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 28201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
====================
Date: Fri, 7 Dec 2012 19:42:23 +0200
From: "Better Business Bureau" [noreply@bbb.org]
Subject: BBB Appeal No.05P610Q78
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau �
Start With Trust �
Fri, 7 Dec 2012
RE: Case # 05P610Q78
Hello
The Better Business Bureau has been filed the above said reclamation from one of your customers in respect of their dealings with you. The details of the consumer's disturbance are available at the link below. Please pay attention to this issue and notify us about your sight as soon as possible.
We politely ask you to visit the PLAINT REPORT to meet on this claim.
We are looking forward to your prompt reaction.
Yours respectfully
Dylan Peterson
Dispute Councilor
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 25301
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was delivered to [redacted] Don't want to receive these emails anymore? You can unsubscribe
====================
From: Better Business Bureau [mailto:information@bbb.org]
Sent: Fri 07/12/2012 17:01
Subject: Better Business Beareau Pretension No.S8598593
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust
Fri, 7 Dec 2012
RE: Complaint N. S8598593
Valued client
The Better Business Bureau has been entered the above mentioned grievance from one of your clientes with reference to their dealings with you. The details of the consumer's worry are available at the link below. Please give attention to this problem and let us know about your opinion as soon as possible.
We pleasantly ask you to click and review the CLAIM LETTER REPORT to respond on this grievance.
We awaits to your prompt response.
WBR
Aiden Thompson
Dispute Advisor
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 26701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The payload and IP addresses are exactly the same as the ones found in this spam run*."
* http://blog.dynamoo....orallesorg.html
___

Sendspace "You have been sent a file" SPAM / pelamutrika .ru
- http://blog.dynamoo....-file-spam.html
7 Dec 2012 - "This fake Sendspace spam leads to malware on pelamutrika .ru:
Date: Fri, 7 Dec 2012 10:53:57 +0200
From: Badoo [noreply @badoo .com]
Subject: You have been sent a file (Filename: [victimname]-64.pdf)
Sendspace File Delivery Notification:
You've got a file called [victimname]-792244.pdf, (337.19 KB) waiting to be downloaded at sendspace.(It was sent by CHASSIDY PROCTOR).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]pelamutrika .ru:8080/forum/links/column.php hosted on the following familiar IP addresses which you should definitely try to block:
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)"
___

Searching for “Windows Android Drivers” Leads to Malware and Bogus Google Play Markets
- http://www.gfi.com/b...e-play-markets/
7 Dec 2012 - "If you’re on the lookout for Android USB drivers for your Windows OS, be very careful. Such strings like “Windows Android Drivers” or combinations of these may bring up results that you would rather stay away from. Our researchers in the AV Labs have found this peculiar search result on Yahoo!... Visiting the Russian URL, bestdrivers(dash)11(dot)ru, automatically downloads a file called install.exe... Running the .exe file, which is a Trojan that we detect as Trojan.Win32.Generic!BT, allows it to modify the start page of the user’s IE browser to 94(dot)249(dot)188(dot)143/stat/tuk/187, a sign-up page for a Russian “escort” site. It does this so users are directed to the page by default whenever they open their IE browser..." (-aka- Hijacked...)
(More detail and screenshots at the gfi URL above.)
___

Christmas themed SCAMS on Facebook ...
- http://community.web...n-facebook.aspx
06 Dec 2012 - "... We spotted more than 3,000 unique URLs used for this scam on Facebook. The high variation is used by cyber criminals to assure persistence and redundancy in case some URLs or domains get blacklisted.
> http://community.web...k_5F00_xmas.jpg
... Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam web sites:
208.73.210.147
213.152.170.193
184.107.164.158
216.172.174.53
199.188.206.214
198.187.30.161
198.154.102.28
68.168.21.68
198.154.102.29
174.132.156.176
198.154.102.27
88.191.118.153
208.91.199.252
We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidences, but it's safe to say that while it's declining it's still going strong..."

Edited by AplusWebMaster, 08 December 2012 - 03:33 PM.

[AplusWebMaster]

FYI...

Fake Sendspace SPAM "You have been sent a file" / anifkailood .ru:
- http://blog.dynamoo....space-spam.html
10 Dec 2012 - "This fake Sendspace spam leads to malware on anifkailood .ru:
Date: Mon, 10 Dec 2012 06:01:01 -0500
From: "Octavio BOWMAN" [AdlaiBaldacci @telefonica .net]
Subject: You have been sent a file (Filename: [redacted]-722.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]anifkailood .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."
___

Fake AICPA SPAM / eaglepointecondo .co
- http://blog.dynamoo....ntecondoco.html
10 Dec 2012 - "This fake AICPA spam leads to malware on eaglepointecondo .co:
Date: Mon, 10 Dec 2012 19:29:21 +0400
From: "AICPA" [alerts@aicpa.org]
Subject: Income fake tax return accusations.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.
Termination of Public Account Status due to income tax fraud allegations
Respected accountant officer,
We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.
SubmittedReport.doc
The American Institute of Certified Public Accountants.
Email: service @aicpa .org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at [donotclick]eaglepointecondo .co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently* for malware distribution..."
* http://blog.dynamoo....q=59.57.247.185

> http://www.aicpa.org...lent-email.aspx

Your CPA License has -not- been revoked
- https://isc.sans.edu...l?storyid=14674
Last Updated: 2012-12-10 - "I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded.
> https://isc.sans.edu...es/CPAEmail.png
The only clickable link is the "Delation.pdf" (maybe that should be deletion?). Upon clicking the link, we are send on the usual malware redirect loop:
The first stop is httx ://tesorogroup .com/components/com_ag_google_analytics2/taxfraudalert.html
It includes javascript and meta tag redirects to
httx ://eaglepointecondo. co/ detects /denouncement-reports.php
... which will test our browser for vulnerable plugins and try to run a java applet. Looks all very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co . The two host currently resolve to 64.15.152.49 and 59.57.247.185 respectively.
Wepawet does a nice job analysing the obfuscated java script:
http://wepawet.isecl...c...668&type=js ..."
___

Facebook SCAM goes wild - doubles over the weekend ...
- http://community.web...he-weekend.aspx
10 Dec 2012 - "Last week we wrote a blog* about a specific Facebook scam that appeared to spread rather aggresively... Websense.. detected that the scam has increased and multiplied over the weekend - particularly on Saturday where we saw the amount of unique URLs related to this scam double. This shows how cyber crooks time their attacks to times where users are more laid back and when the security community is less likely to alert users on this type of threat... The scam spreads using click-jacking techniques and employs a mass number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid .org... A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:
> http://community.web...mas_5F00_23.jpg
Screenshot of the scam's main page:
> http://community.web...mas_5F00_24.jpg
How the scam looks like in Facebook's new feed. The scam uses varied sexual implied images and varied enticing wording to lure for user's clicks:
> http://community.web...mas_5F00_25.jpg

* http://community.web...n-facebook.aspx

Facebook Spam leverages/abuses Instagram App
- http://blog.trendmic...-instagram-app/
Dec 10, 2012 - "... social networking sites have been often used to proliferate malware. Just recently, we spotted a Facebook clickjacking attack that leverages and abuses Instagram to point users to malicious websites. Users encounter this threat by being tagged in a photo posted by one of their contacts on Facebook. The post states that users can know who visited their profile on Faceboofk and how often. It also includes a photo posted via Instagram. We noticed that the photo and the names used in the “Recent Profile Views” (see below) are used repeatedly for other attacks.
> http://blog.trendmic..._screenshot.gif
Should users decide to click the link, they are lead to a page with instructions on how to generate the verification code. Once done, a pop-up window appears, which is actually the Instagram for Facebook app asking users to click “Go to App” button. Once done, it -redirects- users to a page that looks like the Facebook Home page.
> http://blog.trendmic...ge_facebook.gif
... the address bar is different from the legitimate Facebook homepage. Users are then asked to copy and paste the malicious URL (which varies per user) in a certain dialog box and to click ‘continue’... the link so far gathered 825,545 clicks worldwide, mostly coming from the Philippines and India. The said link is attributed to the account maygup88, who is also responsible for other 130 domains blocked. This type of threat on Facebook has taken on different forms these past months, usually under the veil of popular brands such as Diablo 3 and iPad. It even expanded to other social networking sites like Pinterest and Tumblr, which only means one thing: users are still falling for these scams. With this in mind, users are advised to take precautionary steps such as double-checking the legitimacy of links and posts. And remember: just because a contact posted that link, it does not mean it’s safe..."
___

AICPA SPAM / eaglepointecondo .org
- http://blog.dynamoo....aicpa-spam.html
10 Dec 2012 - "Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo .org:
Date: Mon, 10 Dec 2012 18:51:38 +0100
From: "AICPA" [info@aicpa.org]
Subject: Tax return assistance fraud.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.
Suspension of CPA license due to income tax indictment
Valued AICPA participant,
We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.
Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Mon, 10 Dec 2012 14:50:40 -0300
From: "AICPA" [noreply@aicpa.org]
Subject: Your accountant license can be end off.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.
Suspension of Accountant status due to tax return fraud prosecution
Respected AICPA member,
We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.
Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.
SubmittedReport.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

In this case the malicious payload is at [donotclick]eaglepointecondo .org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today*."
* http://blog.dynamoo....ntecondoco.html
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/b...for-the-week-5/
Dec 10, 2012 - "... noteworthy email threats for the week of December 3 to 7:
- Phishers Target Wells Fargo Clients
- Message from the Department of Investigations
- Amazon eBook Spam in the Wild
- Spam from AICPA ...
(More detail and screenshots at the gfi URL above.)

Edited by AplusWebMaster, 10 December 2012 - 08:50 PM.

[AplusWebMaster]

FYI...

Fake Changelog SPAM / aseniakrol .ru
- http://blog.dynamoo....eniakrolru.html
11 Dec 2012 - "This spam leads to malware on aseniakrol .ru:
Date: Tue, 11 Dec 2012 10:46:43 -0300
From: Tarra Comer via LinkedIn [member @linkedin .com]
Subject: Re: Your Changelog UPDATED
Hi,
as promised your changelog - View
I. Easley

The malicious payload is at [donotclick]aseniakrol .ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."

[AplusWebMaster]

FYI...

Fake Sendspace emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 12, 2012 - "Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised -bogus- ‘Sendspace File Delivery Notifications‘. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E
Once executed it creates %AppData%\kb00121600.exe on the affected system.
The sample also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following Mutexes:
Local\XMM00000418
Local\XMI00000418
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It then phones back to hxxp ://210.253.102.95 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp ://123.49.61.59 :8080/AJtw/UCyqrDAA/Ud+asDAA/ ..."
(More detail at the webroot URL above.
* https://www.virustot...1eb2b/analysis/
File name: contacts.exe.x-msdownload
Detection ratio: 33/44
Analysis date: 2012-11-13
___

Fake Citibank SPAM / platinumbristol .net
- http://blog.dynamoo....bristolnet.html
12 Dec 2012 - "This fake Citibank spam leads to malware on platinumbristol .net:
From: citibankonline @serviceemail1 .citibank .com via pado .com .br
Date: 12 December 2012 15:38
Subject: Account Alert
Mailed-by: pado .com .br
Citi
Email Security Zone EMAIL SECURITY AREA
ATM/Credit card ending in: XXX7
Alerting System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12
Log In to Overview Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12
Visit this link to Overview Detailed information
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
Š 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
From: citibankonline @serviceemail5 .citibank .com via clickz .com
Date: 12 December 2012 15:39
Subject: Account Notify
Mailed-by: clickz .com
Citi
Email Security Zone EMAIL SAFETY AREA
ATM/Debit card ending in: XXX7
Alerting System
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12
Visit this link to Cancel Details
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12
Sign In to Overview Details
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 23:16:15 +0700
From: alets-no-reply @serviceemail6 .citibank .com
Subject: Account Insufficient funds
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX0
Notifications System
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12
Login to Abort Detailed information
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12
Go to web site by clicking here to See Operation
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 20:07:46 +0400
From: citibankonline @serviceemail8 .citibank .com
Subject: Account Operation Alert
EMAIL SECURITY ZONE
Credit card ending in: XXX0
Notifications System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12
Click Here to Review Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12
Sign In to View Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auomatic informational system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

The malicious payload is at [donotclick]platinumbristol .net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.
I can see the following evil domains on that same server..."
(More detail at the dynamoo URL above.)

Edited by AplusWebMaster, 12 December 2012 - 11:46 AM.

[AplusWebMaster]

FYI...

Fake Citi Cards SPAM / 6.bbnface .com and 6.mamaswishes .com
- http://blog.dynamoo....acecom-and.html
13 Dec 2012 - "This fake Citi Cards spam leads to malware on 6.bbnface .com and 6.mamaswishes .com:
Date: Thu, 13 Dec 2012 11:59:33 +0300
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$8,803.77
Minimum Payment Due: $750.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
============================
Date: Thu, 13 Dec 2012 10:30:55 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$5,319.77
Minimum Payment Due: $506.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards .com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface .com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes .com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent."
___

More "Copies of Policies" SPAM / awoeionfpop .ru:
- http://blog.dynamoo....eionfpopru.html
13 Dec 2012 - "This spam leads to malware on awoeionfpop .ru:
Date: Thu, 13 Dec 2012 09:08:32 -0400
From: "Myspace" [noreply @message .myspace .com]
Subject: Fwd: Deshaun - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Deshaun ZAMORA,

The malicious payload is at [donotclick]awoeionfpop .ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
(More dtail at the dynamoo URL above.)
___

Fake Citibank SPAM / eaglepointecondo .biz
- http://blog.dynamoo....tecondobiz.html
13 Dec 2012 - "This fake Citibank spam leads to malware on eaglepointecondo .biz:
Date: Thu, 13 Dec 2012 16:59:14 +0400
From: "Citi Alerts" [lubumbashiny63 @bankofdeerfield .com]
Subject: Account Operation Alert
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX8
Notifications System
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12
Sign In to Abort Details
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12
Login to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Alerts [mailto:enormityyf10 @iztzg .hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX6
Notifications System
Bill Payment
Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12
Visit this link to Cancel Detailed information
Bill Payment
Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12
Login to Review Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auto informer system unable to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Service [mailto:goaliesj79 @wonderware .com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX8
Alerting System
Withdraw Message
Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12
Login to Abort Operation
Withdraw Message
Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12
Sign In to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

The malicious payload is on [donotclick]eaglepointecondo .biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can."

Edited by AplusWebMaster, 13 December 2012 - 11:48 AM.

[AplusWebMaster]

FYI...

Dexter malware targets POS systems...
- http://www.theregist...ts_pos_systems/
14 Dec 2012 - "You could be getting more than you bargained for when you swipe your credit card this holiday shopping season, thanks to new malware that can skim credit card info from compromised point-of-sale (POS) systems. First spotted by security firm Seculert*, the malware dubbed "Dexter" is believed to have infected hundreds of POS systems in 40 countries worldwide in recent months. Companies targeted include retailers, hotel chains, restaurants, and private parking providers. The US, the UK, and Canada top the list of countries where the malicious app has been found... Once the malware is installed on a POS system, it grabs the machine's list of active processes and sends them to a command-and-control server – a highly unusual step for POS malware, according to security researchers at Trustwave**..."
* http://blog.seculert...f-point-of.html

** http://blog.spiderla...ands-dirty.html
___

Something evil on 87.229.26.138
- http://blog.dynamoo....8722926138.html
14 Dec 2012 - "This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example*).
* http://urlquery.net/...t.php?id=406222
There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.
The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha @yahoo .com
The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen @yahoo .com
If you can block the IP address then it will be the simplest option as there are rather a lot of domains here..."
(More detail at the dynamoo URL above.)
___

Fake Citibank SPAM / 4.whereintrentinoaltoadige .com
- http://blog.dynamoo....oaltoadige.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige .com:
Date: Fri, 14 Dec 2012 13:54:14 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,550.67
Minimum Payment Due: $764.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to... and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
====================
Alternative mid-sections:
Statement Date: December 13, 2012
Statement Balance: -$8,902.58
Minimum Payment Due: $211.00
Payment Due Date: Tue, January 01, 2013
Statement Date: December 13, 2012
Statement Balance: -$9,905.95
Minimum Payment Due: $535.00
Payment Due Date: Tue, January 01, 2013

The malicious payload is at [donotclick]4.whereintrentinoaltoadige .com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US)... malicious domains are also on the same server..."
(More detail at the dynamoo URL above.)
___

More Citibank SPAM / 6.bbnsmsgateway .com
- http://blog.dynamoo....gatewaycom.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 6.bbnsmsgateway .com:
Date: Fri, 14 Dec 2012 19:27:56 +0530
From: Citi Cards [citicards @info.citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info.citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,873.54
Minimum Payment Due: $578.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

The malicious payload is at [donotclick]6.bbnsmsgateway .com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent."
___

Changelog SPAM / aviaonlolsio .ru
- http://blog.dynamoo....onlolsioru.html
14 Dec 2012 - "This fake Changelog spam leads to malware on aviaonlolsio .ru:
From: messages-noreply @bounce .linkedin .com [mailto :messages-noreply @bounce .linkedin .com] On Behalf Of Earlean Gardner via LinkedIn
Sent: 13 December 2012 20:22
Subject: Re: Changelog as promised (upd.)
Hi,
as promised - View
I. SWEET
====================
Date: Fri, 14 Dec 2012 05:22:54 +0700
From: "Kaiya HIGGINS" [fwGpEzHIGGINS @hotmail .com]
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
as promised chnglog updated - View
I. HIGGINS

The malicious payload is at [donotclick]aviaonlolsio .ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
___

Fake Chase emails lead to malware
- http://blog.webroot....ead-to-malware/
Dec 14, 2012 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating Chase in an attempt to trick its customers into executing the malicious attachment found in the fake email. Upon execution, the sample downloads additional malware on the affected hosts, and opens a backdoor allowing the cybercriminals behind the campaign complete access to the host...
Sample screenshot of the spamvertised email:
> https://webrootblog....ring.png?w=1024
... the cybercriminal/cybercriminals behind it applied low QA (Quality Assurance) since the actual filename found in the malicious archive exceeds 260 characters, resulting in a failed extraction process on Windows hosts.
“C:\Users\Workstation\Desktop\Statement_random_number.pdf.zip: Cannot create Statement_ID_random_number.pdf.exe
Total path and file name length must not exceed 260 characters. The system cannot find the path specified.“
Sample detection rate for the spamvertised attachment: MD5: 676c1a01739b855425f9492126b34d23 * ... Trojan-PSW.Win32.Tepfer.cbrv.
Makes DNS request to 3.soundfactor .org, then it establishes a TCP connection with 184.184.247.60 :14511, as well as UDP connections to the following IPs:
184.184.247.60 :23089
99.124.198.193 :13197
78.93.215.24 :14225
68.167.50.61 :28650 ..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1355442736/
File name: Statement_ID.pdf.exe
Detection ratio: 42/46
Analysis date: 2012-12-13

Edited by AplusWebMaster, 14 December 2012 - 02:53 PM.

[AplusWebMaster]

FYI...

Pharma SPAM - pillscarehealthcare .com
- http://blog.dynamoo....recom-spam.html
17 Dec 2012 - "There has been a massive amount of pharma spam pointing to pillscarehealthcare .com over the past 48 hours or so. Here are some examples:
Date: Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From: "Account Info Change" [tyjinc @palmerlakearttour .com]
To: [redacted]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
==================
Date: Mon, 17 Dec 2012 01:22:56 -0700
From: "Angela Snider" [directsales @tyroo .com]
To: [redacted]
Subject: Pending ticket status
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 21:37:47 -0700
From: "Alexis Houston" [cmassuda @agf .com .br]
To: [redacted]
Subject: Pending ticket notification
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 07:06:30 -0800
From: "Account Sender Mail" [daresco @excite .com]
To: [redacted]
Subject: Account is now available
Login unavailable due to maintenance ([redacted])
Hello,
Your Account is now available.
Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.
Access Your Account
Hope this information helps you.
Thanks,
Support team
==================
From: Kennedi Marquez [mailto:cwtroutn @naturalskincarereviews .info]
Sent: 17 December 2012 11:18
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support

This appears to be punting fake drugs rather than malware. pillscarehealthcare .com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address..."
(More detail at the dynamoo URL above.)

[AplusWebMaster]

FYI...

Fake UPS/USPS SPAM / apensiona .ru
- http://blog.dynamoo....pensionaru.html
18 Dec 2012 - "Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS/USPS/ FilesTube spam leads to malware on apensiona .ru:
From: FilesTube [mailto: filestube @filestube .com]
Sent: 17 December 2012 06:01
Subject: Your Tracking Number H7300014839
USPS Customer Services for big savings!
Can't see images? CLICK HERE.
UPS - UPS TEAM 60 >>
Already Have an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your Account Now >>
UPS - UPS .com Customer Services
Good Evening, [redacted].
DEAR USER , Recipient's address is wrong
Track your Shipment now!
With Respect To You , Your UPS .com Customer Services.
Shipping | Tracking | Calculate Time & Cost | Open an Account
@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
Attn: Customer Communications Department

The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address..."
(More detail at the dynamoo URL above.)
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/b...for-the-week-6/
Dec 18, 2012 - "... noteworthy email threats for the week... covering the dates of December 10 to 14...

“Mailbox Upgrade” Email is a Phish...
> http://gfisoftware.t...edentials-phish
... Malicious URLs: my3q .com/survey/458/webgrade2052/77717.phtml

Unsolicited “Adobe CS4 License” Leads to Malware...
> http://gfisoftware.t...se-spam-returns
... Malicious URLs: safeshopper .org.nz/redirecting.htm, happy-school .edu.pl/redirecting.htm, amnaosogo .ru:8080/forum/links/column.php...

Spammers Target Citibank Clients.
> http://gfisoftware.t...-statement-spam
... Malicious URLs... (See the gfisoftware.tumblr URL above.)
___

LinkedIn SPAM / apensiona .ru
- http://blog.dynamoo....pensionaru.html
18 Dec 2012 - "This fake LinkedIn spam leads to malware on apensiona .ru:
From: messages-noreply @bounce .linkedin .com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn
LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Hien Lawson
Accept
View invitation from Hien Lawson
WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?
Hien Lawson's connections could be useful to you
After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation

The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php (the same payload as here*) although this time the IPs have changed to:
109.235.71.144 (Serveriai, Lithunia)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit , UK)
Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69 ..."
* http://blog.dynamoo....pensionaru.html

Edited by AplusWebMaster, 18 December 2012 - 03:45 PM.

[AplusWebMaster]

FYI...

Fake AV - Malware sites to block 19/12/12
- http://blog.dynamoo....ock-191212.html
19 Dec 2012 - "This group of sites appears to be using a fake AV applications to download a malicious file scandsk.exe (report here*) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).
* https://www.virustot...4bc70/analysis/
Detection ratio: 14/45
This is a screenshot of the fake AV in action:
> https://lh3.ggpht.co...1600/fakeav.png
From this point, the scandsk.exe gets download either through an exploit or social engineering. This executable looks like some sort of downloader, which attempt to pull down additional data from these non-responding domains:
report.q7ws17sk1ywsk79g .com
report.7ws17sku7myws931u .com
report.u79i1qgmywskuo9o .com
There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent... but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:
inetnum: 46.105.131.120 - 46.105.131.127
netname: marysanders1
descr: marysanders1net
country: IE
org: ORG-OH5-RIPE
admin-c: OTC9-RIPE
tech-c: OTC9-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go .com registered in China which has been fingered as an attack site before... I would recommend blocking the entire 46.105.131.120/29 to be on the safe side. The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo .com, ez .lv and zyns .com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches. 79.133.196.103 is part of small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.
Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo .com
ez .lv
zyns .com
Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here..."
(More detail at the dynamoo URL above.)
___

Fake Facebook SPAM / 46.249.58.211 and 84.200.77.218
- http://blog.dynamoo....8420077218.html
19 Dec 2012 - "There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:
From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account
Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http ://www.facebook .com/confirmemail.php?e=[redacted]
You may be asked to enter this confirmation code: [redacted]
The Facebook Team
Didn't sign up for Facebook? Please let us know.

46.249.58.211 (Serverius Holding, Netherlands)...
84.200.77.218 (Misterhost, Germany)...
GFI has some more details on this one here*."
* http://gfisoftware.t...o-spam-activity
Your Facebook Account is Blocked due to Spam Activity
Dec 19, 2012
___

Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
- http://blog.webroot....ome-extensions/
Dec 19, 2012 - "Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history...
Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension:
> https://webrootblog....nsion.png?w=702
The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:
> https://webrootblog....1...w=477&h=289
Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:
> https://webrootblog....1...w=555&h=355
... the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:
> https://webrootblog....1...w=614&h=324
In case users choose -not- to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys, part of CPA (Cost-Per-Action) affiliate network, earning -them- money:
> https://webrootblog....1...w=554&h=310
... Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs..."
___

Google Docs SPAM/PHISH...
- https://isc.sans.edu...l?storyid=14731
Last Updated: 2012-12-19 - "... Scams where the attacker's data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the -trusted- google .com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform... such scams aren't going away any time soon..."
> F-secure: http://www.f-secure....s/00002168.html
> GFI: http://www.gfi.com/b...-docs-phishing/
> Sophos: http://nakedsecurity...om-google-docs/
... Recipients who clicked the "CLICK HERE" link were directed to the following "IT HELPDESK SERVICE" page, which prompted for logon credentials that the attacker wanted to capture...
> https://isc.sans.edu...k-service-3.png
... The attacker was likely using a -compromised- Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form... Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer..."
___

LinkedIn Spam: The Repeat
- http://www.gfi.com/b...pam-the-repeat/
Dec 19, 2012 - "Another slew of spam claiming to originate from LinkedIn has hit the wild Internet in less than 24 hours, according* to the real time recording and tracking of email threats by our researchers in the AV Labs.
* http://gfisoftware.t...on-spam-returns
... Here’s what the email looks like:
> http://www.gfi.com/b...dIn_1218-wm.png
From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend
I’d like to add you to my professional network on LinkedIn.
[Allow button] View invitation from {redacted}
WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?
{redacted} connections could be useful to you
After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:
> http://www.gfi.com/b...-wm-300x105.png
This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.
> http://www.gfi.com/b...-wm-300x131.png
when in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites..."
___

Wire Transfer SPAM / angelaonfl .ru
- http://blog.dynamoo....gelaonflru.html
19 Dec 2012 - "This fake Wire Transfer spam leads to malware on angelaonfl .ru:
Date: Wed, 19 Dec 2012 11:26:24 -0500
From: "Myspace" [noreply @message .myspace .com]
Subject: Wire Transfer (3014YZ20)
Welcome,
Your Wire Transfer Amount: USD 45,429.29
Transfer Report: View
EULALIA Henry,
The Federal Reserve Wire Network

The malicious payload is at [donotclick]angelaonfl .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithunia)
210.71.250.131 (Chunghwa Telecom, Taiwan)
217.112.40.69 (Utransit, UK)
The following domains and IPs are all related and should be blocked if you can:
91.224.135.20
210.71.250.131
217.112.40.69 ..."
(More detail at the dynamoo URL above.)
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Home > Security Intelligence Operations > Latest Threat Information > Threat Outbreak Alerts
Fake Order Request E-mail Messages - December 19, 2012
Fake Party Invitation E-mail Messages - December 19, 2012
Fake Sample Product Quote E-mail Messages - December 19, 2012
Fake Scanned Image E-mail Messages - December 19, 2012
Fake Unspecified E-mail Messages - December 18, 2012
Fake Payment Invoice E-mail Messages - December 18, 2012
Fake Funds Transfer Notification E-mail Message - December 18, 2012
Fake Airline Ticket Order Notification E-mail Messages - December 18, 2012
Fake Product Order Quotation Attachment E-mail Message - December 18, 2012
Fake Tax Invoice E-mail Messages - December 18, 2012
Fake Order Invoice Notification E-mail Messages - December 18, 2012
Fake Sales Request E-mail Messages - December 18, 2012 ...

Edited by AplusWebMaster, 19 December 2012 - 09:25 PM.