SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#841 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 20 December 2012 - 12:17 PM

FYI...

Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 20, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog....exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog....loit_kit_01.png
Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
With the following value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = "%AppData%\KB00121600.exe"
It then creates the following Mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It also drops the following MD5s:
MD5: 9e7577dc5d0d95e2511f65734249eba9
MD5: 61bb88526ff6275f1c820aac4cd0dbe9
MD5: b360fec7652688dc9215fd366530d40c
MD5: f6ee1fcaf7b87d23f09748cbcf5b3af5
MD5: d7a950fefd60dbaa01df2d85fefb3862
MD5: ed662e73f697c92cd99b3431d5d72091
It then phones back to 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA. We’ve already seen the same command and control server used in the following previously profiled malicious campaigns..."
* https://www.virustot...1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___

Sendspace "You have been sent a file" SPAM / apendiksator .ru
- http://blog.dynamoo....-file-spam.html
20 Dec 2012 - "This fake Sendspace spam leads to malware on apendiksator .ru:
Date: Thu, 20 Dec 2012 09:25:36 -0300
From: "SHIZUKO Ho"
Subject: You have been sent a file (Filename: [redacted]-28.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace. (It was sent by SHIZUKO Ho).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
===
Date: Thu, 20 Dec 2012 05:05:02 +0100
From: "GENNIE Hensley"
Subject: You have been sent a file (Filename: [redacted]-7123391.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace. (It was sent by GENNIE Hensley).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


The malicious payload is at [donotclick]apendiksator .ru:8080/forum/links/column.php hosted on:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
These IPs and domains are all related and should be blocked:
91.224.135.20
187.85.160.106
210.71.250.131
afjdoospf .ru
angelaonfl .ru
akionokao .ru
apendiksator .ru
..."
___

"New message" SPAM, fake dating sites and libertymonings .info
- http://blog.dynamoo....-sites-and.html
20 Dec 2012 - "This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012 .asia and libertymonings .info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:
Date: Thu, 20 Dec 2012 20:50:17 -0200
From: "SecureMessage System" [2F5DEE622 @hungter .com]
Subject: New message
Click here to view the online version.
New private message from Terra Fisher received.
Total unread messages: 5
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
-------------------------
Date: Thu, 20 Dec 2012 20:36:14 -0200
From: "Secure Message" [82E8ACBD @lipidpanel .com]
Subject: New message
Click here to view the online version.
New private message from Josefina Albert received.
Total unread messages: 3
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


In these cases, the target URLs are [donotclick]site-dating2012c .asia/link.php and [donotclick]site-dating2012 .asia/link.php, both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211 (also at Serverius Holding). These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to a fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010 .info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page. The site also contains an apparent Java exploit that loads in from libertymonings .info on 84.200.77.218 (Misterhost, Germany), which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings .info/index/zzz/?a=YWZmaWQ9MDAxMTA=, which attempts to download a Java exploit from [donotclick]libertymonings .info/analizator_data/ztsvgnvlmhe-a.qsypes.jar, which is pretty thinly detected according to VirusTotal*.
The following IPs and domains are all related and should be blocked if you can:
46.249.42.161
46.249.58.211
84.200.77.218
..."
* https://www.virustot...sis/1356045558/
File name: ztsvgnvlmhe-a.qsypes.jar
Detection ratio: 6/45
Analysis date: 2012-12-20

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 20 December 2012 - 08:19 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
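The Cridex write-up quoted above lists the logon-persistence artefact the dropper leaves behind: a Run value under HKCU pointing at an executable in %AppData% with a KB-style file name. As an added example (my code, not from the post or the Webroot analysis it quotes), here is a small Python check that reads a `.reg` export of the HKCU Run key and flags entries that start from a user-writable profile location or carry a Windows-update-style "KB" file name. The export text is constructed here; the OneDrive and Spotify entries are invented benign neighbours that show why the path test alone is noisy and the name test is the stronger signal.

```python
import ntpath
import re

# Constructed .reg export, as `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# would produce. The KB00121600.exe entry models the Run value quoted in the post above;
# the OneDrive and Spotify entries are invented benign neighbours.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"KB00121600.exe"="\"%AppData%\\KB00121600.exe\""
"Spotify"="C:\\Program Files\\Spotify\\Spotify.exe --autostart"
'''

# A .reg value line looks like "name"="data"; both parts use backslash escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Locations an unprivileged user can write to, which is where droppers like this one land.
USER_WRITABLE = re.compile(r'(%appdata%|%localappdata%|%temp%|%tmp%|\\appdata\\|\\temp\\)', re.I)

# File names that imitate a Windows update package number (KB followed by digits).
KB_MIMIC = re.compile(r'^kb\d{6,}\.exe$', re.I)


def unescape(s: str) -> str:
    """Turn the .reg escapes \\" and \\\\ back into literal characters."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str):
    """Yield (key, value_name, data) for every value under a key ending in \\Run."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            yield key, unescape(m.group(1)), unescape(m.group(2))


def executable_of(command: str) -> str:
    """Extract the program path from a Run command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess_run_entries(reg_text: str):
    """Return a list of findings, each with the value name, program path and the reasons it was flagged."""
    findings = []
    for _key, name, data in parse_run_values(reg_text):
        exe = executable_of(data)
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("executable lives in a user-writable profile location")
        if KB_MIMIC.match(ntpath.basename(exe)):
            reasons.append("file name mimics a Windows update KB number")
        if reasons:
            findings.append({"name": name, "path": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_run_entries(SAMPLE_REG_EXPORT):
        print(f"{finding['name']}: {finding['path']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run against the sample, the OneDrive entry is reported for its AppData path alone (legitimate software does live there, so that reason on its own is a prompt to look, not a verdict), while the KB00121600.exe entry collects both reasons, which is the combination worth acting on.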



#842 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 December 2012 - 09:07 AM

FYI...

Malware sites to block 21/12/12
- http://blog.dynamoo....ock-211212.html
21 Dec 2012 - "There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection mechanism appears to be coming from an unidentified ad running on the centerblog .net blogging system (I think specifically [donotclick]zezete2.centerblog .net/i-247-136-1356095651.html).
The malware URLs are quite lengthy and appear to be resistant to analysis; in the attack I have seen, the following URLs were in use (don't visit these sites, obviously):
[donotclick]svwlekwtaign.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.
avigorstats .pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan), but this is just the tip of a -huge- iceberg of malicious IPs and domains that are all interconnected.
Let's start with my personal recommended blocklist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain one for copy and pasting)..
Recommended blocklist (annotated)...
Recommended blocklist (Plain list)..."
(Too long to post here - see the dynamoo URL above - great list to use!)
___

Profile Spy...
- http://www.gfi.com/b...yan-apocalypse/
Dec 21, 2012 - "... Profile Spy, a once viral scam on Facebook and Twitter that entices users to check out who have been viewing their profiles. Today, on the eve of the rumored 'EoW', it has decided to rear its ugly head once more... the criminals behind it have used a number of tactics to make users hand over their credentials or give them money — like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store. This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared... Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser... This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it — secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation... [UPDATE: Google has now taken down the Profile Spy page on the Chrome Web Store.] Watch that mouse pointer... careful where you direct and click it."
(Screenshots and more info available at the gfi URL above.)
___

Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 21, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog....exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog....loit_kit_01.png
... Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo.com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo.com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon ...
Responding to 59.57.247.185 are also the following malicious domains..."
(More detail at the webroot URL above.)
* https://www.virustot...1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___

‘Work at Home’ scams impersonating CNBC spotted in the wild
- http://blog.webroot....ed-in-the-wild/
Dec 21, 2012 - "... a currently circulating “Work At Home” scam that’s successfully and professionally impersonating CNBC in an attempt to add more legitimacy to its market proposition – the Home Business System...
Sample screenshot of the spamvertised email impersonating CNBC:
> https://webrootblog....ome_scam_01.png
Sample screenshot of the fake CNBC news article detailing the success of the Home Business System:
> https://webrootblog....t_home_scam.png
No matter where you click, you’ll always be redirected to the Home Business System.
Sample bogus statistics sent by customers of the system:
> https://webrootblog....ome_scam_02.png
What’s particularly interesting about this campaign is the way the scammers process credit card details. They do it internally, not through a payment processing intermediary, using basic SSL encryption, featuring fake “Site Secured” logos, including one that’s mimicking the “VeriSign Secured” service. Although the SSL certificate is valid, the fact that they even require your CVV/CVV2 code, without providing adequate information on how they store and actually process the credit card numbers in their possession, is enough to make you extremely suspicious.
Sample spamvertised URLs:
hxxp ://5186d4d1.livefreetimenews .com/
hxxp ://5f4a8abae0.get-more-news .com/
Domains participating in the campaign:
worldnewsyesterday .com – Email: johnjbrannigan @teleworm .us
worldnewsimportant .com – Email: johnjbrannigan @teleworm .us
hbs-system .com – Email: cinthiaheimbignerupbg @hotmail .com
Historically, the following domains were also used in a similar fashion:
homeworkhere .com – Email: zoilaprni4d @yahoo .com
lastnewsworld .com – Email: shirleysmith57 @yahoo .com
homecompanysystem .com – Email: deloristrevertonef53 @yahoo .com
> https://webrootblog....ome_scam_04.png
Users are advised -not- to click on links found in spam emails, and to never entrust their credit card details to someone who’s spamvertising you using the services of some of the most prolific botnets currently online."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 21 December 2012 - 08:02 PM.



#843 AplusWebMaster


Posted 22 December 2012 - 03:50 PM

FYI...

"New message received" SPAM / siteswillsrockf .com and undering .asia
- http://blog.dynamoo....eived-spam.html
22 Dec 2012 - "This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday ( http://blog.dynamoo....ock-211212.html ).
Date: Sat, 22 Dec 2012 16:55:38 +0300
From: "Secure.Message" [FAA55EEEE @valencianadeparketts .es]
Subject: New message received
Click here to view the online version.
Hello [redacted],
You have 5 new messages.
Read now
Copyright 2012 SecurePrivateMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering .asia/link.php?login.aspx=[emailaddress]&id=[redacted] with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering .asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=
undering .asia is hosted on 46.249.42.161, and siteswillsrockf .com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
inetnum: 46.249.42.0 - 46.249.42.255 ...
The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius* who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.
There are lots of other suspect domains on these two IPs as well:
46.249.42.161 ...
46.249.42.168 ..."
(Too many to post here - see the dynamoo URL above for more detail.)
* https://www.google.c...c?site=AS:50673

:ph34r: :ph34r: <_<



#844 AplusWebMaster


Posted 23 December 2012 - 09:00 PM

FYI...

Fake "SecureMessage" SPAM / infiesdirekt .asia, pacesetting .asia and siteswillsrockf .net
- http://blog.dynamoo....direktasia.html
23 Dec 2012 - "Another fake "SecureMessage" spam leading to malware, the same in principle as this spam run* and again hosted on the same Serverius-owned** IPs of 46.249.42.161 and 46.249.42.168. There are several variants of the spam, but they are all very similar and look something like this:
Date: Sun, 23 Dec 2012 14:26:32 +0530
From: "Secure.Message"
Subject: Alert: New message
Click here to view the online version.
Hello [redacted],
You have 4 new messages.
Read now
Copyright 2012 SecureMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


... suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do. These are the malicious domains that I can currently identify on those IPs..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....eived-spam.html

** https://www.google.c...c?site=AS:50673

:ph34r: <_<

Edited by AplusWebMaster, 23 December 2012 - 10:36 PM.



#845 AplusWebMaster


Posted 26 December 2012 - 07:45 AM

FYI...

Eastern bloc SPAM...
- http://blog.dynamoo....e-athiests.html
25 Dec 2012 - "... eastern bloc... spammers are sending out today.
Date: Tue, 25 Dec 2012 22:56:51 -0700
From: "Ticket Support"
Subject: Password Assistance
Thank you for your letter of Dec 25, your information arrived today.
Alright, here's the link to the site:
Proceed to Site
If we can help in any way, please do not hesitate to contact us.
Regards, Yuonne Ferro, Support Team manager.


Some variants of the body text:
- "Thank you for contacting us, your information arrived today."
- "Thank you for your letter regarding our products and services, your information arrived today."
- "Thank you for considering our products and services, your information arrived today."
Some alternative sender names: "Jonie Gunther", "Noreen Macklin", "Bonny Oconnell". The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker*. Given their awful reputation, I am surprised that they haven't been de-peered. Yet. There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP..."
(More detail at the dynamoo URL above.)
* https://en.wikipedia...usiness_Network
"... a host of the infamous Russian Business Network cyber-crime gang..."

> https://www.google.c...c?site=AS:34109
___

Pharmaceutical scammers spamvertise YouTube emails - counterfeit drugs...
- http://blog.webroot....nterfeit-drugs/
Dec 25, 2012 - "Pharmaceutical scammers are currently spamvertising a YouTube themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimately looking emails. Upon clicking on the fake YouTube personal message notification, users are -redirected- to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network...
Sample screenshot of the spamvertised email:
> https://webrootblog....1...w=373&h=244
Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:
> https://webrootblog....e_01.png?w=1009
Spamvertised URL: hxxp ://roomwithaviewstudios .com/inherits.html
Landing URL: hxxp ://canadapharmcanadian .net – 109.120.138.155
... fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155)...
(More detail at the webroot URL above.)...

This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimately looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns. We expect to see -more- of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health."
___

Fake E-billing SPAM / proxfied .net
- http://blog.dynamoo....roxfiednet.html
26 Dec 2012 - "There are various e-billing spam emails circulating today, pointing to malware on proxfied .net:
Date: Wed, 26 Dec 2012 18:49:37 +0300
From: alets-no-reply @customercenter .citibank .com
Subject: Your Further eBill from Citibank Credit Card
Member: [redacted]
Add alerts@ serviceemail2. citibank .com to your address book to ensure delivery.
Your Account: Important Warning
New eBill Available
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36
How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.
Please don't reply to this message.
If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.
E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.
To set up alerts sign on by clicking this link and go to Account Profile.
I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
If you want to communicate with us in writing concerning this email, please direct your correspondence to:
Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.
2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
3843054050826645
1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

====================
(More sample FAKE emails shown at the dynamoo URL above.)

The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with the following malicious domains:
sessionid0147239047829578349578239077 .pl
latticesoft .net
proxfied .net
..."
___

Fake NACHA SPAM / bunakaranka .ru:
- http://blog.dynamoo....akarankaru.html
26 Dec 2012 - "This fake ACH / NACHA spam leads to malware on bunakaranka .ru:
Date: Wed, 26 Dec 2012 06:48:11 +0100
From: Tagged [Tagged @taggedmail .com]
Subject: Re: Fwd: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department


The malicious payload is on [donotclick]bunakaranka .ru:8080/forum/links/column.php hosted on the following well-known IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Plain list:
91.224.135.20
187.85.160.106
210.71.250.131

Associated domains..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 26 December 2012 - 03:42 PM.



#846 AplusWebMaster


Posted 27 December 2012 - 09:06 AM

FYI...

Fake Twitter DM emails lead to Canadian Pharma SPAM
- http://www.gfi.com/b...an-pharma-spam/
Dec 27, 2012 - "We’re seeing quite a few of these “Can I use your…” style messages arriving in mailboxes, taking the form of fake Twitter DM notifications. The most common fakeouts seem to be asking about videos and photographs.
> http://www.gfi.com/b...picpublish1.png
"Hello, Can i publish link to your photo on my web page?" Another one says:
"Hi. Can i publish link to your video on my home page?"
In both cases, the emails will lead end-users to sites that are most definitely not Twitter. Some of the URLs are offline, but here’s one that is still standing:
> http://www.gfi.com/b...picpublish2.jpg
Festive Pharma spam – probably not what you need in your post-Xmas stocking. Do your best to steer clear of these."
___

Fake British Airways E-ticket receipts serve malware
- http://blog.webroot....-serve-malware/
Dec 26, 2012 - "... Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....lware.png?w=553
Sample detection rate for the malicious attachment:
MD5: b46709cf7a6ff6071a6342eff3699bf0 * ... Worm:Win32/Gamarue.I
Upon execution, it creates the following mutex on infected hosts: SHIMLIB_LOG_MUTEX
It also initiates POST requests to the following IP: 87.255.51.229/ff/image.php
As well as DNS requests to the following hosts:
zzbb45nnagdpp43gn56 .com – 87.255.51.229
a9h23nuian3owj12 .com – 87.255.51.229
zzbg1zv329sbgn56 .com – 87.255.51.229
http ://www.update .microsoft .com – 65.55.185.26
ddbbzmjdkas .us
ddbbzmjdkas .us
The IPs are currently sinkholed by Abuse.ch..."
* https://www.virustot...sis/1356554124/
File name: BritishAirways-eticket.exe
Detection ratio: 39/46
Analysis date: 2012-12-26
___

Fake ‘UPS Delivery Confirmation Failed’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 27, 2012 - "... cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Once they click on the links, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....t_kit.png?w=603
Sample spamvertised compromised URLs:
hxxp ://www.aberdyn .fr/letter.htm
hxxp ://www.aberdyn .fr/osc.htm
Sample client-side exploits serving URLs:
hxxp ://apendiksator .ru:8080/forum/links/column.php
hxxp ://sectantes-x .ru:8080/forum/links/column.php
Sample malicious payload dropping URL:
hxxp://sectantes-x .ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002
Client-side exploits served: CVE-2010-0188
Although we couldn’t reproduce the client-side exploitation taking place through these domains in the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x .ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 * ... Trojan-Ransom.Win32.PornoAsset.abup.
Upon execution, the sample phones back to the following command and control servers:
178.77.76.102 (AS20773)
91.121.144.158 (AS16276)
213.135.42.98 (AS15396)
207.182.144.115 (AS10297)
More MD5s are known to have phoned back to the same IPs..."
* https://www.virustot...59be3/analysis/
File name: e284d8a62b6d75b6818ed1150dde2a8bcc3489ee
Detection ratio: 27/42
Analysis date: 2012-09-30

:ph34r: :ph34r: <_<



#847 AplusWebMaster


Posted 28 December 2012 - 07:08 AM

FYI...

Fake IRS SPAM / tv-usib .com
- http://blog.dynamoo....tv-usibcom.html
28 December 2012 - "This fake IRS spam leads to malware on tv-usib .com:
Date: Thu, 27 Dec 2012 22:14:44 +0400
From: Internal Revenue Service [information @irs .gov]
Subject: Your transaction is not approved
Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.
Canceled Tax transfer
Tax Transaction ID: 3870703170305
Rejection ID See details in the report below
Federal Tax Transaction Report tax_report_3870703170305.pdf (Adobe Acrobat Document)
Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon


The malicious payload is at [donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:
..."

:ph34r: <_<


#848 AplusWebMaster

Posted 02 January 2013 - 06:38 AM

FYI...

Malware sites to block - 2 Jan 2013
- http://blog.dynamoo....block-2113.html
2 Jan 2013 - "The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them...
..."
___

Malware sites to block - 2 Jan 2013 part II
- http://blog.dynamoo....13-part-ii.html
2 Jan 2013 - "Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research* at the Malware Must Die! blog.
* http://malwaremustdi...am-up-with.html
As far as I can see, the domains in use are exclusively compromised consumer PCs dotted around the globe, rather than compromised or evil web servers... so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add them to your blocklist.
IPs... Domains ..."
(Long list at the dynamoo URL above.)

:ph34r: :ph34r: <_<


#849 AplusWebMaster

Posted 04 January 2013 - 07:47 AM

FYI...

Twitter Phish DMs: “This profile on Twitter is spreading nasty blogs around about you”
- http://www.gfi.com/b...ound-about-you/
Jan 4, 2013 - "... the following missive doing the rounds on Twitter via DMs on compromised accounts:
> http://www.gfi.com/b...1/twitspam1.jpg
There’s a number of URLs and fake logins being posted right now to users in a wide range of geographical locations, and it all comes down to Twitter phishing with at least one of the phish URLs being registered to an individual claiming to be located in Shanghai, China. That particular site - ivtvtter(dot)com – is currently offline (and also listed in Phishtank*)... attempting to login would result in a 404 error then a redirect to the real Twitter site to make everything look nice and legitimate. These types of Twitter scam come around often, and end-users should always be wary of “Have you seen this” style messaging from contacts..."
* http://www.phishtank...hish_id=1643038
___

Fake Ebay/Paypal emails lead to client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 4, 2013 - "Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain names reconnaissance:
___

Fake 'bank reports' emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 3, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document. Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
Although we couldn’t reproduce the malicious payload at apendiksator .ru, we found that the malicious payload served by immerialtv .ru (known to have responded to the same IP) is identical to the MD5: 83db494b36bd38646e54210f6fdcbc0d * ... VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign..."
* https://www.virustot...d73da/analysis/
File name: cs8v0k.exe
Detection ratio: 34/42
Analysis date: 2012-06-20
___

Fake BBB (Better Business Bureau) emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 2, 2013 - "Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau). Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1 @yahoo .com
Name Server: NS1.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com...
Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 * ... Worm:Win32/Cridex.E.
Upon execution, the sample phones back to: 94.73.129.120 :8080/rxrt0CA/hIvhA/K66fEB/ ..."
* https://www.virustot...01bff/analysis/
File name: KB00182962.exe
Detection ratio: 30/45
Analysis date: 2013-01-04
___

Fake Verizon Wireless emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 2, 2013 - "... yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
Sample email subjects: Fresh eBill is Should Be Complete. From: Verizon Wireless; Your Recent eBill from Verizon Wireless...
Malicious domain name reconnaissance:
proxfied .net – 59.57.247.185 – Email: colorsandforms @aol .com
Name Server: NS1.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com ..."

:ph34r: <_<

Edited by AplusWebMaster, 04 January 2013 - 08:46 PM.


#850 AplusWebMaster

Posted 07 January 2013 - 09:34 AM

FYI...

Fake O2 Shop emails - Phish ...
- http://www.gfi.com/b...le-phishy-bait/
Jan 7, 2013 - "... fake O2 Shop emails are in circulation at the moment, in the form of a “security update” asking for login credentials on the back of an “O2 account update” the recipient is supposed to have made. They’re pretty bare bones in terms of how they look, and you’ll notice that in the below example GMail flags it as spam so hopefully lots of other mail service providers will be doing the same thing.
> http://www.gfi.com/b...3/01/fakeo2.jpg
Dear User,
You can now check the progress of your account at My O2. Just go to [url removed] and enter your username and password. If you’ve forgotten these, we can send you a reminder here too. Once you’ve signed in, go to My account and follow the instructions.
Regards,
O2 Customer Service


As with so many of these fire and forget spam campaigns, the bulk of them seem to lead to currently AWOL phish pages so they’re likely being taken offline at a fair old pace... treat random mails asking for login credentials with large portions of suspicion, especially when – as above – they’re referencing changes made to your account that you haven’t actually made."

:ph34r: <_<


#851 AplusWebMaster

Posted 08 January 2013 - 05:30 PM

FYI...

Malware sites to block 8/1/13
- http://blog.dynamoo....block-8113.html
8 Jan 2013 - "These IPs and domains appear to be active in malicious spam runs today:

Quite a few of these IPs have been used in multiple attacks, blocking them would be prudent.

Update: some sample emails pointing to a malicious landing page at [donotclick]belnialamsik .ru:8080/forum/links/column.php:
Date: Tue, 8 Jan 2013 10:05:55 +0100
From: Shavonda Duke via LinkedIn [member@linkedin.com]
Subject: Re: Fwd: Security update for banking accounts.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
===
Date: Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From: FilesTube [filestube @filestubecom]
Subject: Fwd: Re: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department

___

Fake "Federal ACH Announcement" SPAM / cookingcarlog .net
- http://blog.dynamoo....ement-spam.html
8 Jan 2013 - "This rather terse spam leads to malware on cookingcarlog .net:
From: Federal Reserve Services @ sys.frb .org [ACHR_59273219 @fedmail .frb .org]
Date: 8 January 2013 15:11
Subject: FedMail ®: Federal ACH Announcement - End of Day - 12/27/12
Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here.


The link in the email goes to an exploit kit on [donotclick]cookingcarlog .net/detects/occasional-average-fairly.php (report here*) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).
* http://wepawet.isecl...1...280&type=js

Added - a BBB spam is also doing the rounds with the same payload:
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Case N. 54809787
[redacted]
The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.
We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.
We are looking forward to your prompt response.
WBR
Mason Turner
Dispute Consultant
Better Business Bureau
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 22701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

___

Fake BBB SPAM / royalwinnipegballet .net
- http://blog.dynamoo....gballetnet.html
8 Jan 2013 - "This fake BBB spam leads to malware on royalwinnipegballet .net:
Date: Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From: Better Business Bureau <information @bbb .org>
To: [redacted]
Subject: BBB information regarding your customer's appeal № 96682901
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Complaint # 96682901
[redacted]
The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
We graciously ask you to open the CLAIM REPORT to answer on this reclamation.
We are looking forward to your prompt answer.
Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 27201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
===
Date: Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: Better Business Beareau Pretense № C6273504
Priority: High Priority 1
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Issue No. C6273504
[redacted]
The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.
We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.
We are looking forward to your prompt rebound.
Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau
3013 Wilson Blvd, Suite 600 Arlington, VA 20701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is on [donotclick]royalwinnipegballet .net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)"

:ph34r: :ph34r: <_<


#852 AplusWebMaster

Posted 09 January 2013 - 07:26 AM

FYI...

Fake AICPA emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 9, 2013 - "... recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
Second screenshot of the spamvertised email from the same campaign:
> https://webrootblog....loit_kit_01.png
Sample subjects: Tax return assistance contrivance; Suspension of your CPA license; Revocation of your CPA license; Your accountant license can be end off; Your accountant CPA License Expiration...
Upon successful client-side exploitation, the campaign drops MD5: 5b7aafd9ab99aa2ec0e879a24610844a * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following actions:
Creates a batch script
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It also drops the following MD5 on the affected hosts: MD5: 3e2df81077283e5c9d457bf688779773 ** ... PWS:Win32/Fareit.
It also phones back to the following C&C servers:

We’ve also seen and profiled the same IP (132.248.49.112) in multiple previously analyzed malware campaigns..."
* https://www.virustot...e2e12/analysis/
File name: contacts.exe
Detection ratio: 31/45
Analysis date: 2012-12-18
** https://www.virustot...9d67d/analysis/
File name: exp3C6.tmp.exe
Detection ratio: 27/45
Analysis date: 2013-01-04
___

New Year, New Old Threats
- http://www.gfi.com/b...ew-old-threats/
Jan 9, 2013 - "... we have found an old Facebook scam, which dates back two years, making rounds again and a spam-phishing ploy that is so 2007...
(Screenshots available at the gfi URL above.)
Previous versions of this scam usually ask visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both... Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail... The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address... advice? Delete the spam at once."
___

Something evil on 173.246.102.246
- http://blog.dynamoo....3246102246.html
9 Jan 2013 - "173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers. In the example I have seen, the malicious payload is at [donotclick]11.lamarianella .info/read/defined_regulations-frequently.php (report here*). These other domains appear to be on the same server, all of which can be assumed to be malicious:

These all appear to be legitimate but hijacked domains, so you may want to block the whole domain rather than just the 11. subdomain."
* http://wepawet.isecl...1...3f1&type=js

> https://www.google.c...c?site=AS:29169
"... in the past 90 days. We found 67 site(s)... that infected 262 other site(s)..."
___

Fake ADP SPAM / demoralization .ru
- http://blog.dynamoo....lizationru.html
9 Jan 2013 - "This fake ADP spam leads to malware on demoralization .ru:
Date: Wed, 9 Jan 2013 04:23:03 -0600
From: Habbo Hotel [auto-contact @habbo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 948284271
Wed, 9 Jan 2013 04:23:03 -0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www .flexdirect .adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 703814359
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]demoralization .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
The following IPs and domains are all related:
..."
___

Fake BBB SPAM / hotelrosaire .net
- http://blog.dynamoo....rosairenet.html
9 Jan 2013 - "This fake BBB spam leads to malware on hotelrosaire .net:
Date: Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From: Better Business Bureau <complaint @bbb .org>
Subject: BBB notification regarding your cliente's pretense No. 62850348
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Complaint N. 62850348
[redacted]
The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.
We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.
We awaits to your prompt reaction.
Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: BBB Complaint No. C1343110
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Case No. C1343110
[redacted]
The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.
We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.
We are looking forward to your prompt reaction.
Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 22801
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is on [donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet .net which was seen in another BBB spam run yesterday."

>> https://www.google.c...c?site=AS:21788
"... in the past 90 days. We found 543 site(s)... that infected 5049 other site(s)..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 09 January 2013 - 11:21 AM.
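The pivot these posts keep relying on (several spam domains resolving to one "well-known" IP, and hijacked 11. subdomains that should be blocked at the domain level) as a small defender-side tool. This is an added example, not code from the thread or from the blogs it quotes; the sample lines are copied from sentences in this thread, and the two-level suffix set is an assumption standing in for the Public Suffix List.

```python
"""Turn the defanged indicators quoted in this thread into a blocklist.

Added example, not code from the thread or the blogs it quotes. The posts write
'hxxp ://host .tld/path', 'host .tld' or '[donotclick]host .tld:8080/path' and
note which IP a host resolved to; this refangs them, folds hosts onto their
registrable domain (so a hijacked '11.' subdomain blocks the whole domain, as
the post advises) and pivots on IPs shared by several listed domains.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample lines copied from sentences in this thread (a constructed subset, not a feed).
SAMPLE_LINES = [
    "hxxp ://www.aberdyn .fr/letter.htm",
    "[donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on "
    "the well-known IP of 59.57.247.185",
    "[donotclick]belnialamsik .ru:8080/forum/links/column.php",
    "[donotclick]11.lamarianella .info/read/defined_regulations-frequently.php "
    "on 173.246.102.246",
    "proxfied .net – 59.57.247.185",
]
# Assumption: a tiny stand-in for the Public Suffix List, enough for this thread.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.br", "com.au", "co.jp"}
HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])(?:https?://)?"    # optional scheme, never mid-token
    r"((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})"  # labels ending in an alphabetic TLD
    r"(?::(\d{1,5}))?"                     # optional :port
    r"(/\S*)?"                             # optional path, runs to whitespace
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text: str) -> str:
    """Undo the thread's defanging so the indicator can be parsed."""
    s = text.replace("[donotclick]", "")
    s = re.sub(r"\bhxxp(s?)\s*://", r"http\1://", s)     # 'hxxp ://' -> 'http://'
    s = re.sub(r"(?<=\S)\s+\.(?=[A-Za-z0-9])", ".", s)    # 'host .tld' -> 'host.tld'
    s = re.sub(r"(?<=\S)\s+:(\d{2,5})\b", r":\1", s)      # 'host :8080' -> 'host:8080'
    return s


def registrable_domain(host: str) -> str:
    """Strip subdomains: '11.lamarianella.info' -> 'lamarianella.info'."""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


@dataclass
class Indicator:
    host: str
    domain: str
    port: int | None
    path: str
    ips: list[str]


def parse_line(line: str) -> Indicator | None:
    """Extract the first host (with port and path) and every IPv4 on the line."""
    clean = refang(line)
    m = HOST_RE.search(clean)
    if not m:
        return None
    host, port, path = m.group(1).lower(), m.group(2), m.group(3) or ""
    return Indicator(host, registrable_domain(host),
                     int(port) if port else None, path, IPV4_RE.findall(clean))


@dataclass
class BlockList:
    domains: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)
    by_ip: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))


def build_blocklist(lines: list[str]) -> BlockList:
    """Collect registrable domains and IPs, remembering which domains sat on which IP."""
    bl = BlockList()
    for line in lines:
        ind = parse_line(line)
        if ind is None:
            continue
        bl.domains.add(ind.domain)
        for ip in ind.ips:
            bl.ips.add(ip)
            bl.by_ip[ip].add(ind.domain)
    return bl


def shared_ips(bl: BlockList, min_domains: int = 2) -> dict[str, set[str]]:
    """IPs hosting several listed domains: the 'well-known IP' pivot the posts use."""
    return {ip: doms for ip, doms in bl.by_ip.items() if len(doms) >= min_domains}


def is_blocked(bl: BlockList, host: str) -> bool:
    """Every subdomain of a listed domain is blocked, not only the one seen in spam."""
    return registrable_domain(host) in bl.domains


def hosts_file_lines(bl: BlockList) -> list[str]:
    """Render the domains as hosts-file sinkhole entries; IPs go to the firewall instead."""
    return [f"0.0.0.0 {d}" for d in sorted(bl.domains)]


if __name__ == "__main__":
    print("\n".join(hosts_file_lines(build_blocklist(SAMPLE_LINES))))
```

Feed it the indicator lines from a post and `shared_ips` surfaces the hosting IP that several campaigns have in common, which is the value worth firewalling rather than chasing each domain.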


#853 AplusWebMaster

Posted 10 January 2013 - 07:20 AM

FYI...

Fake U.S Airways emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 10, 2013 - "... On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the BlackHole Exploit Kit. Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways...
Sample screenshot of the spamvertised email:
> https://webrootblog...._expoit_kit.png
... Malicious domain name reconnaissance:
attachedsignup .pro – 41.215.225.202 – Email: kee_mckibben0869 @macfreak .com
... Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 * ... Worm:Win32/Cridex.E
The executable creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following mutexes:
Once executed, the sample phones back to the following C&C servers:
180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same pseudo-random C&C phone back characters used... previously profiled malicious campaigns..."
* https://www.virustot...bd1fe/analysis/
File name: 6f51e309530f8900be935716c3015f58
Detection ratio: 24/46
Analysis date: 2012-12-07
___

Fake ADP SPAM / tetraboro .net and advertizing* .com
- http://blog.dynamoo....rtizingcom.html
10 Jan 2013 - "This fake ADP spam leads to malware on tetraboro .net. It contains some errors, one of which is that the subject line just says "adp_subj" rather than having been filled out properly...
Date: Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
Subject: adp_subj
ADP Urgent Note
Note No.: 33469
Respected ADP Consumer January, 9 2013
Your Processed Payroll Record(s) have been uploaded to the web site:
Click here to Sign In
Please take a look at the following details:
• Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).
Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.
This notification was sent to current clients in your company that approach ADP Netsecure.
As general, thank you for choosing ADP as your business butty!
Ref: 33469


The malicious payload is on [donotclick]tetraboro .net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1 .com through to advertizing9 .com. All of these should be blocked.
..."

:ph34r: <_<

Edited by AplusWebMaster, 10 January 2013 - 11:51 AM.


#854 AplusWebMaster

Posted 11 January 2013 - 08:06 AM

FYI...

Fake Chrome updates return ...
- http://www.gfi.com/b...updates-return/
Jan 11, 2013 - "... fake Chrome update websites leading to Malware – has returned...
> http://www.gfi.com/b...chromefake1.jpg
The design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”. If you attempt to download the file while using Chrome, the following prompt appears...
> http://www.gfi.com/b...chromefake2.jpg
The file itself has been around for a while, being seen on around 14 or so websites since around October, and is listed at Malwr.com which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of VirusTotal* as being capable of stealing banking credentials. You’ll notice they mention Zeus – indeed, one of the DNS requests made by the Malware is to a site related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog** (scroll down to the “data it tries to collect and steal”)... users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page***".
* https://www.virustot...02439/analysis/

** http://blog.shadowse...-your-trackers/

*** https://support.goog...mp;answer=95414
___

Fake Changelog SPAM / dimanakasono .ru
- http://blog.dynamoo.....akasonoru.html
11 Jan 2013 - "This fake "Changelog" spam leads to malware on dimanakasono .ru:
From: Ashley Madison [mailto:donotreply @ashleymadison .com]
Sent: 10 January 2013 08:25
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
changelog update - View
L. Cook


The malicious payload is at [donotclick]dimanakasono .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are related and should be blocked:

___

Fake Intuit SPAM / dmeiweilik .ru
- http://blog.dynamoo....ntuit-spam.html
11 Jan 2013 - "This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik .ru:
Date: Fri, 11 Jan 2013 06:23:41 +0100
From: LinkedIn Password [password @linkedin .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.
Finances would be gone away from below account# ending in 0198 on Fri, 11 Jan 2013 06:23:41+0100
amount to be seceded: 8057 USD
Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
=====
From: messages-noreply @bounce .linkedin.com [mailto:messages-noreply @bounce .linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
Sent: 10 January 2013 21:04
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
• Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
• amount to be seceded: 9567 USD
• Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
• Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]dmeiweilik .ru:8080/forum/links/column.php hosted on the same IPs as in this attack*:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik .ru
demoralization .ru
dimanakasono .ru
bananamamor .ru
dmeiweilik .ru
..."
* http://blog.dynamoo....nakasonoru.html
___

Blackhole SPAM runs...
- http://blog.trendmic...-holiday-break/
Jan 11, 2013 - "... now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank*, and Better Business Bureau**. In particular, the Better Business Bureau BHEK spam** claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit... we are expecting that cybercriminals will prefer creating more toolkits rather than making new malware..."
* http://blog.trendmic...CH_bhekspam.jpg

** http://blog.trendmic...BB_BHEKspam.jpg

:ph34r: <_<

Edited by AplusWebMaster, 11 January 2013 - 02:03 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
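Both runs quoted above (the Ashley Madison lure on dimanakasono .ru and the Intuit/LinkedIn lure on dmeiweilik .ru) rotate the domain but keep the same Blackhole landing path, :8080/forum/links/column.php. The Python below is an added example for this thread, not code from the Dynamoo posts: it scans proxy-log lines for that host-independent path pattern and for the domains and IPs listed as "should be blocked" above, so a new domain on the same kit still trips the path rule. The log lines are constructed, and the squid-style field layout (client IP in field 2, URL in field 5) is an assumption.

```python
"""Flag proxy-log lines that hit the Blackhole landing-page pattern or a
blocked host. Example code added to this thread; the log lines are constructed
and the indicators are the ones quoted from Dynamoo above."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the excerpts above (defanging spaces removed).
BLOCKED_DOMAINS = {
    "belnialamsik.ru", "demoralization.ru", "dimanakasono.ru",
    "bananamamor.ru", "dmeiweilik.ru",
}
BLOCKED_IPS = {
    ipaddress.ip_address(a)
    for a in ("91.224.135.20", "187.85.160.106", "212.112.207.15")
}

# Landing page shared by both runs: any host, port 8080, exactly this path.
LANDING_RE = re.compile(r"^/forum/links/column\.php$")


def classify_url(url):
    """Return the list of rules a URL trips (empty list = nothing seen)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        reasons.append("blocked-domain")
    try:
        if ipaddress.ip_address(host) in BLOCKED_IPS:
            reasons.append("blocked-ip")
    except ValueError:
        pass  # host is a name, not an IP literal
    if parts.port == 8080 and LANDING_RE.match(parts.path or ""):
        reasons.append("bhek-landing-path")
    return reasons


# Constructed squid-style lines: timestamp, client, status, method, URL.
SAMPLE_LOG = """\
1357892345.123 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1357892350.456 10.0.0.7 TCP_MISS/200 GET http://dimanakasono.ru:8080/forum/links/column.php
1357892351.789 10.0.0.7 TCP_MISS/200 GET http://91.224.135.20:8080/forum/links/column.php
1357892360.000 10.0.0.9 TCP_MISS/200 GET http://not-yet-listed.example:8080/forum/links/column.php
1357892370.000 10.0.0.9 TCP_MISS/404 GET http://dmeiweilik.ru/
"""


def scan_log(text):
    """Return (client_ip, url, reasons) for every line that trips a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip
        client, url = fields[1], fields[4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The fourth sample line shows why the path rule matters: the host is not on any list yet, but the request is still flagged.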


#855 AplusWebMaster

Posted 14 January 2013 - 06:14 AM

FYI...

Malware sites to block 14/1/13
- http://blog.dynamoo....lock-14113.html
14 Jan 2013 - "A couple of interesting* posts** over at Malware Must Die!*
* http://malwaremustdi...xploit-kit.html
** http://malwaremustdi...bfuscation.html
... showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:
91.243.115.140 (Aztek Ltd, Russia)
46.166.169.238 (Santrex, Netherlands)
62.76.184.93 (IT House / Clodo-Cloud, Russia)
I'll list the sites on these domains at the end of the post for readability. But in these cases, blocking just the single IPs is not enough as they reside in pretty evil netblocks which should be blocked altogether.
91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.
46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious, it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.
62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and it has a poor reputation. This is only a part of this netblock, if you want to go further you could consider blocking 62.76.160.0/19.
The following domains are all connected to these two attacks..."
(Also a long list available at the dynamoo URL above.)
___

Fake ADP emails lead to client-side exploits and malware
- http://blog.webroot....ts-and-malware/
14 Jan 2013 - "... cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links found in the emails. The links point to the latest version of the Black Hole Exploit Kit, and consequently, exploit CVE-2013-0422...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
tetraboro .net – 222.238.109.66 – Email: bannerpick45 @yahoo .com
Name Server: NS1.HOSTCLAM .NET – 50.115.163.10
Name Server: NS2.HOSTCLAM .NET – 90.167.194.23
Responding to 222.238.109.66 are also the following malicious domains, part of the same campaign:
royalwinnipegballet .net
advertizing9 .com
eartworld .net
hotelrosaire .net

Upon successful client-side exploitation, the campaign drops MD5: 5a859e1eff1ee1576b61da658542380d * ... Worm:Win32/Cridex.E.
The sample drops the following MD5 on the affected hosts:
MD5: 472d6e748b9f5b02700c55cfa3f7be1f ** ...PWS:Win32/Fareit
Once executed, it also phones back to the following command and control servers:
173.201.177.77
132.248.49.112
95.142.167.193
81.93.250.157
..."
* https://www.virustot...83b3b/analysis/
File name: test29567554014546.bin
Detection ratio: 24/46
Analysis date: 2013-01-14
** https://www.virustot...6e596/analysis/
File name: file-5000060_exe
Detection ratio: 15/46
Analysis date: 2013-01-11
___

Fake ADP SPAM / dekamerionka .ru
- http://blog.dynamoo....merionkaru.html
14 Jan 2013 - "This fake ADP spam leads to malware on dekamerionka .ru:
Date: Mon, 14 Jan 2013 10:49:06 +0300
From: Friendster Games [friendstergames @friendster .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 540328394
Mon, 14 Jan 2013 10:49:06 +0300
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 984259785
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is on [donotclick]dekamerionka.ru:8080/forum/links/column.php hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and domains involved:
81.31.47.124
91.224.135.20
212.112.207.15
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
dekamerionka .ru

___

Fake BBB SPAM / terkamerenbos .net
- http://blog.dynamoo....erenbosnet.html
14 Jan 2013 - "This fake BBB spam leads to malware on terkamerenbos .net:
Date: Mon, 14 Jan 2013 07:53:04 -0800 [10:53:04 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB Pretense ID 68C474U93
Better Business Bureau ©
Start With Trust ©
Mon, 14 Jan 2013
RE: Issue # 68C474U93
[redacted]
The Better Business Bureau has been booked the above said claim from one of your customers with regard to their business relations with you. The detailed description of the consumer's uneasiness are available at the link below. Please give attention to this subject and notify us about your mind as soon as possible.
We amiably ask you to click and review the CLAIM REPORT to meet on this complaint.
We are looking forward to your prompt reaction.
Best regards
Alexis Nguyen
Dispute Councilor
Better Business Bureau
Better Business Bureau
3033 Wilson Blvd, Suite 600 Arlington, VA 22701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is at [donotclick]terkamerenbos .net/detects/pull_instruction_assistant.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). The following malicious sites are on the same server:
advertizing9 .com
alphabeticalwin .com
splatwetts .com
bestwesttest .com
eartworld .net
foxpoolfrance .net
hotelrosaire .net
linuxreal .net
tetraboro .net
royalwinnipegballet .net


:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 14 January 2013 - 10:55 AM.

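Dynamoo's point in the first excerpt of this post is that blocking the single IPs is not enough when they sit in a netblock that is almost entirely malicious. The Python below is an added example for this thread, not code from the Dynamoo post: it takes the netblocks recommended there plus the single landing-host IPs from the other excerpts in this post, collapses them into one list with the standard-library ipaddress module (hosts already inside a recommended block are dropped, and 62.76.184.0/21 disappears once the wider 62.76.160.0/19 is included), reports which entry covers a given address, and renders iptables DROP rules. The chain name and rule form are illustrative assumptions.

```python
"""Collapse the single IPs and recommended netblocks from this post into one
blocklist and answer "is this address covered, and by which entry?".
Example code added to this thread, not from the Dynamoo post."""
import ipaddress

# Single hosts quoted above (Malware Must Die, Webroot, Dynamoo excerpts).
SINGLE_IPS = [
    "46.166.169.238", "62.76.184.93",                    # Malware sites to block 14/1/13
    "222.238.109.66",                                    # ADP / BBB landing host
    "81.31.47.124", "91.224.135.20", "212.112.207.15",  # dekamerionka.ru hosts
]
# Netblocks Dynamoo recommends; the /19 is the optional wider range.
NETBLOCKS = ["91.243.115.0/24", "46.166.169.0/24", "62.76.184.0/21", "62.76.160.0/19"]


def build_blocklist(single_ips, netblocks):
    """Return a sorted list of networks: single hosts become /32 entries,
    entries contained in a wider entry are removed, adjacent ones merged."""
    nets = [ipaddress.ip_network(n, strict=True) for n in netblocks]
    nets += [ipaddress.ip_network(ip + "/32") for ip in single_ips]
    return list(ipaddress.collapse_addresses(nets))


def covering_entry(ip, blocklist):
    """Return the blocklist entry that contains ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def iptables_rules(blocklist, chain="INPUT"):
    """Render one DROP rule per entry; /32 entries are written as plain hosts.
    The chain name is an illustrative assumption."""
    rules = []
    for net in blocklist:
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        rules.append(f"iptables -A {chain} -s {target} -j DROP")
    return rules


if __name__ == "__main__":
    bl = build_blocklist(SINGLE_IPS, NETBLOCKS)
    for net in bl:
        print(net)
    for probe in ("91.243.115.140", "62.76.184.93", "222.238.109.66", "8.8.8.8"):
        print(probe, "->", covering_entry(probe, bl))
    print("\n".join(iptables_rules(bl)))
```

Run with NETBLOCKS[:3] (without the /19) and 62.76.184.93 is still covered, but by 62.76.184.0/21; the single-host entries for 46.166.169.238 and 62.76.184.93 never appear because their /24 and /21 already cover them.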
