SPAM frauds, fakes, and other MALWARE deliveries...



#901 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 March 2013 - 02:06 PM

FYI...

Fake LinkedIn SPAM / applockrapidfire .biz
- http://blog.dynamoo....pidfirebiz.html
18 March 2013 - "This fake LinkedIn spam leads to malware on applockrapidfire .biz:
From: David O'Connor - LinkedIn [mailto:kissp @gartenplandesign .de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High
LinkedIn
REMINDERS
Invitation reminders:
From David O'Connor (animator at ea)
PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username @domain .com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.


The link in the message goes through a legitimate hacked site to a malware landing page on [donotclick]applockrapidfire .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire .biz was registered just today to a presumably fake address...
URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)
The nameservers are NS1.QUANTUMISPS .COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS .COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US). quantumisps .com was registered to an anonymous person on 2013-03-15...
Recommended blocklist:
"
* http://urlquery.net/....php?id=1500577
... Detected live BlackHole v2.0 exploit kit
___

Fake DHL emails contain malware
- http://nakedsecurity...emails-malware/
March 18, 2013 - "... Online criminals have spammed out a large number of messages, claiming to come from DHL Express International, that are designed to install malware onto the computers of unsuspecting PC users. Here is what a typical example of an email spammed out in the attack looks like:
> https://sophosnews.f...3/dhl.jpg?w=640
Attached to the emails is a ZIP file, containing malware. The filename of the ZIP file can vary, but takes the form "DHL reportXXXXXX.zip" (where the 'X's are a random code)... Troj/BredoZp-S* ..."
* http://www.sophos.co...~BredoZp-S.aspx

:ph34r: <_<

Edited by AplusWebMaster, 19 March 2013 - 01:11 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#902 AplusWebMaster


Posted 19 March 2013 - 08:49 AM

FYI...

Fake "Statement Reqiured" SPAM / hiskintako .ru
- http://blog.dynamoo....iured-spam.html
19 Mar 2013 - "This -spam- leads to malware on hiskintako .ru:
Date: Tue, 19 Mar 2013 08:04:18 +0300
From: "package update Ups" [upsdelivercompanyb @ups .com]
Subject: Re: FW: End of Aug. Statement Reqiured
Attachments: Invoices-CAS9927.htm
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
-----------------------
Date: Tue, 19 Mar 2013 02:18:06 +0600
From: MyUps [ups-delivery-services @ups .com]
Subject: Re: FW: End of Aug. Stat. Required
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards


The malicious payload is at [donotclick]hiskintako .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
89.110.131.10 (Netclusive, Germany)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
BLOCKLIST:
"
* http://urlquery.net/....php?id=1516090
... Detected live BlackHole v2.0 exploit kit 50.22.0.2
___

Squeak Data / squeakdata .com SPAM
- http://blog.dynamoo....tacom-spam.html
19 March 2013 - "... The email address they are sending to has been harvested, so you can be pretty sure that the mailing lists they sell are of very low quality. But there's a bit more to this spam than meets the eye..
From: Squeak Data [enquiries @squeakdata .com] via smtpguru .net
Date: 19 March 2013 13:35
Subject: Squeak Data
Signed by: smtpguru .net
Squeak Data - Qualified & Opted In Prospect Data
- At a fraction of the usual price. We own all the data we sell so we can keep our prices extremely competitive but still deliver on quality and service.
New January 2013 Opted In Business Database - contains over 437k records. This data set is completely new and unique to us. It has been strictly opted in at decision maker level. It contains SME businesses throughout the UK. Every record contains full information fields including a live and valid email address.
We are aware that much larger business databases are currently been offered. It takes a lot of hard work and man hours to produce a truly opted in and quality prospect list. Common sense must prevail and conclude that such large databases cannot possibly be opted in and are very old and tired.
We do not hold old and tired data. Our data is fresh, unique and will help you accomplish your new business targets.
Our data is sold with a 95% email delivery promise and on a multiple use basis...


The domain was registered on 2nd March, so it's only a few days old. But that email address looks familiar.. yes, this is Toucan UK who said last year that they were closing down their business. It turns out that this is a lie too. A brief bit of Googling also brings up this other spam where they are saying pretty much the same thing. It looks like they used to have a Twitter handle of @MoneyTreesData although that appears to have been nuked. Oh well.
Give these spammers a wide berth."
___

Fake Facebook SPAM / heelicotper .ru
- http://blog.dynamoo....licotperru.html
19 Mar 2013 - "This fake Facebook spam leads to malware on heelicotper .ru:
Date: Tue, 19 Mar 2013 08:37:37 +0200
From: Facebook [updateSIXQG03I44AX @facebookmail .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


The malicious payload is at [donotclick]heelicotper .ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:
50.22.0.2 (SoftLayer, US)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
The payload and associated IPs are the same as in this attack."
___

Malware spam: Cyprus banks...CNN.com / salespeoplerelaunch .org
- http://blog.dynamoo....banks-shut.html
19 Mar 2013 - "This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch .org:
Date: Tue, 19 Mar 2013 10:40:22 -0600
From: "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject: Opinion: Cyprus banks shut extended to Monday - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail.cnn .com:
Click the following to access the sent link:
Cyprus banks shut extended to Monday - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here


The malicious payload is at [donotclick]salespeoplerelaunch .org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).
Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)
Recommended blocklist:
"

Scam of the day: More fake CNN e-mails
- https://isc.sans.edu...l?storyid=15436
Last Updated: 2013-03-19 17:37:08 UTC
> https://isc.sans.edu...s/cnncyprus.png

> http://wepawet.isecl...d...c22&type=js

:ph34r: <_<

Edited by AplusWebMaster, 19 March 2013 - 12:48 PM.



#903 AplusWebMaster


Posted 20 March 2013 - 06:14 AM

FYI...

Fake USPS SPAM / himalayaori .ru
- http://blog.dynamoo....alayaoriru.html
20 March 2013 - "This -fake- UPS (or is it USPS?) spam leads to malware on himalayaori .ru. The malicious link is in an attachment called ATT17235668.htm. For some reason the only sample of the spam that I have is horribly mangled:
From: HamzaRowson @hotmail .com [mailto:HamzaRowson @hotmail .com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657
Your USPS TEAM for big savings!
Can't see images? CLICK HERE.
UPS UPS SUPPORT 56 Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping.
Learn More >> UPS - Your UPS Team
Good day, [redacted].
Dear User , Delivery Confirmation: Failed
Track your Shipment now!
With best regards , Your UPS Customer Services. Shipping Tracking Calculate Time & Cost
Open an Account @ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy. Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325
Attn: Customer Communications Department


Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori .ru:8080/forum/links/column.php (report here*), in this case via a legitimate hacked site at [donotclick]www.unisgolf .ch/report.htm but that is less important. himalayaori .ru is hosted on a couple of IPs that look familiar:
50.22.0.2 (SoftLayer, US)
188.165.202.204 (OVH, France)
Recommended blocklist:
..."
* http://urlquery.net/....php?id=1525298
___

Fake Invoice SPAM / hifnsiiip .ru
- http://blog.dynamoo....ifnsiiipru.html
20 Mar 2013 - "This fake invoice spam leads to malware on hifnsiiip .ru:
Date: Wed, 20 Mar 2013 05:41:44 +0100
From: LinkedIn Connections [connections @linkedin .com]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoices-AS9927.htm
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards


The attached Invoices-AS9927.htm file attempts to direct the victim to a malicious landing page [donotclick]hifnsiiip .ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (SoftLayer, US)
109.230.229.156 (High Quality Server, Germany)
188.165.202.204 (OVH, France)
Recommended blocklist:
50.22.0.2
109.230.229.156
188.165.202.204
..."
(More at the dynamoo URL above.)
* http://urlquery.net/....php?id=1526708
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - 2013 Mar 20
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 20
Fake Payment Transaction Notice E-mail Messages - 2013 Mar 19
Fake Wire Transfer Notification E-mail Messages - 2013 Mar 19
Fake Document Attachment E-mail Message - 2013 Mar 19
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Mar 18
Fake Order And Transfer Slip Notification E-mail Messages - 2013 Mar 18
Fake Payment Processing Notice E-mail Messages - 2013 Mar 18
Fake Purchase Order Payment Notification E-mail Messages - 2013 Mar 18
Fake Product Order E-mail Messages - 2013 Mar 18
Fake Online Purchase Receipt E-mail Messages - 2013 Mar 18
(More detail and links at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 20 March 2013 - 02:21 PM.



#904 AplusWebMaster


Posted 21 March 2013 - 10:13 AM

FYI...

Fake NACHA SPAM / encodeshole .org
- http://blog.dynamoo....nacha-spam.html
21 March 2013 - "This fake NACHA spam leads to malware on encodeshole .org:
From: "Тимур.Родионов @direct.nacha .org" [mailto:biker @wmuttkecompany .com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High
Dear Sirs,
Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
Best regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548


The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:
* http://urlquery.net/....php?id=1536940
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 91.234.33.187

- https://www.google.c...c?site=AS:56485
"... over the past 90 days, 54 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-21, and the last time suspicious content was found was on 2013-03-21... Over the past 90 days, we found 8 site(s) on this network... that appeared to function as intermediaries for the infection of 23 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 13 site(s)... that infected 30 other site(s)..."
___

Fake ScanJet SPAM / hillaryklinton .ru
- http://blog.dynamoo....et-spam_21.html
21 March 2013 - "This fake printer spam leads to malware on the amusingly-named hillaryklinton .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.
Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set


In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)
Blocklist:
* http://urlquery.net/....php?id=1535161
... Detected suspicious URL pattern... Blackhole 2 Landing Page 109.230.229.156
___

Fake CNN emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/?
March 21, 2013 - "... thousands of malicious ‘CNN Breaking News’ themed emails... exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
webpageparking .net – 109.74.61.59; 24.111.157.113; 58.26.233.175; 155.239.247.247...
Responding to 24.111.157.113 ... malicious domains...
Upon successful client-side exploitation, the campaign drops MD5: 24d406ef41e9a4bc558e22bde0917cc5 * ... Worm:Win32/Cridex.E...
* https://www.virustot...289be/analysis/
File name: deskadp.dll
Detection ratio: 23/45
Analysis date: 2013-03-21 10:46
___

Fake "Data Processing Service" spam / airtrantran .com
- http://blog.dynamoo....rvice-spam.html
21 Mar 2013 - "This spam leads to malware on airtrantran .com
Date: Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From: Data Processing Service [customerservice @dataprocessingservice .com]
Subject: ACH file ID "973.995" has been processed successfully
Files Processing Service
SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59
For addidional info review it here


24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
..."
___

Fake Facebook SPAM / scriptuserreported .org
- http://blog.dynamoo....eportedorg.html
21 Mar 2013 - "This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported .org:
Date: Thu, 21 Mar 2013 10:56:28 -0500
From: Facebook [update+oi=MKW63Z @facebookmail .com]
Subject: John Jenkins commented photo of you.
facebook
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}


The malicious payload is at [donotclick]scriptuserreported .org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:
inetnum: 5.39.37.24 - 5.39.37.31
netname: n2p3DoHost
descr: DoHost n2 p3
country: FR ...
Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here*). This server also hosts the following potentially malicious domains:
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01 .com
workhomeheres02 .com
There's also a work-at-home scam on 5.39.37.24:
makeworkhome12 .pl
5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels .info
supermyadminspanels .info
So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host .net...
Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
Minimum blocklist:
"
* http://urlquery.net/....php?id=1539128
... Detected live BlackHole v2.0 exploit kit 5.39.37.31
___

Fake Changelog SPAM / hillairusbomges .ru
- http://blog.dynamoo....usbomgesru.html
21 Mar 2013 - "This fake changelog spam leads to malware on hillairusbomges .ru:
Date: Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: Re: Changelog Oct.
Good morning,
as prmised updated changelog - View
L. LOYD


The malicious payload is at [donotclick]hillairusbomges .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)
Blocklist:
50.22.0.2
66.249.23.64
188.165.202.204
..."
* http://urlquery.net/....php?id=1540852
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204

:ph34r: <_<

Edited by AplusWebMaster, 21 March 2013 - 09:59 PM.

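As an added, defender-side example (not code from the post or from Dynamoo's blog), the Python below normalises the defanged indicators quoted in the post above into a plain blocklist, tests the "block the whole 5.39.37.24/29" argument against the quoted inetnum record, and flags the unrendered template tokens ({l5}, {mailto_username}, {digit}) that exposed the broken Facebook spam. The 50% threshold for blocking an entire suballocation is an assumption; the sample strings are constructed from what the post shows.

```python
"""Blocklist hygiene for the Dynamoo-style indicators quoted in this thread.

Added example, not the post's or Dynamoo's code. Three small pieces:
  * refang/split the "[donotclick]host .tld:port/path" notation,
  * decide whether a RIPE suballocation is bad enough to block outright,
  * spot spam-kit placeholders that were never rendered.
Sample inputs are copied from the post above; nothing is fetched or resolved.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Defanging conventions used in the thread: a "[donotclick]" prefix and a
# space inserted before the TLD ("hiskintako .ru"). Refanging undoes exactly those.
DONOTCLICK = re.compile(r"\[donotclick\]", re.IGNORECASE)
HOST_PORT_PATH = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?(?P<path>/.*)?$")
TEMPLATE_TOKEN = re.compile(r"\{([A-Za-z0-9_]+)\}")


def refang(indicator: str) -> str:
    """'[donotclick]hiskintako .ru:8080/x.php' -> 'hiskintako.ru:8080/x.php'."""
    s = DONOTCLICK.sub("", indicator.strip())
    return re.sub(r"\s+\.", ".", s)


def split_indicator(indicator: str) -> Dict[str, str]:
    """Split a (possibly defanged) indicator into host, port and path parts."""
    m = HOST_PORT_PATH.match(refang(indicator))
    if not m:
        raise ValueError(f"unrecognised indicator: {indicator!r}")
    return {"host": m["host"].lower(), "port": m["port"] or "", "path": m["path"] or ""}


def blocklist_hosts(indicators: List[str]) -> List[str]:
    """Unique refanged hostnames (bare IPs included), sorted, ready for a blocklist."""
    return sorted({split_indicator(i)["host"] for i in indicators})


def inetnum_to_networks(inetnum: str) -> List[ipaddress.IPv4Network]:
    """RIPE 'inetnum: 5.39.37.24 - 5.39.37.31' -> [IPv4Network('5.39.37.24/29')]."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def block_whole_allocation(bad_ips: List[str], inetnum: str,
                           min_fraction: float = 0.5) -> Tuple[bool, List[str], float]:
    """Return (block_all, cidrs, fraction_bad) for a suballocation.

    The post's reasoning: five of the eight addresses in 5.39.37.24/29 host an
    exploit kit, a kit control panel or scam sites, so block the /29 rather than
    chasing single IPs. min_fraction (assumed 0.5 here) is the cut-off for that.
    """
    nets = inetnum_to_networks(inetnum)
    total = sum(n.num_addresses for n in nets)
    seen = {ipaddress.ip_address(ip) for ip in bad_ips}
    hits = {ip for ip in seen if any(ip in n for n in nets)}
    fraction = len(hits) / total
    return fraction >= min_fraction, [str(n) for n in nets], fraction


def unrendered_template_tokens(body: str) -> Set[str]:
    """Placeholders like {mailto_username} or {digit} left unexpanded in a message.

    A real notification e-mail never ships with its template variables unfilled,
    so any hit is a strong phishing/malspam signal for a mail filter.
    """
    return set(TEMPLATE_TOKEN.findall(body))


# Constructed sample input, taken from the indicators and broken spam body above.
POSTED_INDICATORS = [
    "[donotclick]scriptuserreported .org/close/keys-importance-mention.php",
    "[donotclick]hillairusbomges .ru:8080/forum/links/column.php",
    "pesteringpricelinecom .net",
    "5.39.37.31",
]
POSTED_INETNUM = "5.39.37.24 - 5.39.37.31"
POSTED_BAD_IPS = ["5.39.37.31", "5.39.37.28", "5.39.37.24", "5.39.37.26", "5.39.37.29"]
POSTED_BROKEN_FACEBOOK_BODY = (
    "John Jenkins commented on {l5}.\n"
    "this message was sent to {mailto_username}@{mailto_domain}.\n"
    "facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}"
)

if __name__ == "__main__":
    print(blocklist_hosts(POSTED_INDICATORS))
    print(block_whole_allocation(POSTED_BAD_IPS, POSTED_INETNUM))
    print(sorted(unrendered_template_tokens(POSTED_BROKEN_FACEBOOK_BODY)))
```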


#905 AplusWebMaster


Posted 22 March 2013 - 10:18 AM

FYI...

Fake Zendesk SPAM / vagh .ru / pillshighest .com
- http://blog.dynamoo....t-security.html
22 Mar 2013 - "This unusual spam leads to a fake pharma site on pillshighest .com via vagh .ru and an intermediate -hacked- site.
Date: Fri, 22 Mar 2013 13:52:08 -0700
From: Support Team [pinbot @schwegler .com]
To: [redacted]
Subject: An important notice about security
We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.
We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:
Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
Use a strong password. If your password is weak, you can create a new one.
We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.
Support Team
Questions? See our FAQ.
This email was sent to [redacted].
© 2013 Zendesk, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions


There appears to be no malware involved in this attack. After the user has clicked through to the -hacked- site (in this case [donotclick]www.2001hockey .com/promo/page/ - report here*) the victim is -bounced- to [donotclick]vagh .ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine**) and then on to [donotclick]pillshighest .com on 91.217.53.30 (Fanjcom, Czech Republic).
Some IPs and domains you might want to block:
91.217.53.30
193.105.210.212
..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=1547240
... RBN - Known Russian Business Network IP - 109.120.138.155***

** https://www.google.c...c?site=AS:57954

*** https://www.google.c...c?site=AS:30968

- http://nakedsecurity...ecurity-notice/
March 22, 2013
> https://sophosnews.f...otice.jpg?w=640
___

Fake ACH email - malware...
- http://www.hoax-slay...d-malware.shtml
March 22, 2013 - "Outline: Message purporting to be from the Automated Clearing House (ACH) claims that a file submitted by a user has been successfully processed and invites recipients to click a link to read more information about the large sum transactions listed....
Brief Analysis: The email is -not- from ACH and the transactions listed in the message are not genuine. The -link- in the email opens a compromised website that harbours information-stealing malware... Those who do click the link will be taken to one of several websites that harbour malware. Once downloaded, such malware can typically make connections with remote servers controlled by criminals, download and install further malware components and harvest personal and financial information from the infected computer.
Scammers have targeted the ACH and the entity's managing body NACHA for several years. Some have been malware attacks such as this one. Others have been phishing scams intent on tricking people into divulging their personal and financial information. The ACH is an official funds transfer system that processes large volumes of credit and debit transactions in the United States and this makes it an attractive target for scammers.
Neither ACH nor NACHA will ever send you an unsolicited email that asks you to open an attachment or follow a link and supply personal information. If you receive an email that claims to be from the ACH or NACHA, do not open any attachments that it may contain. Do not follow any links in the email. Do not reply to the email or supply any information to the senders."
___

Fake Wire Transfer SPAM / dataprocessingservice-alerts .com
- http://blog.dynamoo....singservic.html
22 Mar 2013 - "This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts .com:
Date: Fri, 22 Mar 2013 10:42:22 -0600
From: support @digitalinsight .com
Subject: Terminated Wire Transfer Notification - Ref: 54133
Immediate Transfers Processing Service
STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:
Initiated By: [redacted]
Initiated Date & Time: 2013-03-21 4:00:46 PM PST
Reference Number: 54133
For addidional info visit this link


The payload is at [donotclick]dataprocessingservice-alerts .com/kill/chosen_wishs_refuses-limits.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
..."
* http://urlquery.net/....php?id=1548528
... Detected live BlackHole v2.0 exploit kit 24.111.157.113
___

Fake Changelog SPAM / hohohomaza .ru
- http://blog.dynamoo....hohomazaru.html
22 Mar 2013 - "Evil changelog spam episode 274, leading to malware on hohohomaza .ru. Hohoho indeed.
Date: Fri, 22 Mar 2013 11:06:48 -0430
From: Hank Sears via LinkedIn [member @linkedin .com]
Subject: Fwd: Changelog as promised (upd.)
Hello,
as promised changelog - View
L. HENDRICKS


The malware landing page is at [donotclick]hohohomaza .ru:8080/forum/links/column.php hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)
Blocklist:
50.22.0.2
66.249.23.64
80.246.62.143
..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 23 March 2013 - 09:37 AM.



#906 AplusWebMaster


Posted 25 March 2013 - 11:23 AM

FYI...

Fake BBC emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
March 25, 2013 - "Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the fake BBC News email:
> https://webrootblog...._kit_cyprus.png
... Sample client-side exploits serving URL: hxxp ://crackedserverz .com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1 @gmx .us...
Upon successful client-side exploitation the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2 * ...Spyware/Win32.Zbot..."
(More detail at the webroot URL above.)
* https://www.virustot...f38c7/analysis/
File name: 1d4aaaf4ae7bfdb0d9936cd71ea717b2
Detection ratio: 23/45
Analysis date: 2013-03-21

- https://www.net-secu...ews.php?id=2444
25.03.2013
Fake: https://www.net-secu...us-fake-big.jpg
___

Fake Bank of America SPAM / PAYMENT RECEIPT 25-03-2013-GBK-74
- http://blog.dynamoo....receipt-25.html
25 Mar 2013 - "This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip
Date: Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
From: Bank of America [gaudilyl30 @gmail .com]
Subject: Your transaction is completed
Transaction is completed. $4924 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved


Opening the ZIP file leads to an EXE called PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal*. Comodo CAMAS detects traffic to the domains seantit .ru and programcam .ru hosted on:
59.99.226.54 (BSNL Internet, India)
66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
77.241.198.65 (VPSnet, Lithuania)
81.20.146.229 (GONetwork, Estonia)
103.14.8.20 (Symphony Communication, Thailand)
Plain list:
..."
(More detail at the dynamoo URL above.)
* https://www.virustot...d755d/analysis/
File name: Loaf Harley Goals
Detection ratio: 22/46
Analysis date: 2013-03-25
___

Fake HP ScanJet SPAM / humaniopa .ru
- http://blog.dynamoo....umanioparu.html
25 Mar 2013 - "This fake printer spam leads to malware on humaniopa .ru:
Date: Mon, 25 Mar 2013 03:57:54 -0500
From: LinkedIn Connections [connections @linkedin .com]
Subject: Scan from a HP ScanJet #928909620
Attachments: Scanned_Document.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 98278P.
Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set


The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)
..."
* http://urlquery.net/....php?id=1592330
... Detected suspicious URL pattern... Blackhole 2 Landing Page 95.211.154.196
___

Fake "Copies of policies" SPAM / heepsteronst .ru
- http://blog.dynamoo....steronstru.html
25 Mar 2013 - "This spam leads to malware on heepsteronst .ru:
Date: Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
From: Ashley Madison [donotreply @ashleymadison .com]
Subject: RE: DEBBRA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DEBBRA Barnard,


The malicious payload is at [donotclick]heepsteronst .ru:8080/forum/links/column.php (report here*). The IP addresses used are the same ones as used in this attack**."
* http://urlquery.net/....php?id=1593558
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
** http://blog.dynamoo....umanioparu.html
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Future of Digital Marketing Event Notification E-mail Message - 2013 Mar 25
Fake Product Order Shipping Documents E-mail Messages - 2013 Mar 25
Fake Online Dating Request E-mail Messages - 2013 Mar 25
Fake Product Sample Request E-mail Messages - 2013 Mar 25
Fake Product Order E-mail Message - 2013 Mar 25
Fake Quotation Request With Attached Sample Design Notification E-mail Messages - 2013 Mar 25
Fake Shipment Notification E-mail Messages - 2013 Mar 25
Fake Bank Repayment Information E-mail Messages - 2013 Mar 25
Fake Payment Transaction Notification E-mail Messages - 2013 Mar 25
(More detail and links at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 25 March 2013 - 03:14 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#907 AplusWebMaster

Posted 26 March 2013 - 05:55 AM

FYI...

Fake ADP emails lead to malware
- http://blog.webroot....ead-to-malware/
March 26, 2013 - "Over the past week, we intercepted a massive ‘ADP Payroll Invoice’ themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog....ader_botnet.png
Detection rate for the malicious attachment:
MD5: 54e9a0495fbd5c952af7507d15ebab90 * ... Trojan.Win32.FakeAV.qqdm
... Initiating the following TCP connections:
...
Detection rates for the downloaded malware samples:
hxxp://infoshore.biz/cx5oMi.exe – MD5: 13eeca375585322c676812cf9e2e9789 ** ... Heuristic.LooksLike.Win32.Suspicious.B
hxxp://axelditter.de/w91qZ5.exe – MD5: 87c658970958bb5794354a91f8cc5a7d – detected by 18 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM...
It then attempts multiple UDP connection attempts to the following IPs part of the botnet’s infrastructure:
..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1363949422/
File name: ADP_Invoice.exe
Detection ratio: 24/46
Analysis date: 2013-03-22
** https://www.virustot...sis/1363952056/
File name: ADP_cx5oMi.exe
Detection ratio: 3/46
Analysis date: 2013-03-22
___

Fake NACHA SPAM / breathtakingundistinguished .biz
- http://blog.dynamoo....inguishedb.html
26 March 2013 - "This fake NACHA spam leads to malware on breathtakingundistinguished .biz:
From: "Гена.Симонов@direct .nacha .org" [mailto:corruptnessljx953 @bsilogistik .com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High
Attn: Accounting Department
We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
Click here for more information
Please consult with your financial institution to acquire the updated version of the software.
Yours truly,
ACH Network Rules Department
NACHA - The Electronic Payments Association
19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698


The malicious payload is at [donotclick]breathtakingundistinguished .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering .biz
hitwiseintelligence .biz
breathtakingundistinguished .biz "
* http://urlquery.net/....php?id=1615815
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 62.173.138.71
___

Fake DHL Spam / LABEL-ID-NY26032013-GFK73.zip
- http://blog.dynamoo....3-gfk73zip.html
26 Mar 2013 - "This DHL-themed spam contains a malicious attachment.
Date: Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From: Bart Whitt - DHL regional manager [reports @dhl .com]
Subject: DHL delivery report NY20032013-GFK73
Web Version | Update preferences | Unsubscribe
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global
Edit your subscription | Unsubscribe

> https://lh3.ggpht.co...k/s1600/dhl.png

Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
VirusTotal detections for this malware are low (7/46*). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here**."
* https://www.virustot...sis/1364296589/
File name: LABEL-ID-NY26032013-GFK73.exe
Detection ratio: 7/46
Analysis date: 2013-03-26
** http://blog.dynamoo....receipt-25.html

Screenshot: http://threattrack.t...tification-spam
___

Fake eFax SPAM / hjuiopsdbgp .ru
- http://blog.dynamoo....iopsdbgpru.html
26 Mar 2013 - "This fake eFax spam leads to malware on hjuiopsdbgp.ru:
Date: Tue, 26 Mar 2013 06:23:36 +0800
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Pages.htm
Fax Message [Caller-ID: 378677295]
You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.
* The reference number for this fax is [eFAX-677484317].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)
..."
* http://urlquery.net/....php?id=1617697
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit 95.211.154.196
___

Fake UPS SPAM / Label_8827712794 .zip
- http://blog.dynamoo....7712794zip.html
26 Mar 2013 - "This fake UPS spam has a malicious EXE-in-ZIP attachment:
Date: Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From: UPS Express Services [service-notification @ups .com]
Subject: UPS - Your package is available for pickup ( Parcel 4HS287FD )
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
CONFIDENTIALITY NOTICE...


The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46*. ThreatExpert reports** that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)
Assuming that all domains on those are malicious, this is a partial blocklist:
..."
* https://www.virustot...sis/1364312344/
File name: Label_8827712794.exe
Detection ratio: 6/46
Analysis date: 2013-03-26
** http://www.threatexp...e095b509d678f5e

Screenshot: http://threattrack.t...age-pickup-spam
___

Fake Wire Transfer SPAM / hondatravel .ru
- http://blog.dynamoo....datravelru.html
26 March 2013 - "This fake Wire Transfer spam leads to malware on hondatravel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)
Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]hondatravel .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
These IPs were seen earlier with this attack**."
* http://urlquery.net/....php?id=1618697
... Detected suspicious URL pattern... Blackhole 2 Landing Page 66.249.23.64
** http://blog.dynamoo....iopsdbgpru.html

Screenshot: http://threattrack.t...ng-service-spam
___

Fake TRAFFIC TICKET SPAM / hondatravel .ru
- http://blog.dynamoo....datravelru.html
26 Mar 2013 - "I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel .ru:
Date: Wed, 27 Mar 2013 04:24:14 +0330
From: "LiveJournal .com" [do-not-reply @livejournal .com]
Subject: Fwd: Re: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 2:15 AM
Date of Offense: 28/07/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM


The malicious payload appears to be identical to this spam run* earlier today."
* http://blog.dynamoo....datravelru.html

Screenshot: http://threattrack.t...fic-ticket-spam

:ph34r: <_<

Edited by AplusWebMaster, 27 March 2013 - 12:45 PM.



#908 AplusWebMaster

Posted 27 March 2013 - 07:28 AM

FYI...

Fake Airline E-ticket receipt SPAM / illuminataf .ru
- http://blog.dynamoo....ts-spam_27.html
27 Mar 2013 - "This fake airline ticket spam leads to malware on illuminataf .ru:
Date: Wed, 27 Mar 2013 03:23:05 +0100
From: "Xanga" [noreply @xanga .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-Receipt.htm
e-ticket receipt
Booking reference: JQ15191488
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services ...


The attachment E-Ticket-Receipt.htm leads to a malicious payload at [donotclick]illuminataf .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)
..."
* http://urlquery.net/....php?id=1633301
... Detected suspicious URL pattern... Blackhole 2 Landing Page 69.46.253.241
___

Fake NACHA SPAM / mgithessia .biz
- http://blog.dynamoo....thessiabiz.html
27 March 2013 - "This fake NACHA spam leads to malware on mgithessia .biz:
From: "Олег.Тихонов@direct .nacha .org" [mailto:universe87 @mmsrealestate .com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High
To whom it may concern:
We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
Click here for more information
Please consult with your financial institution to obtain the updated version of the software.
Kind regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894


The malicious payload is at [donotclick]mgithessia .biz/closest/repeating-director_concerns.php, although I am having difficulty resolving that domain; it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this*.
* http://urlquery.net/....php?id=1635808
... Detected live BlackHole v2.0 exploit kit 46.4.150.118
DNS services are provided by justintvfreefall .org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
..."
___

Sendspace Spam
- http://threattrack.t.../sendspace-spam
27 March, 2013 - "Subjects seen: You have been sent a file (Filename: [removed].pdf)
Typical e-mail details:
Sendspace File Delivery Notification:
You’ve got a file called [removed].pdf, (625.62 KB) waiting to be downloaded at sendspace.(It was sent by CONCHA ).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.


Malicious URLs:
my311 .com/info.htm - 173.246.66.199
contentaz .com/info.htm - 66.147.244.103
illuminataf .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84 ..."
Screenshot: https://gs1.wac.edge...8Kj91qz4rgp.png
___

Xerox WorkJet Pro Spam
- http://threattrack.t...orkjet-pro-spam
27 March 2013 - "Subjects seen:
Fwd: Fwd: Scan from a Xerox W. Pro #[removed]
Typical e-mail details:
A Document was sent to you using a XEROX WorkJet PRO
SENT BY : Anderson
IMAGES : 4
FORMAT (.JPEG) DOWNLOAD


Malicious URLs:
thuocdonga .com/info.htm - 66.147.244.103
ilianorkin .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84
Screenshot: https://gs1.wac.edge...T7vs1qz4rgp.png

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 27 March 2013 - 07:52 PM.



#909 AplusWebMaster

Posted 28 March 2013 - 06:10 AM

FYI...

Fake Xerox ptr SPAM / ilianorkin .ru
- http://blog.dynamoo....ianorkinru.html
28 March 2013 - "This fake printer spam leads to malware on ilianorkin .ru:
From: officejet @[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307
A Document was sent to you using a XEROX WorkJet PRO 481864299.
SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD


The malicious payload is at [donotclick]ilianorkin .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
..."
* http://urlquery.net/....php?id=1652917
... Detected suspicious URL pattern... Blackhole 2 Landing Page 140.114.75.84

Screenshot: https://gs1.wac.edge...T7vs1qz4rgp.png
___

Fake Changelog SPAM / Changelog_Urgent_N992.doc.exe
- http://blog.dynamoo....n992docexe.html
28 March 2013 - "This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe
From: Logistics Express [admin @ups .com]
Subject: Re: Changelog 2011 update
Hi,
as promised changelog,
Michaud Abran


VirusTotal* detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports** the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive. If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases."
* https://www.virustot...sis/1364462703/
File name: Changelog_Urgent_N992.doc.exe
Detection ratio: 18/46
Analysis date: 2013-03-28
** http://camas.comodo....9e26149e977eee6
___

Fake Facebook SPAM / ipiniadto .ru
- http://blog.dynamoo....piniadtoru.html
28 Mar 2013 - "The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From: FilesTube [filestube @filestube .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


The malicious payload is at [donotclick]ipiniadto .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as used in this attack**:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
..."
* http://urlquery.net/....php?id=1661788
... Detected suspicious URL pattern... Blackholev2 redirection 66.249.23.64
** http://blog.dynamoo....ianorkinru.html
___

Key Secured Message Spam
- http://threattrack.t...ed-message-spam
28 March 2013 - "Subjects seen:
Key Secured Message
Typical e-mail details:
You have received a Secured Message from:
[removed] @key .com
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - [removed]
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.0016.


Malicious URLs:
..."
Screenshot: https://gs1.wac.edge...44wN1qz4rgp.png
___

ADP Netsecure Spam
- http://threattrack.t...-netsecure-spam
28 March 2013 - "Subjects seen:
ADP Immediate Notification
Typical e-mail details:
ADP Immediate Notification
Reference #: [removed]
Thu, 28 Mar 2013 -01:38:59 -0800
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!


Malicious URLs:
..."

Screenshot: https://gs1.wac.edge...agxw1qz4rgp.png

Fake ADP Spam / ipiniadto .ru
- http://blog.dynamoo....piniadtoru.html
28 Mar 2013 - "This fake ADP spam leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From: Bebo Service [service @noreply.bebo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 120327398
Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 975316004
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious landing page and recommended blocklist are the same as for this parallel attack* also running today."
* http://blog.dynamoo....piniadtoru.html

:ph34r: <_<

Edited by AplusWebMaster, 28 March 2013 - 03:02 PM.



#910 AplusWebMaster

Posted 29 March 2013 - 09:52 AM

FYI...

Fake 'Overdue Payment' Spam
- http://threattrack.t...ue-payment-spam
March 29, 2013 - "Subjects seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 02/04/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Caroline Givens


Malicious URLs:
..."
Screenshot: https://gs1.wac.edge...e7bS1qz4rgp.png

Fake Overdue payment SPAM / INVOICE_28781731.zip
- http://blog.dynamoo....yment-spam.html
29 Mar 2013 - "This spam comes with a malware-laden attachment called INVOICE_28781731.zip:
Date: Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From: Victor_Lindsey @key .com
Subject: Please respond - overdue payment
Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Victor Lindsey
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


Unzipping the attachment gives a malware file called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal* detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports** a callback to topcancernews .com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack***. Looking for that IP in your logs might show if any of your clients."
* https://www.virustot...sis/1364586082/
File name: INVOICE_28781731.exe
Detection ratio: 16/46
Analysis date: 2013-03-29
** http://camas.comodo....36ef091ee4c1a16
*** http://blog.dynamoo....7712794zip.html
___

Fake FlashPlayer/browser hijack in-the-wild
- http://blogs.technet...Redirected=true
26 Mar 2013 - "... The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
> https://www.microsof...s/preflayer.jpg
... most users won’t realize that the program is going to change their browser’s start page. When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe... It then changes the user’s browser start page. It changes the start page for the following browsers:
FireFox, Chrome, Internet Explorer, Yandex
... to one of the following pages:
hxxp ://www.anasayfada .net
hxxp ://www.heydex .com
These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing... Domain info...
hxxp ://www.anasayfada .net - 109.235.251.146
hxxps ://flash-player-download .com/ - 31.3.228.202
hxxp ://www.yonlen .net/ - 37.220.28.122
hxxp ://www.heydex .com - 188.132.235.218 [ now > 109.200.27.170 ]
It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA... misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week. Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying 'no' to content you don't trust."

:ph34r: <_<

Edited by AplusWebMaster, 29 March 2013 - 10:47 PM.

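Added example, not code from the dynamoo blog or this forum post: the kind of mail-filter check the EXE-in-ZIP recommendation in the Changelog post calls for, which also catches the double-extension name (Changelog_Urgent_N992.doc.exe) and a renamed binary of the sort the "overdue payment" post describes. The archives below are constructed fixtures holding a bare MZ stub, not the real samples.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click; the page's lures all ship an .exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document extensions a lure pretends to be ("Changelog_Urgent_N992.doc.exe").
DECOY_EXTENSIONS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".htm"}
PE_MAGIC = b"MZ"  # every Windows executable starts with the DOS header signature


def classify_member(name, head):
    """Return the reasons one archive member looks like an EXE-in-ZIP lure (empty = fine)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]          # strip any folder prefix
    exts = ["." + p for p in base.split(".")[1:]]   # all extensions, e.g. ['.doc', '.exe']
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension " + exts[-2] + exts[-1])
    # A PE file renamed to look like a document still carries the MZ signature.
    if head.startswith(PE_MAGIC) and not (exts and exts[-1] in EXECUTABLE_EXTENSIONS):
        reasons.append("PE header under a non-executable name")
    return reasons


def scan_zip_attachment(zip_bytes):
    """Map each suspicious member name to its reasons; an empty dict means nothing was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))   # only the first bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Constructed fixture helper: build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not the real malware: a bare DOS-header stub stands in for the EXE.
FAKE_PE = PE_MAGIC + b"\x00" * 62
LURE_ZIP = build_zip({"Changelog_Urgent_N992.doc.exe": FAKE_PE})
RENAMED_ZIP = build_zip({"INVOICE_28781731.pdf": FAKE_PE})   # PE hidden under a document name
CLEAN_ZIP = build_zip({"notes.txt": b"nothing executable here"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)):
        print(label, scan_zip_attachment(blob) or "clean")
```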


#911 AplusWebMaster

Posted 01 April 2013 - 01:18 PM

FYI...

Fake Facebook Security Check Page
- http://blog.trendmic...ity-check-page/
Mar 31, 2013 - "Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception. We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to -redirect- users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”. It does this by redirecting all traffic to facebook.com and www.facebook.com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site. Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ for face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration... we also discovered that the malware performs DNS queries to several domain names. What this means is that the people behind this are prepared for server malfunction and have a backup to continue stealing information. To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification..."

Screenshot: https://www.net-secu...b-sec-check.jpg
___

Fake Last Month Remit Spam
- http://threattrack.t...onth-remit-spam
Apr 1, 2013 - "Subjects seen:
FW: Last Month Remit
Typical e-mail details:
File Validity: 04/05/2013
Company : [removed]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls


Malicious URLs:
..."


Screenshot: https://gs1.wac.edge...yvth1qz4rgp.png

:ph34r: <_<

Edited by AplusWebMaster, 02 April 2013 - 07:12 AM.

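Added example, not from the Trend Micro post: a check for the HOSTS-file trick described in the fake security-check write-up above. It parses hosts-file text, reports any entry that overrides facebook.com or www.facebook.com, and marks those that send the traffic back to the machine itself; the hosts content is a constructed fixture.

```python
import ipaddress

# The hostnames the page's sample pins to the infected machine itself.
WATCHED_HOSTS = {"facebook.com", "www.facebook.com"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        fields = line.split()
        for hostname in fields[1:]:           # one address may carry several names per line
            yield line_no, fields[0], hostname.lower().rstrip(".")


def points_at_self(ip):
    """True when the address sends traffic back to the local machine or LAN rather than the internet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local


def find_hijacked_hosts(text, watched=WATCHED_HOSTS):
    """Return [(line_no, hostname, ip, points_at_self)] for every watched name the file overrides.

    Any hosts entry for a major site is already out of place; one that resolves to the
    machine itself is the exact pattern of the fake security-check redirect.
    """
    return [(line_no, hostname, ip, points_at_self(ip))
            for line_no, ip, hostname in parse_hosts(text)
            if hostname in watched]


# Constructed hosts-file content; the facebook lines imitate what the infection adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       facebook.com
127.0.0.1       www.facebook.com   # added by the infection (constructed)
"""

if __name__ == "__main__":
    for hit in find_hijacked_hosts(SAMPLE_HOSTS):
        print(hit)
```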


#912 AplusWebMaster

Posted 02 April 2013 - 06:14 AM

FYI...

Fake Changelog emails lead to malware
- http://blog.webroot....ead-to-malware/
April 2, 2013 - "... recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog....gelog.png?w=869
Detection rate for the malicious attachment:
MD5: e01ea945b8d055c5c115ab58749ac502 * ... Worm:Win32/Cridex.E.
Upon execution, the sample creates the following processes on the affected hosts:
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B ...
It then phones back to hxxp://85.214.143.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://91.121.90.92 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same C&C (85.214.143.90) used in a previously profiled malicious campaign..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1364475932/
File name: LLSMGR.EXE
Detection ratio: 35/46
Analysis date: 2013-04-01

- https://www.google.c...ic?site=AS:6724 - 85.214.143.90

- https://www.google.c...c?site=AS:16276 - 91.121.90.92
___

Fake Sendspace SPAM / imbrigilia .ru
- http://blog.dynamoo....brigiliaru.html
2 Apr 2013 - "This fake Sendspace spam leads to malware on imbrigilia .ru:
Date: Tue, 2 Apr 2013 03:57:26 +0000
From: "JOSIE HARMON" [HARMON_JOSIE @hotmail .com]
Subject: You have been sent a file (Filename: [redacted]-7191.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service...


The malicious payload is at [donotclick]imbrigilia .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
..."
* http://urlquery.net/....php?id=1757102
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
** http://blog.dynamoo....uired-spam.html

Also: http://threattrack.t.../sendspace-spam
2 Apr 2013
Screenshot: https://gs1.wac.edge...EWUN1qz4rgp.png
___

Fake "End of Aug. Statement Required" SPAM / ivanovoposel .ru
- http://blog.dynamoo....uired-spam.html
2 April 2013 - "This spam leads to malware on ivanovoposel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured
Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
SHONTA SCHMITT


Alternate names:
NORIKO Richmond
Raiden MORRISON
Attachments:
Invoice_U13726798 .htm
Invoice_U453718 .htm
Invoice_U913687 .htm
The attachment leads to malware on [donotclick]ivanovoposel .ru:8080/forum/links/column.php (report here*) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
..."
* http://urlquery.net/....php?id=1751267
... Detected live BlackHole v2.0 exploit kit 94.103.45.34

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 02 April 2013 - 02:23 PM.



#913 AplusWebMaster

Posted 03 April 2013 - 07:51 AM

FYI...

Something evil on 151.248.123.170
- http://blog.dynamoo....1248123170.html
3 April 2013 - "151.248.123.170 (Reg .ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain .com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame .com/xlawr/next/requirements_anonymous_ordinary.php (report here*) which from the URL looks very much like a BlackHole Exploit kit. This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach..."
(Long list of recommended blocks at the dynamoo URL above.)
* http://urlquery.net/....php?id=1778882
___

Fake eFax SPAM / ivanikako .ru
- http://blog.dynamoo....vanikakoru.html
3 April 2013 - "This fake eFax spam leads to malware on ivanikako .ru:
From: Global Express UPS [mailto:admin @ups .com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate
Fax Message [Caller-ID: 189609656]
You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.
* The reference number for this fax is [eFAX-698329221].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.


The malicious payload is at [donotclick]ivanikako .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1786247
... Detected suspicious URL pattern... Blackholev2 redirection 94.103.45.34

Screenshot: https://gs1.wac.edge...bN8o1qz4rgp.png
___

APT malware monitors mouse clicks to evade detection
- https://www.computer...researchers_say
April 2, 2013 - "... Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit sent during targeted email attacks. The name of the document translates to "Islamic Jihad.doc." "We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," FireEye researcher Chong Rong Hwa said Monday in a blog post*. The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there's any mouse activity before initiating the second attack stage. Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click... The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network... The backdoor program gathers and uploads system information back to a command-and-control server. It also supports several commands including one to download and execute additional files on the infected computers..."
* http://www.fireeye.c...use-clicks.html
April 1, 2013
___

Fake Wire Transfer e-mails
- http://tools.cisco.c...x?alertId=28112
2013 April 03 - "... significant activity related to spam e-mail messages that claim to contain a wire transfer notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the final confirmation notice. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code. E-mail messages that are related to this threat (RuleID5193 and RuleID5193KVR) may contain the following files:
out going wire. pdf.zip
npxo.scr
Sales Contract Order.zip
DEDE.scr

The npxo.scr file in the out going wire. pdf.zip attachment has a file size of 509,199 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2A41A06A00F4CF58485AF938F01B128D
The DEDE.scr file in the Sales Contract Order.zip attachment has a file size of 221,696 bytes. The MD5 checksum is the following string: 0x79274D0CFAC51906FAF8334952AF2734
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Re: Out going wire transfer (High Priority)
Message Body:
We have just received instruction to process a wire transfer of $6,780 from your account. Please download/view the attachment for final confirmation and respond as quickly as possible.
Bank Wire Transfer Department.

-Or-
Subject: New Order
Message Body:
Dear Sir,We are currently running out of stock and would need urgent attentionEnclosed please find a new Order. Please send the delivery as quickly
as possible.Meanwhile, please send us the Invoice for endorsement.Best regards Krystyna
..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 03 April 2013 - 04:09 PM.

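Added example for the blocklists in this post and the previous one. The Dynamoo and Webroot write-ups give their indicators defanged ("[donotclick]host .ru:8080/...", "hxxp://ip :8080/..."), so the first step on the blue-team side is refanging them into something a proxy can match. This script is mine, not code from Dynamoo, Webroot or ThreatTrack: it refangs the indicators, builds a blocklist that also blocks the Dynamic DNS suffixes wholesale (as the 151.248.123.170 post recommends) and keys on the reused kit path on a non-default port, then runs it over proxy-log lines. IOCS is copied from the posts; SAMPLE_LOG is constructed; DYNDNS_SUFFIXES and the non-default-port rule are assumptions to tune locally.

```python
"""Refang the defanged indicators quoted in this and the previous post
into a blocklist and run it over web-proxy log lines.

Added example, not code from Dynamoo, Webroot or ThreatTrack. IOCS is copied
from the posts; SAMPLE_LOG is constructed; DYNDNS_SUFFIXES and the rule that
keys on non-default ports are assumptions to tune locally.
"""
import re
from urllib.parse import urlsplit


def refang(ioc):
    """'[donotclick]foo .ru:8080/x', 'hxxp ://1.2.3.4 :8080/y' -> 'http://...'."""
    s = ioc.strip().replace("[donotclick]", "").replace("[.]", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = re.sub(r"\s+(?=[.:/])", "", s)          # drop the spaces inserted to defang
    if not re.match(r"^https?://", s, re.I):
        s = "http://" + s
    return s


def indicator(ioc):
    """Return (host, port, path) for a defanged indicator."""
    u = urlsplit(refang(ioc))
    return u.hostname, u.port or 80, u.path or "/"


class Blocklist:
    def __init__(self, iocs, dyndns_suffixes=()):
        self.hosts = set()
        self.kit_paths = set()          # (port, path) pairs seen on non-default ports
        for ioc in iocs:
            host, port, path = indicator(ioc)
            self.hosts.add(host)
            if port != 80:              # the kit landing pages quoted here all sit on :8080
                self.kit_paths.add((port, path))
        self.suffixes = tuple(s.lower().lstrip(".") for s in dyndns_suffixes)

    def verdict(self, url):
        """Reason to block, or None."""
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if host in self.hosts:
            return "blocklisted host"
        if any(host == s or host.endswith("." + s) for s in self.suffixes):
            return "dynamic DNS domain blocked wholesale"
        if ((u.port or 80), u.path) in self.kit_paths:
            return "known kit path on a new host"
        return None


def scan_log(text, blocklist):
    """Lines are 'timestamp client method url status' (constructed format)."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        why = blocklist.verdict(url)
        if why:
            hits.append((client, url, why))
    return hits


IOCS = [   # verbatim from the posts above
    "[donotclick]imbrigilia .ru:8080/forum/links/column.php",
    "[donotclick]ivanovoposel .ru:8080/forum/links/column.php",
    "hxxp://85.214.143.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
    "hxxp://91.121.90.92 :8080/AJtw/UCyqrDAA/Ud+asDAA/",
    "3ecompany .com:8080/ponyb/gate.php",
    "[donotclick]fdozwnqdb.4mydomain .com/jquery/get.php?ver=jquery.latest.js",
]
DYNDNS_SUFFIXES = ("servegame.com", "4mydomain.com")   # assumption, from the 151.248.123.170 post

SAMPLE_LOG = """\
2013-04-03T10:01:02 10.0.0.12 GET http://www.example.org/index.html 200
2013-04-03T10:01:05 10.0.0.12 GET http://imbrigilia.ru:8080/forum/links/column.php 200
2013-04-03T10:02:11 10.0.0.31 GET http://db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php 200
2013-04-03T10:03:40 10.0.0.45 POST http://3ecompany.com:8080/ponyb/gate.php 200
2013-04-03T10:04:02 10.0.0.45 GET http://newhost.example:8080/forum/links/column.php 200
"""

if __name__ == "__main__":
    for client, url, why in scan_log(SAMPLE_LOG, Blocklist(IOCS, DYNDNS_SUFFIXES)):
        print(f"{client:<12} {why:<38} {url}")
```

The path rule is the useful generalisation: every one of these .ru domains is registered fresh, but the landing page path ":8080/forum/links/column.php" and the Pony gate "/ponyb/gate.php" are reused, so matching on port plus path catches the next domain before anyone has blogged it. Keep that rule to non-default ports or distinctive paths, or it will fire on ordinary sites.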


#914 AplusWebMaster

Posted 04 April 2013 - 09:27 AM

FYI...

- https://www.net-secu...ews.php?id=2455
4.04.2013 - "Malware activity has become so pervasive that organizations experience a malicious email file attachment or Web link as well as malware communication that evades legacy defenses up to once every three minutes, according to FireEye* ..."
* http://www.fireeye.c...eat-report.html

> https://www.net-secu...ye-042013-1.jpg
___

Fake "Bill Me Later" SPAM / PP_BillMeLater_Receipe04032013_4283422.zip
- http://blog.dynamoo....terreceipe.html
4 Apr 2013 - "This fake "Bill Me Later" spam comes with a malicious attachment:
Date: Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
From: Bill Me Later [notification @billmelater .com]
Subject: Thank you for scheduling a payment to Bill Me Later
BillMeLater
Log in here
Your Bill Me Later® statement is now available!
Dear Customer,
Thank you for making a payment online! We've received your
Bill Me Later® payment of $1644.03 and have applied it to your account.
For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip
Here are the details:
Your Bill Me Later Account Number Ending in: 0014
You Paid: $1644.03
Your Payment Date*: 04/03/2013
Your Payment Confirmation Number: 228646660603545001
Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.
BillMeLater
*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.
Bill Me Later accounts are issued by WebBank, Salt Lake City Utah
PP10NDPP1


Screenshot: https://lh3.ggpht.co...ll-me-later.png

There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46*. The executable is resistant to automated analysis tools but has the following fingerprint:
MD5: c93bd092c1e62e9401275289f25b4003
SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29
Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it."
* https://www.virustot...sis/1365065866/
File name: PP_BillMeLater_Receipe_04032013.exe
Detection ratio: 26/46
Analysis date: 2013-04-04
___

Fiserv Money Transfer Spam
- http://threattrack.t...y-transfer-spam
4 April 2013 - "Subjects seen:
Outgoing Money Transfer
Typical e-mail details:
An outgoing money transfer request has been received by your financial institution. In order to complete the money transfer please print and sign the attached form.
To avoid delays or additional fees please be sure Beneficiary Information including name, branch name, address, city, state, country, and RTN or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Joy_Farmer
Senior Officer
Cash Management Verification
Phone : [removed]
Email: [removed]


Malicious URLs
3ecompany .com:8080/ponyb/gate.php
23.wellness-health2day .com/ponyb/gate.php
23.ad-specialties .info/ponyb/gate.php
23.advertisingspecialties .biz/ponyb/gate.php
brightpacket .com/coS0GiKE .exe
u16432594.onlinehome-server .com/d8dTEXk.exe
thedryerventdude .com/2FKBSea .exe


Screenshot: https://gs1.wac.edge...RrN91qz4rgp.png
___

Bank of America Trusteer Spam
- http://threattrack.t...a-trusteer-spam
4 April 2013 - "Subjects seen:
New Critical Update
Typical e-mail details:
Valued Customer:
As part of our continued effort to enhance online banking safety, Bank of America announced late last year that it has partnered with Trusteer Rapport to add an additional layer of security to our eBusiness platform and we recommend that all of our online banking customers install the software.


Malicious URLs
23.proautorepairdenver .com/forum/viewtopic.php
23.onqdenver .net/forum/viewtopic.php
23.onqdenver .com/forum/viewtopic.php
3ecompany .com:8080/forum/viewtopic.php
dev2.americanvisionwindows .com/rthsWe.exe
adr2009 .it/R4eFC.exe
easy .com.gr/2YcB2jL.exe
konyapalyaco .net/F6pKX68j.exe
homepage.osewald .de/ynWx1.exe


Screenshot: https://gs1.wac.edge...bMm31qz4rgp.png
___

Fake "British Airways" SPAM / igionkialo .ru
- http://blog.dynamoo....ionkialoru.html
4 Apr 2013 - "This fake British Airways spam leads to malware on igionkialo .ru:
Date: Thu, 4 Apr 2013 10:19:48 +0330
From: Marleen Camacho via LinkedIn [member @linkedin .com]
Subject: British Airways E-ticket receipts
Attachments: E-Receipt.htm
e-ticket receipt
Booking reference: UMA7760047
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1805773
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
___

Madi/Mahdi/Flashback OS X connected malware spreading through Skype
- http://blog.webroot....-through-skype/
April 4, 2013 - "Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from malware-infected friends or colleagues. Once users click on the shortened link, they’ll be exposed to a simple file download box, with the cybercriminals behind the campaign directly linking to the malicious executable...
Sample screenshot of the campaign in action:
> https://webrootblog....engineering.png
Sample redirection chain: hxxp ://www.goo .gl/aMrTD?image=IMG0540250-JPG -> hxxp ://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef * ... Gen:Variant.Symmi.17255.
More malware is known to have been rotated on the same IP... Upon execution, MD5: d848763fc366f3ecb45146279b44f16a phones back to hxxp ://xlotxdxtorwfmvuzfuvtspel .com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j – 50.62.12.103. What’s so special about this IP (50.62.12.103) anyway? It’s the fact that it’s known to have been used as a C&C for the Madi/Mahdi malware campaign, as well as a C&C for the Flashback MAC OS X malware, proving that someone’s definitely multi-tasking..."
(More detail at the webroot URL above.)
* https://www.virustot...a3b91/analysis/
File name: reznechek.exe
Detection ratio: 27/46
Analysis date: 2013-04-03
___

Legal Case Spam
- http://threattrack.t...legal-case-spam
4 April 2013 - "Re: Our chances to win the case are better than ever.
Typical e-mail details:
We talked to the administration representatives, and if we acknowledge our minor defiance to improve their statistics, the major suit will be closed due to the lack of the government interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it seems unacceptable, let us know.
Speech.doc 332kb
With Best Wishes
Erica Bermudez


Malicious URLs
3ecompany .com:8080/ponyb/gate.php
lanos-info .ru/winadlor.htm


Screenshot: https://gs1.wac.edge...HXcK1qz4rgp.png
___

Penny stock SPAM
- https://isc.sans.edu...l?storyid=15559
Last Updated: 2013-04-05 00:25:54 UTC - "Most of you will remember the penny stock SPAM messages from a few years ago. The main aim of the game is to buy a bunch of penny stock and then do a SPAM campaign to drive buying interest, artificially inflating the price of the stock. They sell and make their money. It may be a few cents per share, but if you own enough of it can be quite profitable. Most SPAM filters are more than capable of identifying and dumping this kind of SPAM. It looks however like it is becoming popular again...
News!!!
Date: Thursday, Apr 4th, 2013
Name: Pac West Equities, Inc.
To buy: P_WEI
Current price: $.19
Long Term Target: $.55
OTC News Subscriber Reminder!!! Releases Breaking News This
Morning!


What is old is new again..."

:ph34r: <_<

Edited by AplusWebMaster, 04 April 2013 - 08:45 PM.

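Added example for the "block EXE-in-ZIP at the perimeter" advice in the Bill Me Later post above and the Cisco wire-transfer alert in the previous post (npxo.scr inside "out going wire. pdf.zip"). This is my own script, not vendor code: it opens a ZIP attachment in memory and flags members by executable extension, double extension, nested archive, and the PE "MZ" magic regardless of what the file is called. The archives are built from constructed bytes; the extension sets are assumptions to extend locally.

```python
"""Inspect a ZIP mail attachment for executables: the perimeter control
the Dynamoo post above recommends, applied to the Cisco alert's
'out going wire. pdf.zip' containing 'npxo.scr'.

Added example, not vendor code. The archives are built in memory from
constructed bytes; the extension sets are assumptions to extend locally.
"""
import io
import zipfile

EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "dll", "cpl"}
DOC_EXTENSIONS = {"pdf", "doc", "xls", "txt", "jpg", "htm"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}


def member_reasons(name, head):
    """Reasons to block one archive member, from its name and first bytes."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2].strip() in DOC_EXTENSIONS:
            reasons.append("document extension hidden before executable one")
    if ext in ARCHIVE_EXTENSIONS:
        reasons.append("nested archive, inspect recursively")
    if head[:2] == b"MZ":   # DOS/PE stub: the name lies, the magic usually does not
        reasons.append("PE (MZ) header" if ext in EXEC_EXTENSIONS
                       else "PE (MZ) header under a non-executable extension")
    return reasons


def inspect_zip(data):
    """Return {member_name: [reasons]} for members that should be blocked."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(2)
            except RuntimeError:           # password-protected member
                findings[info.filename] = ["encrypted member, cannot inspect"]
                continue
            reasons = member_reasons(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(data):
    """Perimeter decision: any flagged member blocks the whole attachment."""
    return bool(inspect_zip(data))


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


MZ_STUB = b"MZ" + b"\x90" * 62        # constructed: just the DOS header magic, not a real PE

MALICIOUS_MEMBERS = {
    "npxo.scr": MZ_STUB,                 # the member name from the Cisco alert
    "Invoice.pdf.exe": MZ_STUB,          # double extension
    "statement.pdf": MZ_STUB,            # executable renamed to look like a document
    "readme.txt": b"Thank you for your order\n",
}
BENIGN_MEMBERS = {"readme.txt": b"hello\n", "report.pdf": b"%PDF-1.4\n"}

if __name__ == "__main__":
    for name, reasons in inspect_zip(build_zip(MALICIOUS_MEMBERS)).items():
        print(f"{name:<20} {'; '.join(reasons)}")
    print("block attachment:", should_block(build_zip(MALICIOUS_MEMBERS)))
```

Two caveats a gateway has to live with: an encrypted member cannot be inspected, so it is treated as blockable rather than passed on trust, and a nested archive is only flagged here, not opened, so a real deployment recurses with a depth limit to avoid zip bombs.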


#915 AplusWebMaster

Posted 05 April 2013 - 03:27 AM

FYI...

Fake Legal SPAM / itriopea .ru
- http://blog.dynamoo....itriopearu.html
5 Apr 2013 - "This fake legal spam leads to malware on itriopea .ru:
Date: Thu, 4 Apr 2013 07:44:02 -0500
From: Malaki Brown via LinkedIn [member @linkedin .com]
Subject: Fwd: Our chances to gain a cause are better than ever.
We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.
Speech.doc 458kb
With respect to you
Malaki Brown
==============
Date: Thu, 4 Apr 2013 05:37:47 -0600
From: Talisha Sprague via LinkedIn [member @linkedin .com]
Subject: Re: Fwd: Our chances to gain a suit are higher than ever.
We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.
Speech.doc 698kb
With Best Regards
Talisha Sprague


The attachment Speech.doc leads to a malicious payload at [donotclick]itriopea .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Turkey)
Blocklist (including active nameservers):
62.76.40.244
62.76.41.245
91.191.170.26
93.187.200.250
109.70.4.231
188.65.178.27
199.66.224.130
199.191.59.60
208.94.108.238
..."
* http://urlquery.net/....php?id=1824890
... Detected suspicious URL pattern... Blackhole 2 Landing Page 93.187.200.250
___

Facebook Photo Share Spam
- http://threattrack.t...hoto-share-spam
5 Apr 2013 - "Subjects Seen:
[removed] shared photo of you.
Typical e-mail details:
[removed] commented on Your photo.
Reply to this email to comment on this photo.


Malicious URLs
barroj .info/images/cnnbrnews.html
craftypidor .info/complaints/arrangement-select.php


Screenshot: https://gs1.wac.edge...mG4I1qz4rgp.png
___

Fake Invoice SPAM / ijsiokolo .ru
- http://blog.dynamoo....jsiokoloru.html
5 Apr 2013 - "This fake invoice spam leads to malware on ijsiokolo .ru:
Date: Fri, 5 Apr 2013 07:57:37 +0300
From: "Account Services ups" [upsdelivercompanyb @ups .com]
Subject: Re: End of Aug. Statement Required
Attachments: Invoice_AF146989113.htm
Good morning,
I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
Regards
DAYLE PRIEST
===========
Date: Fri, 5 Apr 2013 07:56:53 -0300
From: "Tracking" [ups-account-services @ups .com]
Subject: Re: FW: End of Aug. Stat.
Hallo,
I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).
Regards
Mariano LEE


The .htm attachment in the email leads to malware at [donotclick]ijsiokolo .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238
..."
* http://urlquery.net/....php?id=1829725
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
___

Fake "Copies of Policies" SPAM / ifikangloo .ru
- http://blog.dynamoo....ikanglooru.html
5 April 2013 - "This spam leads to malware on ifikangloo .ru:
From: KaelSaine @mail .com [mailto:KaelSaine @mail .com]
Sent: 05 April 2013 11:43
Subject: Fwd: LATONYA - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
LATONYA Richmond,


The link in the email leads to a legitimate -hacked- site and then on to [donotclick]ifikangloo .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)
Blocklist:
91.191.170.26
208.94.108.238
..."
* http://urlquery.net/....php?id=1831322
... Detected suspicious URL pattern... Blackhole 2 Landing Page 208.94.108.238
** http://blog.dynamoo....jsiokoloru.html

Variation - same theme: http://threattrack.t...f-policies-spam
5 Apr 2013

Screenshot: https://gs1.wac.edge...LKJT1qz4rgp.png
___

Fake eFax Corporate Spam
- http://threattrack.t...corpoprate-spam
5 April 2013 - "Subjects Seen:
Corporate eFax message from Caller ID : “[removed]” - 3 page(s)
Typical e-mail details:
You have received a 3 page(s) fax at 2013-04-05 02:31:33 CST.
* The reference number for this fax is [removed].
View this fax using your PDF reader.
Click here to view this message
Please visit eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!


Malicious URLs
estherashe .com/winching/index.html
23.frameless-glass-shower-enclosures .com/forum/viewtopic.php
23.frameless-glass-shower-enclosures .com/adobe/update_flash_player.exe
23.garryowen .biz/adobe/
albenden .com/F2SyzQtn.exe
globalinfocomgroup .com/r18Lm7RJ.exe
209.164.63.90 /otQw.exe


Screenshot: https://gs1.wac.edge...jWsl1qz4rgp.png

:ph34r: <_<

Edited by AplusWebMaster, 05 April 2013 - 02:24 PM.

