SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#916 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 April 2013 - 07:45 AM

FYI...

Fake pharmacy SPAM / accooma .org / classic-pharmacy .com
- http://blog.dynamoo....accoomaorg.html
6 April 2013 - "This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:
Date: Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
From: "Account Info Change" [info @virtualregistrar .com]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support


The link in the email goes to a landing page on accooma .org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy .com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block. There does not appear to be any malware involved (see here* and here**) and of course nobody has changed any details on your account. You can safely ignore these emails. A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party... fake pharma sites are active in this range..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/....php?id=1850413

** http://urlquery.net/....php?id=1850445

- https://www.google.c...c?site=AS:21788
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-06, and the last time suspicious content was found was on 2013-04-06... we found 227 site(s) on this network... that appeared to function as intermediaries for the infection of 981 other site(s)... We found 384 site(s)... that infected 1772 other site(s)..."
___

Fake Facebook pwd reset SPAM / accooma .org
- http://blog.dynamoo....r-password.html
6 April 2013 - "Another very aggressive spam run promoting accooma .org which is a fake pharma site..
Date: Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
From: Facebook
Subject: Reminder: Reset your password
facebook
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team


The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post* about another spam run for the same domain."
* http://blog.dynamoo....accoomaorg.html

:ph34r: <_<

Edited by AplusWebMaster, 06 April 2013 - 11:46 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#917 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 April 2013 - 09:56 AM

FYI...

Fake Bank SPAM / ighjaooru .ru
- http://blog.dynamoo....ghjaooruru.html
8 Apr 2013 - "I've never heard of M&I Bank but this is quite an old school spam campaign that leads to malware on ighjaooru .ru:
Date: Mon, 8 Apr 2013 -01:41:06 -0800
From: Coral Randolph via LinkedIn [member @linkedin .com]
Subject: Re: Fwd: M&I Bank bankruptcy
Hi, bad news.
M&I Bank bankruptcy


The malicious payload is at [donotclick]ighjaooru .ru:8080/forum/links/column.php (report here*) hosted on a whole load of IPs:
72.167.254.194 (GoDaddy, US)
80.246.62.143 (Alfahosting, Germany)
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
72.167.254.194
80.246.62.143
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1885773
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
___

Fake obit SPAM / ighjaooru .ru
- http://blog.dynamoo....liefs-spam.html
8 April 2013 - "It didn't take long for the Margaret Thatcher themed malware to start after her death. This one leads to malware on ighjaooru .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Josefa Jimenez via LinkedIn
Sent: 08 April 2013 05:41
Subject: Fwd: Re: Kissinger: Thatcher's strong beliefs
Hi, bad news.
Kissinger: Thatcher's strong beliefs...


The payload and associated domains and IPs are exactly the same as used in this attack*."
* http://blog.dynamoo....ghjaooruru.html
___

Malicious NASA Asteroid Spam
- http://threattrack.t...a-asteroid-spam
8 April 2013 - "Subjects Seen:
Fwd: NASA plans to catch an asteroid
Typical e-mail details:
Hi, bad news.
NASA plans to catch an asteroid..."


Malicious URLs
worldtennisstars .ru/gakmail.htm
iztakor .ru:8080/forum/links/column.php


Screenshot: https://gs1.wac.edge...perr1qz4rgp.png
___

Bad News Spam
- http://threattrack.t...8/bad-news-spam
8 April 2013 - "Subjects Seen:

Fwd: Re: War with N. Korea
Re: Bank of America bankruptcy
Re: Fwd: Tax havens busted
Re: M&I Bank bankruptcy
Re: Fwd: Shedding light on ‘dark matter’

Typical e-mail details:
Hi, bad news.

<E-mail subject news story>


Malicious URLs
joanred.altervista .org/gakmail.htm
vtoto .ru/gakmail.htm
delta-mebel .by/gakmail.htm
ghostsquad.altervista .org/gakmail.htm
ighjaooru .ru:8080/forum/links/column.php
iztakor .ru:8080/forum/links/column.php


Screenshot: https://gs1.wac.edge...esX41qz4rgp.png

:ph34r: <_<

Edited by AplusWebMaster, 08 April 2013 - 10:13 AM.



#918 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 April 2013 - 08:30 AM

FYI...

Fake HP ScanJet SPAM / jundaio .ru
- http://blog.dynamoo....-jundaioru.html
9 Apr 2013 - "This fake printer spam leads to malware on jundaio .ru:
Date: Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
From: Scot Crump [ScotCrump @hotmail .com]
Subject: Re: Scan from a Hewlett-Packard ScanJet #0437
Attachment: HP-ScannedDoc.htm
Attached document was scanned and sent
to you using a HP HPAD-400812P.
SENT BY : Scot S.
PAGES : 9
FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]


The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/....php?id=1894750
... Detected live BlackHole v2.0 exploit kit 91.191.170.26

- http://nakedsecurity...c-with-malware/
April 4, 2013
___

Fake BoA Bill Payment SPAM / BILL_04092013_Fail.exe
- http://blog.dynamoo....ecent-bill.html
9 Apr 2013 - "This spam contains an attachment 04092013.zip which in turn contains a malicious file BILL_04092013_Fail.exe
Date: Tue, 9 Apr 2013 10:44:03 -0500 [11:44:03 EDT]
From: Bank of America [bill.payment @bankofamerica .com]
Subject: Unable to process your most recent Bill Payment
You have a new e-Message from Bank of America
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
Pay To Account Number: **********3454
Due Date: 05/01/2013
Amount Due: $ 508.60
Statement Balance: $ 2,986.26
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause. .
Please do not reply to this message. If you have any questions about the information in this e-Bill , please contact your Bill Pay customer support . For all other questions, call us at 800-887-5749.
Bank of America, N.A. Member FDIC. Equal Housing Lender
©2013 Bank of America Corporation. All rights reserved...


VirusTotal results are only 11/46*.
MD5: 3cb04da2747769460a7ac09d1be44fc6
SHA256: 141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70
ThreatExpert reports** that the malware attempts to phone home to 64.34.70.31 and 64.34.70.32 (iDigital Internet Inc, Canada) and includes a keylogger."
* https://www.virustot...sis/1365522944/
File name: BILL_04092013_Fail.exe
Detection ratio: 11/46
Analysis date: 2013-04-09
** http://www.threatexp...a7ac09d1be44fc6

Screenshot: https://gs1.wac.edge...dYQ91qz4rgp.png
___

Malicious American Airlines Spam
- http://threattrack.t...n-airlines-spam
April 9, 2013 - "Subjects Seen:
Please download your ticket #[removed]
Typical e-mail details:
Customer Notification
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should Download It .


Malicious URLs
bikemania .org/components/.5wl0rb.php?request=ss00_323


Screenshot: https://gs1.wac.edge...hOy21qz4rgp.png
___

Fake LinkedIn SPAM / jonahgkio .ru
- http://blog.dynamoo....onahgkioru.html
9 Apr 2013 - "This fake LinkedIn spam leads to malware on jonahgkio .ru:
Date: Tue, 9 Apr 2013 10:03:31 -0300
From: "service @paypal .com" [service @paypal .com]
Subject: Join my network on LinkedIn
LinkedIn
Marcelene Bruno has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Marcelene Bruno
Accept
View invitation from Marcelene Bruno
WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?
Marcelene Bruno's connections could be useful to you
After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
© 2012, LinkedIn Corporation


The link leads to a malicious payload on [donotclick]jonahgkio .ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
..."
___

Fake Intuit SPAM / juhajuhaa .ru
- http://blog.dynamoo....uhajuhaaru.html
9 Apr 2013 - "This fake Intuit spam leads to malware on juhajuhaa .ru:
Date: Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
From: Tagged [Tagged @taggedmail .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.
Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
amount to be seceded: 4053 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa .ru:8080/forum/links/column.php (report here*) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
...
* http://urlquery.net/....php?id=1900207
... Detected suspicious URL pattern... Blackhole 2 Landing Page 91.191.170.26

Screenshot: https://gs1.wac.edge...NPus1qz4rgp.png
___

Top porn sites lead to malware
- http://blog.dynamoo....to-malware.html
9 Apr 2013 - "... the greatest risk comes from external sites such as crakmedia .com (report*), trafficjunky .net (report**) and traffichaus .com (report***) plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss... If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched... and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential."
(More detail at the dynamoo URL above.)
* http://www.google.co...e=crakmedia.com
** http://www.google.co...rafficjunky.net
*** http://www.google.co...traffichaus.com
___

"Your naked photos online" SPAM ...
- https://www.net-secu...ews.php?id=2460
Apr 9, 2013 - "Malware peddlers continue to use the old "your naked photos online" lure to trick users into following malicious links or downloading malicious attachments, warns Total Defense's* Alex Polischuk. The attached EPS00348.zip file contains an executable of the same name, and sports an icon depicting a natural landscape in order to trick the user into opening it. Unfortunately for those who do, the file is actually a backdoor Trojan that also has the ability to download additional malware onto the compromised computer, allowing the attackers to have total control of it and using it for their own malicious purposes. As always, users are advised -never- to follow links or download files contained in unsolicited emails - no matter the claims they contain and how urgent they sound."
* http://www.totaldefe...ysA-Trojan.aspx

:ph34r: <_<

Edited by AplusWebMaster, 10 April 2013 - 04:27 AM.

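The spam samples quoted in the posts above share traits that a mail filter can check before anyone clicks: the Date header is years out of date (the "Account Info Change" message carries a 2004 date), or malformed ("-01:41:06" in the M&I Bank message), and the brand named in the subject does not match the sending domain (a LinkedIn invitation from a paypal.com address, an Intuit payroll notice from taggedmail.com). The triage script below is an added example, not code from this thread or from the blogs it quotes; the BRAND_DOMAINS table, the two-day skew threshold and the sample messages are constructed assumptions modelled on the quoted headers, not real captures.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption (constructed for this example): domains accepted as a brand's genuine sender.
# A real deployment would maintain this list from the brands' published sending domains.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com", "bounce.linkedin.com"},
    "paypal": {"paypal.com"},
    "intuit": {"intuit.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "ups": {"ups.com"},
    "verizon": {"verizonwireless.com"},
}
# Assumed threshold: a Date header more than two days from receipt is suspicious.
MAX_DATE_SKEW = timedelta(days=2)


def sender_domain(msg):
    """Domain of the envelope-visible From address (display name is ignored)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def claimed_brands(text):
    """Brands from BRAND_DOMAINS that appear as whole words in subject/body text."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return {brand for brand in BRAND_DOMAINS if brand in words}


def date_finding(msg, received_at):
    """Return a finding string for a missing, unparseable or badly skewed Date header."""
    raw = msg.get("Date")
    if raw is None:
        return "date-missing"
    try:
        sent = parsedate_to_datetime(raw)
    except (ValueError, TypeError):  # e.g. "-01:41:06" yields an invalid hour
        return "date-unparseable"
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    if abs(received_at - sent) > MAX_DATE_SKEW:
        return "date-skew"
    return None


def triage(raw_message, received_at):
    """Parse one RFC 822 message and return the list of header findings."""
    msg = message_from_string(raw_message)
    findings = []
    finding = date_finding(msg, received_at)
    if finding:
        findings.append(finding)
    domain = sender_domain(msg)
    body = "" if msg.is_multipart() else msg.get_payload()
    for brand in sorted(claimed_brands(msg.get("Subject", "") + " " + body)):
        if domain not in BRAND_DOMAINS[brand]:
            findings.append(f"brand-mismatch:{brand}")
    return findings


# Constructed samples modelled on the headers quoted in the thread; each pairs a
# raw message with the (assumed) time our server received it.
SAMPLES = {
    "linkedin_invite": (
        'From: "service@paypal.com" <service@paypal.com>\n'
        "Subject: Join my network on LinkedIn\n"
        "Date: Tue, 9 Apr 2013 10:03:31 -0300\n\n"
        "I'd like to add you to my professional network on LinkedIn.\n",
        datetime(2013, 4, 9, 13, 10, tzinfo=timezone.utc),
    ),
    "bank_bad_news": (
        "From: Coral Randolph via LinkedIn <member@linkedin.com>\n"
        "Subject: Re: Fwd: M&I Bank bankruptcy\n"
        "Date: Mon, 8 Apr 2013 -01:41:06 -0800\n\n"
        "Hi, bad news.\nM&I Bank bankruptcy\n",
        datetime(2013, 4, 8, 10, 0, tzinfo=timezone.utc),
    ),
    "account_info": (
        'From: "Account Info Change" <info@virtualregistrar.com>\n'
        "Subject: Updated information\n"
        "Date: Mon, 9 Feb 2004 13:00:35 +0000\n\n"
        "The following information for your ID was updated.\n",
        datetime(2013, 4, 6, 9, 0, tzinfo=timezone.utc),
    ),
    "intuit_payroll": (
        "From: Tagged <Tagged@taggedmail.com>\n"
        "Subject: Payroll Account Holded by Intuit\n"
        "Date: Tue, 9 Apr 2013 11:21:18 -0430\n\n"
        "We cancelled your payroll.\nRegards,\nIntuit Payroll Services\n",
        datetime(2013, 4, 9, 16, 0, tzinfo=timezone.utc),
    ),
}

if __name__ == "__main__":
    for name, (raw, received) in SAMPLES.items():
        print(name, triage(raw, received))
```

The brand check deliberately looks only at the subject and body, not at the From display name, because the display name is attacker-controlled and is exactly what these campaigns forge ("Coral Randolph via LinkedIn"); the sending domain can be forged too, which is why these findings are triage signals to combine with SPF/DKIM results rather than verdicts on their own.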


#919 AplusWebMaster


Posted 10 April 2013 - 10:14 AM

FYI...

Massive Google scam sent by email to Colombian domains
- https://isc.sans.edu...l?storyid=15586
Last Updated: 2013-04-10 21:01:28 UTC - "... supposedly good news from a resume they sent to google looking for open positions:
> https://isc.sans.edu...ages/diary1.png
... The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized by VirusTotal with a 40/46 detection ratio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.c...key=153521#none and the backdoor description can be found at http://home.mcafee.c...aspx?key=100938 ... people complained about very slow internet links without performing any download operations. If you were affected by this malware, please keep in mind the following recommendations:
- Do not *ever* open attachments from not reliable sources, especially zipped files that have inside exe files. Nothing good can come from it.
- Do not disable any security controls inside your computer like host IPS, antivirus and personal firewall. If you require to work with software that is blocked by any of these controls and there is no way to enable it through them, it is definitely something you should consider not to use.
- Malware can control your machine and handle your machine as desired, affecting confidentiality, integrity, availability, traceability and non repudiation of your information. Avoid performing actions that could materialize such risks like dealing with p2p software."
___

Malware sites to block 10/4/13
- http://blog.dynamoo....lock-10413.html
10 April 2013 - "These domains and IPs are associated with the Amerika gang and are related to this spam run*. Blocking them would be prudent.
46.4.150.96/27
46.161.0.235
93.170.130.241
..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....lware-spam.html
___

Fake credit line SPAM / judianko .ru
- http://blog.dynamoo....as-changed.html
10 April 2013 - "I haven't seen this one before. It leads to malware on judianko.ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 10 April 2013 14:24
Subject: Re: Your credit line percent was changed.
We apologize, but we must raise percent of your credit line up to 22,5%. We would be like to make it lower, but the situation on the market today is not so good, because of it we can not handle other way.
Under this link you can view a details about changing of contract


The link goes through a legitimate but hacked site to [donotclick]judianko .ru:8080/forum/links/column.php (report here*) hosted on:
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
185.5.185.129
188.65.178.27
..."
* http://urlquery.net/....php?id=1915010
... Detected suspicious URL pattern... Blackholev2 redirection successful 188.65.178.27

Screenshot: https://gs1.wac.edge...79cq1qz4rgp.png
___

Fake BBB SPAM / jamiliean .ru
- http://blog.dynamoo....amilieanru.html
10 April 2013 - "This fake BBB spam leads to malware on jamiliean .ru:
From: Habbo Hotel [mailto:auto-contact @habbo .com]
Sent: 10 April 2013 00:17
Subject: Re: Better Business Bureau Complaint
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)
to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
CHRISTI REAGAN
Dispute Counselor
Better Business Bureau


There is an attachment BBB-Complaint-US39824.htm with a malicious payload at [donotclick]jamiliean .ru:8080/forum/links/column.php. Associated payload, IPs and domains are the same as this attack* also running today."
* http://blog.dynamoo....as-changed.html

Screenshot: https://gs1.wac.edge...6Jcz1qz4rgp.png
___

Fake Verizon Wireless SPAM / jamtientop .ru
- http://blog.dynamoo....mtientopru.html
10 Apr 2013 - "This fake Verizon Wireless spam leads to malware on jamtientop .ru:
Date: Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
From: DorianBottom @hotmail .com
Subject: Verizon Wireless
IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.
Your account No. ending in 1332
Dear Client
For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.
Please browse your informational message for more details relating to your new transaction.
Open Information Message
In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.
Thank you for joining us. My Verizon is laso works 24 hours 7 days a week to assist you with:
Viewing your utilization
Upgrade your tariff
Manage Account Members
Pay for your bill
And much, much more...
© 2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325
We respect your privacy. Please browse our policy for more information


The link goes through a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
..."
* http://urlquery.net/....php?id=1919123
... Detected suspicious URL pattern... Blackholev2 redirection 185.5.185.129

Screenshot: https://gs1.wac.edge...QaTS1qz4rgp.png

:ph34r: <_<

Edited by AplusWebMaster, 11 April 2013 - 09:57 AM.

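Post #916 notes that HostNOC sub-allocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to the party behind the fake pharmacy pages, and the posts that follow publish blocklists mixing single IPs with CIDR ranges (46.4.150.96/27 in the 10/4/13 list), while every .ru payload URL ends in the same :8080/forum/links/column.php path that urlquery flags as a Blackhole 2 landing page. The script below is an added example, not code from the thread or from dynamoo: it consolidates those entries with Python's ipaddress module and runs them, together with the landing-path pattern, over a constructed proxy log. The log format ("timestamp client dest_ip url") and the sample lines are assumptions; the hostnames are defanged with [.] as the thread does.

```python
import ipaddress
import re

# Blocklist entries as posted in the dynamoo lists quoted above: single IPs and CIDRs mixed,
# exactly the form a defender would paste into a firewall or proxy denylist.
BLOCKLIST_ENTRIES = [
    "184.82.155.16/29",   # HostNOC sub-allocation serving the accooma.org pages (post #916)
    "72.167.254.194", "80.246.62.143", "91.191.170.26", "93.187.200.250",
    "94.103.45.34", "208.94.108.238",
    "185.5.185.129", "188.65.178.27",
    "46.4.150.96/27", "46.161.0.235", "93.170.130.241",
]

# Landing-page path shared by every .ru payload URL in these posts.
LANDING_PATH_RE = re.compile(r":8080/forum/links/column\.php", re.IGNORECASE)


def compile_blocklist(entries):
    """Parse mixed IP/CIDR strings into a collapsed list of ip_network objects."""
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def range_bounds(cidr):
    """First and last address covered by a CIDR block, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def ip_is_blocked(ip, nets):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scan_proxy_log(lines, nets):
    """Flag log lines whose destination IP or URL matches the indicators.

    Assumed (constructed) log format: "<timestamp> <client> <dest_ip> <url>".
    Returns a list of (timestamp, client, dest_ip, url, reasons) tuples.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; a real pipeline would count these
        ts, client, dest_ip, url = parts[:4]
        reasons = []
        try:
            if ip_is_blocked(dest_ip, nets):
                reasons.append("blocklisted-ip")
        except ValueError:
            reasons.append("unparseable-ip")
        if LANDING_PATH_RE.search(url):
            reasons.append("blackhole-landing-path")
        if reasons:
            hits.append((ts, client, dest_ip, url, reasons))
    return hits


# Constructed sample log (not real traffic); destinations reuse IPs from the posts,
# plus a benign line (93.184.216.34) and a payload path on an unlisted IP.
SAMPLE_LOG = [
    "2013-04-10T14:31:02Z 10.0.0.12 185.5.185.129 http://judianko[.]ru:8080/forum/links/column.php",
    "2013-04-10T14:31:05Z 10.0.0.12 93.184.216.34 http://www.example.com/index.html",
    "2013-04-06T09:12:44Z 10.0.0.7 184.82.155.20 http://classic-pharmacy[.]com/",
    "2013-04-10T15:02:10Z 10.0.0.9 46.4.150.100 http://host.example/login",
    "2013-04-10T15:03:11Z 10.0.0.9 198.51.100.23 http://jundaio[.]ru:8080/forum/links/column.php",
]

if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST_ENTRIES)
    print("184.82.155.16/29 covers", range_bounds("184.82.155.16/29"))
    for hit in scan_proxy_log(SAMPLE_LOG, nets):
        print(hit)
```

The last sample line is the reason to match on the path as well as the IP: the posts show the same column.php landing page moving between hosters (GoDaddy, Netdirekt, Far-Galaxy, Melbourne Server Hosting) from one day to the next, so an IP-only blocklist lags the campaign while the URL pattern keeps catching it.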


#920 AplusWebMaster


Posted 11 April 2013 - 10:11 AM

FYI...

Fake Changelog SPAM / juliaroberzs .ru
- http://blog.dynamoo....aroberzsru.html
11 Apr 2013 - "This spam leads to malware on juliaroberzs .ru:
Date: Thu, 11 Apr 2013 02:46:13 +0100
From: Mayola Phipps via LinkedIn [member@linkedin.com]
Subject: Re: changelog UPD.
Attachments: changelog.htm
Good morning,
as promised changelog is attached (Internet Explorer format)


The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs .ru:8080/forum/links/column.php (report here*) hosted on some familiar IPs**:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
..."
* http://urlquery.net/....php?id=1927055
... Detected suspicious URL pattern... Blackhole 2 Landing Page
** http://blog.dynamoo....mtientopru.html
___

Malicious Xanga Spam
- http://threattrack.t...ious-xanga-spam
11 Apr 2013 - "Subjects Seen:
Gracelyn [removed] is your new friend!
Typical e-mail details:
Hey [removed]!
Now that you are friends with Gracelyn, you can:
• Share a memory of Gracelyn
• Post on Gracelyn’s Chatboard
• More…
Have fun!
The Xanga Team


Malicious URLs
degsme .lv/settingss.htm
janasika .ru:8080/forum/links/column.php


Screenshot: https://gs1.wac.edge...LAQw1qz4rgp.png
___

Fake UPS SPAM / juliamanako .ru
- http://blog.dynamoo....iamanakoru.html
11 Apr 2013 - "This fake UPS spam leads to malware on juliamanako .ru:
Date: Thu, 11 Apr 2013 11:58:33 -0300 [10:58:33 EDT]
From: Aida Tackett via LinkedIn [member@linkedin.com]
Subject: United Postal Service Tracking Nr. H9544862721
Your USPS CUSTOMER SERVICES for big savings! Can't see images? CLICK HERE.
UPS - UPS Customer Services
UPS UPS SUPPORT 56
UPS - UPS MANAGER 67 >> UPS - UPS SUPPORT 501
Already Have an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your Account Now >>
UPS - UPS Customer Services
Good day, [redacted].
DEAR CONSUMER , We were not able to delivery the postal package
Track your Shipment now!
Pack it. Ship ip. No calculating , UPS .com Customer Services.
Shipping Tracking Calculate Time & Cost Open an Account
@ 2011 United Parcel Service of America, Inc. USPS Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS .COM marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
USPS Services, 04 Glenlake Parkway, NE - Atlanta, GA 30324
Attn: Customer Communications Department


The link goes through a legitimate -hacked- site to a malicious landing page at [donotclick]juliamanako .ru:8080/forum/links/column.php hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)
Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
..."
___

Malicious QuickBooks Overdue Payment SPAM
- http://threattrack.t...ue-payment-spam
April 11, 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 04/11/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Rusty Coffey


Screenshot: https://gs1.wac.edge...Ri9P1qz4rgp.png

Also: http://security.intu.../alert.php?a=79
Last updated 4/11/2013

:ph34r: <_<

Edited by AplusWebMaster, 11 April 2013 - 03:17 PM.



#921 AplusWebMaster


Posted 12 April 2013 - 08:02 AM

FYI...

Fake American Airlines emails lead to malware
- http://blog.webroot....ead-to-malware/
April 12, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails impersonating American Airlines in an attempt to trick its customers into thinking that they’ve received a download link for their E-ticket. Once they download and execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....engineering.png
... Detection rate for the malicious executable: MD5: f17ee7f9a0ec3d7577a148ae79955d6a * ... Mal/Weelsof-D..."
(Long list of malware C&C IP's available at the webroot URL above.)
* https://www.virustot...7d3ac/analysis/
File name: f17ee7f9a0ec3d7577a148ae79955d6a
Detection ratio: 27/46
Analysis date: 2013-04-11
___

Chase Bank Credentials Phish
- http://threattrack.t...edentials-phish
April 12, 2013 - "Subjects Seen:
Chase Online: Site Maintenance Notification
Typical e-mail details:
Dear Customer:
As part of our commitment to protecting the security of your account, we routinely verify online profile details. We’re writing you to confirm your Chase account details.
Your account security is important to us, so we appreciate your prompt attention to this matter. Attached is a form to help complete this process. Download the form and follow the instructions.
We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
Sincerely,
Jennifer Myhre
Senior Vice President
Chase Consumer Banking


Malicious URLs
myasfalisi .gr/images/sampledata/chase.js

Screenshot: https://gs1.wac.edge...6iGe1qz4rgp.png
___

Malicious Wells Fargo Wire Transfer Spam
- http://threattrack.t...e-transfer-spam
April 12, 2013 - "Subjects Seen:
International Wire Transfer File Not Processed
Typical e-mail details:
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 04/12/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: [removed]
Date/Time Stamp: Fri, 12 Apr 2013 12:44:47 -0500


Malicious URLs
94.32.66.114 /ponyb/gate.php
116.122.158.195 :8080/ponyb/gate.php
embryo-india .com/24gwq.exe


Screenshot: https://gs1.wac.edge...oQum1qz4rgp.png

:ph34r: <_<

Edited by AplusWebMaster, 12 April 2013 - 02:20 PM.



#922 AplusWebMaster


Posted 15 April 2013 - 08:51 AM

FYI...

Malicious PayPal Receipt Spam
- http://threattrack.t...pal-recipt-spam
April 15, 2013 - "Subjects Seen:
Receipt for your PayPal payment to [removed]
Typical e-mail details:
Hello,
You sent a payment of $149.49 USD to [removed] ([removed])
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.


Malicious URLs
matsum .info/wp-content/plugins/akismet/wp-status.php?1HJN2KC56FN7C
lacunanotifies .net/closest/incomming_message.php


Screenshot: https://gs1.wac.edge...S1Ce1qz4rgp.png
___

Malicious USPS Delivery Failure Spam
- http://threattrack.t...ry-failure-spam
April 15, 2013 - "Subjects Seen:
USPS delivery failure report
Typical e-mail details:
Notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: [removed]
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.


Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
serw.myroitracking .com/24gwq.exe


Screenshot: https://gs1.wac.edge...NDsw1qz4rgp.png
___

Bank of America Credentials Phish
- http://threattrack.t...edentials-phish
April 15, 2013 - "Subjects Seen:
Please confirm your information
Typical e-mail details:
We have decided to put an extra verification process to ensure your identity and your account security.
Please click here to continue the verification process and ensure your account security.


Malicious URLs
safe.bankofamerica .logon.canadapenfund.ca/
- 216.227.221.247*

Screenshot: https://gs1.wac.edge...toUs1qz4rgp.png

* http://urlquery.net/....php?id=2023194

Diagnostic page for AS15244 (ADDD2NET)
- https://www.google.c...c?site=AS:15244
"Of the 23067 site(s) we tested on this network over the past 90 days, 1138 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-04-15, and the last time suspicious content was found was on 2013-04-15... Over the past 90 days, we found 173 site(s) on this network... that appeared to function as intermediaries for the infection of 516 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 157 site(s)... that infected 602 other site(s)..."
___

Boston Marathon SPAM ...
- https://isc.sans.edu...l?storyid=15611
Apr 15, 2013 - "Please send any spam (full headers), URLs or other suspicious content scamming off Boston Marathon explosions to handlers@sans.org"
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake USPS Delivery Failure Notification E-mail Messages - 2013 Apr 15
Fake Tax Refund Notification E-mail Messages - 2013 Apr 15
Fake Product Quotation Document E-mail Messages - 2013 Apr 15
Fake Product Inquiry With Attached Sample Design E-mail Messages - 2013 Apr 15
Fake Portuguese Account Regularization Notification E-mail Messages - 2013 Apr 15
Fake Wire Transfer Notification E-mail Messages - 2013 Apr 15
Fake Western Union Money Compensation Notification E-mail Messages - 2013 Apr 15
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Apr 15
Fake Italian Malicious Link E-mail Messages - 2013 Apr 15
Fake Tax Return Submission Notification E-mail Messages - 2013 Apr 15
Fake Credentials Reset Notification E-mail - 2013 Apr 15
Fake Purchase Order Notification E-mail Messages - 2013 Apr 15
Fake Bill Notification E-mail Messages - 2013 Apr 15
Fake Document Sharing E-mail Messages - 2013 Apr 15
(Links and more detail at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 16 April 2013 - 03:28 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#923 AplusWebMaster


Posted 16 April 2013 - 01:51 PM

FYI...

Fake "Fiserv Secure Email Notification" spam
- http://blog.dynamoo....ation-spam.html
April 16, 2013 - "This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.
From: Fiserv Secure Notification [mailto:secure.notificationi@fiservi.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5
You have received a secure message
Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - KsUs3Z921mA
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.


In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).
At the time of writing, VirusTotal results are just 5/46*. The Comodo CAMAS report is here**, the ThreatExpert report here***... seems to be a Zbot variant.
The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)
Recommended blocklist:
"
* https://www.virustot...sis/1366120267/
File name: Case_Fiserv_04162013.exe
Detection ratio: 5/46
Analysis date: 2013-04-16 13:51:07 UTC
** http://camas.comodo....a2e921c5b071764
*** http://www.threatexp...ce7562d7b0564f9
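The Fiserv spam above and the "PAYVE - Remit file" American Express spam reported later in this thread share one shape: a ZIP attachment holding an executable whose file name encodes the send date, and (in the Fiserv case) the archive password printed in the message body. As an added example that is not code from the forum post or from the blogs it quotes, here is a Python mail-gateway check for that pattern; the .eml and the ZIP headers are constructed inline from the quoted samples, and the scoring rule is my own assumption.

```python
# Added example (not from the forum post or the blogs it quotes): a mail-gateway
# check for the attachment pattern seen in the "Fiserv Secure Email Notification"
# and "PAYVE - Remit file" spams: a ZIP carrying an executable whose name encodes
# the send date, with (Fiserv case) the archive password printed in the body.
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# "To decrypt the message use the following password - KsUs3Z921mA"
PASSWORD_RE = re.compile(r"password\s*[-:]\s*([A-Za-z0-9]{6,})", re.I)
# MMDDYYYY run as in Case_Fiserv_04162013.exe / CD0199381-04192013.exe
DATE_RE = re.compile(r"(?<!\d)(\d{2})(\d{2})(20\d{2})(?!\d)")


def date_stamped(name: str) -> bool:
    """True when the file name carries a plausible MMDDYYYY date."""
    m = DATE_RE.search(name)
    return bool(m) and 1 <= int(m.group(1)) <= 12 and 1 <= int(m.group(2)) <= 31


def build_sample_zip(member_name: str, encrypted: bool, size: int = 40) -> bytes:
    """Constructed test archive: one 'stored' entry, optionally marked with the
    traditional PKZIP encryption flag (bit 0).  Only the headers matter to the
    check, because member names stay in clear text even when the data is
    encrypted, so the payload bytes are filler (CRC and timestamps left at 0)."""
    name = member_name.encode()
    flags = 0x1 if encrypted else 0
    payload = b"\x00" * size
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0, 0,
                        size, size, len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          0, size, size, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_message(body: str, zip_name: str, zip_bytes: bytes) -> bytes:
    """Constructed .eml: plain-text body plus one ZIP attachment (sender taken
    from the quoted Fiserv sample)."""
    msg = EmailMessage()
    msg["From"] = "Fiserv Secure Notification <secure.notificationi@fiservi.com>"
    msg["Subject"] = "Fiserv Secure Email Notification - CC3DK9WJW8IG0F5"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def analyse_message(raw: bytes) -> dict:
    """Score one message.  'block' needs an executable inside a ZIP plus at least
    one of: archive encrypted, password printed in the body, date-stamped name
    (threshold is an assumption, not from the source)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    f = {"encrypted": False, "password": None, "executables": [], "date_stamped": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue  # damaged or fake archive: not this pattern
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                f["encrypted"] = True
            if info.filename.lower().endswith(EXEC_EXT):
                f["executables"].append(info.filename)
                f["date_stamped"] |= date_stamped(info.filename)
    m = PASSWORD_RE.search(text)
    f["password"] = m.group(1) if m else None
    hits = f["encrypted"] + (f["password"] is not None) + f["date_stamped"]
    f["verdict"] = "block" if f["executables"] and hits else ("review" if f["executables"] else "pass")
    return f


if __name__ == "__main__":
    fiserv = build_message(
        "Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.\n"
        "To decrypt the message use the following password - KsUs3Z921mA\n",
        "Case_CC3DK9WJW8IG0F5.zip", build_sample_zip("Case_Fiserv_04162013.exe", encrypted=True))
    print(analyse_message(fiserv))
```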
___

Malicious American Airlines Spam Continues
- http://threattrack.t...-spam-continues
April 16, 2013 - "Subjects Seen:
Your order has been completed
Order #[removed]

Typical e-mail details:
Customer Notification
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should Download It .


Malicious URLs
caprica-toysncomics .com/components/.a9iifi.php?request=ss00_323
caprica-toysncomics .com/components/.a9iifi.php?ticket=844_220641690


Screenshot: https://gs1.wac.edge...uTUq1qz4rgp.png
___

Malicious NACHA, ACH Transfer Spam
- http://threattrack.t...h-trasnfer-spam
April 16, 2013 - "Subjects Seen:
Your ACH transfer
Typical e-mail details:
The ACH process (ID: [removed]), recently requested from your checking account (by you), was rejected by the recepient’s bank.

Malicious URLs
glanvillechiro .com/wp-content/themes/toolbox/achadetails.html
squirrelguide .com/complaints/was_government-devices.php


Screenshot: https://gs1.wac.edge...LxuS1qz4rgp.png
___

Fake Boston Marathon Scams - Update
- https://isc.sans.edu...l?storyid=15617
2013-04-16

:ph34r: <_<

Edited by AplusWebMaster, 16 April 2013 - 03:36 PM.



#924 AplusWebMaster


Posted 17 April 2013 - 05:56 AM

FYI...

Fake Boston Marathon SPAM / askmeaboutcctv .com
- http://blog.dynamoo....outcctvcom.html
17 April 2013 - "This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv .com:
Sample 1:
From: Graham Jarvis [mailto:alejandro.alfonzo-larrain @tctwest .net]
Sent: 17 April 2013 09:49
Subject: Video of Explosion at the Boston Marathon 2013
hxxp:||61.63.123.44/news .html
Sample 2:
From: Sally Rasmussen [mailto:artek33 @risd .edu]
Sent: 17 April 2013 09:49
To: UK HPEA 2
Subject: Aftermath to explosion at Boston Marathon
hxxp:||190.245.177.248/news .html


(Note that the payload links have been lightly obfuscated, don't click them).
If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv .com/wmiq.html (report here*) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.
* http://urlquery.net/....php?id=2044081
... RedKit applet + obfuscated URL...
more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
[donotclick]46.233.4.113 /boston.html
[donotclick]37.229.92.116 /boston.html
[donotclick]188.2.164.112 /news.html
[donotclick]109.87.205.222 /news.html
I would advise blocking these IPs and domains. Be vigilant against this kind of attack, also bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way."

- http://blog.dynamoo....n-marathon.html
17 April 2013 - "Earlier today I reported some Boston Marathon themed spam and since then I have seen more malicious landing pages on -hacked- legitimate sites as follows (don't click those links, obviously):
hxxp :||46.233.4.113 /boston.html
96.125.163.122 (WebsiteWelcome.com, US) ...
hxxp :||190.245.177.248 /news.html
184.172.168.32 (WebsiteWelcome.com, US)...
hxxp :||95.87.6.156 /boston.html
50.22.194.64 (WebsiteWelcome.com, US)...
69.56.174.178 ...
This situation has been reported to HostGator / WebsiteWelcome who are investigating..."
(More detail at the dynamoo URL above.)

Sample screenshot: https://gs1.wac.edge...VPcg1qz4rgp.png
___

KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast
- http://blog.trendmic...marathon-blast/
April 16, 2013 11:52 pm (UTC-7) - "... a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013" to name a few. Below is a spam sample she found:
> http://blog.trendmic..._blast_fig1.png
The spammed message only contains the URL... but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here’s a screenshot of the web page with the embedded video:
> http://blog.trendmic..._blast_fig2.png
... Aside from the spam sample discussed earlier, we also found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.
> http://blog.trendmic..._blast_fig6.png
... a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief."
___

Boston Marathon bombings used to spread malware
- https://www.net-secu...ews.php?id=2469
April 17, 2013 - "... the Boston Marathon bombings have become an effective lure in the hands of cyber scammers and malware peddlers. Kaspersky Lab researchers are warning about spam emails* offering nothing more than a simple link to a web page that contains URLs of non-malicious YouTube videos about the attacks. Unfortunately, after 60 seconds, another link is activated, and this one leads to a malicious executable:
> https://www.net-secu...xe-17042013.jpg
The file offered for download is a variant of the Tepfer info-stealer Trojan, which phones home to a number of IP addresses in Ukraine, Argentina and Taiwan... don't follow links or download files delivered via unsolicited emails or messages sent via popular social media sites and IM services. Your best bet is to check out reputable news sites for information."
* https://www.secureli...oston_Aftermath
___

Fake BBB SPAM / janariamko .ru
- http://blog.dynamoo....nariamkoru.html
17 Apr 2013 - "After a few quiet days on the RU:8080 spam front it has started again..
Date: Wed, 17 Apr 2013 20:18:14 +0800
From: "Better Business Bureau" [guttersnipeg792 @ema1lsv100249121 .bbb.org]
Subject: Better Business Beareau accreditation Terminated 64A488W04
Case N. 64A488W04
Respective Owner/Responsive Person:
The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.
We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
bbb .org/business-claims/customercare/report-65896564
If you think you got this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Gabriel Reyes - Online Communication Specialist
bbb.org - Start With Trust


The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here*) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
..."
* http://urlquery.net/....php?id=2048054
... Blackholev2 redirection successful 93.187.200.250
___

Another BBB spam run / freedblacks .net
- http://blog.dynamoo....dblacksnet.html
17 Apr 2013 - "Another BBB spam run today, although this time not an RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau" which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks .net.
Date: Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
From: BBB [bridegroomc @m.bbb .org]
Subject: Better Business Beareau accreditation Cancelled P5088819
Case No. P5088819
Respective Owner/Responsive Person:
The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
http://www.bbb .org/business-claims/customercare/report-02111671
If you think you recieved this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Ian Wilson - Online Communication Specialist
bbb.org - Start With Trust


The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here*) hosted on the following IPs:
65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
Blocklist:
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60
..."
* http://wepawet.isecl...c...729&type=js
___

Fake CNN .com Boston Marathon SPAM / thesecondincomee .com
- http://blog.dynamoo....athon-spam.html
17 Apr 2013 - "This Boston Marathon themed spam leads to malware on thesecondincomee .com:
Example 1:
Date: Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From: CNN Breaking News [BreakingNews@mail.cnn.com]
Subject: Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail .cnn .com:
Click the following to access the sent link:
Boston Marathon Explosions - Obama Benefits? - CNN.com*
SAVE THIS link FORWARD THIS link
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

Example 2:
Date: Wed, 17 Apr 2013 22:32:56 +0600
From: behring401 @mail .cnn .com
Subject: Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail .cnn .com:
Click the following to access the sent link:
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here


Screenshot: https://lh3.ggpht.co.../cnn-boston.png
The malicious payload is at [donotclick]thesecondincomee .com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
The recommended blocklist is the same as used in this earlier attack*."
* http://blog.dynamoo....dblacksnet.html

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 17 April 2013 - 01:42 PM.



#925 AplusWebMaster


Posted 18 April 2013 - 07:50 AM

FYI...

Malicious Texas Explosion SPAM
- http://blog.dynamoo....-near-waco.html
18 April 2013 - "As I suspected, this didn't take long. This spam is a retread of yesterday's Boston Marathon spam.
From: Maria Numbers [mailto:tjm7 @deco-club .ru]
Sent: 18 April 2013 11:51
To: UK HPEA 3
Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
hxxp :||83.170.192.154 /news.html


At the moment the payload site is [donotclick]bigmovies777 .sweans .org/aoiq.html (report here* but site appears b0rked) but it seems to rotate every hour or so to a new domain. Almost all the domains I have seen are -hacked- legitimate sites hosted by WebsiteWelcome. If you click through you get five genuine embedded YouTube videos plus a malware IFRAME that looks a bit like this:
> https://lh3.ggpht.co...s-explosion.jpg
The Boston Marathon spam led to a RedKit exploit kit, this probably does too. Given the ever-changing nature of the malware landing page, this one is rather difficult to stop. Advising your user population of the risk may be prudent.
Sample subjects:
CAUGHT ON CAMERA: Fertilizer Plant Explosion
CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
Raw: Texas Explosion Injures Dozens
Texas Explosion Injures Dozens..."
* http://urlquery.net/....php?id=2061326
___

Malicious West, TX Explosion Spam
- http://threattrack.t...-exploison-spam
18 April 2013 - "Subjects Seen:
West Tx Explosion
Video footage of Texas explosion

Typical e-mail details:
182.235.147.164 /texas.html

Malicious URLs
182.235.147.164 /texas.html
78.90.133.133 /news.html


Screenshot: https://gs1.wac.edge...bBze1qz4rgp.png
___

Malicious Secure Message Spam
- http://threattrack.t...re-message-spam
18 April 2013 - "Subjects Seen:
New Secure Message Received from [removed]
Typical e-mail details:
Greetings [removed],
You have received a new secure message from [removed].
If you are using the Secure Message Plugin in Outlook Messamnger this message will be in your SecureMSG Folder.
If you are NOT using the Secure Message Plugin, you are able to view it at csiweb.com/[removed] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
Thank You,
CSIeSafe


Malicious URLs
klamzi .hu/csisecurmsg.html?id=8757234110
sub.newwaysys .com/complaints/rush-lacked_whereby.php


Screenshot: https://gs1.wac.edge...LRZF1qz4rgp.png
___

Texas and Boston Blasts SPAM
- http://www.hotforsec...waves-5973.html
April 18, 2013 - "The blasts that killed 15 people and injured 160 at a Texas fertilizer plant yesterday triggered a global wave of malicious spam today, even as the internet is still infested with spam messages that exploit the Boston Marathon bombings to spread password-stealing malware... based on a sample pool of 2 million unsolicited e-mails, turned up hundreds of thousands of spam messages that had been altered at the last minute to promise breaking news, graphic videos and more related to the Boston Marathon attacks. In the spam wave, Bitdefender found spam harboring a component of the infamous Red Kit exploit pack. Threats downloaded by RedKit include Trojan.GenericKDZ.14575, a password stealer that grabs users’ account passwords. It also watches the network traffic of the infected machine by dropping three legitimate WinPcap components, some of which were reported to also steal bitcoin wallets and send e-mails. The same criminal group that launched the Boston spam has apparently changed the subject tag line to read: Fertilizer Plant Explosion Near Waco, Texas, Texas Explosion Injures Dozens, West Tx Explosion, Raw: Texas Explosion Injures Dozens, Caught on Camera: fertilizer Plant Explosion Near Waco, Texas. They replaced the ending of the malicious URL with “texas.html” but kept the e-mail format, the compromised domains, the modus operandi, and the RedKit.
Screenshot 1: http://www.hotforsec...pam-Waves_1.png
... Users who click the URLs land on a website displaying YouTube videos on the Texas plant blast while, in the background, a component of RedKit downloads malicious software.
Screenshot 2: http://www.hotforsec...Spam-Waves2.png
... be cautious and avoid opening e-mails promising exclusive videos about the blast – and never click on the included links..."
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake ADP Payroll Invoice Notification E-mail Messages - 2013 Apr 18
Fake Digital Certificate Notification E-mail Messages - 2013 Apr 18
Fake Lawsuit Documents Attachment E-mail Messages - 2013 Apr 18
Fake PayPal Notification E-mail Messages - 2013 Apr 18
Fake Payment Request Notice E-mail Messages on Messages - 2013 Apr 18
Fake Tax Document Submission Notification E-mail Messages - 2013 Apr 18
Malicious Attachment E-mail Messages - 2013 Apr 18
Scanned Document Attachment E-mail Messages - 2013 Apr 18
(Links and more detail available at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 19 April 2013 - 04:51 AM.



#926 AplusWebMaster


Posted 19 April 2013 - 05:16 AM

FYI...

Fake Facebook scam leads to Fake Flash Player...
- http://blog.trendmic...ke-adobe-flash/
April 19, 2013 - "Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.
> https://blog.trendmi...bookprofile.png
... we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead led to this site:
> http://blog.trendmic...cebook-page.jpg
From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If the user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US. Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message). Also, TROJ_EXTADB.US was found to send and receive information from certain URLs... cybercriminals and other bad guys out there are using the platform to launch their schemes. From threats that may steal your credit card information to garden-variety scams, users must always be careful with their social media accounts. Always be wary when clicking links, even if they are from your contact or friends..."
___

Fake American Express SPAM / CD0199381.434469398992.zip
- http://blog.dynamoo....press-spam.html
19 Apr 2013 - "This fake American Express spam comes with a malicious attachment:
Date: Fri, 19 Apr 2013 08:29:52 -0500 [09:29:52 EDT]
From: "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
Subject: PAYVE - Remit file
Part(s): 2 CD0199381.434469398992.zip [application/zip]
A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (CD0199381.434469398992.zip).
- The remittance file contains invoice information passed by your buyer. Please
contact your buyer
for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account
according to the
terms of your American Express merchant agreement and may be combined with other
American Express deposits.
For additional information about Deposits, Fees, or your American Express merchant
agreement:
Contact American Express Merchant Services at 1-800-528-8782 Monday to Friday,
8:00 AM to 8:00 PM ET. - You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount
or call us at 1-866-220-6634, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.
Copyright 2013 American Express Company...


There is an attachment CD0199381.434469398992.zip containing a file CD0199381-04192013.exe [note the date is encoded in the file]. VirusTotal results for that file are just 6/46*. ThreatExpert reports** that the malware communicates with the following servers:
mail.yaklasim .com (212.58.4.13: Doruknet, Turkey)
autoservicegreeley .com (198.100.45.44: A2 Hosting, US)
This malware shares some characteristics with this attack***.
Blocklist:
198.100.45.44
212.58.4.13
..."
* https://www.virustot...sis/1366379362/
File name: CD0199381-04192013.exe
Detection ratio: 6/46
Analysis date: 2013-04-19
** http://www.threatexp...4622e9e5277ffce
*** http://blog.dynamoo....ation-spam.html

:ph34r: <_<

Edited by AplusWebMaster, 19 April 2013 - 11:33 AM.



#927 AplusWebMaster


Posted 22 April 2013 - 05:52 AM

FYI...

Twitter malware...
- https://www.trusteer...than-just-ideas
April 22, 2013 - "... With 288 million active users, Twitter is the world's fourth-largest social network. So it’s no surprise that Twitter is also being used for spreading malware... recently identified an active configuration of TorRAT targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market. However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry. The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim... This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguise the underlying URL address, so that followers have no way of knowing if the link is suspicious... it is quite possible that these URLs lead to malicious webpages. If so, when the browser renders the webpage’s content an exploit can silently download the malware to the user’s endpoint (a drive-by download)..."
___

Malicious DHL Spam
- http://threattrack.t...icious-dhl-spam
April 22, 2013 - "Subjects Seen:
Tracking Info
Shipping Detail
Order Detail

Typical e-mail details:
DHL Ship Shipment Notification
On April 18, 2013 a shipment label was printed for delivery.
The shipment number of this package is 81395268.
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
2) Enter the shipment number on tracking page:
Tracking Page
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.


Malicious URLs
honoredstudents .org/images/index.php?info=841_139088422
eumpharma .com/images/index.php?get_info=ss00_323
sman4-tanjungpinang.sch .id/images/index.php?get_info=ss00_323


Screenshot: https://gs1.wac.edge...l9FL1qz4rgp.png
___

Malware sites to block 22/4/13
- http://blog.dynamoo....lock-22413.html
22 April 2013 - "These domains form part of a large Kelihos botnet described over at Malware Must Die* and which is related to the recent Boston Marathon** and Texas Fertilizer Plant spam*** runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active (there are a large number of subdomains). Monitoring for these may reveal Kelihos activity on your network..."
(Long list at the dynamoo URL above.)

* http://malwaremustdi...-following.html

** http://blog.dynamoo....outcctvcom.html

*** http://blog.dynamoo....-near-waco.html
___

Telstra Bill Account Update Phishing Scam
- http://www.hoax-slay...hing-scam.shtml
April 22, 2013 - "... Detailed Analysis: This email, which purports to be from Australian telecommunications giant, Telstra, informs the recipient that the company was unable to process a recent bill payment. The email claims that, unless the account holder follows a link in the message to confirm and update billing information, his or her Telstra service may be interrupted. The email arrives complete with the Telstra logo and a seemingly genuine Telstra sender address. However, the email is certainly -not- from Telstra and the information about a payment problem is a lie. In reality, the email is a phishing scam designed to trick Telstra customers into handing over their personal and financial information to Internet criminals. The link in the phishing scam email is disguised to make it appear that it leads to the genuine Telstra site. The sender address of the email is also disguised in such a way that it appears to have originated from Telstra... Telstra (or BigPond) will -never- send customers unsolicited emails* requesting them to provide financial and personal information via links in the message..."
* https://help.telstra...tail/a_id/17020
___

Fake "Loss Avoidance Alerts" SPAM / tempandhost .com
- http://blog.dynamoo....lerts-spam.html
22 April 2013 - "I haven't seen this particular spam before. It leads to malware on tempandhost .com:
Date: Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From: personableop641 @swacha .org
Subject: 4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet
Loss Avoidance Alert System
April 22, 2013
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available on a secure website at:
www.lossavoidancealert .org
http ://www.lossavoidancealert .org
Alerts:
CL0017279 – Sham Checks (ALL)
Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.
Thank you for your participation!
Loss Avoidance Alert System Administrator
This email is confidential and intended for the use of the individual to whom it is addressed. Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource. SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent. Before taking action on any information contained in this email, please consult legal counsel. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.


Screenshot: https://lh3.ggpht.co...dance-alert.png

The link in the email appears to point to www.lossavoidancealert .org but actually goes through a legitimate -hacked- site (in this case [donotclick]samadaan .com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost .com/news/done-heavy_hall_meant.php or [donotclick]tempandhost .com/news/done-meant.php (sample report here* and here**) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this***. Anyway, tempandhost .com is hosted on the following servers:
1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea) ...
Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173
..."
* http://wepawet.isecl...6...636&type=js

** http://jsunpack.jeek...001b8fb3caafe11

*** http://urlquery.net/....php?id=2111319

:ph34r: <_<

Edited by AplusWebMaster, 22 April 2013 - 07:36 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#928 AplusWebMaster

Posted 23 April 2013 - 06:35 AM

FYI...

Fake DHL SPAM / DHL-LABEL-ID-2456-8344-5362-5466.zip
- http://blog.dynamoo....-8344-5362.html
23 Apr 2013 - "This fake DHL spam has a malicious attachment.
Date: Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
From: Ramon Brewer - DHL regional manager [reports @dhl .com]
Subject: DHL DELIVERY REPORT NY73377
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global ...


Screenshot: https://lh3.ggpht.co.../s1600/dhl2.png

Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45*..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1366703919/
File name: DHL-LABEL-ID-2456-8344-5362-5466.exe
Detection ratio: 22/45
Analysis date: 2013-04-23

> http://camas.comodo....194ecd0257d185b
___

Something evil on 173.246.104.104
- http://blog.dynamoo....3246104104.html
23 April 2013 - "173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon .com/news/pint_excluded.php (report here*).
Both VirusTotal** and URLquery* detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow... I recommend that you apply the following blocklist for the time being:
173.246.104.104
(More listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=2122697
... Detected live BlackHole v2.0 exploit kit 173.246.104.104
- https://www.google.c...c?site=AS:29169

** https://www.virustot...04/information/
___

Fake CareerBuilder SPAM / CB_Offer_04232013_8817391.zip
- http://blog.dynamoo....ation-spam.html
23 Apr 2013 - "This fake CareerBuilder email has a malicious attachment containing malware.
Date: Tue, 23 Apr 2013 11:13:54 -0700 [14:13:54 EDT]
From: CareerBuilder [Herman_Gallagher @careerbuilder .com]
Subject: CareerBuilder Notification
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe®Reader® can be downloaded from the following URL: http ://www.adobe .com
Best wishes in your job search !
Hal_Shields
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092


The attachment CB_Offer_04232013_8817391.zip contains a file called CB_Offer_04232013_8817391.exe with an icon designed to look like a PDF file. Note that the date is encoded into the file and future variants will have a different filename. VirusTotal detections are patchy*... I'm still waiting for some sort of analysis..
MD5 924310716fee707db1ea019c3b4eca56
SHA1 2d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd
SHA256 e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5 "
* https://www.virustot...38dd5/analysis/
File name: CB_Offer_04232013_8817391.exe
Detection ratio: 19/46
Analysis date: 2013-04-24

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 23 April 2013 - 07:35 PM.



#929 AplusWebMaster

Posted 24 April 2013 - 06:28 AM

FYI...

Something evil on 151.248.123.170
- http://blog.dynamoo....8123170_24.html
24 April 2013 - "151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1*, example 2**). These domains appear to be almost all dynamic DNS domains which I would recommend blocking; I also recommend blocking the IP address. Trying to block individual domains would probably be ineffective.

Recommended blocklist:
151.248.123.170 ..."
(Long list at the dynamoo URL above.)

* http://urlquery.net/...1...4-24&max=50

** https://www.virustot...70/information/

- https://www.google.c...c?site=AS:39134
____

Fake American Express SPAM / SecureMail.zip
- http://blog.dynamoo....ss-spam_24.html
24 Apr 2013 - "Something bad happened to this spam on the way out from wherever spam emerges from. Still, it contains a malicious attachment which should be avoided.
Date: Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
From: American Express [Christian_Frey @aexp .com]
Subject: Confidential - Secure Message from AMEX
Secure Message The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-964-7890, option 3.
Representatives are available to assist you Monday through Thursday between 8:00 a.m. and
8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET. The information contained in this message may be privileged, confidential and protected from
disclosure. If the reader of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this communication is
strictly prohibited.
Thank you,
American Express 2012 American Express Company. All rights reserved...


The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46* at VirusTotal. Comodo CAMAS doesn't tell us much** except that it seems to phone home to angels-mail .com and has the following checksums:
MD5 6870fd8fd2b2bedd83e218d9e7e4de8b
SHA1 4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
SHA256 ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3
What about angels-mail .com then? Well, it looks like a legitimate domain hosted on 5.77.45.108 (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis, a copy of which can be found here [pdf***].
Recommended blocklist:
5.77.45.108
64.90.61.19
212.58.4.13
..."
* https://www.virustot...sis/1366835710/
File name: SecureMail.exe
Detection ratio: 21/46
Analysis date: 2013-04-24
** http://camas.comodo....5ca660fb2cb45e3
*** http://www.dynamoo.c...8d9e7e4de8b.pdf

Screenshot: https://gs1.wac.edge...2Q8b1qz4rgp.png
___

"New Secure Message" spam / pricesgettos .info
- http://blog.dynamoo....gettosinfo.html
24 Apr 2013 - "This spam leads to malware on pricesgettos .info:
Date: Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From: Cooper.Anderson @csiweb .com
Subject: New Secure Message Received from Cooper.Anderson @csiweb .com
New Secure Message
Respective [redacted],
You have received a new secure message from Cooper.Anderson @csiweb .com.
If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.
If you are NOT using the Secure Message Plugin, you are able to view it by clicking [redacted] to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
Sincerely Yours,
CSIe


The link displayed in the email is -fake- and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos .info/news/done-heavy_hall_meant.php (report here*) hosted on the following IPs:
1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)
Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=2157408
... Detected live BlackHole v2.0 exploit kit 203.64.101.145

:ph34r: <_<

Edited by AplusWebMaster, 24 April 2013 - 04:02 PM.

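The "displayed link is fake" pattern in the Loss Avoidance Alerts and New Secure Message posts above (anchor text naming one site while the href goes through a hacked relay to the payload host), as an added detection example that is not code from the thread or from dynamoo; the sample message and the hacked-site.example relay host are constructed, while the blocklisted hosts are the ones named in the posts above.

```python
"""Flag phishing-style links in HTML e-mail: anchor text naming one host while
the href points elsewhere, plus hrefs on hosts the thread blocklists. Added
example, not code from the thread or dynamoo; sample message is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Payload/landing hosts named in the posts above (from the thread itself).
BLOCKED_HOSTS = {"tempandhost.com", "pricesgettos.info", "angels-mail.com"}

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Lower-cased host of a URL or of a bare 'www.example.org' string."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def suspicious_links(html):
    """Return (href, reason) pairs for links a recipient should not follow."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        # Anchor text counts as a host only when it looks like one (no spaces, has a dot).
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and text_host != href_host:
            findings.append((href, f"text shows {text_host}, link goes to {href_host}"))
        elif href_host in BLOCKED_HOSTS:
            findings.append((href, "host on blocklist"))
    return findings

# Constructed sample modelled on the "Loss Avoidance Alerts" spam above.
SAMPLE = ('Alerts at <a href="http://hacked-site.example/swacha.html">'
          'www.lossavoidancealert.org</a> '
          '<a href="http://tempandhost.com/news/done-meant.php">report</a>')
```

Run `suspicious_links(SAMPLE)` to see both findings; a mail gateway rule or a user-side triage script can apply the same check to the HTML part of an incoming message before anyone clicks.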


#930 AplusWebMaster

Posted 25 April 2013 - 11:38 AM

FYI...

Malicious Wire Transfer Spam
- http://threattrack.t...e-transfer-spam
25 Apr 2013 - "Subjects Seen:
Incoming Transactions Report
Typical e-mail details:
Incoming Transactions Report
An incoming money transfer has been received by your financial institution and the funds deposited to account.
Initiated By: Fiserv Inc.
Initiated Date & Time: Thu, 25 Apr 2013 06:13:22 -0800
Batch ID: 497
Please view the attached file to review the transaction details.


Malicious URLs
lipo-exdenver .com/ponyb/gate.php
lipo-exdallas .com/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
angels-mail .com:8080/ponyb/gate.php
serw.myroitracking .com/vHn3xjt.exe
pro-sb-immobilien .de/stdwR8gb.exe


Screenshot: https://gs1.wac.edge...dpru1qz4rgp.png
___

Malicious PayPal Password Reset Spam
- http://threattrack.t...word-reset-spam
25 April 2013 - "Subjects Seen:
Reset Yoyr PayPal Password
Typical e-mail details:
Your account would stay frozen untill password reset.
How to reset your PayPal password
Hello [removed],
To get back into your PayPal account, you’ll need to create a new password.
It’s easy:
Click the link below to open a secure browser window.
Confirm that you’re the owner of the account, and then follow the instructions.


Malicious URLs
iremadze .com/wp-content/themes/toolbox/breakingnews.html
it-academy-by-student07 .ru/wp-content/themes/toolbox/breakingnews.html
sub.bestquotesnsayings .com/complaints/or_knew-passed.php
sub.bestquotesnsayings .com/complaints/or_knew-passed.php?kdvawba=mlmr&nlmepj=lwuzwkh


Screenshot: https://gs1.wac.edge...jmCg1qz4rgp.png

:ph34r: <_<

Edited by AplusWebMaster, 25 April 2013 - 02:50 PM.
