2072 replies to this topic

[AplusWebMaster]

FYI...

Fake USPS SPAM / LABEL-ID-56723547-GFK72.zip
- http://blog.dynamoo....spam-label.html
26 Apr 2013 - "This fake USPS message has a malicious attachment:
Date: Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
From: USPS client manager Lelia Holden [reports @usps .com]
Subject: USPS delivery failure report
Priority: High Priority 1
Notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGL38SHK4T
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.

There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46*.
The malicious binary has the following checksums:
MD5 df81b21e9526c571d03bc1fb189f233c
SHA1 dd2fe390e3f16a7f12786799af927f62df6754c4
SHA256 db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a
Comodo CAMAS reports** some very unusual behaviour around LDAP registry keys, not present in the Anubis report*** or ThreatExpert report****."
* https://www.virustot...sis/1366967613/
File name: LABEL-ID-56753547-GFK72.exe
Detection ratio: 7/46
Analysis date: 2013-04-26
** http://camas.comodo....81d2f4cde60590a

*** http://anubis.isecla...amp;format=html

**** http://www.threatexp...03bc1fb189f233c
___

Something evil on 193.107.16.213 / Ideal Solution Ltd
- http://blog.dynamoo....6213-ideal.html
26 April 2013 - "193.107.16.213 is a web server run by Ideal Solution Ltd in the Seychelles. It contains many malware sites that should be blocked, and you might well want to consider blocking the entire 193.107.16.0/22 (193.107.16.0 - 193.107.19.255) range. VirusTotal detects a number of malicious sites on this server (see report*) but blocking access to this IP address is probably the easiest approach. However there seems to be very little of value in the whole /22 and I have personally had it blocked for some months with no ill effects. The sites that I can identify, their MyWOT ratings and Google prognosis can be download from here [csv**]. Use this data as you see fit..."
(More detail at the dynamoo URL above.)
* https://www.virustot...22/information/

** http://www.dynamoo.c...al-solution.csv

- https://www.google.c...c?site=AS:58001
___

Something evil on 199.71.212.122
- http://blog.dynamoo....9971212122.html
26 April 2013 - "199.71.212.122 is an IP address belonging to Psychz Networks in the US. It hosts a number of sites with malware on them according to VirusTotal* and URLquery**. Some of the malicious domains were recently hosted on this IP. I suspect that there are alot more domains than the ones listed on this server, blocking access to it is probably the best approach..."
* https://www.virustot...22/information/

** http://urlquery.net/...1...4-26&max=50

- https://www.google.c...c?site=AS:40676
___

Malicious PayPal Dispute Spam
- http://threattrack.t...al-dispute-spam
26 April 2013 - "Subjects Seen:
Resolution of case #[removed]
Typical e-mail details:
Our records indicate that you never responded to requests for additional
information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see the attached file (Case_[removed].zip)
Sincerely,
Protection Services Department

Malicious URLs
angels-mail .com:8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
palmspringsvacationhomerentals .com/ponyb/gate.php
palmspringsvacationrentalshomes .com/ponyb/gate.php
techsolbowling .com/Ff1.exe

Screenshot: https://gs1.wac.edge...56WK1qz4rgp.png
___

Fake BoA malicious SPAM
- http://blog.webroot....-serve-malware/
April 26, 2013 - "Relying on tens of thousands of fake “Your transaction is completed” emails, cybercriminals have just launched yet another malicious spam campaign attempting to socially engineer Bank of America’s (BofA) customers into executing a malicious attachment. Once unsuspecting users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals operating it, leading to a successful compromise of their hosts...
Sample screenshot of the spamvertised email:
> https://webrootblog....otnet.png?w=869
Detection rate for the malicious executable: MD5: c671d0896a2412b42e1abad4be9d43a8 * ...Trojan-Spy.Win32.Zbot.kulh.
... phones back to... C&Cs servers..."
(Long IP list at the webroot URL above.)
* https://www.virustot...3f838/analysis/
File name: Mnvw57ch.exe
Detection ratio: 32/46
Analysis date: 2013-04-26

Edited by AplusWebMaster, 26 April 2013 - 04:31 PM.

[AplusWebMaster]

FYI...

Multiple Facebook SCAMS ...
- http://www.hoax-slay...ewer-scam.shtml
April 30, 2013 - "Outline: Message being spammed across Facebook claims that users can follow a link to install an app that allows them to check who has been viewing their profile.
Brief Analysis: The message is an attempt to trick Facebook users into relinquishing control of their Facebook accounts to Internet scammers by submitting their Facebook authentication token. The scammers will use the compromised accounts to launch further spam and scam campaigns in the names of their victims. Any message that claims that you can install an app to see who has viewed your profile is likely to be a scam. Do not click on any links in these messages...
Detailed Analysis: This message, which is currently appearing on Facebook, claims that users can check out who has been viewing their Facebook profiles by clicking a link and installing a new app.
However, the message is a scam designed to trick users into temporarily handing control of their Facebook accounts to online scammers. Those who click the link will first be taken to a Facebook page with further "instructions" for procuring the app:
> http://www.hoax-slay...ewer-scam-1.jpg
If victims follow the link on the page, they will next be taken to a second page that falsely claims that Facebook is now required to show users who has been viewing their profile:
> http://www.hoax-slay...ewer-scam-2.jpg
Next, victims are taken to a "security check" and told that they must generate an "age verification code" before proceeding:
> http://www.hoax-slay...ewer-scam-3.jpg
Users will then receive the following instructions:
> http://www.hoax-slay...ewer-scam-4.jpg
Folllowed by this:
> http://www.hoax-slay...ewer-scam-5.jpg
... by pasting the "age verification" code as instructed, users are in fact giving the scammers access to their Facebook accounts, including their Friends list. The code is the victim's Facebook authentication token, which can then be used by the criminals to temporarily hijack the Facebook account. The compromised accounts are then used to distribute more of the same scam messages on Facebook... victims will be taken onward to various bogus survey pages and enticed to participate, supposedly as a further prerequisite to getting the promised profile viewer app... In reality, the profile viewer app does not exist... Some versions use the promise of a profile viewer to lead victims directly to a scam survey page. Other versions try to trick users into first installing a rogue Facebook application that will send spam and scam messages to all of their friends.
Do not trust any message that claims that you can click a link and install an app to see who has viewed your profile. If you receive such a message, delete it."
___

UK banks targeted with Trojans and social engineering
- https://www.net-secu...ews.php?id=2477
April 30, 2013 - "... Trusteer’s security team recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs into their account, at which time it presents them with one of the following messages:
> https://www.net-secu...er-042013-1.jpg
- or:
> https://www.net-secu...er-042013-2.jpg
While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user. To overcome this requirement Ramnit displays the following message:
> https://www.net-secu...er-042013-3.jpg
The temporary receiver number in the message is in fact the mule’s account number. The user then receives the SMS and thinking that he must complete the “OTP service generation”, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process... the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake “a option.” Nevertheless, by changing multiple entries in the FAQ section Ramnit* demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there..."

* http://www.trusteer....nancial-malware
___

Malicious PDFs on the rise
- http://blog.trendmic...fs-on-the-rise/
Apr 29, 2013 - "... we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640)... files used dnsport.chatnook .com, inter.so-webmail .com, and 223.25.242.45 as their command-and-control servers... Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal. At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDF’s exploiting CVE-2013-0640 may indicate the start of shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158."
(More detail at the trendmicro URL above.)

- https://blogs.techne...Redirected=true
29 Apr 2013
Graph: https://www.microsof..._exploits/2.png
___

Phish target Apple IDs
- http://blog.trendmic...-phishing-bait/
Apr 30, 2013 - "Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs... Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised... the directory contains pages that spoof the Apple ID login page fairly closely:
> http://blog.trendmic.../fake_apple.jpg
We’ve identified a total of 110 compromised sites, all of hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned:
> http://blog.trendmic...13/04/chart.png
The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
> http://blog.trendmic...credit_card.jpg
Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.
> http://blog.trendmic.../apple_mail.jpg
One way to identify these phishing sites, is that the fake sites do not display any indications that you are at a secure site (like the padlock and “Apple Inc. [US]” part of the toolbar), which you can see in this screenshot of the legitimate site:
> http://blog.trendmic...4/legitsite.jpg
The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites. For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection..."
___

Something evil on 96.126.108.132
- http://blog.dynamoo....6126108132.html
30 April 2013 - "These sites are on (or are likely to be created on) 96.126.108.132 (Linode, US) which is a known malware server [1] [2] [3]. Blocking this IP would be wise. Some of the domains are rather.. unusual ..."
(Long list at the dynamoo URL above.)
1) https://www.virustot...32/information/

2) https://palevotracke...=96.126.108.132

3) http://support.clean...=96.126.108.132
___

Fake "Requested Reset of Yoyr PayPal Password" SPAM / frustrationpostcards .biz
- http://blog.dynamoo....l-password.html
29 Apr 2013 - "This fake PayPal spam leads to malware on frustrationpostcards .biz:
Date: Mon, 29 Apr 2013 13:22:03 -0500
From: "service @paypalmail .com" [chichisaq0 @emlreq.paypalmail .com]
Subject: Requested Reset of Yoyr PayPal Password
Your account will stay on hold untill password reset.
How to reset your PayPal password
Hello [redacted],
To get back into your PayPal account, you'll have to create a new password.
It's easy:
Click the link below to open a secure browser window.
Confirm that you're the owner of the account, and then follow the instructions.
Reset your password now
If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.
PayPal Email ID 2A7X1

The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards .biz/news/institutions-trusted.php (report here*) hosted on the following IPs:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)...
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24 ..."
* http://urlquery.net/....php?id=2230181

Screenshot: https://www.net-secu...ke-30042013.jpg
___

Fake Microsoft Security Scam
- http://blog.webroot....-security-scam/
April 30, 2013 - "... we have seen an increase in fake Microsoft scams, which function by tricking people into thinking that their PC is infected. With these types of scams there are a number of things to remember.
1. Microsoft will never call you telling you that your PC is infected
2. Never allow strangers to connect to your PC
3. Do not give any credit card info to somebody claiming to be from Microsoft...
The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to figure out that this is a false alert. The first is that it’s a website message and not a program; the second is that the location of the web site will be a random string of letters.
1) https://webrootblog....owser_alert.jpg
More details: These websites will normally only stay active for 24-48hrs before they are pulled down. The websites’ primary function is to get you to run a “removal tool” called “security cleaner”. This file is the infection and, if ran, will infect the PC and start displaying pop-ups (like the one in Figure 2).
2) https://webrootblog....3/04/fakeav.jpg
... Infection detected:
c:\users\owner\appdata\local\microsoft\windows\temporary internet files\content.ie5\wckxi56g\security_cleaner[1].exe

MD5: 68D9F9C6741CCF4ED9F77EE0275ACDA9 * ... Virus Total... a number of infections that would have been prevented if Windows was up to date. Microsoft is constantly updating Windows to patch various security updates..."
* https://www.virustot...b0a29/analysis/
File name: qdg.exe
Detection ratio: 28/46
Analysis date: 2013-04-27

Link: http://www.microsoft...acy/msname.aspx
___

Fake Wire Transfer SPAM / Payment reeceipt.exe / 78.139.187.6
- http://blog.dynamoo....2-canceled.html
30 Apr 2013 - "This fake wire transfer spam comes with a malicious attachment:
Date: Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
From: Federal Reserve [alerts @federalreserve .gov]
Subject: Your Wire Transfer 82932922 canceled
The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately

In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document called Payment reeceipt.exe . This executable has a so-so VirusTotal detection rate of 29/46*.
The malware has the following checksums according to Comodo CAMAS**:
Size 371712
MD5 0a3723483e06dcf7e51073972b9d1ef3
SHA1 293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
SHA256 0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd
Anubis has a pretty detailed report*** of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia) which seems to be a C&C server. This IP has also been seen here****. There are several other IPs involved, but these look like DSL subscribers with dynamic address, so probably a part of a botnet. For the sake of completeness they are:
64.231.249.250
69.183.226.70
78.139.187.6
81.133.189.232
123.237.234.67 ...."
* https://www.virustot...sis/1367354089/
File name: Payment reeceipt.exe
Detection ratio: 29/46
Analysis date: 2013-04-30
** http://camas.comodo....759c2d3f25753dd
*** http://anubis.isecla...amp;format=html

**** http://blog.dynamoo....ation-spam.html

Edited by AplusWebMaster, 30 April 2013 - 05:07 PM.

[AplusWebMaster]

FYI...

Malicious ADP Delivery Notice Spam
- http://threattrack.t...ery-notice-spam
3 May 2013 - "Subjects Seen:
ADP Chesapeake - Package Delivery Confirmation
Typical e-mail details:
This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Monday, 1:00pm
Tracking Number (if one is available for this package): [removed]
Details: Click here to overview and/or modify order
We will notify you via email if the status of your delivery changes.
Access these and other valuable tools at support.ADP.com:
Payroll and Tax Calculators
Order Payroll Supplies, Blank Checks, and more
Submit requests online such as SUI Rate Changes, Schedule Changes, and more
Download Product Documentation, Manuals, and Forms
Download Software Patches and Updates
Access Knowledge Solutions / Frequently Asked Questions
Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP .com

Malicious URLs
technotkan .kz/templates/ja_purity_ii/adp_dpack.html
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?hyobrlhz=kniez&vvhxv=nle
sub.mumbailocaltraintimetable .net/ensure/indeed-called_risk_omits.php?df=1g:1i:2v:32:1f&ne=1g:2w:2w:1h:1g:1j:1l:1h:2v:30&h=1f&ug=q&tr=s&jopa=3366088

Screenshot: https://gs1.wac.edge...fPsL1qz4rgp.png
___

Something evil on 173.255.200.91
- http://blog.dynamoo....7325520091.html
3 May 2013 - "173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit kit* [see URLquery** and VirusTotal reports***). Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism by the malware on the server. I can see... domains on the server, ones flagged by Google for malware... I would recommend blocking all domains on this server... or simply block the IP address..."
* http://malware.dontn...xploit-kit.html

** http://urlquery.net/...2...5-03&max=50

*** https://www.virustot...91/information/
___

Malicious US Airways Spam
- http://threattrack.t...us-airways-spam
2 May 2013 - "Subjects Seen:
US Airways online check-in.
Typical e-mail details:
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you need to do is print your boarding pass and go to the gate.

Malicious URLs
concaribe .com/images/wp_pageid.html?id=516047FC45UOYFC8AVC60VIQ
yob.newwaysys .com/ensure/origin-want_require.php?jnlp=e3ca9e7968
yob.newwaysys .com/ensure/origin-want_require.php?bnddxr=nlbaicu&zvgibtad=tqu
yob.newwaysys .com/ensure/origin-want_require.php?qf=1i:1f:32:33:2v&ge=32:1i:30:2v:1o:32:1m:1o:1l:1n&i=1f&wl=j&rw=r&jopa=2959383

Screenshot: https://gs1.wac.edge...ilQn1qz4rgp.png
___

Malicious Citibank Paymentech Attachment Spam
- http://threattrack.t...attachment-spam
2 May 2013 - "Subjects Seen:
Merchant Statement
Typical e-mail details:
" Attached is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech’s or the Merchant’s email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ————— Learn more about Citibank Paymentech Solutions, LLC payment processing services at citibank.com. ————— THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.

Malicious URLs
Spam contains a malicious attachment.

Screenshot: https://gs1.wac.edge...SQsp1qz4rgp.png
___

Fake LinkedIn SPAM / guessworkcontentprotect .biz
- http://blog.dynamoo....protectbiz.html
2 May 2013 - "This fake LinkedIn email leads to malware on guessworkcontentprotect .biz:
From: LinkedIn Invitations [giuseppeah5 @mail.paypal .com]
Date: 2 May 2013 16:49
Subject: LinkedIn inviation notificaltion.
LinkedIn
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
On May 2, Lewis Padilla wrote:
> To: [redacted]
> I'd like to join you to my professional network on LinkedIn.
> Lewis Padilla
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.

The malicious payload is at [donotclick]guessworkcontentprotect .biz/news/pattern-brother.php (report here*) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
203.190.36.201 ..."
* http://urlquery.net/....php?id=2293535

Edited by AplusWebMaster, 03 May 2013 - 07:50 PM.

[AplusWebMaster]

FYI...

Mother’s Day SPAM ...
- http://www.symantec....it-mother-s-day
6 May 2013 - "... Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically -redirects- the recipient to a website containing a bogus Mother’s Day offer upon completion of a -fake- survey.
> https://www.symantec.....mothers 1.png
Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the -bogus- offer.
> https://www.symantec.....mothers 2.png
Next...
> https://www.symantec.....mothers 3.png
... Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.
> https://www.symantec.....mothers 5.png
... use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats..."

- https://www.bbb.org/...ay-email-scams/
May 6, 2013

- http://mashable.com/...ay-email-scams/
2013-05-01

Edited by AplusWebMaster, 07 May 2013 - 04:35 AM.

[AplusWebMaster]

FYI...

AutoIt malware - 188.161.9.226 ...
- http://blog.trendmic...e-and-toolsets/
May 6, 2013 - "... In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at shark18952012.no-ip .info (188.161.9.226 at the time of writing) over port 1604... In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them, in addition to installing itself at startup for persistency... Upon execution of the malware, it immediately disables the Windows Firewall. After disabling the firewall, the malware then disables the ability to get into the registry of Windows to view or undo the changes performed... As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to make a migration to using them. The ease of use and learning, as well as the ability to post code easily to popular dropsites make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend continuing to update your Anti-Virus signatures as well as consider blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable."
___

Something evil on 151.248.123.170 Part III
- http://blog.dynamoo....0-part-iii.html
7 May 2013 - "I've covered 151.248.123.170 (Reg.ru, Russia*) a couple of times in the past month [1] [2], and it's still actively pushing out malware via dynamic DNS domains, many of which are injection attacks on hacked sites. There are hundreds or possibly thousands of malicious domains on this IP. Blocking them individually is likely to be problematic, the best approach is to block all traffic to 151.248.123.170 or to the Dynamic DNS domains involved.. although this might potentially block access to some legitimate sites..."

1) http://blog.dynamoo....8123170_24.html

2) http://blog.dynamoo....1248123170.html

* https://www.google.c...c?site=AS:39134
___

Fake Citibank ‘Merchant Billing Statement’ emails lead to malware
- http://blog.webroot....ead-to-malware/
May 7, 2013 - "Over the past 24 hours, we’ve intercepted yet another spam campaign impersonating Citibank in an attempt to socially engineer Citibank customers into thinking that they’ve received a Merchant Billing Statement. Once users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal/cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog....nets_trojan.png
Detection rate for the malicious executable: MD5: 75a666f81847ccf7656790162e6a666a * ... Trojan-Spy.Win32.Zbot.lcnn..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1367618876/
File name: Kwmfd2.exe
Detection ratio: 33/46
Analysis date: 2013-05-05

Edited by AplusWebMaster, 07 May 2013 - 08:50 AM.

[AplusWebMaster]

FYI...

Fake Amazon.com SPAM / ehrap .net
- http://blog.dynamoo....m-ehrapnet.html
8 May 2013 - "This fake Amazon spam leads to malware on ehrap .net:
Date: Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From: "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject: Your Amazon.com order confirmation.
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672
Order Grand Total: $ 53.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: I12-4392835-6098844
Subtotal of items: $ 53.99
Total before tax: $ 53.99
Tax Collected: $0.00
Grand Total: $ 50.00
Gift Certificates: $ 3.99
Total for this Order: $ 53.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here

The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap .net/news/days_electric-sources.php (report here*) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)
The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.
Blocklist:
85.41.88.24
98.210.212.79
140.121.140.92
178.175.140.185
197.246.3.196
216.70.110.21 ..."
* http://urlquery.net/....php?id=2377955
___

Fake AV and ransomware combo
- https://www.net-secu...ews.php?id=2486
8 May 2013 - "Ransomware and fake antivirus solutions are well-known threats, but a deadly fraudulent combination of the two has been recently spotted... The software - dubbed "Secure Bit" - first tries to convince the victims that the "security level" of their computer is low and instructs them to call for support so that the “threats” it has "found" can be removed. The claim is accompanied with a pop-ups that lists a great number of them. But if the victims don't do as they are told after a period of time, the fake AV turns nasty (well, nastier), and locks the computer screen. The victims can't do anything on their machine, and they are again told to contact the given phone number in order to regain control of it. The phone call reveals that it will cost the victims $49.99 to do that, and Total Defense's Tsahi Carmona warns* that many users may not recognize it's a scam and may pay the ransom..."
* http://www.totaldefe...secure-bit.aspx
"... This anti-virus software pretender combines two methods of fraud – the fake anti-virus software and a malware that supposedly locks the screen in order to make the victim pay money to unlock. After the user installs this free “anti-virus” software it immediately notifies that the security level of the computer is low and which they need to call for support to address the found “threats”..."
___

Fake Amazon emails lead to malware...
- http://blog.webroot....ts-and-malware/
May 8, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of fake Amazon “You Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....1...w=650&h=486
... MD5 for the Java exploit: MD5: c9bc87eef8db72f64bac0a72f82b04cf * ... HEUR:Exploit.Java.CVE-2012-0507.gen
MD5 for the PDF exploit: MD5: 53c90140fde593713efe6298547ff205 ** ...Exploit:Win32/CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 330ad00466bd44a5fb2786f0f5e2d0da *** ...Trojan.Win32.Reveton.a (v).
... phones back to:
85.214.143.90
130.79.80.40
213.199.201.180
46.51.189.229
91.121.30.185
89.110.148.213
81.17.22.14
88.119.156.20
161.53.184.3
94.23.6.95
88.191.130.98 /J9/vp/EGa+AAAAAA/2MB9vCAAAA ..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1367968246/
File name: days_electric-sources.php
Detection ratio: 5/46
Analysis date: 2013-05-07
** https://www.virustot...sis/1367968346/
File name: Kindle.pdf
Detection ratio: 26/46
Analysis date: 2013-05-07
*** https://www.virustot...27274/analysis/
File name: sndrec32.exe
Detection ratio: 16/46
Analysis date: 2013-05-08
___

Malicious Better Business Bureau Spam
- http://threattrack.t...ess-bureau-spam
8 May 2013 - "Subjects Seen:
Better Business Beareau Complaint ID [removed]
Typical e-mail details:
The Better Business Bureau has been entered the above mentioned complaint from one of your users in regard to their business contacts with you. The information about the consumer’s concern are available at the link below. Please give attention to this point and notify us about your belief as soon as possible.
We kindly ask you to open the RECLAMATION REPORT to answer on this claim.
We are looking forward to your prompt response.
WBR
Colton Reed
Dispute Advisor
Better Business Bureau

Malicious URLs
stopwulgaryzmom .pl/bbb_view_compl.html?complain=DFMI30GA2_80VJA8
pub.mumbailocaltraintimetable .net/ensure/misuse-restrict-systems_properties.php

Screenshot: https://gs1.wac.edge...fiSm1qz4rgp.png

Edited by AplusWebMaster, 08 May 2013 - 05:28 PM.

[AplusWebMaster]

FYI...

Fake Citibank SPAM / Statement ID 64775-4985.doc
- http://blog.dynamoo....75-4985doc.html
9 May 2013 - "This fake Citibank spam contains a malicious Word document that leads to malware.
Date: Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
From: CITIBANK [noreply @citybank .com]
Subject: Merchant Statement
Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.

The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46*. It appears to exploit a flaw in the RTF converter... making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat."
* https://www.virustot...f9347/analysis/
File name: Statement ID 64775-4985.doc
Detection ratio: 10/46
Analysis date: 2013-05-09

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158* aka MS12-027.
* https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013
___

Fake Traffic Ticket serves malware
- http://blog.webroot....-serve-malware/
9 May 2013 - "Cybercriminals are currently spamvertising tens of thousands of -bogus- emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received an uniform traffic ticket, that they should open, print and send to their town’s court. In reality, once users open and execute the malicious attachment, their PCs will automatically join the botnet operated by the cybercriminal/cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....1...w=423&h=290
Detection rate for the malicious executable: MD5: 247c67cb99922fd4d0e2ca5d6976fc29 * ... Trojan-Spy.Win32.Zbot.lhim..."
(More detail available at the webroot URL above.)
* https://www.virustot...a43b1/analysis/
File name: Unihl.exe
Detection ratio: 30/45
Analysis date: 2013-05-08

Edited by AplusWebMaster, 09 May 2013 - 12:52 PM.

[AplusWebMaster]

FYI...

Malicious Facebook Friend Notification Spam
- http://threattrack.t...tification-spam
9 May 2013 - "Subjects Seen:
[removed] wants to be friends on Facebook
Typical e-mail details:
[removed] wants to be friends with you on Facebook Facebook.

Malicious URLs
web.jen-pages .de/fbreq.html
job.bgita .ru/fbreq.html
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?jnlp=7ad5b52a64
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?zvvsj=edwwqnl&wit=tjm
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?mf=1i:1f:32:33:2v&le=1m:2v:31:1k:2w:1k:1h:2v:1l:1j&u=1f&yj=i&cp=j&jopa=5216591

Screenshot: https://gs1.wac.edge...oht71qz4rgp.png
___

Something evil on 151.248.123.170, Part IV
- http://blog.dynamoo....70-part-iv.html
10 May 2013 - "Here are some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia)... you can download a full list of everything that I can find here** [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here*..."
* http://blog.dynamoo....0-part-iii.html

** http://www.dynamoo.c...248-123-170.txt
___

USAA Credentials Phish
- http://threattrack.t...edentials-phish
10 May 2013 - "Subjects Seen:
Important Message From Usaa
Typical e-mail details:
Dear Valued Customer,
We have created new dedicated security servers to keep all our
online banking customers account safe and secure. This is server< /span>
has been tested,now we are asking all our online banking customers
to register for the new security server to keep them safe.
To register for this new security server quickly click on the button
below to complete registration immediately.
Click Here To Register
We hope you find our Internet Banking service easy and convenient to use.
Yours sincerely
USAA,
Digital Banking Director

Malicious URLs
sehyup .com/08_dev/board/file/bbs_notice/vi.htm
philanthropyexpert .org/rear/index.html

Screenshot: https://gs1.wac.edge...LK0n1qz4rgp.png
___

Phone phish ...
- https://www.ic3.gov/...013/130508.aspx
May 08, 2013 - "The Internet Crime Complaint Center has received numerous reports of phishing attacks targeting various telecommunication companies' customers. Individuals receive automated telephone calls that claim to be from the victim's telecommunication carrier. Victims are directed to a phishing site to receive a credit, discount, or prize ranging from $300 to $500. The phishing site is a replica of one of the telecommunication carrier's sites and requests the victims' log-in credentials and the last four digits of their Social Security numbers. Once victims enter their information, they are -redirected- to the telecommunication carrier’s actual website. The subject then makes changes to the customer's account.
The IC3 urges the public to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. If you receive such an offer, verify it with the business associated with your account before supplying any information. Use the information supplied on your account statement to contact the business."

Edited by AplusWebMaster, 11 May 2013 - 05:20 AM.

[AplusWebMaster]

FYI...

Something evil on 188.241.86.33
- http://blog.dynamoo....1882418633.html
13 May 2013 - "188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2]. This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach..."
(More detail at the dynamoo URL above.)

1) http://urlquery.net/...8...5-13&max=50

2) https://www.virustot...33/information/
___

Browser extension hijacks Facebook profiles
- https://blogs.techne...Redirected=true
10 May 2013 - "We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox..."
- http://h-online.com/-1861398
13 May 2013 - "... The trojan extensions themselves monitor users' browser activity to see if they are logged into Facebook and then retrieve a configuration file from a site, disguised as a .php file, which contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat to friends or comment on posts... Microsoft recommends that users review their installed extensions..."
___

Fake BoA Paymentech Malicious Word Doc Attachment Spam
- http://threattrack.t...icious-word-doc
13 May 2013 - "Subjects Seen:
BOA Merchant Statement
Typical e-mail details:
Attached (DOC|WORD file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.

Spam contains malicious attachment.

Screenshot: https://gs1.wac.edge...dxu51qz4rgp.png
___

Malicious Citibank Secure Message Spam
- http://threattrack.t...re-message-spam
13 May 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - citi .com/citi/citizen/privacy/email.htm

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
vulcantire .net/forum/viewtopic.php
westautorepair .com/forum/viewtopic.php
metroimport-tires .com/forum/viewtopic.php
iis1.ontera .net/AUWY5Z.exe

Screenshot: https://gs1.wac.edge...XmUI1qz4rgp.png
___

Fake AMEX SPAM / SecureMail.zip
- http://blog.dynamoo....-from-amex.html
13 May 2013 - "This fake Amex email has a malicious attachment:
Date: Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From: American Express [Jarvis_Randall @aexp .com]
Subject: Confidential - Secure Message from AMEX
Secure Message
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express
2012 American Express Company. All rights reserved.

There is an attachment SecureMail.zip which in turn contains an executable file SecureMail .exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46*. Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim .com on 212.58.4.13 (DorukNet, Turkey).
Size 137216
MD5 20de8bad8bf8279e4084e9db461bd140
SHA1 caacc00d68f41dad9b1abb02f9e243911f897852
SHA256 18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7
The ThreatTrack report*** also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it.
Blocklist:
mail.yaklasim .com
212.58.4.13
62.233.104.156 ..."
* https://www.virustot...sis/1368476716/
File name: SecureMail.exe
Detection ratio: 15/46
Analysis date: 2013-05-13

** http://camas.comodo....4c962329b691ee7

*** http://www.dynamoo.c...9db461bd140.pdf

Edited by AplusWebMaster, 13 May 2013 - 04:53 PM.

[AplusWebMaster]

FYI...

Fake BoA SPAM / RECEIPT428-586.doc
- http://blog.dynamoo....erica-spam.html
14 May 2013 - "This fake Bank of America message has a malicious Word document attached:
Date: Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
Subject: Your transaction is completed
Transaction is completed. $51317477 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved

The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack*. VirusTotal detections stand at just 11/46**. Further analysis is pending.
* http://blog.dynamoo....75-4985doc.html

** https://www.virustot...3e356/analysis/
File name: RECEIPT428-586.doc
Detection ratio: 18/43
Analysis date: 2013-05-14
___

Something evil on 94.242.198.16
- http://blog.dynamoo....9424219816.html
14 May 2013 - "I'm not entirely sure what this is, I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxemburg) which is using various stealth techniques to avoid detection. This is what I'm seeing.. code is getting injected into sites referring to [donotclick]fryzjer .me/hpoxqnj.php (report*) or [donotclick]stempelxpress .nl/vechoix.php (report**) which (if called in the correct way) tries to forward the victim to
[donotclick]ice.zoloni-kemis .info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis .info/lifym?ftypyok=947645 hosted on 94.242.198.16.

VirusTotal reports this as a bad IP***, and out of several domains associated with this IP, almost all are red-flagged by Google for malware. The site contains several subdomains of the following domains.. I would recommend the following blocklist:
94.242.198.16
integrate-koleiko .com
integrate-koleiko .org
integrate-koleiko .net
muroi-uroi-loi .info
muroi-uroi-loi .org
muroi-uroi-loi .net
zoloni-kemis .info ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=2455754

** http://urlquery.net/....php?id=2455905

*** https://www.virustot...16/information/

- https://www.google.c...ic?site=AS:5577
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-05-14, and the last time suspicious content was found was on 2013-05-14... Over the past 90 days, we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 131 other site(s)... We found 282 site(s)... that infected 4631 other site(s)..."
___

Malicious Dun and Bradstreet Compliant Spam
- http://threattrack.t...-compliant-spam
14 May 2013 - "Subjects Seen:
FW : Complaint - [removed]
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by May 18, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
hurricanestormsavings .com/ponyb/gate.php
hurricanestrengthsavings .com/ponyb/gate.php
62.233.104.156 /tHjefFt.exe

Screenshot: https://gs1.wac.edge...lB071qz4rgp.png

Edited by AplusWebMaster, 14 May 2013 - 01:04 PM.

[AplusWebMaster]

FYI...

Fake ‘Free Media Player’ via rogue ‘Adobe Flash Player HD’ ad ...
- http://blog.webroot....-advertisement/
May 15, 2013 - "Our sensors just picked up a rogue advertisement served through the Yieldmanager ad network, which exposes users to fake Adobe Flash Player HD ads, ultimately dropping a copy of the potentially unwanted application (PUA)/adware, known as Somoto Better Installer...
Sample screenshot of the actual advertisement:
> https://webrootblog....omoto.png?w=869
... once users click, they’re presented with a rogue Free Media Player page, instead of of a Adobe Flash Player HD themed page. Users who fall victim to the social engineering scam will end up installing multiple potentially unwanted applications... Landing domain:
hxxp ://www.softigloo .com – 78.138.105.151. Responding to the same IP is also the following typosquatted domain – hxxp ://down1oads .com...
Detection rate for the sampled malware:
MD5: 3ee49800cc3c2ce74fa63e6174c81dff * ... Somoto BetterInstaller; Adware.Somoto
MD5: b57cc4b5aecd69eb57063f4de914d4dd ** ... Somoto BetterInstaller; TROJ_GEN.F47V0429 ...
And initiates the following TCP connections:
78.138.97.8 :80
54.239.158.55 :80
78.138.127.129 :80
54.239.158.183 :80
54.239.158.247 :80
78.138.127.7 :80
The affiliate network participant that’s abusing the Yieldmanager ad network is currently earning revenue through the Somoto’s BetterInstaller PPI (Pay-Per-Install) revenue sharing network..."
(More detail at the websense URL above.)
* https://www.virustot...sis/1368314633/
File name: VLCMediaPlayerSetup-9Kf76Wv.exe
Detection ratio: 8/46
Analysis date: 2013-05-11
** https://www.virustot...sis/1368314918/
File name: 7ZipSetup-aVEkw5Y.exe
Detection ratio: 8/46
Analysis date: 2013-05-11

Removal Guide for Somoto.BetterInstaller
> http://forums.spybot...BetterInstaller
2013-05-08
___

Malicious FedEx SPAM delivers trojan ...
- http://www.hotforsec...kages-6173.html
May 15, 2013 - "A new wave of malicious FedEx spam delivers Trojans instead of packages, infecting users with malware when opening the attachments. In the last couple months, the Gamarue Trojan has spread intensely in the US, Australia, Croatia, Romania, Iran, the UK, Germany and Spain...
Screenshot1: http://www.hotforsec...-packages-1.jpg
... To give credibility to the malicious payload, scammers added links to the authentic shipping company. Trojan.Gamarue silently installs itself on the system, sending sensitive information to the command and control center. The stolen data can then be used for identity theft and other cyber-criminal activities. Gamarue can also download and execute arbitrary files, performing updates without users noticing. The malicious software can also spread to removable drives, so users should be careful when managing important documents through USB devices...
Screenshot2: http://www.hotforsec...-packages-2.png
FedEx is a common target for cyber-criminals, who only change the bait from time to time. Other excuses to ship malware include parcel delivery notifications. Scammers also request money in return for delivery of a package by posing as representatives of the shipping service. They also go so far as to create spoofed web sites to collect usernames, passwords, Social Security Numbers, credit card details and more..."
___

Fake Facebook SPAM / otophone .net
- http://blog.dynamoo....tophonenet.html
15 May 2013 - "This fake Facebook spam leads to malware on otophone .net:
Date: Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From: Facebook [notification+LTFS15RDTR @facebookmail .com]
Subject: Jonathan Rogers wants to be friends on Facebook
facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook...
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303

The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone .net/news/appreciate_trick_hanging.php (report here*) hosted on the following IPs:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)...
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58 ..."
* http://urlquery.net/....php?id=2474662
___

Something evil on 184.95.51.123
- http://blog.dynamoo....1849551123.html
15 May 2013 - "184.95.51.123 (Secured Servers LLC, US) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live. The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.
These following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can..."
___

Malicious DocuSign Payroll Spam
- http://threattrack.t...gn-payroll-spam
15 May 2013 - "Subjects Seen:
Completed: Please DocuSign this document : Payroll May 2013..pdf
Typical e-mail details:
Your document has been completed
Sent on behalf of [removed].
All parties have completed the envelope ‘Please DocuSign this document: Payroll April 2013..pdf’.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to [removed]

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
lifestylehomeowners .com/ponyb/gate.php
lifestylehurricaneguide .com/ponyb/gate.php
parpaiol a.com/0nWhFjZ.exe

Screenshot: https://gs1.wac.edge...rAIV1qz4rgp.png
___

Fake ADP SPAM / outlookexpres .net
- http://blog.dynamoo....kexpresnet.html
15 May 2013 - "This fake ADP spam leads to malware on outlookexpres .net:
Date: Wed, 15 May 2013 22:39:26 +0400
From: "donotreply @adp .com" [phrasingr6 @news.adpmail .org]
Subject: adp_subj
ADP Instant Warning
Report #: 55233
Respected ADP Client May, 15 2013
Your Processed Transaction Report(s) have been uploaded to the website:
Sign In here
Please see the following information:
• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).
• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to existing users in your company that access ADP Netsecure.
As every time, thank you for using ADP as your business affiliate!
Rep: 55233 [redacted]

The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres .net/news/estimate_promising.php (report here*) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58 ..."
* http://urlquery.net/....php?id=2479638
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 15
Fake Product Order E-mail Messages - 2013 May 15
Fake Document Sharing Notification E-mail Messages - 2013 May 15
Fake Invoice Statement Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
Fake Delta E-Ticket Attachment E-mail Messages - 2013 May 15
Fake Third Party Consumer Complaint Notification E-mail Messages - 2013 May 15
Fake Portuguese Invoice Notification E-mail Messages - 2013 May 15
Fake Photo Sharing E-mail Messages - 2013 May 15
Fake Product Order Request E-mail Messages - 2013 May 15
Fake Xerox Scan Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
(More info and links at the cisco URL above.)

Edited by AplusWebMaster, 15 May 2013 - 03:38 PM.

[AplusWebMaster]

FYI...

Fake "Invoice Copy" SPAM / invoice copy.zip
- http://blog.dynamoo....ce-copyzip.html
16 May 2013 - This fake invoice email contains a malicious attachment:
Date: Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From: Karen Parker [Kk.parker @tiffany .com]
Subject: invoice copy
Kindly open to see export License and payment invoice attached,meanwhile we sent the balance payment yesterday.Please confirm if it has settled in your account or you can call ifthere is any problem.ThanksKaren parker

The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45* and indicate that this is a Zbot variant. The Comodo CAMAS report** indicates that the malware seems to be rummaging though address books and gives the following characteristics:
Size 331776
MD5 ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1 a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256 4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6
... The ThreatTrack report*** is nicely detailed and gives some details about network connections... As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat."
* https://www.virustot...sis/1368687945/
File name: invoice copy.exe
Detection ratio: 7/45
Analysis date: 2013-05-16

** http://camas.comodo....a19592d2b939fe6

*** http://www.dynamoo.c...dc7e0cd8bcd.pdf
___

Fake HMRC SPAM / VAT Returns Repot 517794350.doc
- http://blog.dynamoo....7794350doc.html
16 May 2013 - "This fake HMRC (UK tax authority) spam contains a malicious attachment:
From: noreply @hmrc .gov.uk [mailto:noreply @hmrc .gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350
Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack*. VirusTotal results are just 1/46**, so either this is something completely new or it is a corrupt sample. UPDATE: ThreatTrack reports*** that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35 ..."
* http://blog.dynamoo....erica-spam.html

** https://www.virustot...sis/1368697862/
File name: VAT Returns Repot 517794350.doc
Detection ratio: 1/46
Analysis date: 2013-05-16

*** http://www.dynamoo.c...b5b3a8c2a34.pdf
___

Fake Walmart SPAM / bestunallowable .com
- http://blog.dynamoo....lowablecom.html
16 May 2013 - "This fake Walmart spam leads to malware on bestunallowable .com:
From: Wallmart.com [deviledm978 @news.wallmart .com]
Date: 16 May 2013 14:02
Subject: Thanks for your Walmart.com Order 3795695-976140
Walmart
Visit Walmartcom | Help | My Account | Track My Orders
[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
Ship to Home
Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
---
Walmart.com Order Number: 3795695-976140
Ship to Home - Standard
Items Qty Arrival Date Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV 1 Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home. $898.00
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...
Rollbacks Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
©Walmart.com USA, LLC, All Rights Reserved.

The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable .com/news/ask-index.php (report here*) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characterstic of the Amerika gang...
Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com ..."
* http://urlquery.net/....php?id=2494957
___

More Walmart SPAM / virgin-altantic .net
- http://blog.dynamoo....ltanticnet.html
16 May 2013 - "Another -variant- of this spam* is doing the rounds, this time leading to a landing page on virgin-altantic .net:
From: Wallmart.com [mailto:sculptsu @complains .wallmartmail .com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882 ...
---
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...

The malicious payload is at [donotclick]virgin-altantic .net/news/ask-index.php (report here**). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic .net too."
* http://blog.dynamoo....lowablecom.html

** http://urlquery.net/....php?id=2496275
___

Fake Wells Fargo and Citi SPAM / SecureMessage.zip and Securedoc.zip
- http://blog.dynamoo....-citi-spam.html
16 May 2013 - "This fake Wells Fargo message contains a malicious attachment:
Date: Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From: "Grover_Covington @wellsfargo .com" [Grover_Covington @wellsfargo .com]
Subject: New Secure Message
Wells Fargo
Help
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Secure Message
This message was sent to : [redacted]
Email Security Powered by Voltage IBE
Copyright 2013 Wells Fargo. All rights reserved

The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal**.
The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.
Date: Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http ://www.citi .com/citi/citizen/privacy/email.htm

... the best analysis is this ThreatTrack report*... some IPs and domains worth blocking:
69.89.21.99
116.122.158.195
212.58.4.13
mail.yaklasim .com
ryulawgroup .com "
* http://www.dynamoo.c...0cddcbdc604.pdf

** https://www.virustot...sis/1368718128/
File name: SecureMessage.exe
Detection ratio: 2/45
Analysis date: 2013-05-16
___

Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead
- http://blog.trendmic...-scams-instead/
May 16, 2013 - "The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download an Android malware... these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”... Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.
> http://blog.trendmic...rvey-scam-4.jpg
Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work. Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes. Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking sites and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintance. Caution is your best defense..."

Edited by AplusWebMaster, 16 May 2013 - 01:49 PM.

[AplusWebMaster]

FYI...

e-netprotections.su ?
- https://isc.sans.edu...l?storyid=15818
Last Updated: 2013-05-17 - "Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well. Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats .cc, emstats .su, ehistats .su, e-protections .su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections .cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer... each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal*) , but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far..."
Partial list of IPs involved:
64.85.161.67
85.25.132.55
173.224.210.244
178.63.172.88
188.95.48.152
199.68.199.178
91.227.220.104
* https://www.virustot...b9041/analysis/
File name: dwdsrtrt
Detection ratio: 4/46
Analysis date: 2013-05-16

- https://www.abuse.ch/?p=3581
___

Malicious Wells Fargo Secure Message Spam
- http://threattrack.t...re-message-spam
16 May 2013 - "Subjects Seen:
New Secure Message
Typical e-mail details:
View attachment for details
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
mylifestylestormproducts .com/forum/viewtopic.php
mysafefloridahomelife .com/forum/viewtopic.php
ryulawgroup .com/Gsdw1.exe

Screenshot: https://gs1.wac.edge...4bl91qz4rgp.png
___

Malicious "Referral link" SPAM / rockingworldds .net and parishiltonnaked2013 .net
- http://blog.dynamoo....worlddsnet.html
17 May 2013 - "This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:
From: [AOL sender]
Sent: 17 May 2013 14:12
To: [redacted]
Subject: [AOL screen name]
Subject :RE ( 8 )
Sent: 5/17/2013 2:11:53 PM
referral link
http ://printcopy.co .za/elemqi.php?whvbcfm

The link goes through a legitimate -hacked- site and in this case ends up at [donotclick]rockingworldds .net/sword/in.cgi?6 (report here*) which either -redirects- to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013 .net/ngen/controlling/coupon_voucher.php (report here**) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia)... I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia."
* http://urlquery.net/....php?id=2512341

** http://urlquery.net/....php?id=2512431
___

Fake Newegg .com SPAM / balckanweb .com
- http://blog.dynamoo....ckanwebcom.html
17 May 2013 - "This fake Newegg.com spam leads to malware:
Date: Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From: Newegg [info @newegg .com]
Subject: Newegg.com - Payment Charged
Priority: High Priority 1
Newegg logo
My Account My Account | Customer Services Customer Services
Twitter Twitter You Tube You Tube Facebook Facebook Myspace Myspace
click to browse e-Blast click to browse Shell Shocker click to browse Daily Deals
Computer Hardware PCs & Laptops Electronics Home Theater Cameras Software Gaming Cell Phones Home & Office MarketPlace Outlet More
Customer ID: [redacted]
Account Number: 23711731
Dear Customer,
Thank you for shopping at Newegg.com.
We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.
If you have any questions, please use our LiveChat function or visit our Contact Us Page.
Once You Know, You Newegg.
Your Newegg.com Customer Service Team
ONCE YOU KNOW, YOU NEWEGG. Ž
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | Š 2000-2013 Newegg Inc. All rights reserved.

Screenshot: https://lh3.ggpht.co...1600/newegg.png

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb .com/news/unpleasant-near_finally-events.php (report here*) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)
The domains and IPs indicate that this is part of the "Amerika" spam run.
Blocklist (including nameservers):
5.231.24.162
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
209.59.223.119 ..."
* http://urlquery.net/....php?id=2504632

Also at: http://threattrack.t...wegg-order-spam
May 17, 2013
Screenshot: https://gs1.wac.edge...Awpg1qz4rgp.png
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Product Order Quotation Attachment E-mail Messages - 2013 May 17
Fake Product Order E-mail Messages - 2013 May 17
Fake Purchase Order E-mail Messages - 2013 May 17
Fake Account Compromise Notification E-mail Messages - 2013 May 17
Fake Scanned Document Attachment E-mail Messages - 2013 May 17
Fake Social Media User Notification E-mail Messages - 2013 May 17
Fake Facebook Security Software E-mail Messages - 2013 May 17
Fake Incoming Fax Message E-mail Messages - 2013 May 17
Fake Document Sharing E-mail Messages - 2013 May 17
Fake Italian Shared Document E-mail Messages - 2013 May 17
Fake Invoice Statement Attachment E-mail Messages - 2013 May 17
Fake Money Transfer Notification E-mail Messages - 2013 May 17
Fake Xerox Scan Attachment E-mail Messages - 2013 May 17
(More detail and links at the cisco URL above.)

Edited by AplusWebMaster, 19 May 2013 - 04:42 AM.

[AplusWebMaster]

FYI...

Something evil on 50.116.28.24
- http://blog.dynamoo....-501162824.html
19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
(More detail at the dynamoo URL above.)

* http://www.f-secure....s/00002554.html

** http://forums.macrum...d.php?t=1583233
___

Wells Fargo Credentials Phish
- http://threattrack.t...edentials-phish
20 May 2013 - "Subjects Seen:
Account Update
Typical e-mail details:
In order to safeguard your account, we require that you confirm your details.
To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
To get started, visit the link below:
Wells Fargo Online Confirmation

Malicious URLs
update.id5027-wellsfargo .com/index.php?id=586616

Screenshot: https://gs1.wac.edge...kVzo1qz4rgp.png
___

Malicious Invoice Attachment Spam
- http://threattrack.t...attachment-spam
20 May 2013 - "Subjects Seen:
invoice copy
Typical e-mail details:
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker

Spam contains malicious attachment.

Screenshot: https://gs1.wac.edge...O1qo1qz4rgp.png
___

Chase Bank Credentials Phish
- http://threattrack.t...edentials-phish
20 May 2013 - "Subjects Seen:
Billing Code:[removed]
Typical e-mail details:
During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
This might be due to either of the following reasons:
1. A recent change in your personal information ( i.e. change of address).
2. Submitting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
Click on the guide-link below and follow the directions or please call our Online Helpdesk.
Regards,
Chase Online
Billing Department
Thanks for your co-operation.

Malicious URLs
goodnickfitness .com.au/hnav.html
diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html

Screenshot: https://gs1.wac.edge...1itt1qz4rgp.png
___

Blackhole Spam Run evades detection using Punycode
- http://blog.trendmic...using-punycode/
May 20, 2013 - "... we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
> http://blog.trendmic...HEK-walmart.jpg
... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see its original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are lead to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
* http://www.ietf.org/rfc/rfc3492.txt

Edited by AplusWebMaster, 20 May 2013 - 04:02 PM.

[AplusWebMaster]

FYI...

Fake NATO jobs SPAM ...
- http://blog.webroot....ersonates-nato/
May 21, 2013 - "Want to join the North Atlantic Treaty Organization (NATO)?... you’d be involuntarily sharing your information with what looks like an intelligence gathering operation...
Sample screenshot of the -fake- NATO Employment Application Form:
> https://webrootblog....application.png
A copy of the -fake- NATO Employment Application Form
> http://webrootblog.f...cation-form.pdf
A copy of the -fake- NATO Interview Form
> http://webrootblog.f...erview-form.pdf
... NATO impersonating domain name reconnaissance:
nspa-nato.int.tf – 188.40.117.12; 188.40.70.27; 188.40.70.29
Name server: ns1.idnscan .net
Name server: ns2.idnscan .net
usnato-hr.org – 208.91.198.24
Name Server: DNS1.SPIRITDOMAINS .COM
Name Server: DNS2.SPIRITDOMAINS .COM
... We know that on 2013-05-10 07:01:46 CET, responding to the same IP (188.40.117.12) was also the following Black Hole Exploit Kit redirecting URLs...
Always watch where you apply and be aware of offers which sound too good to be true."
(More detail at the webroot URL above.)
___

Fake Delivery_Information_ID-000512430489234.zip
- http://blog.dynamoo....0489234zip.html
21 May 2013 - "The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German)... best guess is that it is a fake package delivery report. So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion .de/get/Delivery_Information_ID-000512430489234.zip
The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_____________________________________________________________
__.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47* and has the following checksums:
MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7
The Anubis report is pretty inconclusive but ThreatTrack reports** [pdf] some peer-to-peer traffic and also some rummaging around the Window Address Book (WAB)."
* https://www.virustot...sis/1369127051/
File name: Delivery_Information_ID-000512453420234.Pdf______________________...
Detection ratio: 23/47
Analysis date: 2013-05-21
** http://www.dynamoo.c...e89cdadc1fc.pdf
___

Malicious eFax Corporate Spam
- http://threattrack.t...-corporate-spam
21 May 2013 - "Subjects Seen:
Corporate eFax message from [removed]
Typical e-mail details:
You have received a 3 fax at 2013-05-07 10:24:18 CST.
* The reference number for this fax is [removed].
Please visit efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail.efax.com.
Thank you for using the eFax Corporate service!

Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
debthelpsmart .org/ponyb/gate.php
debtsmartretirement .com/ponyb/gate.php
50.63.222.182 /GGBG2H.exe

Screenshot: https://gs1.wac.edge...C2PH1qz4rgp.png
___

Oklahoma tornado charitable organization scams, malware, and phishing
- https://isc.sans.edu...l?storyid=15854
Last Updated: 2013-05-21 17:09:55 UTC - "... Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has -not- been around for very long. There are many legit charities, I would recommend sticking to ones you are already familiar with. The American Red Cross for example has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma. Routine monitoring of newly registered domain names shows a number of brand new ones that have words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well meaning people, however I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to be the subject line of phishing, malware, and scammers..."
___

prospectdirect .org SPAM
- http://blog.dynamoo....ctorg-spam.html
21 May 2013 - "Everything that this spammer says is a lie:
From: Emily Norton [emily.norton @prospectdirect .org]
To: [redacted]
Date: 21 May 2013 16:33
Subject: Cater to your email marketing needs
Signed by: prospectdirect .org
Hello,
I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.
The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.
If you would like a quote please complete this form: http ://prospectdirect .org/email-marketing-strategy
Leave your details at the link above or reply with any requirements.
Kind Regards,
Emily Norton
75 Glandovey Terrace, Newquay, Cornwall TR8 4QD
Tel: 0843 289 4698
This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http ://www.prospectdirect .org/landing/page.php?jq=[snip]

Firstly, the email was sent to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does -not- exist, and the telephone number of 0843 289 4698 appears to belong to a completely -unrelated- company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct". The website prospectdirect .org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope , Netherlands). There are no contact details on the website and there is no identifying information at all.. it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.
> https://lh3.ggpht.co...pect-direct.png
I would recommend giving these spammers a wide berth given their catalogue of lies."

Edited by AplusWebMaster, 21 May 2013 - 01:47 PM.