
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#946 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 May 2013 - 11:00 AM

FYI...

Malicious ADP Spam
- http://threattrack.t...dp-invoice-spam
22 May 2013 - "Subjects Seen:
Invoice #[removed] - Remit file
Typical e-mail details:
Attached is the invoice (ADP_Invoice_[removed].zip) received from your bank.
Please print this label and fill in the requested information. Once you have filled out
all the information on the form please send it to payroll.invoices @adp .com.
For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you ,
Automatic Data Processing, Inc...


Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
10healthynails .com/ponyb/gate.php
advprintgraphics .com/ponyb/gate.php
50.63.222.182 /GGBG2H.exe

Malicious File Name and MD5:
ADP_Invoice_[removed].zip (638d32dc80678f17609fe21dF73c6f6d)
ADP_Invoice_[removed].exe (a8aab9bcd389348823b77b090fb0afcc)
uszyly.vxe (707423e64a6ab41d694a9e1d8e823d292)

Screenshot: https://gs1.wac.edge...yMJg1qz4rgp.png
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Purchase Order E-mail Messages - 2013 May 22
Fake Xerox Scan Attachment E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Document Sharing E-mail Messages - 2013 May 22
Fake Facebook Voice Comment E-mail Message - 2013 May 22
Fake DHL Order Tracking Notification E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Check Return Notification E-mail Messages - 2013 May 22
Fake Picture Link E-mail Messages - 2013 May 22
Fake Money Transfer Notification E-mail Messages - 2013 May 22
Fake Invoice Statement Attachment E-mail Messages - 2013 May 22
Fake Product Order E-mail Messages - 2013 May 22
Fake Holiday Photo Sharing Request E-mail Messages - 2013 May 22
Fake Scanned Document Attachment E-mail Messages - 2013 May 22
Fake Payment Request Notification E-mail Messages - 2013 May 22
(More detail and links at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 22 May 2013 - 02:45 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#947 AplusWebMaster


Posted 23 May 2013 - 04:51 AM

FYI...

Spear-phish e-mails lead to APT
- https://atlas.arbor....dex#-1950400672
Elevated Severity
May 22, 2013
Yet another targeted attack is dissected. Password theft was one of the motivating factors in the campaign.
Analysis: Well-crafted spear-phish e-mails were sent to the victim organizations. These spear phish included exploit code for patched vulnerabilities in Microsoft Office and also delivered bait files of interest to the target. In some cases, the bait files contain exploit code and in other cases they merely serve as a distraction. This is a tried-and-true method in wide use by cybercriminals and nation-state espionage actors. Once the malware is installed, credential theft applications can be used. The document provided by Trend includes various Indicators of Compromise (IOCs) that organizations can use to help detect if they have been or are currently a victim. Additionally, domains used for malicious purposes are sometimes re-used at a later time, so keeping an eye on DNS logs and HTTP activity can help spot a new campaign re-using older infrastructure.
Source: http://www.trendmicr...eted-threat.pdf

- http://blog.trendmic...w-apt-campaign/
"... The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158*)..."
* https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH) - MS12-027

- https://www.net-secu...ews.php?id=2500
May 20, 2013 - "... Dubbed "Safe," the campaign has first been spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses spread over more than 100 countries to be connected to two sets of command-and-control (C&C) infrastructures..."
___

Fake ‘Export License/Payment Invoice’ emails lead to malware
- http://blog.webroot....ead-to-malware/
May 23, 2013 - "... just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals. More details:
Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 * ... Trojan.Win32.Inject.foiq; Trojan.Zbot.
Once executed, the sample starts listening on port 28723...
It then phones back to the following C&C servers:

We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns... As well as 78.139.187.6 ... We’re aware of more MD5s that phoned back to the same IPs over the last couple of days..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1369151297/
File name: invoice copy.exe
Detection ratio: 33/47
Analysis date: 2013-05-21
___

Fake FBI Ransomware - spikes...
- http://blog.webroot....king-worldwide/
May 23, 2013 - "Recently we have seen a spike of this ransomware in the wild as it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you -pay- to unblock your computer. Once infected, a warning similar to the one below* will take up your entire screen in such a way that you can’t get around it, thus effectively blocking you from accessing your files, programs or anything else on your computer. To further scare you into believing that you’ve been caught in illegal activity, your IP address, rough location, internet service provider, operating system and webcam image may be displayed.
* https://webrootblog....erdiv.png?w=869
To ensure maximum profits, the malware writers made sure that everyone understood their warning and payment instructions by localizing the infection around the world... there are variants of this infection that will encrypt your files so even after the infection is removed, documents, pictures and many other files on the hard drive will be inaccessible. Once the files are encrypted it can be very difficult or impossible to restore the original unencrypted versions. To avoid data loss, we strongly suggest periodically backing up your data... The infection executable may be located in the AppData, Temp, or User Profile directories and typically loads by adding itself to the Run keys or by modifying the Winlogon Shell entry. In some cases it may load using only a shortcut that’s placed in the Startup folder..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 23 May 2013 - 11:15 AM.



#948 AplusWebMaster


Posted 24 May 2013 - 08:46 AM

FYI...

Malicious UPS Spam
- http://threattrack.t...icious-ups-spam
24 May 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel [removed] )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
50.63.222.182 /GGBG2H.exe

Malicious File Name and MD5:
UPS_Label_[removed].zip (667cf9590337d47f8c23053a8b2480a1)
UPS_Label_[removed].exe (1ef1438e2f2273ddbaf543dcdbaea5b1)
73036718.exe (c7e0c3d8b14e8755d32e27051d0e6477)

ThreatAnalyzer Report: http://db.tt/gTlNJnGy

Screenshot: https://gs1.wac.edge...eaHb1qz4rgp.png
___

Bank of America Credentials Phish
- http://threattrack.t...edentials-phish
24 May 2013 - "Subjects Seen:
Bank of America alert: Your account has been locked
Typical e-mail details:
There are a number of invalid login attempts on your account. We had to believe that, there might be some security problems on your account. So we have decided to put an extra verification process to ensure your identity and your account security.
Please click here to continue the verification process and ensure your account security.


Malicious URLs
radiojetaislame .com/images/safe5


Screenshot: https://gs1.wac.edge...7cwo1qz4rgp.png
___

Fake Chase "Incoming Wire Transfer" SPAM / incoming_wire_05242013.zip
- http://blog.dynamoo....nsfer-spam.html
24 May 2013 - "This fake Chase "Incoming Wire Transfer" email has a malicious attachment...
Date: Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
From: Chase [Chase @emailinfo.chase .com]
Subject: Incoming Wire Transfer
Note: This is a service message with information related to your Chase account(s)...


Screenshot: https://lh3.ggpht.co...s1600/chase.png

The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal*. The ThreatTrack report** [pdf] and ThreatExpert report*** show various characteristics of this malware, in particular a callback to the following IPs and domains:
116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1 .com

Checksums are as follows:
MD5 f9182e5f13271cefc2695baa11926fab
SHA1 b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA256 0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d
* https://www.virustot...sis/1369405971/
File name: incoming_wire_05242013.exe
Detection ratio: 9/47
Analysis date: 2013-05-24

** http://www.dynamoo.c...baa11926fab.pdf

*** http://www.threatexp...2695baa11926fab
___

Compromised Indian gov't Web site leads to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
May 24, 2013 - "Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns...
Sample screenshot of the affected Web site:
> https://webrootblog....loit_kit_01.png
Sample compromised URLs:
hxxp ://sisijaipur .gov.in/cluster_developement.html
hxxp ://msmedijaipur .gov.in/cluster_developement.html
Detection rate for the malicious script: MD5: 44a8c0b8d281f17b7218a0fe09840ce9 * ... Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf.
Malicious domain names/redirectors reconnaissance:
888-move-stuff .com – 50.63.202.21 – Email: van2move @yahoo .com
888movestuff .com – 208.109.181.190 – Email: van2move @yahoo .com
jobbelts .com (redirector/C&C) – 98.124.198.1 – Email: aanelli @yahoo .com
More malicious domains are known to have been responding to the same IP in the past (98.124.198.1)... MD5s are also known to have phoned back to the same (redirector/C&C) IP in the past... phoning back to vnclimitedrun .in:443 (199.59.166.86). In 2012, the same IP was also seen in a malvertising campaign..."
* https://www.virustot...sis/1369337259/
File name: Indian.html
Detection ratio: 24/47
Analysis date: 2013-05-23

:ph34r: <_<

Edited by AplusWebMaster, 24 May 2013 - 11:43 AM.



#949 AplusWebMaster


Posted 27 May 2013 - 05:14 PM

FYI...

Fake Citibank SPAM / Statement 57-27-05-2013.zip
- http://blog.dynamoo....05-2013zip.html
27 May 2013 - "This fake Citibank email has a malicious attachment:
Date: Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From: Millard Hinton [leftoverss75 @gmail .com]
Subject: Merchant Statement
Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly...


The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46*. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report** [pdf] is more comprehensive, showing some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis*** is that this is a Zbot variant. For the record, these are the checksums involved:
MD5 0bbf809dc46ed5d6c9f1774b13521e72
SHA1 9a50fa08e71711d26d86f34d8179f87757a88fa8
SHA256 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
* https://www.virustot...sis/1369679734/
File name: Statement 57-27-05-2013.exe
Detection ratio: 12/47
Analysis date: 2013-05-27
** http://www.dynamoo.c...74b13521e72.pdf

*** http://www.simseer.c...9f1774b13521e72

:ph34r: <_<



#950 AplusWebMaster


Posted 28 May 2013 - 05:54 AM

FYI...

Something evil on 158.255.212.96 and 158.255.212.97
- http://blog.dynamoo....521296-and.html
28 May 2013 - "The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example* for fussball-gsv .de). These two** examples*** report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware... In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so... I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
158.255.212.96
158.255.212.97
193.102.11.3
205.178.182.1
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=2705726

** http://urlquery.net/....php?id=2705607

*** http://urlquery.net/....php?id=2515019
___

fab .com SPAM
[Via the WeAreSpammers blog]
- http://blog.dynamoo....abcom-spam.html
28 May 2013 - "I've never heard of fab .com before, but online comments are very negative*. Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab .com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab .com on 184.73.196.153 (Amazon .com, US). Avoid."
From: Fab [info@eu.fab .com]
To: donotemail @wearespammers .com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx @gmail .com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru .com
Signed by: eu.fab .com
* https://www.google.c...="fab.com" spam
___

BANKER Malware hosted in compromised Brazilian gov't sites
- http://blog.trendmic...vernment-sites/
28 May 2013 - "Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof. Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers... 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.
> http://blog.trendmic..._percountry.jpg
The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP) in the system’s temporary folder. The executable file modifies the Windows registry to lower the system’s security settings, and ultimately loads the .GIF file. The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed.
These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding, file transfers among others. The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator rights. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif...
Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game..."

:ph34r: <_<

Edited by AplusWebMaster, 28 May 2013 - 10:25 AM.



#951 AplusWebMaster


Posted 29 May 2013 - 06:00 AM

FYI...

Ruby on Rails attack installs bot ...
- http://h-online.com/-1872588
29 May 2013 - "Over the past few days, criminals have increasingly attempted to compromise servers via a security hole in the Ruby on Rails (RoR) web application framework. Successful intruders install a bot that waits for further instructions on an IRC channel. On his blog*, security expert Jeff Jarmoc reports that the criminals are trying to exploit one of the vulnerabilities described by CVE-2013-0156**. Although the holes were closed back in January, more than enough servers on the net are probably still running an obsolete version of Ruby... The bot appears in the process list as "– bash". When launched, it also creates a file called /tmp/tan.pid to ensure that only one instance of the bot will be executed. Those who run a server with Ruby on Rails should always make sure to have the current RoR version installed. The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18."
* http://jarmoc.com/bl...56-in-the-wild/
"... Exploit activity is reportedly sourcing from * 88.198.20.247 * 95.138.186.181 * 188.190.126.105..."

** https://web.nvd.nist...d=CVE-2013-0156 - 7.5 (HIGH)

*** http://rubyonrails.org/download

- http://weblog.rubyon...s.org/releases/

- http://atlas.arbor.n...ndex#-789014484
Elevated Severity
May 30, 2013 - "... Monitoring for outbound connections to IRC ports on cvv4you .ru, 188.190.124.120, 188.190.124.81 is recommended to find compromised systems that may still be at risk..."
___

Fake Citibank emails serve malware ...
- http://blog.webroot....-serve-malware/
May 29, 2013 - "Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement‘ themed campaign, resumed operations, and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....ent_malware.png
Detection rate for the malicious executable – MD5: 0bbf809dc46ed5d6c9f1774b13521e72 * ... Trojan-Spy.Win32.Zbot.lvpo.
Once executed, the sample starts listening on port 12674. It then drops the following MD5s on the affected hosts:
MD5: 6044cc337b5dbf82f8746251a13f0bb2
MD5: d20d915dbdcb0cca634810744b668c70
MD5: 758498d6b275e58e3c83494ad6080ac2 ...
It then phones back to the following C&C servers:
..."
(More details at the webroot URL above.)
* https://www.virustot...06400/analysis/
File name: Statement 57-27-05-2013.exe
Detection ratio: 32/47
Analysis date: 2013-05-29
___

University of Illinois CS department compromised
- http://blog.dynamoo....department.html
29 May 2013 - "There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24 range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc .edu, croft.cs.illinois .edu, tsvi-pc.cs.uiuc .edu, mirco.cs.uiuc .edu, ytu-laptop.cs.uiuc .edu, node3-3105.cs.uiuc .edu and they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):
..."

(More domains listed at the dynamoo URL above.)

Update: the University says that this was a single machine on the network which has now been cleaned up.
___

Malware sites to block 29/5/13
- http://blog.dynamoo....lock-29513.html
29 May 2013 - "These domains and IP addresses are connected to this malware spam run* and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian). It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist of IPs for copy-and-pasting... You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm...
Recommended IP blocklist:
..."
(More detail at the dynamoo URL above.)
* http://blog.dynamoo....t-unioncom.html
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 29
Malicious Personal Pictures Attachment E-mail Messages - 2013 May 29
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 29
Fake Invoice Statement Attachment E-mail Messages - 2013 May 29
Fake Sample Product Offering E-mail Messages - 2013 May 29
Fake Bank Account Statement E-mail Messages - 2013 May 29
Fake Order Invoice Notification E-mail Messages - 2013 May 29
Fake Billing Statement E-mail Messages - 2013 May 29
Fake Credit Card Fraud Alert E-mail Messages - 2013 May 29
Fake Bank Deposit Notification E-mail Messages - 2013 May 29
Fake Payment Transfer Notification E-mail Messages - 2013 May 29
Fake Purchase Order Request E-mail Messages - 2013 May 29
Fake Product Quote Inquiry E-mail Messages - 2013 May 29
(Links with more detail available at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 02 June 2013 - 01:15 PM.

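A host-side check for the indicators in the H-Online and Arbor items above, written as an added example (not from the forum post or the articles it quotes): it looks for the /tmp/tan.pid lock file and a process listed as "- bash", and compares an installed Rails version against the current branch releases the article names. The script name and function names are my own; the outbound IRC monitoring Arbor recommends is a network-side check and is not covered here.

```shell
#!/bin/sh
# ror_bot_check.sh (added example, hypothetical name). Host checks for the
# CVE-2013-0156 IRC bot described in the H-Online / Jarmoc write-ups above.
# Indicators used are exactly those quoted in the post: a process shown as
# "- bash" and the lock file /tmp/tan.pid. Branch versions are the "current"
# releases the article lists (3.2.13, 3.1.12, 2.3.18).

# Return 0 if a Rails version is at or above the current release of its branch,
# 1 if it is older, 2 if the branch is not one of the three maintained ones
# (treat 2 as "needs review": an unmaintained branch gets no fixes at all).
rails_branch_current() {
    ver="$1"
    branch="${ver%.*}"          # "3.2.12" -> "3.2"
    patch="${ver##*.}"          # "3.2.12" -> "12"
    case "$branch" in
        3.2) want=13 ;;
        3.1) want=12 ;;
        2.3) want=18 ;;
        *)   return 2 ;;
    esac
    # the patch level must be numeric before it can be compared
    case "$patch" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$patch" -ge "$want" ] && return 0
    return 1
}

# Print the PIDs of processes whose full command line is exactly "- bash"
# (hyphen, space, bash; the en dash form shown in the article also matches).
# Reads "ps -eo pid=,args=" output from stdin so a saved capture works too.
# A legitimate login shell shows as "-bash" with NO space and must not match.
find_bot_processes() {
    while read -r pid args; do
        case "$args" in
            "- bash"|"– bash") echo "$pid" ;;
        esac
    done
}

# Return 0 if the bot's single-instance lock file exists (path overridable).
bot_pidfile_present() {
    [ -e "${1:-/tmp/tan.pid}" ]
}

# Run all checks on this host; returns 1 if anything looks wrong, else 0.
run_host_check() {
    rc=0
    if bot_pidfile_present; then
        echo "WARN: /tmp/tan.pid present (bot lock file)"
        rc=1
    fi
    pids=$(ps -eo pid=,args= | find_bot_processes)
    if [ -n "$pids" ]; then
        echo "WARN: process(es) named '- bash':" $pids
        rc=1
    fi
    if command -v rails >/dev/null 2>&1; then
        v=$(rails -v 2>/dev/null | awk '{print $2}')   # "Rails 3.2.12" -> "3.2.12"
        rails_branch_current "$v"
        case $? in
            0) echo "OK: Rails $v is a current branch release" ;;
            1) echo "WARN: Rails $v is older than the current release"; rc=1 ;;
            *) echo "WARN: Rails $v is on an unmaintained or unknown branch"; rc=1 ;;
        esac
    fi
    return $rc
}

# Only run the checks when invoked as:  sh ror_bot_check.sh --run
case "${1:-}" in
    --run) run_host_check ;;
esac
```

A clean host returns 0 and prints nothing unless Rails is installed; any warning means the box needs a closer look rather than just a Rails upgrade.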


#952 AplusWebMaster


Posted 30 May 2013 - 03:27 PM

FYI...

Fake ADP Funding Notification - Debit Draft
- http://threattrack.t...ion-debit-draft
May 30, 2013 - "Subjects Seen:
ADP Funding Notification - Debit Draft
ADP Invoice Reminder

Typical e-mail details:
Your Transaction Report(s) have been uploaded to the web site:
https :/ /www.flexdirect. adp .com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services


Malicious URLs


Screenshot: https://gs1.wac.edge...1bxv1qz4rgp.png
___

Fake ADP SPAM / 4rentconnecticut .com and 174.140.171.233
- http://blog.dynamoo....cutcom-and.html
30 May 2013 - "These fake ADP spams lead to malware on 4rentconnecticut .com:
Date: Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
Subject: ADP Funding Notification - Debit Draft
Your Transaction Report(s) have been uploaded to the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
====================
Date: Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
From: ADP Inc [ADP_FSA_Services @ADP .com]
Subject: ADP Invoice Reminder
Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
Total amount due by May 31, 2013
$26062.29
If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
Questions about your bill?
Contact David Nieto by Secure Mail.
Note: This is an automated email. Please do not reply.


The link in the email goes to a legitimate -hacked- site and then tries to load three different scripts, currently:
[donotclick]kalimat.egyta .com/swearer/titan.js
[donotclick]www.asitecsrl .com/servicemen/ethic.js
[donotclick]www.mbbd .it/dzerzhinsky/bewilders.js
From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut .com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server* and VirusTotal also reports several malicious URLs**. It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate against this problem..."
* http://urlquery.net/...1...5-30&max=50
** https://www.virustot...33/information/
___

Fake NewEgg .com SPAM / 174.140.171.233
- http://blog.dynamoo....4140171233.html
30 May 2013 - "This fake NewEgg.com spam leads to malware on 174.140.171.233:
Date: Thu, 30 May 2013 16:06:12 +0000 [12:06:12 EDT]
From: Newegg [info @newegg .com]
Subject: Newegg.com - Payment Charged...


Screenshot: https://lh3.ggpht.co...600/newegg2.png

The malicious payload is any one of a number of domains hosted on 174.140.171.233 which is also being used in this attack*. Blocking the IP is the easiest way to protect against the malicious sites hosted on that server."
* http://blog.dynamoo....cutcom-and.html
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Report Summary E-mail Messages - 2013 May 30
Fake Scanned Document Attachment E-mail Messages - 2013 May 30
Fake Contract Document Information E-mail Messages - 2013 May 30
Fake Product Supply Quote E-mail Messages - 2013 May 30
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 30
Malicious Attachment E-mail Messages - 2013 May 30
Fake Business Complaint Notification E-mail Messages - 2013 May 30
Fake Payroll Report E-mail Messages - 2013 May 30
Fake Product Supply Request E-mail Messages - 2013 May 30
(Links and more detail at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 30 May 2013 - 05:07 PM.



#953 AplusWebMaster


Posted 31 May 2013 - 04:53 AM

FYI...

Fake Vodafone SPAM serving malware in the wild ...
- http://blog.webroot....ng-in-the-wild/
May 31, 2013 - "We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K., in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal...
Detection rate for the malicious executable – MD5: 4e148480749937acef8a7d9bc0b3c8b5 * ... VirTool:Win32/Obfuscator.ACP; Backdoor.Win32.Androm.sed.
Once executed, the sample creates an Alternate Data Stream (ADS) –
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe:Zone.Identifier, as well as installs itself at Windows startup.
It then creates the following files on the affected hosts:
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe
C:\DOCUME~1\User\LOCALS~1\Temp\IMG.JPEG.exe
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\wbem\wbemdisp.TLB ...
It then phones back to the following C&C server:
hxxp ://85.143.166.158 /fexco/com/index.php ..."
* https://www.virustot...38678/analysis/
File name: IMG 9857648740.JPEG.exe
Detection ratio: 29/47
Analysis date: 2013-05-29

- http://centralops.ne...ainDossier.aspx
85.143.166.158
canonical name webcluster.oversun.clodo .ru.
addresses 62.76.181.230 * 62.76.181.229
inetnum: 85.143.164.0 - 85.143.167.255
descr: 192012, St.Petersburg
country: RU
___

Medfos sites to block 31/5/13
- http://blog.dynamoo....lock-31513.html
31 May 2013 - "The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans* (this** one*** in particular):
84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152
...
The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here****."
* http://www.microsoft.....=Win32/Medfos

** https://www.virustot...fb399/analysis/

*** http://www.threatexp...921cabf331d1e39

**** http://pastebin.com/L9UuMAC7
___

USSR old domain name attracts cybercriminals
- https://www.nytimes....cker-haven.html
May 31, 2013 AP - "... the .su Internet suffix assigned to the USSR in 1990 has turned into a haven for hackers who've flocked to the defunct superpower's domain space to send spam and steal money... other obscure areas of the Internet, such as the .tk domain associated with the South Pacific territory of Tokelau, have been used by opportunistic hackers... The most notorious site was Exposed .su, which purportedly published credit records belonging to President Barack Obama's wife, Michelle, Republican presidential challengers Mitt Romney and Donald Trump, and celebrities including Britney Spears, Jay Z, Beyonce and Tiger Woods. The site is now defunct. Other Soviet sites are used to control botnets — the name given to the networks of hijacked computers used by criminals to empty bank accounts, crank out spam, or launch attacks against rival websites. Internet hosting companies generally eliminate such sites as soon as they're identified. But Swiss security researcher Roman Huessy, whose abuse.ch blog* tracks botnet control sites, said hackers based in Soviet cyberspace can operate with impunity for months at a time. Asked for examples, he rattled off a series of sites actively involved in ransacking bank accounts or holding hard drives hostage in return for ransom — brazenly working in the online equivalent of broad daylight..."

* https://www.abuse.ch/?p=3581

:ph34r: <_<

Edited by AplusWebMaster, 31 May 2013 - 10:03 AM.



#954 AplusWebMaster


Posted 01 June 2013 - 06:16 AM

FYI...

NACHA .ZIP file attachment spam
- http://threattrack.t...attachment-spam
June 1, 2013 - "Subjects Seen:
ACH Payment rejected: #<uniq_id>
Typical e-mail details:
Ach payment canceled Transaction ID: #[removed] The ACH transaction, recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.
Transaction Status: Rejected Transaction ID: [uniq number removed]
Amount : $
To view more details for this transaction , please check the attached file .
NACHA works to maintain the privacy of any personally identifiable information (name, mailing address, e-mail address, etc.) that may be collected though our Web site. This Web site has security measures in place; however, NACHA does not represent, warrant or guarantee that personal information will be protected against unauthorized access, loss, misuse or alterations. Similarly, NACHA disclaims liability for personal information submitted through this Web site. Users are hereby advised that they submit such personal information at their own risk.
Thank you,
13450 Sunrise Valley Drive
Suite 100 Herndon
VA 20171
© 2013 NACHA - The Electronic Payments Association


Malicious URLs
Spam contains a malicious attachment.


Screenshot: https://gs1.wac.edge...IWMy1qz4rgp.png
___

iOS7 announcement prompts themed ransomware kits
- http://community.web...mware-kits.aspx
May 31, 2013 - "... phishing domain related to the imminent release of the Apple iOS7 Operating System. As gossips circulate news in the wild about iOS7 after the D11 conference... cybercriminals are setting up a foundation for phishing and malicious activities...
ios7news .net - 85.25.20.153 **
> http://community.web...40.sshto004.PNG
... As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar police enforcement pictures, based on the country of the potential victims. For example, in the following page the fake FBI Cyber Squad Investigation team is bound with a binary file that has been uploaded:
> http://community.web...41.sshto003.PNG
... we noticed that the AutoIT tool was used to package the malware. This conforms to the current trend of packaging malware to make detection more difficult. We continued our investigation by gathering some telemetry about the IP address that hosts this domain (ios7news .net). From what we discovered, it seems that this IP address is also used for other phishing domains... The domain "hxxp ://gamingdaily .us" is most likely a phishing domain for a gaming news website that is also used to host the exploit kit BleedingLife*... both IT news and rumors could be used by the attackers to leverage people's curiosity, as was done here. In this case, we can suppose (due to details such as the open directory access) that the attackers are going to use and configure that domain for malicious activities based on ransomware."
* http://community.web...xploit-kit.aspx
"... The Bleeding Life exploit kit uses exploits which can bypass ASLR and DEP, which means this product could be used successfully against Windows 7 and Windows Vista operating systems..."

** https://www.google.c...ic?site=AS:8972

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 01 June 2013 - 07:23 AM.



#955 AplusWebMaster


Posted 03 June 2013 - 09:33 AM

FYI...

Malicious photo attachment Spam
- http://threattrack.t...attachment-spam
June 3, 2013 - "Subjects Seen:
Check the attachment you have to react somehow to this picture
Typical e-mail details:
Hi there ,
I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??


Malicious File Name and MD5:
IMG[removed].zip (724bb53c12ebeb9df3e8525c6e1f9052)
ThreatAnalyzer Report: http://www.threattra...x-software.aspx
- http://db.tt/2ZLJo3Wq [PDF]

Screenshot: https://gs1.wac.edge...K1JB1qz4rgp.png
___

Fiserv Secure Email Notification Spam
- http://threattrack.t...tification-spam
June 3, 2013 - "Subjects Seen:
Fiserv Secure Email Notification - [removed]
Typical e-mail details:
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_[removed].zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - [removed]
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile @res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly...


Malicious URLs


Screenshot: https://gs1.wac.edge...rqkk1qz4rgp.png

- http://blog.dynamoo....ation-spam.html
3 Jun 2013 - "This spam email contains an encrypted ZIP file with password-protected malware.
Date: Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From: Fiserv Secure Notification [secure.notification @fiserv .com]
Subject: Fiserv Secure Email Notification - IZCO4O4VUHV83W1
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - Iu1JsoKaQ
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly.


Of course, it would be supremely pointless password protecting a document and then including the password in the email! The file has been password protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ which in turn leads to a file called SecureMessage_06032013.exe (note the date is included in that filename). At the moment the VirusTotal detection rate is a so-so 16/47*. The ThreatTrack analysis** identifies some locations that the malware phones home to:
..."
* https://www.virustot...sis/1370289657/
File name: SecureMessage_06032013.exe
Detection ratio: 16/47
Analysis date: 2013-06-03
** http://www.dynamoo.c...f3135add304.pdf
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Secure Message Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Product Order E-mail Messages - 2013 Jun 03
Fake Bank Transfer Notification E-mail Messages - 2013 Jun 03
Fake Customer Complaint Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Order Invoice Notification E-mail Messages - 2013 Jun 03
Fake Payment Confirmation Notification E-mail Messages - 2013 Jun 03
Malicious Attachment E-mail Messages - 2013 Jun 03
Fake Remittance Slip with Invalid Digital Signature E-mail Messages - 2013 Jun 03
Fake Scanned Document Attachment E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Product Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Personal Photos Sharing E-mail Messages - 2013 Jun 03
Fake Purchase Order Request E-mail Messages - 2013 Jun 03
Fake Online Dating Proposal E-mail Messages - 2013 Jun 03
Fake Product Order Quotation E-mail Messages - 2013 Jun 03
Fake Processes and Subpoenas Notification E-mail Messages - 2013 Jun 03
(More detail and links available at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 03 June 2013 - 07:47 PM.

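One way a mail gateway could catch the pattern dynamoo describes above (an encrypted ZIP whose password sits in the same message, wrapping a date-stamped .exe), as an added example that is not code from the post or from the blogs it quotes; the message and archive are constructed, and the sender domain is a placeholder:

```python
"""Gateway-side check for the evasion pattern the Fiserv write-up describes:
an encrypted ZIP attachment whose password is given in the same message,
wrapping a date-stamped executable. Added example, not code from the post or
the blogs it quotes; the message and ZIP below are constructed, and the
archive is built by hand so the encryption flag can be set without a real
payload (zipfile cannot write encrypted archives)."""
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Inner file types that have no business arriving inside a "secure message".
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs")
# Body phrasings that hand the recipient the archive password.
PASSWORD_RE = re.compile(r"password\s*(?:is|-|:)\s*([^\s.,]+)", re.IGNORECASE)
# Date-stamped inner names such as SecureMessage_06032013.exe (MMDDYYYY).
DATE_RE = re.compile(r"_(\d{8})\.[A-Za-z0-9]{2,4}$")
# Body text taken from the spam quoted in the post above.
SPAM_BODY = ("You have received a secure message\n"
             "Read your secure message by opening the attachment, "
             "SecureMessage_IZCO4O4VUHV83W1.zip.\n"
             "To decrypt the message use the following password - Iu1JsoKaQ\n")


def build_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """One-entry stored ZIP. encrypted=True sets general-purpose flag bit 0,
    which is what a scanner keys on; the bytes are not actually enciphered.
    Entry names stay in clear text in the central directory either way."""
    flags = 1 if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    fname = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, len(data), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def zip_entries(blob: bytes):
    """Walk the central directory and yield (entry name, encrypted flag)."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        return
    count, _cd_size, pos = struct.unpack_from("<HII", blob, eocd + 10)
    for _ in range(count):
        if blob[pos:pos + 4] != b"PK\x01\x02":
            return
        flags = struct.unpack_from("<H", blob, pos + 8)[0]
        name_len, extra_len, cmt_len = struct.unpack_from("<HHH", blob, pos + 28)
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, bool(flags & 0x1)
        pos += 46 + name_len + extra_len + cmt_len


def make_message(body: str, inner_name: str, encrypted: bool) -> bytes:
    """Constructed test message carrying one ZIP attachment (placeholder sender)."""
    msg = EmailMessage()
    msg["From"] = "Fiserv Secure Notification <secure.notification@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Fiserv Secure Email Notification - IZCO4O4VUHV83W1"
    msg.set_content(body)
    archive = build_zip(inner_name, b"MZ" + b"\x00" * 30, encrypted)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="SecureMessage_IZCO4O4VUHV83W1.zip")
    return msg.as_bytes()


def analyse(raw: bytes) -> dict:
    """What a mail gateway would log for one message, plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    hit = PASSWORD_RE.search(body.get_content() if body is not None else "")
    f = {"password_in_body": hit.group(1) if hit else None,
         "encrypted_zip": False, "risky_inner": [], "date_stamped": []}
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        for name, enc in zip_entries(part.get_payload(decode=True)):
            f["encrypted_zip"] = f["encrypted_zip"] or enc
            if name.lower().endswith(RISKY_SUFFIXES):
                f["risky_inner"].append(name)
            if DATE_RE.search(name):
                f["date_stamped"].append(name)
    # Password in the body plus an encrypted archive is the evasion pattern;
    # an executable inside it removes any benign reading.
    if f["encrypted_zip"] and f["password_in_body"] and f["risky_inner"]:
        f["verdict"] = "quarantine"
    elif f["encrypted_zip"] and f["password_in_body"]:
        f["verdict"] = "hold for review"
    else:
        f["verdict"] = "deliver"
    return f


if __name__ == "__main__":
    for key, value in analyse(make_message(SPAM_BODY, "SecureMessage_06032013.exe", True)).items():
        print(f"{key}: {value}")
```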



#956 AplusWebMaster


Posted 05 June 2013 - 08:04 AM

FYI...

Fake Xerox WorkCentre Attachment Spam
- http://threattrack.t...attachment-spam
June 5, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Reply to: Xerox.WorkCentre @[removed]
Device Name: Not Set
Device Model: XEROX-2178N
Location: Not Set
File Format: PDF (Medium)
File Name: Xerox_Scan_06-04-2013-466.zip
Resolution: 200dpi x 200dpi
Attached file is scanned image in PDF format.


Malicious URLs


Malicious File Name and MD5:
Xerox_Scan_06-04-2013-[removed].zip (e45db46d63330f20ef8c381f6c0d8f1a)
Xerox_Scan_06-04-2013-[removed].exe (7e4b3aca9a2a86022d50110d5d9498e2)
fmy.exe (c3c103ebb3ce065b8b62b08fba40483f)

ThreatAnalyzer Report: http://db.tt/yJoSwFM8 [PDF]
199.168.184.198, 82.165.79.64, 69.163.187.171, 216.172.167.17

Screenshot: https://gs1.wac.edge...58Hw1qz4rgp.png
___

Don't like clicking when you don't know where you're going?
- http://urlxray.com/
Find out where shortened URLs lead to without clicking on them
Enter any shortened URL...
___

More Champions Club Community SPAM
- http://blog.dynamoo....unity-spam.html
5 June 2013 - "... the originating IP is 217.174.248.194 [web1-opp2.champions-bounce .co.uk] (Fasthosts, UK). Spamvertised domains are champions.onlineprintproofing .co.uk also on 217.174.248.194 and championsclubcommunity .com on 109.203.113.124 (Eukhost, UK). Give these spammers a wide berth..."
- http://blog.dynamoo....-community.html
___

Backdoor Wipes MBR, Locks Screen
- http://blog.trendmic...r-locks-screen/
June 5, 2013 - "German users are at risk of having their systems rendered unusable by a malware that we’re seeing being sent via spam messages. This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea. We recently uncovered this noteworthy backdoor as an attached file in certain spam variants. The spam sample we found is in German and forces recipients to pay for a certain debt, the details of which are contained in the attachment. Those who open the attachment are actually tricked into executing the malware, in this instance, a backdoor.
> http://blog.trendmic...tached-file.jpg
Like any backdoor, BKDR_MATSNU.MCB performs certain malicious commands, which include gathering machine-related information and sending it to its command-and-control (C&C) server. However, the backdoor’s most noteworthy feature is its capability to wipe the Master Boot Record (MBR). The wiping of the MBR was recently used in the high-profile (but different) attack against certain South Korean institutions. What makes this routine problematic is that once done, infected systems won’t reboot normally and will leave users with unusable machines. Another command is the backdoor’s capability to lock and unlock a screen. This locking of the screen is definitely a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays for the “ransom”. Ransomware is a malware that locks an infected system’s screen and displays a message, which instructs users to pay for a “ransom” thru certain payment methods... During our testing, BKDR_MATSNU.MCB readily performed the MBR wiping routine. The remote malicious user (via the server) only needs to communicate this command to the backdoor and it can execute this routine immediately. However, this is not the case with the screen locking. BKDR_MATSNU.MCB is likely to download a different module onto the system, which will then lock the screen. As to what routines will be first executed or not is dependent on the remote malicious user. Attackers may opt to lock the screen first then initiate the MBR overwriting or just initiate any of the two. Another possible scenario is that another version of BKDR_MATSNU is integrated with the screen blocking routine, which will make the screen locking command easier to execute... For better protection, users should always be cautious of the email they receive and must not readily open any attachments. If your system is already infected, it is a safer bet to not pay for the “ransom”, as paying does not guarantee anything..."

:ph34r: <_<

Edited by AplusWebMaster, 05 June 2013 - 11:26 AM.



#957 AplusWebMaster


Posted 06 June 2013 - 09:54 AM

FYI...

Fake Innex, Inc SPAM
- http://blog.dynamoo....-fake-spam.html
6 June 2013 - "Innex, Inc is a real company. This spam email message is -not- from Innex, Inc.
From: PURCHASING DEPARTMENT [fdmelo @fucsalud .edu.co]
To:
Reply-To: pinky .yu@chanqtjer .com.tw
Date: 6 June 2013 08:55
Subject: Innex, Inc.
Sir/Madam,
Our Company is interested in your product, that we saw in trading site,
Your early reply is very necessary for further detail specification immediately you receive our email.
Regards
Purchasing manager,
Mr James Vincent ...


Innex is based in California in the US, but the email appears to be from a university in Colombia and solicits replies to an email address in Taiwan. Note as well that the email is very vague about the "product" they are interested in, and the To: field is blank as the recipient list has been suppressed (i.e. it is being sent to multiple recipients). Avoid."
___

rxlogs .net: spam or Joe Job?
- http://blog.dynamoo....or-joe-job.html
6 June 2013 - "I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job**?
Date: Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From: Admin [whisis101 @gmail .com]
Reply-To: ec2-abuse @amazon .com
facebook
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team


Screenshot: https://lh3.ggpht.co...1600/rxlogs.png

The link in the emails goes to multiple pages on rxlogs .net which as far as I can tell is -not- malware*, but is a blog about online pharmacies. But is it spam? Well, let's dig a little deeper.. Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous additional headers.. The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been -faked- in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs .net is hosted on 107.20.147.122 which is an Amazon IP... I believe this is a Joe Job and not a "genuine" spam run, and rxlogs .net is simply another victim of the bad guys."
* http://urlquery.net/....php?id=2919241
Source IP: 94.102.48.224 - Known RBN IP

** http://searchsecurit...inition/Joe-job
___

Fake NatPay SPAM / usforclosedhomes .net
- http://blog.dynamoo....ation-spam.html
6 Jun 2013 - "This fake NatPay spam leads to malware on usforclosedhomes .net.
Version 1:
Date: Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From: National Payment Automated Reports System [dunks @services .natpaymail .net]
Subject: Transmission Confirmation ~26306682~N25BHHL1~
Transmission Verification
Contact Us
To:
NPC Account # 26306682
Xavier Reed
Re:
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
Batch Number 408
Batch Description VENDOR PAY
Number of Dollar Entries 2
Number of Prenotes 0
Total Deposit Amount $3,848.19
Total Withdraw Amount $3,848.19
Batch Confirmation Number 50983
Date Transmitted Thursday, June 06, 2013 ...
---
Version 2:
Date: Thu, 6 Jun 2013 09:59:06 -0500
From: National Payment Automated Reports System [lemuel @emalsrv.natpaymail .com]
Subject: Transmission Confirmation ~10968697~607MPYRC~
Transmission Verification
Contact Us
To: NPC Account # 10968697
Benjamin Turner
Re: NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.
Batch Number 219
Batch Description VENDOR PAY
Number of Dollar Entries 2
Number of Prenotes 0
Total Deposit Amount $2,549.12
Total Withdraw Amount $2,549.12
Batch Confirmation Number 24035 ...


The malicious payload is on [donotclick]usforclosedhomes .net/news/walls_autumns-serial.php (report here*) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)
The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.
..."
* http://urlquery.net/....php?id=2926577
___

USPS Package Pickup Spam
- http://threattrack.t...age-pickup-spam
June 6, 2013 - "Subjects Seen:
USPS - Your package is available for pickup ( Parcel [removed])
Typical e-mail details:
We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: [removed]
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office...


Malicious URLs


Screenshot: https://gs1.wac.edge...VIUE1qz4rgp.png
___

Global $200M credit card hacking ring busted
- http://www.reuters.c...E95419G20130605
Jun 5, 2013 - "Eleven people in the United States, the UK and Vietnam have been arrested and accused of running a $200 million worldwide credit card fraud ring, U.S. and UK law enforcement officials said... Federal prosecutors in New Jersey said they had filed charges against a 23-year-old man from Vietnam... authorities in Vietnam had arrested Duy Hai Truong on May 29 in an effort to break up a ring he is accused of running with co-conspirators, who were not named in the statement... The arrests come as law enforcement officials around the world are cracking down on Internet-related heists. Two weeks ago, authorities raided Liberty Reserve, a Costa Rica-based company that provided a virtual currency system used frequently by criminals to move money around the world without using the traditional banking system. Earlier last month, authorities arrested seven people involved in a $45 million heist in which hackers removed limits on prepaid debit cards and used ATM withdrawals to drain cash from two Middle Eastern banks... the charges were filed in New Jersey's federal court because some of the victims of the scheme are residents of the state. Prosecutors claim Truong and accomplices stole information related to more than a million credit cards and resold it to criminal customers... According to the complaint, Truong hacked into websites that sold goods and services over the Internet and collected personal credit card information from the sites' customers. "The victims' credit cards incurred, cumulatively, more than $200 million in fraudulent charges," the complaint said..."
- http://www.soca.gov....minal-web-forum

:ph34r: <_<

Edited by AplusWebMaster, 06 June 2013 - 02:08 PM.



#958 AplusWebMaster


Posted 07 June 2013 - 08:29 AM

FYI...

Malware sites to block 7/6/13
- http://blog.dynamoo....block-7613.html
7 June 2013 - "Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which hosts some domains that are also found here** (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:
faggyppvers5 .info
finger2 .climaoluhip.org
linkstoads .net
node1.hostingstatics .org
node2.hostingstatics .org
Injecting some of the same sites as the domains on the above IPs is jstoredirect .net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect .net was online it managed to infect over 1500 sites*.
Aggregate blocklist:
..."
* http://www.google.co...storedirect.net

** http://blog.dynamoo....521296-and.html
___

Fake USPS SPAM / USPS_Label_861337597092.zip
- http://blog.dynamoo....7597092zip.html
6 June 2013 - "This fake USPS spam contains a malicious attachment:
Date: Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
From: USPS Express Services [service-notification @usps .com]
Subject: USPS - Your package is available for pickup ( Parcel 861337597092 )
Postal Notification,
We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: 861337597092
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.
*** This is an automatically generated email, please do not reply ...


There is an attachment called USPS_Label_861337597092.zip which in turn contains a malicious executable file USPS_Label_06062013.exe (note the date is encoded into the filename). VirusTotal results for this are 18/47*. The Comodo CAMAS report** shows an attempt to download more components from michaelscigarbar .net on 184.95.37.109 (Jolly Works Hosting, Philippines.. rented from Secured Servers in the US). URLquery shows a very large amount of malware activity on that IP, mostly apparently running on legitimate -hacked- domains. You should probably treat all of the following domains as hostile:
..."

* https://www.virustot...sis/1370549956/
File name: USPS_Label_06062013.exe
Detection ratio: 18/47
Analysis date: 2013-06-06
** http://camas.comodo....fb2b4cf553ab695

*** http://urlquery.net/...7...6-06&max=50
___

Better Business Bureau Complaint Spam
- http://threattrack.t...-compliant-spam
7 June 2013 - "Subjects Seen:
BBB Appeal [removed]
Typical e-mail details:
The Better Business Bureau has been booked the above mentioned grievance from one of your users in respect to their dealings with you. The detailed description of the consumer’s trouble are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
We graciously ask you to overview the CLAIM REPORT to answer on this plaint.
We awaits to your prompt answer.
WBR
Ryan Myers
Dispute Advisor


Malicious URLs
amapi .com .br/bbb.html
pnpnews .net/news/readers-sections.php?hvv=rvjzzloo&jnjpe=thpe
pnpnews .net/news/readers-sections.php?yf=1i:1f:32:33:2v&re=1n:2w:1n:1g:30:1f:1o:1n:1i:2v&u=1f&br=b&sd=c&jopa=5698723


Screenshot: https://gs1.wac.edge...rpWf1qz4rgp.png

- http://blog.dynamoo....pnpnewsnet.html
7 June 2013 - "This fake BBB spam leads to malware on pnpnews .net:
From: Better Business Bureau [mailto:standoffzwk68 @clients.bbb .com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486
Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
We awaits to your prompt answer.
Faithfully yours
Jonathan Edwards
Dispute Advisor
Better Business Bureau ...


Screenshot: https://lh3.ggpht.co...iQ/s400/bbb.png

The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews .net/news/readers-sections.php (report here*) hosted on:
46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago
..."
* http://urlquery.net/....php?id=2944992
... Detected BlackHole v2.0 exploit kit URL pattern ...
___

Fake American Express PAYVE Remit Spam
- http://threattrack.t...ayve-remit-spam
June 7, 2013 - "Subjects Seen:
PAYVE - Remit file
Typical e-mail details:
A payment(s) to your company has been processed through the American Express Payment Network.
The remittance details for the payment(s) are attached ([removed].zip).
- The remittance file contains invoice information passed by your buyer. Please contact your buyer for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account according to the terms of your American Express merchant agreement and may be combined with other American Express deposits. For additional information about Deposits, Fees, or your American Express merchant agreement:
Contact American Express Merchant Services at 1-800-528-0933 Monday to Friday, 8:00 AM to 8:00 PM ET.
- You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services. If you are not enrolled in My Merchant Account/OMS, you can do so at americanexpress .com/mymerchantaccount or call us at 1-866-220-7374, Monday - Friday between 9:00 AM-7:30 PM ET, and we’ll be glad to help you.
For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express...




Screenshot: https://gs1.wac.edge...Pc6a1qz4rgp.png

- http://blog.dynamoo....-file-spam.html
7 June 2013 - "This fake American Express Payment Network spam has a malicious attachment.
Date: Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From: "PAYVESUPPORT @AEXP .COM" [PAYVESUPPORT @AEXP .COM]
Subject: PAYVE - Remit file ...


Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46* anti-virus scanners detect it.
The Comodo CAMAS report*** gives some details about the malware, including the following checksums:
MD5 fd18576bd4cf1baa8178ff4a2bef0849
SHA1 8b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256 f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875
The malware attempts to download further components from storeyourbox .com on 97.107.137.239 (Linode, US) which looks like a legitimate server that has been -badly- compromised**. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:
"
* https://www.virustot...sis/1370627576/
File name: CD06072013.239871839.exe
Detection ratio: 8/46
Analysis date: 2013-06-07
** https://www.virustot...39/information/

*** http://camas.comodo....5bb33d5e27d6875

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 07 June 2013 - 01:00 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#959 AplusWebMaster

Posted 10 June 2013 - 01:50 PM

FYI...

Fake Wells Fargo - attachment Spam
- http://threattrack.t...attachment-spam
June 19, 2013 - "Subjects Seen:
IMPORTANT - WellsFargo
Typical e-mail details:
Please check attached documents.
Michael_Kane
Wells Fargo Advisors
817-563-5247 office
817-368-5170 cell [removed]
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at wellsfargoadvisors.com/unsubscribe.
Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit wellsfargoadvisors.com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103




Malicious File Name and MD5:
WellsFargo.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
Important WellsFargo Docs.exe (47e739106c24fbf52ed3b8fd01dc3668)

Screenshot: https://gs1.wac.edge...L1ca1qz4rgp.png

- http://blog.dynamoo....wellsfargo.html
10 June 2013 - "This fake Wells Fargo spam run comes with one of two malicious attachments:
Date: Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From: Anthony_Starr @wellsfargo .com
Subject: IMPORTANT - WellsFargo
Please check attached documents.
Anthony_Starr
Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell Anthony_Starr@wellsfargo.com
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
· An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
e-mails and type “Unsubscribe” in the subject line.
· Wells Fargo and its affiliates: Unsubscribe at
www.wellsfargoadvisors.com/unsubscribe. Neither of these actions will affect delivery of
important service messages regarding your accounts that we may need to send you or
preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit
http ://wellsfargoadvisors .com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient.. but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be -two- variants.
One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47* (yup.. none at all). The Comodo CAMAS report** gives the following checksums..
Name Value
Size 94720
MD5 70e604777a66980bcc751dcb00eafee5
SHA1 52ef61b6296f21a3e14ae35320654ffe3f4e769d
SHA256 f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae
..it identifies that this version of the malware attempts to download additional components from mceneryfinancial .com on 173.255.213.171 (specifically it is a pony downloader querying /ponyb/gate.php)... ThreatTrack has a more detailed report*** which also identifies callbacks to www.errezeta .biz and ftp.myfxpips .com. ThreatExpert has a slightly different report (1) and further identifies megmcenery .com, taxfreeincomenow .com, taxfreeincomenow .info and 207.204.5.170 (Linode, US). The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46 (2). Comodo CAMAS reports(3) the following file characteristics..
Name Value
Size 114176
MD5 47e739106c24fbf52ed3b8fd01dc3668
SHA1 b85b4295d23c912f9446a81fd605576803a29e53
SHA256 2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b
..in this case the pony download contacts hraforbiz .com (also on 173.255.213.171). Other analyses are pending. Several of these malware domains are hosted on 173.255.213.171 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 62.149.131.162 (Aruba, Italy) also seems to be compromised(4). 173.254.68.134 (5) (Unified Layer, US) and 207.204.5.170 (6) (Register .com, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been -hacked- in some way, I would expect them to be cleaned up at some point in the future. Putting all these IPs and domains together gives a recommended blocklist:
173.254.68.134
173.255.213.171
207.204.5.170
62.149.131.162
..."
(More listed at the dynamoo URL above.)
* https://www.virustot...sis/1370888138/
File name: Important WellsFargo Doc.exe
Detection ratio: 0/47
Analysis date: 2013-06-10
** http://camas.comodo....2c16d6db3b8adae
*** http://www.dynamoo.c...dcb00eafee5.pdf
1) http://www.threatexp...c751dcb00eafee5
2) https://www.virustot...sis/1370888252/
File name: Important WellsFargo Docs.exe
Detection ratio: 11/46
Analysis date: 2013-06-10
3) http://camas.comodo....2c16d6db3b8adae
4) https://www.virustot...62/information/
5) https://www.virustot...34/information/
6) https://www.virustot...70/information/
___

- http://tools.cisco.c...Outbreak.x?i=77
E-mail Messages with Malicious Attachments - 2013 Jun 10
Fake Deposit Transfer Confirmation Notification E-mail Messages - 2013 Jun 10
Fake Documents Attachment Email Messages - 2013 Jun 10
Malicious Attachment Email Messages - 2013 Jun 10
Fake Bill Payment Notification Email Messages - 2013 Jun 10
Fake Legal Assistance Inquiry E-mail Messages - 2013 Jun 10
Fake Products Advertisement E-mail Messages - 2013 Jun 10
Fake FedEx Shipment Notification E-mail Messages - 2013 Jun 10
Fake Xerox Scan Attachment Email Messages - 2013 Jun 10
Fake Gift Voucher Redemption Email Messages - 2013 Jun 10
Fake Deposit Statement Notification E-mail Messages - 2013 Jun 10
(More detail and links at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 11 June 2013 - 05:20 AM.



#960 AplusWebMaster

Posted 11 June 2013 - 07:57 AM

FYI...

Fake Fax Transmission emails lead to malware
- http://blog.webroot....ead-to-malware/
June 11, 2013 - "Have you sent an eFax recently? Watch out for an ongoing malicious spam campaign that tries to convince you that there’s been an unsuccessful fax transmission. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet of the cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....engineering.png
Detection rate for the malicious attachment: MD5: 66140a32d7d8047ea93de0a4a419880b * ... UDS:DangerousObject.Multi.Generic... phones back to the following C&C server hxxp ://lukafalls .com/banners/index.php – 95.154.254.17, as well as to the following C&C IPs: ..."
(More detail at the webroot URL above.)
* https://www.virustot...22f68/analysis/
File name: Fax details and transmission_report.doc.exe
Detection ratio: 31/47
Analysis date: 2013-06-10
___

Self-propagating ZBOT malware ...
- http://blog.trendmic...alware-spotted/
June 10, 2013 - "... we have spotted a new ZBOT variant that can spread on its own. This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document. If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear:
> http://blog.trendmic...13/06/zbot1.jpg
... error message upon execution of the malicious PDF file
While this is going on, the malicious ZBOT variant – WORM_ZBOT.GJ – is dropped onto the system and run. It is here that several differences start to appear. First of all, WORM_ZBOT.GJ has an autoupdate routine: it can download and run an updated copy of itself. Secondly, however, it can spread onto other systems via removable drives, like USB thumb drives. It does this by searching for removable drives and then creating a hidden folder with a copy of itself inside this folder, and a shortcut pointing to the hidden ZBOT copy.
> http://blog.trendmic...bot-BD-JPEG.jpg
... Portion of WORM_ZBOT.GJ code creating copy of itself
This kind of propagation by ZBOT is unusual... ZBOT malware is usually distributed by exploit kits and/or malicious attachments..."

- https://net-security...ews.php?id=2515
June 11, 2013 - "The Zeus / Zbot Trojan has been around since 2007, and it and its variants continued to perform MitM attacks, log keystrokes and grab information entered in online forms. It is usually spread via exploit kits (drive-by-downloads), phishing schemes, and social media..."
___

Washington Free Beacon compromised to serve up Malware
- http://www.invincea....rve-up-malware/
UPDATE 10:02 a.m. 6/11 – "Repeated attempts to reach the Beacon have been unsuccessful. We have not seen reinfection in subsequent visits but it is hard to know without navigating every page...
WARNING: Do NOT browse to freebeacon[.]com until further notice, as the site is still actively redirecting user traffic to malware. The Washington Free Beacon has been notified but have not confirmed nor responded... an article from The Washington Free Beacon on the breaking NSA Leaks story (freebeacon[.]com/nsa-leaker-surfaces-in-hong-kong/) linked to by the Drudge report has been compromising readers with a Java-based exploit kit* ... patching Java to the latest version (if you can) may be your only (temporary) protection..."
- http://www.invincea..../uploads/27.png
(More detail at the invincea URL above.)
* https://www.virustot...sis/1370873028/
File name: 1.jar
Detection ratio: 3/47
Analysis date: 2013-06-10
___

Something evil on 173.255.213.171
- http://blog.dynamoo....3255213171.html
11 June 2013 - "As a follow-up to this post*, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of -hijacked- GoDaddy-registered domains that are serving an exploit kit [1] [2]... block 173.255.213.171 ..."
* http://blog.dynamoo....wellsfargo.html

1) https://www.virustot...71/information/

2) http://urlquery.net/...2...6-11&max=50
___

CitiBank Secure Message Spam
- http://threattrack.t...re-message-spam
June 11, 2013 - "Subjects Seen:
(SECURE)Electronic Account Statement [removed]
Typical e-mail details:
You have received a Secure PDF message from the CitiSecure Messaging Server.
Open the PDF file attached to this notification. When prompted, enter your Secure PDF password to view the message contents.
To reply to this message in a secure manner, it is important that you use the Reply link inside the Secure PDF file. This will ensure that any confidential information is sent back securely to the sender.
Help is available 24 hours a day by calling 1-866-535-2504 or 1-904-954-6181 or by email at secure.emailhelp @citi .com
Please note: Adobe Reader version 7 or above is required to view all SecurePDF messages.




Malicious File Name and MD5:
Secure.<random>.zip (05c33cfcf22c5736C4a162f6d7c2eeac)
secure.pdf.exe (4209430a3393287d5e28def88e43b93b)

ThreatAnalyzer Report: http://db.tt/RtlUb5Vs [PDF]

Screenshot: https://gs1.wac.edge...S8e01qz4rgp.png
___

Amazon Order Notification Spam
- http://threattrack.t...tification-spam
June 11, 2013 - "Subjects Seen:
Payment for Your Amazon Order # [removed]
Typical e-mail details:
We’re writing to let you know that we are having difficulty processing your payment for the above transaction. To protect your security and privacy, your issuing bank cannot provide us with
information regarding why your credit card was declined.
However, we suggest that you double-check the billing address, expiration date and cardholder name
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no
need to place a new order as we will automatically try your credit card again.
There are a few steps you can take to make the process faster:
1. Verify the payment information for this order is correct (expiration date, billing address, etc).
You can update your account and billing information at :
amazon .com/gp/css/summary/edit.html?ie=UTF8&orderID=[removed]
2. Contact your issuing bank using the number on the back of your card to learn more about their
policies. Some issuers put restrictions on using credit cards for electronic or internet
purchases. Please have the exact dollar amount and details of this purchase when you call the
bank. If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash
from authorized resellers at a store near you. Visit amazon.com/cashgcresellers to learn
more.
Thank you for shopping at Amazon.com. Sincerely, Amazon.com Customer Service




Screenshot: https://gs1.wac.edge...3ZjB1qz4rgp.png

- http://blog.dynamoo....invaultcom.html
June 11, 2013 - "This fake Amazon.com spam leads to malware on goldcoinvault .com:
Date: Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From: "Amazon.com Customer Care Service" [payments-update @amazon .com]
Subject: Payment for Your Amazon Order # 104-884-8180383
Regarding Your Amazon.com Order
Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86 ...


The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent .com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar .com/piggybacks/rejoiced.js
[donotclick]nteshop .es/tsingtao/flanneling.js
..from there it hits the main malware payload site at [donotclick]goldcoinvault .com/news/pictures_hints_causes.php (report here*) hosted on goldcoinvault .com which is a hacked GoDaddy domain -hijacked- to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here** and here***, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good..."
* http://urlquery.net/....php?id=3054553

** http://blog.dynamoo....3255213171.html

*** http://blog.dynamoo....wellsfargo.html

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 11 June 2013 - 08:34 PM.

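The removable-drive spreading routine in the Trend Micro item above (a hidden folder holding a copy of the worm, plus a root-level shortcut pointing into it) is a layout a defender can sweep a drive for. The Python below is an added example, not code from Trend Micro or from this thread; the function names, the `.sysdata` folder, and the stand-in shortcut bytes are constructed assumptions, and on non-Windows systems the hidden-folder check falls back to a dot-prefix heuristic.

```python
"""Heuristic sweep of a removable-drive root for the USB lure layout:
hidden folder + executable inside it + a root-level .lnk that points into it.
Added illustration (assumed names); not a full Shell Link (.lnk) parser."""
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows attribute bit, as documented by Microsoft
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dot-prefix fallback elsewhere (heuristic)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        return True
    return os.path.basename(path).startswith(".")


def lnk_references(lnk_path: str, needle: str) -> bool:
    """True if the shortcut's raw bytes contain `needle` as ANSI or UTF-16LE.
    Real .lnk files carry the target path in their string data, usually UTF-16LE,
    so a raw byte search is a cheap check for "this shortcut points into that folder"."""
    with open(lnk_path, "rb") as fh:
        data = fh.read()
    return needle.encode("ascii", "ignore") in data or needle.encode("utf-16-le") in data


def find_usb_lures(root: str) -> list:
    """One finding per (hidden dir, executable, shortcut) triple found directly under root."""
    findings = []
    entries = os.listdir(root)
    shortcuts = [e for e in entries if e.lower().endswith(".lnk")]
    for name in entries:
        full = os.path.join(root, name)
        if not os.path.isdir(full) or not is_hidden(full):
            continue
        for inner in os.listdir(full):
            if not inner.lower().endswith(EXEC_SUFFIXES):
                continue
            for lnk in shortcuts:
                if lnk_references(os.path.join(root, lnk), name):
                    findings.append({"hidden_dir": name, "payload": inner, "shortcut": lnk})
    return findings


def build_sample_drive() -> str:
    """Constructed sample: a fake drive root laid out like the lure. Nothing here runs."""
    root = tempfile.mkdtemp(prefix="fake_usb_")
    hidden = os.path.join(root, ".sysdata")   # dot-prefix so the fallback fires on any OS
    os.mkdir(hidden)
    with open(os.path.join(hidden, "update.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real program")
    # Stand-in for a shortcut: a tiny header followed by the target path in UTF-16LE.
    with open(os.path.join(root, "Documents.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + ".sysdata\\update.exe".encode("utf-16-le"))
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8 benign file")
    return root


if __name__ == "__main__":
    for f in find_usb_lures(build_sample_drive()):
        print(f"suspicious: {f['shortcut']} -> {f['hidden_dir']}/{f['payload']}")
```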
