SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#976 AplusWebMaster


Posted 01 July 2013 - 06:00 AM

FYI...

Adware sites to block - 1 July 2013
- http://blog.dynamoo....block-1713.html
1 July 2013 - "Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing to rounds at the moment, some of them may be involved in injection attacks or adware installs...
cdnsrv .com
tracksrv .com
cdnloader .com
secure-content-delivery .com
mydatasrv .com

Domains all seem to be on parking IPs or Amazon AWS, so difficult to block by IP address."
___

Email credentials - Phish
- http://threattrack.t...edentials-phish
July 1, 2013 - "Subjects Seen:
Email Deactivation Notice
Typical e-mail details:
An automatic security update has been carried out on your Email Account.
Click here to Login and complete update
Please note that you have within 24 hours to complete this update, because you might lose access to your Email Account


Malicious URLs
190.6.206.173 /~radioxge/updated/index.html


Screenshot: https://gs1.wac.edge...Pz3B1qz4rgp.png
___

Fake Pinterest SPAM / pinterest .com.reports0701.net
- http://blog.dynamoo....ports0701n.html
1 July 2013 - "This fake Pinterest spam leads to malware on pinterest .com.reports0701.net:
Date: Mon, 1 Jul 2013 21:04:36 +0530
From: "Pinterest" [naughtinessw5 @newsletters .pinterest .net]
To: [redacted]
Subject: Your password on Pinterest Successfully changed!
[redacted]
Yor password was reset. Request New Password.
See Password
Pinterest is a tool for collecting and organizing things you love.
This email was sent to [redacted].
Don't want activity notifications? Change your email preferences.
©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions


The link goes through a legitimate -hacked- site to end up on a malicious payload at [donotclick]pinterest .com.reports0701.net/news/pay-notices.php (report here* and here**) which contains an exploit kit. The malware is hosted on a subdomain of a main domain with fake WHOIS details (it belongs to the Amerika gang) which is a slightly new technique:
June Parker parker @mail .com
740-456-7887 fax: 740-456-7844
4427 Irving Road
New Boston OH 45663
us
The following IPs are in use:
77.240.118.69 (Acens Technologies, Spain)
89.248.161.148 (Ecatel, Netherlands)
208.81.165.252 (Gamewave Hongkong Holdings, US)
Recommended blocklist:
77.240.118.69
89.248.161.148
208.81.165.252
..."
* http://urlquery.net/....php?id=3454469

** http://urlquery.net/....php?id=3454450

:( :ph34r: :ph34r:

Edited by AplusWebMaster, 01 July 2013 - 03:48 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
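The blocklists quoted in this post use dynamoo's defanged notation (a space before the TLD, [donotclick], hxxp, (DOT), spaces around "/"), which has to be reversed before the indicators can be fed to a resolver or a firewall. The Python below is an added example, not code from this thread or from any of the blogs it quotes: it refangs a constructed sample of indicators copied from the posts, splits them into IPs and domains, and emits hosts-file sinkhole lines for the domains. The sample list, the 0.0.0.0 sinkhole convention and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the defanged styles seen in the quoted posts
# (space before the TLD, [donotclick], hxxp, (DOT), spaces around "/" and "://").
RAW_INDICATORS = [
    "cdnsrv .com",
    "secure-content-delivery .com",
    "[donotclick]pinterest .com.reports0701.net/news/pay-notices.php",
    "hxxp :// 62.76.178.178 /fexco/com/index.php",
    "ftp(DOT)vickibettger .com/oEoASW64.exe",
    "http ://visabusiness .com/ fraud/warning_mail=81413185766854518964",
    "190.6.206.173 /~radioxge/updated/index.html",
    "77.240.118.69",
]


def refang(text):
    """Undo the usual defanging conventions so the indicator can be parsed as a URL."""
    t = text.strip()
    t = re.sub(r"^\[donotclick\]\s*", "", t, flags=re.IGNORECASE)
    t = re.sub(r"[\(\[]dot[\)\]]", ".", t, flags=re.IGNORECASE)   # (DOT) or [dot]
    t = re.sub(r"^hxxp", "http", t, flags=re.IGNORECASE)          # hxxp:// and hxxps://
    t = re.sub(r"\s*:\s*//\s*", "://", t)                           # "http ://", "hxxp :// "
    t = re.sub(r"\s+\.", ".", t)                                    # "cdnsrv .com"
    t = re.sub(r"\s*/\s*", "/", t)                                  # "173 /~path", "com/ fraud"
    return t


def extract_host(indicator):
    """Return the bare hostname or IP from a refanged indicator (URL, host/path or host)."""
    clean = refang(indicator)
    if "://" not in clean:
        clean = "http://" + clean        # urlsplit only finds a host when a scheme is present
    host = urlsplit(clean).hostname or ""
    return host.lower().rstrip(".")


def build_blocklist(indicators):
    """Split indicators into unique IPs and domains, each sorted for stable diffs."""
    ips, domains = set(), set()
    for raw in indicators:
        host = extract_host(raw)
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return sorted(ips, key=ipaddress.ip_address), sorted(domains)


def hosts_file_lines(domains):
    """Sinkhole each domain to 0.0.0.0 in hosts-file syntax (one entry per line)."""
    return [f"0.0.0.0 {d}" for d in domains]


if __name__ == "__main__":
    ips, domains = build_blocklist(RAW_INDICATORS)
    print("# IPs to block at the firewall")
    print("\n".join(ips))
    print("# hosts-file sinkhole entries")
    print("\n".join(hosts_file_lines(domains)))
```

Paths and query strings are discarded on purpose: the posts note that the domains rotate while the IPs change less often, so the host is the useful unit to block, and a path-level rule would miss the next landing page on the same server.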



#977 AplusWebMaster


Posted 02 July 2013 - 06:27 AM

FYI...

Adware sites to block 2/7/13
- http://blog.dynamoo....block-2713.html
2 July 2013 - "Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details... Given the amount of adware* on this server, I would recommend blocking it... "
(More detail at the dynamoo URL above.)
* https://www.virustot...61/information/
___

Malware sites to block 2/7/13
- http://blog.dynamoo....block-2713.html
2 July 2013 - "These sites belong to this gang* and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block..."
(Long lists at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Babylon and the 3954 Trojans...
- http://blog.dynamoo....r-whore-of.html
2 July 2013 - ""Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild... At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons... and installs a load of crapware onto your computer when it does so... system administrators keep finding the product installed on their machines, adware and all. This piece of software even has its own Wikipedia entry* covering malware issues. Do you really want your users to go anywhere near this site? As far as I can tell, at the moment the Babylon software is downloaded from the following IPs which you may want to -block- (all operated by Singlehop):
69.175.87.109
81.93.185.144
81.93.185.145
173.236.48.139
173.236.91.147
184.154.40.59
184.154.151.19
198.143.175.67
216.104.42.91
..."
(More detail at the dynamoo URL above.)
* http://en.wikipedia....#Malware_issues

> https://www.virustot...om/information/

Diagnostic page for AS32475 (SINGLEHOP)
- https://www.google.c...c?site=AS:32475

- https://www.google.c...ite=babylon.com
"... Malicious software includes 3954 trojan(s) ..."
___

DHL Shipment Notification Spam
- http://threattrack.t...tification-spam
July 2, 2013 - "Subjects Seen:
Delivery Status Notification ID#[removed]
Typical e-mail details:
DHL Ship Shipment Notification
On June 23, 2013 a shipment label was printed for delivery.
The shipment number of this package is [removed].
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
Get Shipment Info
2) Enter the shipment number on tracking page:
Tracking Page
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.


Malicious URLs
ah-nanas .se/main.php?inf=ss00_323
unitedcricketclub .co.za/main.php?inf=ss00_323
dsfstore .ro/main.php?inf=ss00_323


Malicious File Name and MD5:
Delivery_Information.zip (6ea731d13579040c20208dfbc7bddb0f)
Delivery_Information_ID-<random>.exe (560f37022593bf13c4071f4c5dc3b48c)

Screenshot: https://gs1.wac.edge...AKhv1qz4rgp.png

<_< :ph34r:

Edited by AplusWebMaster, 04 July 2013 - 05:49 AM.



#978 AplusWebMaster


Posted 03 July 2013 - 02:00 PM

FYI...

Blackhole Exploit Kit SPAM campaign hits Pinterest
- http://blog.trendmic...hits-pinterest/
July 3, 2013 - "... we are now seeing a BHEK spam campaign targeting social networking website -Pinterest- and its users. Prior to this campaign, the website has also been the target of other threats, such as survey scams and spammed mails that lead to malicious websites.
> https://blog.trendmi...nterestbhek.jpg
We received a sample of the messages being spammed, and upon analysis, discovered how its infection chain goes. Here is the entire infection chain, as follows:
• The user receives the spammed mail in his inbox. It is tailored to resemble a legitimate mail from Pinterest, and notifies the user about a successful password change. It also presents a link that would allow him to see his new password.
• Should the user click on the link, he is put through a series of website redirects. This redirection is detected as HTML_IFRAME.USR.
• HTML_IFRAME.USR then downloads another malware onto the system, TROJ_PIDIEF.USR, which in turn drops BKDR_KRIDEX.KA. This final payload, being backdoor malware, has the ability to perform commands from a remote malicious user, and therefore can compromise a system’s security.
While there is nothing new in this routine, users are still advised to always perform account-related changes only on the websites they subscribe to. We also point towards the usage of CRIDEX as a final payload – a malware family that we’ve written about as one of the two families used in BHEK attacks. Like ZBOT, CRIDEX is used mainly to steal online banking information. To further protect themselves from these sorts of threats, users should ensure that all software in their systems is updated and patched (namely Java, Adobe Acrobat, Adobe Reader, and Flash). This is because BHEK operates by exploiting vulnerabilities in popular software, and keeping that software and their browser of choice updated can help prevent them from becoming victims. Avoiding links presented in suspicious mails and verifying the mail’s content first by contacting the supposed sender through other means (phone call, visitation) can also go a long way..."

<_< :ph34r:



#979 AplusWebMaster


Posted 05 July 2013 - 11:27 AM

FYI...

Fake EBC Password Reset Confirmation SPAM / paynotice07 .net
- http://blog.dynamoo....ation-spam.html
5 July 2013 - "This fake password reset spam leads to malware on paynotice07 .net:
From: EBC_EBC1961Registration@ebank6 .secureaps .com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation
Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.
Support is available Monday - Friday, 8 AM to 8 PM CST.
This is an automated message, please do not reply. Your message will not be received...


The link goes through a legitimate -hacked- site and ends up on a payload at [donotclick]paynotice07 .net/news/must-producing.php (report here*) hosted on the following IPs:
189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
202.28.69.195 (Walailuk University, Thailand)
Blocklist:
189.84.25.188
202.28.69.195
..."
* http://urlquery.net/....php?id=3554479
___

Invoice Export License Spam
- http://threattrack.t...rt-license-spam
July 5, 2013 - "Subjects Seen:
invoice copy
Typical e-mail details:
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker


Malicious File Name and MD5:
invoice copy.zip (5e58effccB7dfbe81910fefaf17766d9)
invoice copy (2).exe (d70ab58ee9fffd968c3e7327adbb550e)

Screenshot: https://gs1.wac.edge...ValW1qz4rgp.png

<_< :ph34r:

Edited by AplusWebMaster, 05 July 2013 - 01:16 PM.



#980 AplusWebMaster


Posted 08 July 2013 - 10:36 AM

FYI...

Fake AMEX SPAM - americanexpress .com.krasalco .com
- http://blog.dynamoo....rasalcocom.html
8 July 2013 - "This fake Amex spam leads to malware on americanexpress .com.krasalco .com:
From: American Express [mailto:AmericanExpress @emalsrv.aexpmail .org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received
Check your account balance online at any time
Hello, [redacted]
View Account
Make a Payment
Manage Alerts Preferences
Payment Received
Check Balance
We received a payment for your Card account.
Date Received:
Mon, Jul 08, 2013
Payment Amount:
$2,511.92
Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.
Thank you for your Cardmembership.
American Express Customer Care
Was this e-mail helpful? Please click here to give us your feedback...


Screenshot: https://lh3.ggpht.co...8/s400/amex.png

The link in the email goes through a legitimate -hacked- site to end up on a malicious landing page at [donotclick]americanexpress .com.krasalco .com/news/slightly_some_movie.php (report here*) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)
Blocklist:
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
..."
* http://urlquery.net/....php?id=3606244
___

Fake Xerox WorkCentre Pro Spam
- http://threattrack.t...centre-pro-spam
July 8, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: [removed]
Number of Images: 6
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: [removed]
Attached file is scanned image in PDF format.


Malicious URLs
2ndtimearoundweddingphotography .com/ponyb/gate.php
bobkahnvideo .com/ponyb/gate.php
gfpmenusonline .com/ponyb/gate.php
gfponlineordering .com/ponyb/gate.php
lacasadelmovilusado .com/bts1.exe
common.karsak .com.tr/FzPfH6.exe
ftp(DOT)vickibettger .com/oEoASW64.exe
qualitydoorblog .com/qbSTq.exe


Malicious File Name and MD5:
SCAN_<random>.zip (da8f4d5dc27dd81c6e3eff217a6501ec)
SCAN_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)

Screenshot: https://gs1.wac.edge...FfuK1qz4rgp.png
___

Man of Steel, Fast and Furious 6 Among Online Fraudsters’ Most Used Lures
- http://blog.trendmic...ost-used-lures/
July 8, 2013 - "... Fraudsters are relentless in creating fake streaming sites, not just on the screening date of these movies, but also before the release of movies in theaters... attackers use various social media sites like Facebook, Google+, Youtube, LinkedIn, and many others to drive users to the fake streaming pages. These are hosted on blogging services like Tumblr, WordPress, and Blogger. Most pages on these blogs have shortened URLs that lead to the final sites... Because they used the services of URL shorteners, we were able to view the number of visits per selected movie. It appears that Man of Steel, Fast and the Furious 6 and Iron Man 3 got the highest number of viewers. This data is for a two-month period from late April up to the end of June.
> http://blog.trendmic...views-chart.jpg
Total pageviews of fake streaming sites (per movie titles)
To lure in users, attackers use key phrases like “watch movie title online” or “download movie title free”. Using Blackhat Search Engine Optimization or BHSEO, users looking for the above pages are lured to visit the -fake- streaming sites. This is also one of the manipulations of search engine indexes known as -spamdexing-. Many of the common keywords used are what you’d expect: “watch”, “online”, “free”, etcetera. One of the more surprising keywords is “putlocker”, which refers to a UK-based file locker. In terms of countries involved, while the United States accounts for more than two-thirds of the traffic to these sites, other countries were also represented. Users are advised to stream and subscribe to -legitimate- sites and -not- from these fake streaming sites. Be wary of sharing posts and clicking links that could propagate these scams. In addition, there might be no such thing as online streaming or movie download except for pirated copies, which in itself can be risky..."
___

sendgrid .me / amazonaws .com SPAM
- http://blog.dynamoo....wscom-spam.html
8 July 2013 - "This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid .me) and leads to malware hosted on Amazon's cloud service, amazonaws .com. There is no body text in the spam, just an image designed to look like a downloadable document.
from: [victim] via sendgrid .me
date: 8 July 2013 19:08
subject: Urgent 6:08 PM 244999
Signed by: sendgrid .me


Screenshot: https://lh3.ggpht.co...0/pic848755.jpg

The email appears to originate from 138.91.78.32 which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid .net)
The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws .com/ft556/Document_948357853____.exe [https] (VirusTotal report*) which then downloads a further executable from [donotclick]s3.amazonaws .com/mik49/ss32.exe [http] (VirusTotal report**) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe. ThreatExpert reports*** that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine)... The second part (ss32.exe) attempts to look up a server called mssql.maurosouza9899.kinghost .net 177.185.196.130 (IPV6 Internet Ltda, Brazil)... VirusTotal does report some other badness on 177.185.196.130 so this is probably worth blocking.
Recommended blocklist:
177.185.196.130 ..."
* https://www.virustot...sis/1373309007/
File name: Document_948357853____.exe
Detection ratio: 15/46
Analysis date: 2013-07-08
** https://www.virustot...sis/1373315068/
File name: ss32.exe
Detection ratio: 8/44
Analysis date: 2013-07-08
*** http://www.threatexp...6afe6928fa84c89

**** https://www.virustot...30/information/

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 08 July 2013 - 05:03 PM.

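The sendgrid .me / amazonaws .com item in the post above makes a point worth keeping in mind whenever mail headers are read: the hop your own MX recorded (208.117.55.132, the SendGrid relay) is certain because your server saw that TCP connection, while the origin claimed further down (138.91.78.32) is only an assertion written by the relay, which any earlier hop can forge. The Python below is an added example, not from the thread or from dynamoo, that walks a constructed set of Received headers newest-first and stops trusting peer IPs at the first header written by a host outside a caller-supplied trusted set. The hostnames mx.example.org and mail.example.com, the header text and the function names are constructed; only the two IPs come from the post.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed message modelled on the post: our MX (mx.example.org) received the mail
# from SendGrid's relay; SendGrid's own Received line claims a Microsoft-range origin;
# a third line, supposedly added before that, is whatever the sender chose to write.
RAW_MESSAGE = """\
Received: from o1.f.az.sendgrid.net (o1.f.az.sendgrid.net [208.117.55.132])
\tby mx.example.org (Postfix) with ESMTPS id 4F2E1
\tfor <victim@example.org>; Mon, 8 Jul 2013 19:08:11 +0100
Received: from [138.91.78.32] (unknown [138.91.78.32])
\tby o1.f.az.sendgrid.net (SG) with ESMTP
\tfor <victim@example.org>; Mon, 8 Jul 2013 19:08:09 +0100
Received: from localhost (localhost [127.0.0.1]) by mail.example.com
From: victim@example.org
Subject: Urgent 6:08 PM 244999

"""

# "from <peer> ... [<ip>] ... by <writer>"; DOTALL because header values keep their folding.
RECEIVED_RE = re.compile(
    r"from\s+\S+.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>[\w.-]+)", re.DOTALL
)


def parse_received(msg_text):
    """Return [(writer_host, peer_ip)] in header order, i.e. the newest hop first."""
    msg = message_from_string(msg_text)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        try:
            ip_address(m.group("ip"))      # skip hops whose bracketed token is not an IP
        except ValueError:
            continue
        hops.append((m.group("by").lower(), m.group("ip")))
    return hops


def trace_origin(msg_text, trusted_writers):
    """Walk hops newest-first. A peer IP is verified only while the host that wrote the
    header is one we trust; the first untrusted writer ends verification, and every IP
    below it (including a trusted name that reappears) is merely claimed."""
    verified_ip = None
    claimed = []
    trusting = True
    for writer, peer_ip in parse_received(msg_text):
        if trusting and writer in trusted_writers:
            verified_ip = peer_ip
        else:
            trusting = False
            claimed.append(peer_ip)
    return verified_ip, claimed


if __name__ == "__main__":
    print(trace_origin(RAW_MESSAGE, {"mx.example.org"}))
    print(trace_origin(RAW_MESSAGE, {"mx.example.org", "o1.f.az.sendgrid.net"}))
```

With only the local MX trusted, the verified hop is 208.117.55.132 and both 138.91.78.32 and 127.0.0.1 are reported as claims; adding the SendGrid relay to the trusted set moves the verified hop one step back to 138.91.78.32, which is exactly the judgement the post makes in prose. Whether to extend trust to a commercial relay is a policy decision, not something the headers themselves can settle.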


#981 AplusWebMaster


Posted 09 July 2013 - 10:25 AM

FYI...

Malware sites to block 9/7/13
- http://blog.dynamoo....block-9713.html
9 July 2013 - "These are the current IPs and domains that appear to be in use by this gang*. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting (blocking)..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Fake "Payment File Successfully Processed" SPAM / autorize .net.models-and-kits .net
- http://blog.dynamoo....-processed.html
9 July 2013 - "This spam leads to malware on autorize.net.models-and-kits .net:
Date: Tue, 9 Jul 2013 15:36:42 -0500
From: batchprovider @eftps .gov
Subject: Payment File Successfully Processed
*** PLEASE DO NOT REPLY TO THIS MESSAGE***
Dear Batch Provider,
This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358
Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS
Contact Us: EFTPS Batch Provider Customer Service
at this link


A sender's email address of batchprovider @email.eftpsmail .gov is seen in another sample. The link goes through a legitimate -hacked- site and ends up on a malware-laden page at [donotclick]autorize.net.models-and-kits .net/news/shortest-caused-race.php (report here**) hosted on:
77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)
All these IPs and more can be found in this recommended blocklist*. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
..."
(More detail at the dynamoo URL above.)
* http://blog.dynamoo....block-9713.html

** http://wepawet.isecl...3...740&type=js

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 09 July 2013 - 10:09 PM.

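Posts #976, #980 and #981 describe the same trick: a brand's whole domain (pinterest .com, americanexpress .com, autorize .net) is used as the leading labels of a hostname whose registrable domain belongs to someone else, and the autorize.net case adds a one-letter typosquat on top. The Python below is an added example, not the thread's or the blogs' code, showing how a mail gateway or proxy could flag such hostnames: it extracts the registrable domain, treats any subdomain of a listed brand as legitimate, and flags hostnames whose remaining labels contain a brand domain or a near-miss of its name. The abbreviated public-suffix list, the brand list and the function names are constructed assumptions; real tooling should load the Public Suffix List (publicsuffix.org) rather than the handful of suffixes hard-coded here.

```python
# Constructed, abbreviated suffix list. The multi-label entries (co.uk, com.tr, co.za)
# are what make this more than "take the last two labels".
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "us", "co.uk", "com.tr", "co.za"}

# Constructed list of brand domains a gateway would treat as sensitive.
BRAND_DOMAINS = {"pinterest.com", "americanexpress.com", "authorize.net", "visa.com", "eftps.gov"}


def registrable_domain(hostname):
    """Effective second-level domain under PUBLIC_SUFFIXES; longest suffix wins, so
    'common.karsak.com.tr' yields 'karsak.com.tr', not 'com.tr'."""
    labels = hostname.lower().strip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance; used to catch one-character typosquats such as 'autorize'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname):
    """Return (verdict, registrable_domain).
    legitimate : the host is a brand domain or a subdomain of one
    lookalike  : a brand domain, or a near-miss of its name, sits in the labels left of
                 a registrable domain that is not the brand's
    unknown    : no brand reference at all"""
    host = hostname.lower().strip(".")
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS or any(host == b or host.endswith("." + b) for b in BRAND_DOMAINS):
        return ("legitimate", reg)
    labels = host.split(".")
    sub_labels = labels[: len(labels) - len(reg.split("."))]   # labels left of the registrable domain
    for brand in BRAND_DOMAINS:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return ("lookalike", reg)                            # pinterest.com.reports0701.net
        brand_label = brand.split(".")[0]
        for lbl in sub_labels:
            # exact brand name as a label, or (for names long enough to be unambiguous)
            # a label within one edit of it: autorize.net.models-and-kits.net
            if lbl == brand_label or (len(brand_label) >= 5 and edit_distance(lbl, brand_label) <= 1):
                return ("lookalike", reg)
    return ("unknown", reg)


if __name__ == "__main__":
    for h in ("pinterest.com.reports0701.net", "americanexpress.com.krasalco.com",
              "autorize.net.models-and-kits.net", "www.pinterest.com", "common.karsak.com.tr"):
        print(h, "->", classify(h))
```

The verdict is meant to drive a warning or a quarantine rule, not a silent block: a brand list will never be complete, and the edit-distance rule is deliberately limited to one edit on names of five or more characters so that short labels such as "www" do not collide with short brand names.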


#982 AplusWebMaster


Posted 10 July 2013 - 06:50 AM

FYI...

Something evil on 199.231.93.182
- http://blog.dynamoo....9923193182.html
10 July 2013 - "199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia .com possibly through a traffic exchanger. The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without the subdomains that you might want to use as a blocklist..."
(More detail at the dynamoo URL above.)

1) http://urlquery.net/...9...7-10&max=50

2) https://www.virustot...82/information/
___

Fake Booking Reservation themed emails serve malware
- http://blog.webroot....-serve-malware/
July 10, 2013 - "Cybercriminals are currently mass mailing tens of thousands of fake emails impersonating the Westminster Hotel, in an attempt to trick users into thinking that they’ve received a legitimate booking confirmation. In reality though, once the socially engineered users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....1...w=465&h=587
Detection rate for the malicious attachment – MD5: 7eed403cfd09ea301c4e10ba5ed5148a * ... Trojan-PSW.Win32.Tepfer.nprd.
The UPX compressed executable creates an Alternate Data Stream (ADS), starts at Windows startup... It then phones back to the following C&C server:
hxxp :// 62.76.178.178 /fexco/com/index.php
We’ve already seen the same C&C directory structure in the previous profiled ‘Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild‘ campaign... While we were investigating this campaign, we also found out that, apparently, the Westminster Hotel in Rhyl, Denbighshire, did not renew their primary domain name (westminster-rhyl.com – 64.74.223.31), allowing opportunistic ‘domainers’ to quickly snatch it. Not surprisingly, we also detected malicious activity with multiple malicious software phoning back to the current hosting IP of the Web site of the Westminster Hotel in Rhyl, Denbighshire...
> https://webrootblog...._maps.png?w=869
... MD5s known to have phoned back to the same IP (64.74.223.31) ..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1373366558/
File name: Document.pdf .exe
Detection ratio: 6/47
Analysis date: 2013-07-09
___

Fake Visa SPAM / estateandpropertty.com and clik-kids .com
- http://blog.dynamoo....ttycom-and.html
10 July 2013 - "This fake Visa spam attempts to lead to malware on estateandpropertty .com:
Date: Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From: Visa [policemank3 @newsletters.visabusinessnewsmail .org]
Reply-To: flintierv34 @complains .visabusinessnewsmail .org
Subject: Update Your Business Visa Card Information
Your Visa Business card has been limited. Please update your information to reactivate your account.
Please proceed the link: http ://visabusiness .com/ fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
Your Case ID is: NW61826321176497
Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.
This added security is to prevent any additional fraudulent charges from taking place on your account...
Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.
This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe.


The link in the email goes through a legitimate -hacked- site and then attempted to go to a malware page at [donotclick]estateandpropertty .com/news/visa-report.php (report here*) but it appears the registrar has -nuked- the domain, so the spammers have switched the link to [donotclick]clik-kids .com/news/visa-report.php (report here**) instead. IPs involved are:
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
77.240.118.69 (Acens Technologies, Spain)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
46.45.182.27
77.240.118.69
150.244.233.146
203.236.232.42
209.222.67.251
..."
* http://urlquery.net/....php?id=3651712

** http://urlquery.net/....php?id=3653370

:ph34r: <_<

Edited by AplusWebMaster, 10 July 2013 - 03:02 PM.



#983 AplusWebMaster


Posted 11 July 2013 - 06:09 AM

FYI...

Fake "WTX Media INC" SPAM / dajizzum .com
- http://blog.dynamoo....ajizzumcom.html
11 July 2013 - "This fake invoice spam from the nonexistent "WTX Media" leads to a malware landing page on dajizzum .com:
From: Rebecca Media [mailto:support @rebeccacella .com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details
We hereby inform you that your subscription has been activated, your login information is as follows:
Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384
Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
Your bank statement will show up as being billed by "WTX Media INC".
If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:
[donotclick]www.rebeccacella .com/wp-content/plugins/subscribe/
Any feedback is appreciated as we strive to improve our services constantly.
WTX Media Team


The link in the email goes through a legitimate but -hacked- website (rebeccacella .com) and lands on a malware landing page at [donotclick]dajizzum .com/team/administration/admin4_colon/fedora.php?view=44 (report here*) which contains an exploit kit. dajizzum .com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a -hijacked- server. At the moment I can only see that one site hosted on this box, but -blacklisting- the IP as a precaution may be wise. The spam originates from another malware server on 188.138.89.106 (more of this later) but it appears to use a compromised 1&1 account as the spamvertised domain, sender's address and SMTP relay of 212.227.29.10 all belong to that provider."
* http://urlquery.net/....php?id=3664350
___

Malware sites to block 11/7/13
- http://blog.dynamoo....lock-11713.html
11 July 2013 - "I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run* using a -hijacked- 1&1 account, and VirusTotal thinks that the server is pretty darned evil**. A quick poke at this box shows that it has a number of multihomed malicious and C&C domains. Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability***. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.
37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)
Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
..."
* http://blog.dynamoo....ajizzumcom.html

** https://www.virustot...06/information/

*** http://threatpost.co...k-vulnerability
___

Facebook Phish leads to Fake Flash and Mining
- http://www.threattra...ash-and-mining/
July 10, 2013 - "... A new scam has emerged, this time using Tumblr as the launchpad to redirect end-users to a Facebook credential phish (including the collection of the answer to a secret question). At the end of the journey, victims will come across a fake Flash Player install touting the same fake landing page the old attack made use of, while adding a fresh sting in the tail. There’s a message which has been seen on some Facebook profiles doing the rounds at the moment, which reads as follows:
> http://www.threattra...7/minespam1.jpg
With a link to...
> http://www.threattra...am2-300x226.jpg
The spamblog Tumblr will attempt to redirect end-users to a -fake- Facebook login:
> http://www.threattra...7/minespam3.jpg
After handing over their login, the end-user is then asked to surrender the answer to a security question of their own choosing:
> http://www.threattra...7/minespam4.jpg
Finally, they will arrive at the fake Flash player page – identical to the ones used in the 2012 spam runs on Twitter. While the message is the same:
“An update for Youtube player is needed
The Flash player update 10.1 includes
* Smoother video with hardware accelleration support
* Enhanced performance and memory management
* Support for multi-touch and gesture-enabled content
* Private browsing support and security enhancements”


…the downloaded file and intent are rather different.
> http://www.threattra...7/minespam5.jpg
Here’s what it looks like on the desktop, along with information from the Properties tab:
> http://www.threattra...7/minespam7.jpg
... It appears that once they’re done redirecting you to fake Facebook pages, stealing your login / security question information and loading up a fake video page they then want your PC to go mining (most likely Bitcoin, though the files aren’t displaying much activity at time of writing). The domain involved contains numerous files, some of which are password protected and won’t be downloadable unless the infected PC is following the correct “steps”. A compromised machine will attempt to download a proxy and a miner..."
> http://www.threattra...7/minespam8.jpg

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 11 July 2013 - 06:45 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#984 AplusWebMaster

Posted 12 July 2013 - 09:25 AM

FYI...

Fake TAX Return Reminder SPAM / cpa.state.tx .us.tax-returns.mattwaltererie .net
- http://blog.dynamoo....atetxustax.html
12 July 2013 - "This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie .net:

--- Version 1 --------------------
Date: Fri, 12 Jul 2013 14:35:31 +0300
From: DO.NOT.REPLY @REMINDER.STATE .TX .US.GOV
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline
Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=035549412645
For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.

--- Version 2 --------------------
Date: Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From: tax.help @STATE.TX .GOV .US
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.
A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline
Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=488702484517
For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.


Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate -hacked- site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie .net/news/tax_refund-caseid7436463593.php?[snip] (example 1*, example 2**) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).
cpa.state.tx.us.tax-returns.mattwaltererie .net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The domain mattwaltererie .net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from)...
Below is a partial blocklist that I would recommend you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=3689715

** http://urlquery.net/....php?id=3688402

:ph34r: <_<



#985 AplusWebMaster

Posted 15 July 2013 - 06:45 AM

FYI...

Spamvertised emails lead to Casino PUAs
- http://blog.webroot....ed-application/
July 15, 2013 - "... You may want to skip the rogue online casinos... Over the past few days, we intercepted multiple spam campaigns launched by the same party, enticing users into downloading -fake- online casinos most commonly known as the Win32/PrimeCasino/Win32/Casonline PUA (Potentially Unwanted Application)...
Sample screenshots of the landing pages:
> https://webrootblog....1...w=675&h=536
.
> https://webrootblog....1...w=711&h=532
.
> https://webrootblog....1...w=741&h=328
... (More screenshots shown at the first webroot URL above.) ...
Rogue domains reconnaissance:
royalvegascasino .com – 193.169.206.146
888casino .com – 213.52.252.59
spinpalace .com – 109.202.114.65
riverbelle1 .com – 193.169.206.233
alljackpotscasino .com – 64.34.230.122
luckynuggetcasino .com – 67.211.111.163
allslotscasino .com – 64.34.230.149; 205.251.192.125; 205.251.195.210; 205.251.196.131; 205.251.199.63 ...
Detection rates for the Potentially Unwanted Applications (PUAs):
AllJackpots.exe – MD5: fed4e5ba204f3b3034b882481a6ab002 ... Win32/PrimeCasino; W32/Casino.P.gen!Eldorado; PUP.PrimeCasino
luckynugget.exe – MD5: 1e97ddc0ed28f5256167bd93f56a46b2 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado;
Riverbelle.exe – MD5: 1828fc794652e653e6083c204d3b1f34 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
RoyalVegas.exe – MD5: 2dd87b67d4b7ca7a1bfae2192b09f8e6 ... GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
Rogue casino domains... responded to 193.169.206.146 ..."
(More detail at the first webroot URL above.)
___

Half-Life 3 Fakeout...
- http://www.threattra...akeout-roundup/
July 15, 2013 - "Half-Life 3: it doesn’t exist. This short, brutal truth doesn’t mean there aren’t a lot of Half Life 3 fakeouts doing the rounds. For example, here’s a fake Steam Store page located at store(dot)stearnpowered(dot)com... The real thing would be store(dot)steampowered(dot)com – they’re likely banking on end-users not noticing the join between the “r” and the “n”... There’s a lot of so-called “Half-Life 3 giveaway” sites online, and – amazingly enough – -none- of those sites are going to give you Half-Life 3... Halflife3beta(dot)com, which takes the tried and tested survey scam route (complete with fake “Downloads allowed” graphic at the bottom of the survey splash)... If and when Half-Life 3 ever arrives, the first you hear about it won’t be on some obscure domains serving up deals and offers. Keep your wits, your skepticism and your crowbar handy…"

Fake Wiki in the Wild Wild Web
- http://www.threattra...-wild-wild-web/
July 15, 2013 - "If you happen to make a mess of typing up the Wikipedia domain, you could in theory wind up at the following address which is clearly hoping for some finger-related typo malfunction traffic: wikipeida(dot)org
As you can see, it isn’t far off from the real thing. What lurks there? This:
> http://www.threattra...7/fakewiki1.jpg
... The end-user is presented with 3 meaningless questions then asked to choose their final “I’m being marketed to” destination... As far as typosquatting well known sites with the intention of driving traffic to surveys goes, this is a well worn trick and – one would hope – not something a person looking for Wikipedia would fall for..."
___

NOST (NOST.QB) / NSU Resources Inc Pump and Dump SPAM
- http://blog.dynamoo....p-and-dump.html
15 July 2013 - "Over the weekend a pump-and-dump spam* run started for NSU Resources Inc trading as NOST.QB **. NSU Resources almost definitely have -nothing- to do with this spam run...
Subject: This Stock MOVED HARD...
Subject: This Stock Is The Hottest Stock In The Whole Market!...
Subject: They`ve got their rally caps on!...
Subject: Look for Another Push Higher...

... we can expect to see NOST spam for a while yet as the spammer - and perhaps whoever employed them - try to offload worthless shares onto unsuspecting investors. Avoid."
* http://en.wikipedia....i/Pump_and_dump

** http://www.nasdaq.com/symbol/nost
___

Bank of America Paymentech SPAM
- http://threattrack.t...paymentech-spam
15 July 2013 - "Subjects Seen:
Merchant Statement
Typical e-mail details:
Attached (pdf|PDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.


Malicious File Name and MD5:
stid <random>.zip (d8f8701b9485f7a2215da9425c5af7d6)
stid <random>.exe (198385457408361504c7ccac9d67bd3e)

Screenshot: https://gs1.wac.edge...Prth1qz4rgp.png
___

Fake UPS SPAM / tvblips .net
- http://blog.dynamoo....tvblipsnet.html
15 July 2013 - "This fake UPS spam leads to malware on tvblips .net:
Date: Mon, 15 Jul 2013 10:20:13 -0500
From:
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
Thank you for your business.
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
Please visit the UPS Billing Center to view and pay your invoice.
Questions about your charges? To get a better understanding of surcharges on your invoice, click here..."


The link in the email goes to a legitimate -hacked- site that has some highly obfuscated javascript that leads to a malware landing page on [donotclick]tvblips .net/news/ups-information.php (report here*) hosted on:
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
46.45.182.27
209.222.67.251
..."
* http://urlquery.net/....php?id=3762051
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Payment Information Email Message - 2013 Jul 15
Fake Shipping Invoice Notification Email Messages - 2013 Jul 15
Email Messages with Malicious Attachments - 2013 Jul 15
Fake Bank Payment Confirmation Email Messages - 2013 Jul 15
Fake Bank Deposit Confirmation Email Messages - 2013 Jul 15
Fake CashPro Online Digital Certificate Notification Email Message - 2013 Jul 15
Fake Online Dating Proposal Email Messages - 2013 Jul 15
Fake Product Quote Request Email Messages - 2013 Jul 15
Fake Order Document Email Attachment Messages - 2013 Jul 15
Fake Photo Email Messages - 2013 Jul 15
Fake Canceled Electronic Payment Notification Email Message - 2013 Jul 15
Fake Telegraphic Transfer Notification Email Messages - 2013 Jul 15
Fake Receipt Attachment Email Messages - 2013 Jul 15
Fake Purchase Order Notification Email Messages - 2013 Jul 15
Fake Billing Statement Email Messages - 2013 Jul 15
Fake Financial Document Delivery Email Messages - 2013 Jul 15
Fake CashPro Online Digital Certificate Notification Email Messages - 2013 Jul 15
Fake Product Order Email Messages - 2013 Jul 15
Fake Money Transfer Notification Email Messages - 2013 Jul 15
(More detail and links at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 15 July 2013 - 01:09 PM.

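Added example (not code from the ThreatTrack write-ups quoted above, nor from this forum): the "stearnpowered" and "wikipeida" domains above are two different typosquat tricks, a glyph confusable ("rn" read as "m") and a letter transposition. The checker below folds common confusables into a "skeleton" and then measures optimal-string-alignment distance (Levenshtein plus adjacent transposition) against a watch list. The brand list and the confusable table are constructed assumptions; it also accepts the defanged "(dot)" and "foo .org" spellings used in the thread, and it only looks at the second-level label, so it assumes a brand.tld registrable domain.

```python
"""Catch typosquats such as stearnpowered.com (rn for m) and wikipeida.org (transposition).

Added example for the thread; BRANDS and CONFUSABLES are constructed assumptions.
"""
import re

# Constructed watch list (assumption): second-level labels worth protecting.
BRANDS = ("steampowered", "wikipedia", "paypal", "facebook")

# Character runs that look alike in common fonts (assumption; extend as needed).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def refang(text):
    """Undo the defanging used in the thread: 'foo .org', 'foo(dot)org', 'foo[.]org'."""
    text = text.strip().lower().replace("(dot)", ".").replace("[.]", ".")
    return re.sub(r"\s*\.\s*", ".", text)


def skeleton(label):
    """Collapse confusable glyph runs so 'stearn' and 'paypa1' compare as 'steam' and 'paypal'."""
    for lookalike_run, real in CONFUSABLES:
        label = label.replace(lookalike_run, real)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # swap of two neighbours
    return d[len(a)][len(b)]


def lookalikes(host, brands=BRANDS, max_distance=1):
    """Return [(brand, distance), ...] for brands that the host's second-level label imitates.

    The genuine brand label itself is never reported. Distance is measured on
    the skeletons, so a pure confusable swap scores 0.
    """
    labels = refang(host).split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    hits = []
    for brand in brands:
        if label == brand:
            continue
        distance = osa_distance(skeleton(label), skeleton(brand))
        if distance <= max_distance:
            hits.append((brand, distance))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for candidate in ("store(dot)stearnpowered(dot)com", "wikipeida .org", "store.steampowered.com"):
        print(candidate, "->", lookalikes(candidate))
```

A distance of 0 after skeletonising is the strongest signal (the label is visually the brand and nothing else); raise max_distance with care, since short brand names start to collide with unrelated words.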



#986 AplusWebMaster

Posted 16 July 2013 - 06:38 AM

FYI...

Malware sites to block 16/7/13
- http://blog.dynamoo....lock-16713.html
16 July 2013 - "These domains and IPs are associated with this gang*. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them -all- ..."
(Long list available at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Photo Attachment Spam
- http://threattrack.t...attachment-spam
July 16, 2013 - "Subjects Seen:
my undressed image is attached
Typical e-mail details:
zdjakinuii fgcaba rjgvsy
vyjxsvlsa luoans vnlfo
aovkq I R W Q G A L S C M R
caeqmjj W R P L P D A F


Malicious File Name and MD5:
mypic62.zip (f2845f8eeeb5e8b2985fdd2c7636bc39)
mypic.vcr (118980814772348b8e42a5166a4dc2a1)

Screenshot: https://gs1.wac.edge...XZRB1qz4rgp.png
___

Fake Invoice SPAM / doc201307161139482.doc
- http://blog.dynamoo....1139482doc.html
16 July 2013 - "This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.
From: Carlos Phillips [accounting @travidia .com]
Subject: Invoice 48920
Thanks !!
Greg
Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50 @travidia .com


Note that the date is included in the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47*. In theory, if your copy of Microsoft Word is up-to-date you should be immune to this...
UPDATE: The ThreatTrack report [pdf**] shows similar characteristics, including an attempted download from [donotclick]mycanoweb .com/report/doc.exe which is a Zbot variant with a low detection rate***... Most of the IPs for mycanoweb .com overlap with those belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later if there's a problem.
Recommended blocklist:
mycanoweb .com
classified.byethost11 .com
myhomes.netau .net
46.45.182.27
50.97.253.162
59.126.142.186
188.40.92.12
209.222.67.251
209.190.24.9
31.170.160.129

Additional IPs for Zbot component:
182.237.17.180
194.44.219.226
210.56.23.100
..."

* https://www.virustot...d878c/analysis/

** http://www.dynamoo.c...b1201a3e6ef.pdf

*** https://www.virustot...sis/1373989372/
___

Dun and Bradstreet Attachment Spam
- http://threattrack.t...attachment-spam
July 16, 2013 - "Subjects Seen:
FW : Complaint - <random>
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by June 8, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter...
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.


Malicious URLs
b-markenergy .com/ponyb/gate.php
arizonaenergysuppliers .com/ponyb/gate.php
alabamaenergysuppliers .com/ponyb/gate.php
bemarkenergy .com/ponyb/gate.php
costruzionimediterraneo .it/FP0gd6.exe
preview.vibration-trainers .com/V2YE.exe


Malicious File Name and MD5:
Case_<random>.zip (b3f17fd862e5e7C617240251be8de706)
Case_<random>.exe (59ee4453da8909e96762f2c8cd0d6f37)

Screenshot: https://gs1.wac.edge...6ea31qz4rgp.png
___

Spamvertised Payroll themed emails lead to malware
- http://blog.webroot....ntical-malware/
July 16, 2013 - "We’ve intercepted two, currently circulating, malicious spam campaigns enticing users into executing the malicious attachments found in the fake emails. This time the campaigns are impersonating Vodafone U.K or pretending to be a legitimate email generated by Sage 50's Payroll software...
Sample screenshot of the spamvertised email:
> https://webrootblog....slip_sage50.png
... What’s particularly interesting about these two campaigns is the fact that they’ve both been launched by the same cybercriminal/gang of cybercriminals. Not only do the campaigns use an identical MD5 with two previously profiled malicious spam campaigns, but also, all the MD5s phone back to the same C&C server - hxxp:// 62.76.178.178 /fexco/com/index.php
Detection rate for the unique MD5 used in the fake Vodafone U.K MMS themed campaign: 4e9d834fcc239828919eaa7877af49dd * ... Backdoor.Win32.Androm.abrz; Troj/Agent-ACLZ..."
* https://www.virustot...6fd16/analysis/
File name: vt-upload-b6gNq
Detection ratio: 8/47
Analysis date: 2013-07-14
___

Fake Bank of America SPAM / stid 36618-22.zip
- http://blog.dynamoo....6618-22zip.html
16 July 2013 - "This fake Bank of America spam comes with a malicious attachment:
Date: Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
From: Joyce Bryson [legalsr @gmail .com]
Subject: Merchant Statement
Enclosed (pdf|PDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech's or the Merchant's email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly...


Attached is a file called stid 36618-22.zip which in turn contains stid 36618-22.exe which is a variant of Zbot. VirusTotal detections are just 11/47*. Anubis reports** what appear to be several peer-to-peer connection attempts plus an attempted download from [donotclick]apsuart .com/741_out.exe that appears to fail..."
* https://www.virustot...sis/1374010738/

** http://anubis.isecla...amp;format=html

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 16 July 2013 - 05:11 PM.

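Added example (not from the dynamoo item quoted above, nor from this forum): the recommended blocklists in this thread are pasted with defanged hosts ("mycanoweb .com", "[donotclick]..." URLs) mixed with bare IPs. The script below turns such a paste into a domain set and an IP set, then checks constructed squid-style proxy log lines against both, so a listed parent domain also catches its subdomains while a listed subdomain (classified.byethost11 .com) does not blanket the whole shared host. The blocklist text is copied from the item above; the log lines and their client addresses are constructed for the example.

```python
"""Match a pasted, defanged blocklist against proxy log lines.

Added example for the thread. BLOCKLIST_TEXT reproduces the list in the dynamoo
item above; SAMPLE_LOG is constructed (assumption: squid native log format,
fields: time elapsed client code/status bytes method URL ident peer/host type).
"""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCKLIST_TEXT = """
mycanoweb .com
classified.byethost11 .com
myhomes.netau .net
46.45.182.27
50.97.253.162
209.222.67.251
[donotclick]mycanoweb .com/report/doc.exe
...
"""

SAMPLE_LOG = [
    "1373989372.101 48 10.0.0.5 TCP_MISS/200 91234 GET http://mycanoweb.com/report/doc.exe - DIRECT/46.45.182.27 application/octet-stream",
    "1373989375.220 12 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html",
    "1373989380.330 30 10.0.0.9 TCP_MISS/200 2048 GET http://cdn.unrelated-host.test/x.js - DIRECT/209.222.67.251 text/javascript",
]


def refang(text):
    """Undo the thread's defanging: '[donotclick]', 'foo .com', 'foo(dot)com', 'foo[.]com'."""
    text = text.strip().lower().replace("[donotclick]", "")
    text = text.replace("(dot)", ".").replace("[.]", ".")
    return re.sub(r"\s*\.\s*", ".", text)


def parse_blocklist(text):
    """Split a pasted blocklist into (domains, ip_addresses); junk lines such as '...' are ignored."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        entry = refang(raw).split("/")[0]          # a URL contributes only its host
        if not entry:
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
            continue
        except ValueError:
            pass
        if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", entry):
            domains.add(entry)
    return domains, ips


def blocked_domain(host, domains):
    """Return the blocklist entry covering `host` (itself or a parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def blocked_ip(addr, ips):
    try:
        return ipaddress.ip_address(addr) in ips
    except ValueError:
        return False


def scan_log(lines, domains, ips):
    """Return [(client, url, reasons)] for every request touching a listed host or IP."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        host = urlsplit(url).hostname or ""
        dst = peer.rsplit("/", 1)[-1]               # 'DIRECT/46.45.182.27' -> '46.45.182.27'
        reasons = []
        entry = blocked_domain(host, domains)
        if entry:
            reasons.append("domain:" + entry)
        if blocked_ip(dst, ips):
            reasons.append("ip:" + dst)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    listed_domains, listed_ips = parse_blocklist(BLOCKLIST_TEXT)
    for hit in scan_log(SAMPLE_LOG, listed_domains, listed_ips):
        print(hit)
```

Checking the peer IP as well as the URL host matters for this gang: the third constructed line reaches a listed IP through a hostname that is not on the list, which is exactly what a fresh throwaway domain on old infrastructure looks like.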


#987 AplusWebMaster

Posted 17 July 2013 - 09:19 AM

FYI...

Fake Reservation Confirmation SPAM / marriott .com.reservation.lookup.viperlair .net
- http://blog.dynamoo....eservation.html
17 July 2013 - "This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair .net:
Date: Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
From: Marriott Hotels & Resorts Reservation [reservations @clients.marriottmail .org]
Reply-To: reservations @clients.marriottmail .org
Subject: Houston Marriott Westchase Reservation Confirmation #86903601
Marriott Hotels & Resorts Houston Marriott Westchase 2900 Briarpark Dr.,
Houston, Texas 77042 USA Phone: 1-713-978-7400 Fax: 1-713-735-2726
Reservation for [redacted]
Confirmation Number: 86903601
Check-in: Sunday, July 21, 2013 (03:00 PM)
Check-out: Wednesday, July 24, 2013 (12:00 PM)
Modify or Cancel reservation ...


The -link- in the email goes through a legitimate -hacked- site and lands on [donotclick]marriott.com.reservation.lookup.viperlair .net/news/marriott-ebill-order-confirmation.php (report here*) hosted on the following IPs:
(viperlair .net is registered with -fake- WHOIS details that mark it out as belonging to the Amerika gang...)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
209.222.67.251 (Razor Inc, US)
Recommended blocklist:
50.97.253.162
59.126.142.186
209.222.67.251
..."
* http://urlquery.net/....php?id=3804348
___

"PC Wizard" tech support SCAM
- http://blog.dynamoo....pport-scam.html
17 July 2013 - "Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC. I'll do a write up later.. but in the meantime their MO is to get you to look at your Event Viewer for errors (there are always errors), and then visit ammyy .com to run some remote control software. DO NOT LET THEM DO THIS!"

- http://centralops.ne...ainDossier.aspx
canonical name ammyy.com
addresses 70.38.40.185
OriginAS: AS32613 *
City: Moscow ...
Country: RU ...

* https://www.google.c...c?site=AS:32613
"... over the past 90 days, 1721 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-17, and the last time suspicious content was found was on 2013-07-17... we found 313 site(s) on this network... that appeared to function as intermediaries for the infection of 794 other site(s)... We found 280 site(s)... that infected 1790 other site(s)..."

:ph34r: <_<

Edited by AplusWebMaster, 17 July 2013 - 02:42 PM.



#988 AplusWebMaster

Posted 18 July 2013 - 10:17 AM

FYI...

Site primrose .co .uk hacked, emails compromised
- http://blog.dynamoo....ompromised.html
18 July 2013 - "Garden accessory site primrose.co .uk has been -hacked- and email addresses stored in their system are being abused for phishing purposes:
From: paypal .co .uk [service @paypal .co .uk]
Date: 18 July 2013 11:01
Subject: We cannot process your payment at this time.
Dear,
We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
we understand it may be frustrating not to have full access to your PayPal account.We want to work with you to get your account back to normal as quickly as possible.
What's the problem ? It's been a little while since you used your account.For reasons relating to the safe use of the PayPal service we need some more information about your account.
Reference Number: PP-001-278-254-803
It's usually quite straight forward to take care of these things.Most of the time, we just need some more information about your account or latest transactions.
1. Download the attached document and open it in a browser window secure.
2. Confirm that you are the account holder and follow the instructions.
Yours sincerely,
PayPal
Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589


The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www. thesenddirect .com (62.149.142.113 - Aruba, Italy) and submitting the data to www .paypserv .com (62.149.142.152 - also Aruba). The WHOIS details are no doubt -fake- and are respectively:
Saunders, John Alan mahibarayanlol @gmail .com
4 The Laurels off Oatland Close Botley, 4
Southampton, GB SO322EN
IT
+39.447885623455
----------
Clarke, Victoria johanjo1010 @gmail .com
Innex Cottage Ropers Lane, 754
Wrington, GB BS405NH
IT
+39.441934862064
Primrose .co .uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified then I will assume they did not find anything. Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext which is good. Without further information from primrose .co .uk it is impossible to say if any financial data has been compromised."
___

Fake KLWines .com SPAM / prysmm .net
- http://blog.dynamoo....escom-spam.html
18 July 2013 - "This fake K&L Wine Merchants spam email leads to malware on www.klwines.com.order.complete .prysmm.net:
Date: Thu, 18 Jul 2013 05:57:28 -0800
From: drowsedl04 @inbound.ups .net
Subject: Your K&L order #56920789 is complete
Hello from K&L Wine Merchants -- www.KLWines .com
Just wanted to let you know that your order (#56920789) is complete.
Additional comments for this order: Ship Fri. 7/19
The following items are included...
Item Subtotal: $247.91
Tax: $0.00
Shipping & Handling: $67.18
Total: $315.09
The tracking number for this shipment is 1Z474482A140261050.
Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below.
To see the latest information about your order, visit "My Account"...


The link in the email goes through a legitimate -hacked- site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm .net/news/order-information.php (report here*) hosted on:
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The -fake- WHOIS details mark this out as belonging to the Amerika gang...
Recommended blocklist:
50.97.253.162
59.126.142.186
203.236.232.42
209.222.67.251
..."
* http://urlquery.net/....php?id=3833979
___

Fake QuickBooks Overdue Payment SPAM
- http://threattrack.t...ue-payment-spam
July 18, 2013 - "Subjects Seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 07/18/2013 as outlines under our “Payment Terms" agreement.
Thank you for your business,
Sincerely,
Nathan Phipps


Malicious URLs
prospexleads .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
picaletter .com/ZDpczi37.exe
s268400504.onlinehome .us/v73.exe
wineoutleteventspace .com/7UNFVh.exe


Malicious File Name and MD5:
invoice_<random>.zip (9E2221D918E83ED2B264214F5DDAB9FF)
invoice_<random>.exe (06C3A27772C2552A28C32F82583B7645)

Screenshot: https://gs1.wac.edge...diSE1qz4rgp.png
___

Wells Fargo Important Documents Spam
- http://threattrack.t...-documents-spam
July 18, 2013 - "Subjects Seen:
IMPORTANT Documents - WellsFargo
Typical e-mail details:
Please review attached files.
Alyce_Granger
Wells Fargo Advisors


Malicious URLs
prospexleads .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
ciclografico .pt/9Up.exe
mdebra.o2switch .net/2ccVsM9z.exe
magusdev .com/YSQsWZVU.exe
splendidhonda .com/Hb3qCt.exe

Malicious File Name and MD5:
DOC_<name>.zip (44A3AFFC21D0BA3E4CA5ACE0732C6D65)
DOC_{_MAILTO_USERNAME}.exe (4A182976242CF4F65B6F219D649B0A98)

Screenshot: https://gs1.wac.edge...zlo31qz4rgp.png
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Video Sharing Email Messages - 2013 Jul 18
Fake Product Order Quotation Email Messages - 2013 Jul 18
Malicious Attachment Email Messages - 2013 Jul 18
Email Messages with Malicious Attachments - 2013 Jul 18
Fake Money Transfer Notification Email Messages - 2013 Jul 18
Fake Product Supply Request Email Messages - 2013 Jul 18
Malicious Personal Pictures Attachment Email Messages - 2013 Jul 18
Malicious Attachment Email Messages - 2013 Jul 18
Fake Money Transfer Notification Email Messages - 2013 Jul 18
Fake Invoice Statement Attachment Email Messages - 2013 Jul 18
Fake Customer Complaint Attachment Email Messages - 2013 Jul 18
Fake Picture Link Email Messages - 2013 Jul 18
Fake Fund Transfer Confirmation Email Messages - 2013 Jul 18
Fake Order Information Email Messages - 2013 Jul 18
Fake Tax Report Documentation Email Messages - 2013 Jul 18
Fake Product Quote Request Email Messages - 2013 Jul 18
Fake Product Quotation Request Email Messages - 2013 Jul 18
(More detail and links at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 18 July 2013 - 03:14 PM.

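Added example (not from the dynamoo write-up of the primrose .co .uk phish above, nor from this forum): an HTML attachment that "pulls content from" one host and "submits the data to" another is easy to triage without opening it in a browser. The parser below pulls every form action and every script/img/link/iframe reference out of the markup and compares those hosts with the brand the mail claims to be. The markup is constructed to resemble the attachment described above (the real file was not published); the two hosts are the ones named in the write-up.

```python
"""Triage an HTML attachment: where does its form post, and where does it pull content from?

Added example for the thread. SAMPLE_HTML is constructed (assumption) in the
shape of the Account Information-Paypal.html attachment described above.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.thesenddirect.com/css/paypal.css">
<script src="http://www.thesenddirect.com/js/validate.js"></script>
</head><body>
<img src="http://www.thesenddirect.com/img/logo.gif">
<form method="post" action="http://www.paypserv.com/login.php">
  <input name="email"><input name="password" type="password">
  <input type="submit" value="Log In">
</form></body></html>"""


class _RefExtractor(HTMLParser):
    """Collect form targets and fetched resources from the markup."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = {name: value for name, value in attrs if value}
        if tag == "form" and "action" in attr:
            self.form_actions.append(attr["action"])
        elif tag in ("script", "img", "iframe", "link", "embed"):
            url = attr.get("src") or attr.get("href")
            if url:
                self.resources.append(url)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _foreign(host, claimed):
    """True when the host is neither the claimed domain nor one of its subdomains."""
    return bool(host) and host != claimed and not host.endswith("." + claimed)


def triage_attachment(html, claimed_domain):
    """Compare every host the attachment talks to with the brand it claims to represent."""
    parser = _RefExtractor()
    parser.feed(html)
    form_hosts = sorted({_host(u) for u in parser.form_actions})
    resource_hosts = sorted({_host(u) for u in parser.resources})
    return {
        "form_hosts": form_hosts,
        "resource_hosts": resource_hosts,
        "posts_credentials_offsite": any(_foreign(h, claimed_domain) for h in form_hosts),
        "loads_content_offsite": any(_foreign(h, claimed_domain) for h in resource_hosts),
    }


if __name__ == "__main__":
    print(triage_attachment(SAMPLE_HTML, "paypal.com"))
```

An empty host in the output means a relative URL, which for a file opened from disk would resolve against file://, so a credential form with a relative action is usually broken rather than safe; the interesting signal is a form that posts to a registrable domain other than the brand's.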


#989 AplusWebMaster

Posted 19 July 2013 - 09:11 AM

FYI...

Who's Who SCAM
whoswhonetworkonline .com
- http://blog.dynamoo....necom-spam.html
19 July 2013 - "This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam*.
* https://en.wikipedia.../Who's_Who_scam
From: Who's Who [cpm2 @contactwhoswho .us]
Reply-To: databaseemailergroup @gmail .com
date: 19 July 2013 05:44
subject: You were recently nominated into Who's Who Amoung Executives
Who's Who Network Online
Hello,
As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory. You were contacted, but we did not receive any of your biographical information. We would like to give you another opportunity to do so...


Clicking on the link takes you to whoswhonetworkonline .com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.
Screenshot: https://lh3.ggpht.co...tworkonline.png
There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities. However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam... The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us which is consistent with the cpm2 @contactwhoswho .us sender's address...
Darin Delia appears to be the same person who was sending out Spotlite Radio spam**..."
** http://blog.dynamoo....13com-spam.html
___

Bank of America Transaction Completed Spam
- http://threattrack.t...-completed-spam
19 July 2013 - "Subjects Seen:
Your transaction is completed
Typical e-mail details:
Transaction is completed. $99479350 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.


Malicious File Name and MD5:
payment receipt(copy).zip (F87DB429BED542ED6D26ACF8924280FB)
payment receipt(copy).exe (22C694FDA2FF8BECC447D1BE198A74DC)

Screenshot: https://gs1.wac.edge...O0qX1qz4rgp.png
___

Fake Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports .com
- http://blog.dynamoo....ge-overage.html
20 July 2013 - "This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports .com:
Date: Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From: Verizon Wireless [VZWMail @e-marketing. verizonwireless-mail .net]
Subject: Data Usage Overage Alert
Important Information About Your Account. View Online
verizon wireless Explore Shop My Verizon Support
Important Information About Your Data Usage
Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.
Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.
Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
Thank you for choosing Verizon Wireless.
Details as of:
[redacted]
07/19/2013 02:15 AM EDT
We respect your privacy. Please review our privacy policy for more information
about click activity with Verizon Wireless and links included in this email.
This email was sent to [redacted];
ID: [redacted]


The -link- in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports .com/news/verizon-bill.php (report here*) hosted on:
172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
188.134.26.172 (Perspectiva Ltd, Russia)
The domain verizonwirelessreports .com is -fake- and was recently registered to an anonymous person. However, given the IPs and associated domains then this is clearly the work of this gang.
Blocklist:
"
* http://urlquery.net/....php?id=3863421

:ph34r: <_<

Edited by AplusWebMaster, 19 July 2013 - 07:09 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
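The lookalike hostnames in the Verizon post above put a trusted brand name in front of an unrelated registered domain (verizonwireless.com inside verizonwirelessreports.com, ups.com inside shanghaiherald.net). As an added example that is not part of this post or the quoted blog, the Python below refangs indicators written the way these posts defang them and flags any hostname whose registrable domain is not the brand it embeds; the brand allowlist and the tiny public-suffix table are assumptions.

```python
import re

# Constructed allowlist of brands that should only ever be the registrable domain.
TRUSTED_DOMAINS = {"verizonwireless.com", "ups.com", "klwines.com"}

# Toy public-suffix table (an assumption; use the real Public Suffix List in practice).
SUFFIXES = {"com", "net", "org", "co.uk"}


def refang(indicator):
    """Turn a defanged hostname as written in these posts back into a plain hostname.

    Handles the '[donotclick]' prefix, 'example .com' spacing, '(dot)' and a URL path.
    """
    s = indicator.strip().replace("[donotclick]", "").replace("(dot)", ".")
    s = re.sub(r"\s+\.", ".", s)          # "verizonwirelessreports .com" -> "verizonwirelessreports.com"
    s = s.split("/", 1)[0]                # drop "/news/verizon-bill.php"
    return s.lower().rstrip(".")


def registrable_domain(host):
    """Return the owner-controlled domain, e.g. 'bbc.co.uk' for 'www.bbc.co.uk', else None."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                      # longest suffix match first
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def impersonated_brands(host):
    """Trusted domains that appear as a run of labels inside host without owning it."""
    host = host.lower().rstrip(".")
    owner = registrable_domain(host)
    hits = []
    for brand in TRUSTED_DOMAINS:
        # Label-boundary match: '.ups.com.' must appear whole, so 'groups.com' is not flagged.
        if owner != brand and f".{brand}." in f".{host}.":
            hits.append(brand)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: indicators copied from the post above plus two legitimate hosts.
    samples = [
        "[donotclick]onemessage.verizonwireless.com.verizonwirelessreports .com/news/verizon-bill.php",
        "package.ups.com.shanghaiherald .net",
        "www .klwines .com.order.complete.prysmm .net",
        "onemessage.verizonwireless.com",
        "www.bbc.co.uk",
    ]
    for raw in samples:
        host = refang(raw)
        print(f"{host:60} owner={registrable_domain(host)} impersonates={impersonated_brands(host)}")
```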


#990 AplusWebMaster

Posted 20 July 2013 - 08:18 AM

FYI...

Fake BBC website SPAM hits Twitter
- http://www.threattra...m-hits-twitter/
July 19, 2013 - "There’s a spam-run doing the rounds right now which uses a -fake- BBC website to drive traffic to a diet pill website:
> http://www.threattra...amazingbbc1.jpg
... All of the posts use the hashtag “Amazing”, with a link to a fake BBC URL + 6 seemingly random numbers:
#amazing newslinkbbc(dot)co(dot)uk/??[6 digits]
The above URL was registered in August 2011. Additionally, there are more fake BBC sites located at mailbbc(dot)co(dot)uk (registered August 2011, on the same day as the URL currently being posted to Twitter) and securebbc(dot)co(dot)uk (registered August 2012). At least one other URL has been up for debate in years gone by in relation to the person claiming ownership of newslinkbbc and mailbbc. Clicking
newslinkbbc(dot)co(dot)uk takes end-users to world-bbc(dot)co(dot)uk (registered August 2012):
Fake BBC Spam site..
> http://www.threattra...amazingbbc2.jpg
... The above site advertises a weight-loss diet designed to remove belly fat. The live link on the site leads to bbchost(dot)altervista(dot)org/news/health-21434875/try-garcinia-now which -redirects- to
pgc(dot)my-secure-orders(dot)com/?clickid=[ID removed]
> http://www.threattra...amazingbbc3.jpg
The site is promoting the formerly mentioned diet pills... We’ve seen 360+ of these links being spammed on Twitter... and no doubt the spam will continue to grow before Twitter gets a handle on the situation. For now, be very wary of any and all links being spammed with the #amazing hashtag, and if you find yourself spamming the same Tweets then change your password and remove any apps tied to your account that you don’t remember adding (or indeed, have added recently but don’t feel so confident about anymore)."

:ph34r: <_<
