SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#991 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 July 2013 - 07:51 AM

FYI...

Malicious URLs in .lc zone
- https://www.secureli...URLs_in_lc_zone
July 20, 2013 - "While analyzing suspicious URLs I found out that more and more malicious URLs are coming from the .lc domain, which formally belongs to Saint Lucia*, a country located in the eastern Caribbean Sea. Our statistics confirm this trend.
> https://www.secureli...klblog/9106.png
Cybercriminals from different parts of the world are actively using this domain, including cybercriminals from Brazil abusing free Web hosting available in that country.
> https://www.secureli...klblog/9104.jpg
How many legitimate domains in the .lc zone have you ever had to visit in your life? If the answer is zero, then maybe it’s time to start filtering access to this domain, especially on the corporate Firewall / Proxy layer."
* https://en.wikipedia...iki/Saint_Lucia
___

PlugX malware factory revisited... Smoaler
- http://atlas.arbor.n...dex#-1265345240
High Severity
July 19, 2013
The Smoaler malware has been uncovered and is involved in targeted attacks. Organizations that may have been targeted would benefit from careful analysis of this information and associated indicators.
Analysis: Targeted attack campaigns continue as usual. As actors are discovered, their techniques, tactics and procedures evolve. While the technique of running malware in memory is not new, it is put into practice here, and the final payload varies. While many targeted attacks still involve only the amount of force necessary to compromise the target, many other attack campaigns that have yet to be unmasked are surely in operation.
Source: http://nakedsecurity...ducing-smoaler/

- https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH) / MS12-027
Last revised: 03/07/2013

:ph34r: <_<

Edited by AplusWebMaster, 21 July 2013 - 08:41 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
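Added example, not part of the post above and not Securelist's code: a small Python filter that makes the ".lc" recommendation concrete for a proxy policy. The decision is keyed on the real right-most label of the host, so a hostname stacked with brand names on the left still falls under the zone it actually belongs to. The suffix stub, the blocked-zone set and the sample requests are assumptions made for illustration.

```python
"""TLD-based proxy filter, as the .lc advice above suggests.

Added example; not code from the original post or from Securelist.
The suffix table, the blocked-zone set and the sample requests are
assumptions made here for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Zones this organisation has decided it never needs to reach (assumption:
# .lc as the post suggests; extend it from your own proxy statistics).
BLOCKED_TLDS = {"lc"}

# Minimal public-suffix knowledge so that "bank.example.co.uk" is split as
# registrable domain "example.co.uk", not "co.uk". Assumption: a real
# deployment loads the full Public Suffix List instead of this stub.
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "co.jp"}


def hostname_of(url_or_host: str) -> str:
    """Lower-case hostname with scheme, port, path and trailing dot removed."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "http://" + text          # let urlsplit parse bare hosts too
    host = urlsplit(text).hostname or ""
    return host.rstrip(".").lower()


def split_host(host: str):
    """Return (registrable_domain, tld); (None, None) for IP literals."""
    try:
        ipaddress.ip_address(host)
        return None, None               # no TLD to filter on
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None, None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:]), labels[-1]
    return ".".join(labels[-2:]), labels[-1]


def proxy_decision(url: str) -> str:
    """'block' when the host's TLD is in BLOCKED_TLDS, otherwise 'allow'.

    Deliberately keyed on the real TLD, so a look-alike such as
    www.aa.com.something.example.lc (brand names stacked on the left)
    is still blocked: only the right-most label decides the zone.
    """
    _domain, tld = split_host(hostname_of(url))
    return "block" if tld in BLOCKED_TLDS else "allow"


# Constructed sample requests, not taken from the post's statistics.
SAMPLE_REQUESTS = [
    "http://www.aa.com.reservation.example.lc/news/hold.php",
    "https://bank.example.co.uk/login",
    "http://198.51.100.7:8080/gate.php",
    "example.lc",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(proxy_decision(request), request)
```

IP literals deliberately return no TLD: a zone filter says nothing about them, and they need the address-based blocklists the later items in this thread recommend.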



#992 AplusWebMaster

Posted 22 July 2013 - 10:54 AM

FYI...

Bitcoin mining tools in the wild...
- http://blog.webroot....ed-in-the-wild/
July 22, 2013 - "Cybercriminals continue releasing new, commercially available, stealth Bitcoin/Litecoin mining tools, empowering novice cybercriminals with the ability to start monetizing the malware-infected hosts that are part of their botnets, or the ones they have access to which they’ve purchased through a third-party malware-infected hosts selling service...
Sample screenshots of the stealth Bitcoin/Litecoin mining tool’s admin panel:
> https://webrootblog....mining_tool.png
.
> https://webrootblog....ing_tool_01.png
... the cybercriminal behind it released it in a way that would prevent its mass spreading, supposedly due to the fact that he doesn’t want to attract the attention of security vendors whose sensor networks would easily pick up any massive campaigns featuring the miner. Therefore, he’s currently offering a limited number of copies of this miner. Over the last couple of months we’ve been intercepting multiple subscription-based or DIY type of stealth Bitcoin/Litecoin miners, indicating that the international underground marketplace is busy responding to the demand for such type of tools. Despite the fact that Bitcoin is a ‘trendy’ E-currency, we believe that for the time being, Russian and Eastern European cybercrime gangs will continue to maintain a large market share of the underground’s market profitability metric, due to their utilization of mature, evasive, and efficient monetization tactics..."

Bitcoin Mining by Botnet...
- https://krebsonsecur...ning-by-botnet/
July 18, 2013
___

Fake American Airlines SPAM / sai-uka-sai .com
- http://blog.dynamoo....-saicom_22.html
22 July 2013 - "This fake American Airlines spam leads to malware on www .aa .com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com:
From: American.Airlines@aa .net
Date: 22 July 2013 17:22
Subject: AA.com Itinerary Summary On Hold
Dear customer,
Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.
To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www .aa .com.
This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) ...


The link in the email goes through a legitimate -hacked- site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai .com/news/american-airlines-hold.php (report here*) hosted on the following IPs:
50.97.253.162 (Softlayer, US**)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)
The WHOIS details for that domain are the characteristically -fake- ones...
Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251
..."
* http://urlquery.net/....php?id=3928752

Diagnostic page for AS36351 (SOFTLAYER)
** https://www.google.c...c?site=AS:36351
"... over the past 90 days, 5148 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-07-22, and the last time suspicious content was found was on 2013-07-22... Over the past 90 days, we found 662 site(s) on this network... that appeared to function as intermediaries for the infection of 2618 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 868 site(s)... that infected 6671 other site(s)..."
___

Fake BMW SPAM / pagebuoy .net
- http://blog.dynamoo....agebuoynet.html
22 July 2013 - "This convincing looking BMW spam leads to malware ...
Date: Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
From: BMW of North America [womanliere75 @postmaster.aa-mail .org]
Reply-To: [redacted]@m.aa-mail .com
Subject: The BMW 6-Series M Sport Edition, M Universe, and more.
BMW’s 6-Series M Sport Edition View Online
BMW
A 6 SERIES.
WITH M PANACHE.
Meet the 6-Series M Sport Edition. Available in all 6 series models, the M Sport Edition boasts premium features like M Aerodynamics, LED Adaptive Headlights, an M leather steering wheel, and Nappa Leather sport seats for a ride that’s a 6-Series inside and out.
LEARN MORE
Efficient Dynamics
Table of Contents
» BMW M Universe
» BMW Wins Again
» BMW i3 Design
» BMW Superbike
» BMW Collections
WELCOME TO M’S NEW HOME.
In the M Universe, your own M photos will become part of a visual timeline spanning all 40 award-winning years of the iconic M brand, from the classic 1972 to the new M6 Gran Coupe. To all you M fans, welcome home.
» ENTER BMW M UNIVERSE
THE 3 SERIES WINS AGAIN
The BMW 3 Series continues to live up to its hard-earned reputation as the best compact sports sedan in the world. AUTOMOBILE MAGAZINE presented the 3 Series with the coveted 2013 All-Star award, making the number of AUTOMOBILE MAGAZINE awards won by the 3 Series alone over a dozen.
» BUILD YOUR OWN ...


Screenshot: https://lh3.ggpht.co...00/bmw-spam.jpg

The link in the email goes through a legitimate -hacked- site and ends up on [donotclick]links.emails.bmwusa.com.open.pagebuoy .net/news/bmw-newmodel.php (report here*) which is hosted on the same IP addresses as this spam run**."
* http://urlquery.net/....php?id=3929867

** http://blog.dynamoo....-saicom_22.html
___

NY Better Business Bureau Spam
- http://threattrack.t...ess-bureau-spam
July 22, 2013 - "Subjects Seen:
FW: Case <removed>
Typical e-mail details:
The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.
In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by June 30, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely ...


Malicious URLs
yourprospexblog .com:8080/ponyb/gate.php
myimpactblog .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
prospexleads .com:8080/ponyb/gate.php
moneyinmarketing .com/dL1.exe
abbeyevents .co .uk/fNF1.exe
salsaconfuego .com/RCY.exe
fales .info/PwvextRo.exe

Malicious File Name
and MD5:
Complaint_<date>.zip (B82478381DCECD63B81F64EDF7632D51)
Complaint_<date>.zip (95B542B1BCBD7D5AEE65F97E9125D90C)

Screenshot: https://gs1.wac.edge...UJgV1qz4rgp.png
___

Fake IRS "Complaint Case #488870383295" SPAM / Complaint_488870383295.zip
- http://blog.dynamoo....83295-spam.html
22 July 2013 - "This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.
Date: Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From: "IRS.gov" [fraud .dep @irs. gov]
Subject: Complaint Case #488870383295
You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/
Case Number: 488870383295
Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.
Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.
The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.
The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
2013 Council of IRS, Inc. All Rights Reserved.


Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47*... the Malwr analysis** seems to be the most comprehensive and shows traffic out to the following compromised sites:
prospexleads .com
phonebillssuck .com
moneyinmarketing .com
abbeyevents .co.uk
salsaconfuego .com
fales .info

The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed."
* https://www.virustot...sis/1374520022/

** https://malwr.com/an...DE1YzE4Yzc0ZGI/

:( :ph34r: <_<

Edited by AplusWebMaster, 22 July 2013 - 07:53 PM.

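Added example, not part of the post above and not Dynamoo's or ThreatTrack's code: the IOCs in these items are written defanged ("sai-uka-sai .com", "[donotclick]...", "hxxp ://"), which is right for a forum but useless to paste into a firewall. The Python below refangs them, sorts them into addresses, CIDR ranges, domains and URLs, and answers the two questions a proxy or DNS filter actually asks: is this IP blocked, and is this host (or a parent of it) blocked. The IOC list is copied from this thread; the refanging rules and the lookup API are assumptions.

```python
"""Turn the defanged IOCs in these posts into a usable blocklist.

Added example; not code from Dynamoo, ThreatTrack or the original post.
The IOC list below is copied from this thread in its defanged form; the
refanging rules and the lookup API are assumptions made here.
"""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCKLIST_IOCS = [
    # Dynamoo's recommended blocklist for the fake American Airlines run
    "50.97.253.162", "95.111.32.249", "188.134.26.172", "209.222.67.251",
    # ranges Dynamoo recommends blocking in later items of this thread
    "91.233.244.0/23", "184.95.37.96/28",
    # domains and URLs, as written on the page
    "sai-uka-sai .com",
    "pagebuoy .net",
    "[donotclick]links.emails.bmwusa.com.open.pagebuoy .net/news/bmw-newmodel.php",
    "hxxp ://dkg.videodownloadonline .com/download/video_downloader",
]


def refang(ioc: str) -> str:
    """Undo the 'do not click' conventions used on the page."""
    s = ioc.strip().replace("[donotclick]", "")
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s)   # "hxxp ://" -> "http://"
    s = s.replace("(dot)", ".").replace("[.]", ".")
    s = re.sub(r"\s*\.\s*", ".", s)                    # "sai-uka-sai .com"
    s = re.sub(r"\s+(?=[/:])", "", s)                  # "host .com /path"
    return s


def classify(ioc: str):
    """Return (kind, value): ip, cidr, url or domain."""
    s = refang(ioc)
    try:
        return "ip", ipaddress.ip_address(s)
    except ValueError:
        pass
    try:
        return "cidr", ipaddress.ip_network(s, strict=False)
    except ValueError:
        pass
    if "://" in s or "/" in s:
        return "url", s
    return "domain", s.lower()


class Blocklist:
    def __init__(self, iocs):
        self.ips, self.nets, self.hosts, self.urls = set(), [], set(), set()
        for ioc in iocs:
            kind, value = classify(ioc)
            if kind == "ip":
                self.ips.add(value)
            elif kind == "cidr":
                self.nets.append(value)
            elif kind == "domain":
                self.hosts.add(value)
            else:
                self.urls.add(value)
                url = value if "://" in value else "http://" + value
                self.hosts.add(urlsplit(url).hostname)   # block the host too

    def ip_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return addr in self.ips or any(addr in net for net in self.nets)

    def host_blocked(self, host: str) -> bool:
        """Exact or parent-domain match: listing x.com also blocks a.x.com."""
        host = host.lower().rstrip(".")
        return any(host == h or host.endswith("." + h) for h in self.hosts)


if __name__ == "__main__":
    bl = Blocklist(BLOCKLIST_IOCS)
    for ip in ("50.97.253.162", "91.233.244.102", "184.95.37.110", "8.8.8.8"):
        print(ip, bl.ip_blocked(ip))
    print(bl.host_blocked("www.aa.com.reservation.sai-uka-sai.com"))
```

The parent-domain match is what catches the long look-alike hostnames in these spam runs: "www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com" is blocked because "sai-uka-sai.com" is, while the real "aa.com" is untouched.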


#993 AplusWebMaster

Posted 23 July 2013 - 08:47 AM

FYI...

Fake Media Player - rogue video Downloader PUA
- http://blog.webroot....pplication-pua/
July 23, 2013 - "Our sensors continue picking up deceptive advertisements that expose gullible and socially engineered users to privacy-invading applications and toolbars, most commonly known as Potentially Unwanted Applications (PUAs). The latest detected campaign utilizes multiple legitimately looking banners in an attempt to trick users into thinking that their media player needs to be updated. Once users install the bogus ‘Media Player Update’, they introduce third-party privacy-invading software onto their PCs and directly contribute to the revenue flow of the cybercriminals behind the campaign...
Sample screenshots of multiple deceptive ads leading to the same Potentially Unwanted Application (PUA):
> https://webrootblog....ayer_update.png
> https://webrootblog....te_01.png?w=869
> https://webrootblog....te_03.png?w=869
... Sample screenshot of the landing page:
https://webrootblog....1...w=641&h=544
Rogue URL:
hxxp ://dkg.videodownloadonline .com/download/video_downloader – 107.14.36.160; 107.14.36.120
Detection rate for the PUA – MD5: 85387afff8e5e66e2d9cc5dc1c43c922 * ... Adware.Downware.925; Bundlore (fs). The sample is digitally signed by Bundlore LTD, which is yet another pay-per-install affiliate network.
Rogue URL: bundlore .com – 98.129.229.186 – Email: eldad.shaltiel @gmail .com
... MD5s... known to have interacted with the same IP (98.129.229.186)..."
(More detail at the first webroot URL above.)
* https://www.virustot...e4d3a/analysis/
___

Malware sites to block 23/7/13
- http://blog.dynamoo....lock-23713.html
23 July 2013 - "These malicious domains and IPs are associated with this prolific gang*. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Linkedin Spam leads to Canadian Pharma sites
- http://www.threattra...n-pharma-sites/
July 23, 2013 - "We’ve seen an email spam-run taking place over the last couple of days, involving what appear to be compromised websites redirecting end-users to Canadian pharmacy spam pages (and quite possibly other forms of medicinal spam content too). Here’s an example of one such email – at time of writing, -all- of them are Linkedin message imitations:
> http://www.threattra...07/sadtech1.jpg ...
> http://www.threattra...07/sadtech4.jpg
... Another redirect destination we’ve seen is ipadherbaltablet(dot)com – again, offline at time of writing. Campaigns such as the above tend to be fast moving, constantly shifting URLs as compromised sites get a handle on the hack and new spam domains are set up to replace the ones that are blacklisted / shut down... they have the direct, non-Linkedin URL right there in the Email body. The non-hidden URLs, combined with the seemingly short lifespan of the spam sites will hopefully mean this one isn’t clogging up mailboxes for too long."
___

“Click This Photo for Tumblr Fame” Turns Volume Up...
- http://www.threattra...e-up-to-eleven/
July 23, 2013 - "... garish set of posts that have been doing the rounds on Tumblr over the last day or so. Here’s the most recent collection of archived posts on an affected blog..
> http://www.threattra...ickforfame1.jpg
... “Click this photo for Tumblr fame”, claims the animated .gif. Animated? You bet. It rotates through 3 different “promo” images, and by the time the image goes out of sync on the Archive page it ends up looking something like this with all of the second-long splash images rotating away and vying for attention... The bulk of the posts on the above blog have around 1,000+ reblogs / notes each, though some of them are reposts of the same content. In all cases, they use a shortened URL service to send users to their final destination... At time of writing, none of the apps appear to have done anything publicly – there’s certainly nothing posted to our test account – but we’ll continue to monitor and see what happens."
(More detail at the first URL above.)
___

Something evil on 91.233.244.102
- http://blog.dynamoo....1233244102.html
23 July 2013 - "The following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors*, has several malware detections on VirusTotal** plus a few on URLquery***. Google has flagged several domains as being malicious... Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from your network, in fact I would personally recommend blocking the whole 91.233.244.0/23 block..."
(More detail at the dynamoo URL above.)
* http://malwaremustdi...struns-dga.html

** https://www.virustot...02/information/

*** http://urlquery.net/...4...7-23&max=50
___

Incoming Money Transfer Spam
- http://threattrack.t...y-transfer-spam
July 23, 2013 - "Subjects Seen:
Important Notice - Incoming Money Transfer
Typical e-mail details:
please complete the “A136 Incoming Money Transfer Form".
Fax a copy of the completed “A136 Incoming Money Transfer Form" to +1 800 722 1934.
To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Lowell_Madden
Senior Officer
Cash Management Verification


Malicious URLs
yourprospexblog .com:8080/ponyb/gate.php
myimpactblog .com:8080/ponyb/gate.php
phonebillssuck .com:8080/ponyb/gate.php
prospexleads .com:8080/ponyb/gate.php
abbeyevents .co .uk/fNF1.exe
salsaconfuego .com/RCY.exe
aasportsacademy .com/FPzbn.exe
whiteheadst .com/JrN9Jv.exe

Malicious File Name
and MD5:
A136_Incoming_Money_Transfer_Form.zip (9BD136876BD8B5796C30F1750983E764)
A136_Incoming_Money_Transfer_Form.exe (3CDA70F6B2628A6CD1F552F5FEB11F05)

Screenshot: https://gs1.wac.edge...2TvM1qz4rgp.png
___

Fake Incoming Money Transfer SPAM / A136_Incoming_Money_Transfer_Form.zip
- http://blog.dynamoo....y-transfer.html
23 July 2013 - "This fake webcashmgmt .com spam comes with a malicious attachment:
Date: Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]
From: WebCashmgmt [Alberto_Dotson @webcashmgmt .com]
Subject: Important Notice - Incoming Money Transfer
An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct account please complete the "A136 Incoming Money Transfer Form".
Fax a copy of the completed "A136 Incoming Money Transfer Form" to +1 800 722 5331...


There is an attachment A136_Incoming_Money_Transfer_Form.zip containing an executable file A136_Incoming_Money_Transfer_Form.exe. The VirusTotal detection rate is a miserable 6/47*.
This is a two stage pony/gate infection according to the Malwr report**. Functionally it looks very similar to the payload used in this spam run***."
* https://www.virustot...sis/1374594791/

** https://malwr.com/an...jEzMzliYmRhYjg/

*** http://blog.dynamoo....83295-spam.html
___

Facebook Friend Spam
- http://threattrack.t...ook-freind-spam
July 23, 2013 - "Subjects Seen:
[removed] wants to be friends with you on Facebook.
Typical e-mail details:
[removed] wants to be friends with you on Facebook.

Malicious URLs
dynamicservicesllc .com/neglectfully/index.html
discountprescriptions.pacificsocial .com/displeased/index.html
ic44 .com/ganglier/index.html
hi-defhooters .com/topic/accidentally-results-stay.php
hi-defhooters .com /topic/accidentally-results-stay.php?VwsYyU=opovyGaoS&NWnVfHBlqeCu=CAAbE
hi-defhooters .com /topic/accidentally-results-stay.php?xf=2e2g2j2h2g&be=57312h522j2h2g562f2j&X=2d&Rf=q&El=C
hi-defhooters .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...GNae1qz4rgp.png

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 23 July 2013 - 12:57 PM.

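Added example, not part of the post above and not Dynamoo's or ThreatTrack's code: the two attachment lures above ("Complaint_<date>.zip", "A136_Incoming_Money_Transfer_Form.zip") are ZIPs wrapping an .exe, and the quoted VirusTotal rates (14/47, 6/47, 2/47 for the second stage) show why a hash or signature match alone is a poor gate. The Python below does structural triage of an attachment in memory: it checks the MD5 against the hashes listed above, checks the filename against the lure names, then opens the archive and flags executable members and PE headers hiding under a document extension. The MD5 set is from the items above; the rules, size cap, sample archives and verdict API are assumptions.

```python
"""Structural triage of a mail attachment, like the ZIP-in-a-complaint lures above.

Added example; not code from Dynamoo, ThreatTrack or the original post.
The MD5 set is copied from the items above; the rules, the sample
archives and the verdict API are assumptions made here.
"""
import hashlib
import io
import os
import re
import zipfile

# MD5s listed in the BBB / IRS / Incoming Money Transfer items of this thread.
KNOWN_BAD_MD5 = {
    "b82478381dcecd63b81f64edf7632d51", "95b542b1bcbd7d5aee65f97e9125d90c",
    "9bd136876bd8b5796c30f1750983e764", "3cda70f6b2628a6cd1f552f5feb11f05",
}
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Attachment names used by the two campaigns quoted above.
LURE_NAME = re.compile(
    r"^(complaint|a136_incoming_money_transfer_form)[_-]?\d*\.zip$", re.I)
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # assumption: refuse to inflate anything bigger


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if md5_hex(data) in KNOWN_BAD_MD5:
        findings.append("known-bad md5 on attachment")
    if LURE_NAME.match(filename):
        findings.append("filename matches campaign lure pattern")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXT:
                findings.append(f"archive contains executable {info.filename}")
            if info.file_size > MAX_MEMBER_BYTES:      # zip-bomb guard
                findings.append(f"oversized member {info.filename}, not inspected")
                continue
            member = archive.read(info)
            if md5_hex(member) in KNOWN_BAD_MD5:
                findings.append(f"known-bad md5 on {info.filename}")
            if member[:2] == b"MZ" and ext not in EXECUTABLE_EXT:
                findings.append(f"PE header under non-executable name {info.filename}")
    return findings


def verdict(filename: str, data: bytes) -> str:
    return "quarantine" if triage_attachment(filename, data) else "deliver"


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Constructed test archive; stands in for a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("Complaint_07222013.exe", b"MZ" + b"\0" * 64)
    print(verdict("Complaint_488870383295.zip", lure),
          triage_attachment("Complaint_488870383295.zip", lure))
    benign = build_sample_zip("report.txt", b"quarterly numbers")
    print(verdict("report.zip", benign))
```

The hash check is kept only as a bonus: the structural rules fire on the constructed sample even though its MD5 matches nothing, which is exactly the situation the 6/47 detection rate describes.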


#994 AplusWebMaster

Posted 24 July 2013 - 10:57 AM

FYI...

Fake Facebook pwd reset SPAM / nphscards .com
- http://blog.dynamoo....k-password.html
July 24, 2013 - "This fake Facebook spam leads to malware on nphscards .com:
Date: Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes through a legitimate -hacked- site and then through one or both of these following scripts:
[donotclick]ftp.thermovite .de/kurile/teeniest.js
[donotclick]traditionlagoonresort .com/prodded/televised.js
The victim is then directed to [donotclick]nphscards .com/topic/accidentally-results-stay.php (report here*) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards .com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards .com is also on the same server and is probably hijacked."
* http://urlquery.net/....php?id=3976081

- https://www.virustot...69/information/
___

Royal Baby News Spam
- http://threattrack.t...aking-news-spam
July 24, 2013 - "Subjects Seen:
"Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
Washington (CNN)— What will the Obamas get the royal wee one? Sources say it’s a topic under discussion in the White House and at the State Department.
No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.
Kate and William bring home royal baby boy


Malicious URLs
wurster .ws/rump/index.html
assuredpropertycare .net/intersperse/index.html
tennisclub-iburg .de/hepper/index.html
nphscards .com /topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54&P=2d&Ek=j&PD=j
nphscards .com /topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu&qhiHoQj=JBEYjg
nphssoccercards .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...tKRB1qz4rgp.png

- http://blog.dynamoo....-baby-tree.html
24 July 2013 - "This fake CNN spam leads to malware on nphscards .com:
Date: Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From: "Perfect gift for royal baby ... a tree?" [BreakingNews @mail.cnn .com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
CNN
U.S. presidents have spotty record on gifts for royal births ..."


Screenshot: https://lh3.ggpht.co...00/cnn-baby.png

The payload works in exactly the same way as this fake Facebook spam* earlier today and consists of a hacked GoDaddy domain (nphscards .com) hosted on 162.216.18.169 by Linode."
* http://blog.dynamoo....k-password.html

- https://www.virustot...69/information/

- http://www.threattra...e-zbot-malware/
July 24, 2013 - "... “Royal Baby” Malware to start making the rounds... The Malware in question involves... Blackhole Exploit Kit, which leads end-users to Zbot (the Zeus Infostealer) / Medfos ( which typically displays adverts, connects to numerous IP addresses and can also download additional files )..."
> http://www.threattra...malwarespam.jpg
___

eBay iPhone Order Spam
- http://threattrack.t...hone-order-spam
July 24, 2013 - "Subjects Seen:
Payment Received - eBay item #[removed] NEW WHITE-CA Acoustic Guitar+GIGBAG+STRAP+TUNER+LESSON
Typical e-mail details:
Hello Dear Customer,
Your payment has been received for the following item. If extra shipping
charges is required per our ad and not received (for all military addresses/AK/PR/PO
Box and other U.S.territories outside of the 48 states), we may contact you
shortly. Be sure your Ebay registered address and contact phone number
is accurate as the order will be processed as such.


Malicious URLs
compare-treadmills .co .uk/fosters/index.html
bernderl .de/fife/index.html
tennisclub-iburg .de/hepper/index.html
nphscards .com/topic/accidentally-results-stay.php?ceJfcWErQTbG=kCwAByXBRdETOJ&tsDWPg=RpZTfjhgRFCk
nphscards .com/topic/accidentally-results-stay.php?ff=2g3131542j&ke=302g572f5352572i572f&D=2d&pb=U&sR=I
nphscards .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...lx4R1qz4rgp.png
___

Fake inTuit emails - "Your payments are being processed for deposit"
- http://security.intu.../alert.php?a=84
7/23/13 - "People are receiving -fake- emails with the title "Your payments are being processed for deposit". Below is a copy of the email people are receiving.
> http://security.intu...ges/phish84.jpg
This is the end of the -fake- email.
- Steps to Take Now
Do not open the attachment in the email...
Delete the email..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 25 July 2013 - 05:18 AM.

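Added example, not part of the post above and not ThreatTrack's or Dynamoo's code: the "Malicious URLs" lists in these items repeat a few shapes regardless of the lure (a three-word /topic/…php landing page, /adobe/update_flash_player.exe, a short random .exe in the web root, and :8080/ponyb/gate.php for the Pony check-in). Those shapes outlive any one domain, so they are what a proxy-log detection should key on. The Python below runs such rules over constructed log lines and raises an extra "infection-chain" alert when one client fetches a landing page and then a payload. The rule patterns are generalised from the URLs quoted in this thread; the log layout, the sample lines and the alert shape are assumptions.

```python
"""Detection over proxy logs for the URL shapes repeated in the lists above.

Added example; not code from ThreatTrack, Dynamoo or the original post.
The rule patterns are generalised from the URLs quoted in this thread;
the log format, the sample lines and the alert shape are assumptions.
"""
import re
from collections import defaultdict

RULES = [
    # Pony check-in: gate.php under /ponyb/ on port 8080 (see the lists above)
    ("pony-gate", re.compile(r":8080/ponyb/gate\.php$")),
    # exploit-kit landing page: /topic/<word>-<word>-<word>.php, e.g.
    # accidentally-results-stay.php or regard_alternate_sheet.php
    ("bh-landing", re.compile(r"/topic/[a-z]+[-_][a-z]+[-_][a-z]+\.php(\?|$)")),
    # fake Flash update dropped after the landing page
    ("fake-flash", re.compile(r"/adobe/update_flash_player\.exe$")),
    # short random .exe in the web root of a compromised site, e.g. /dL1.exe
    ("root-exe", re.compile(r"^https?://[^/]+/[A-Za-z0-9]{3,10}\.exe$")),
]

# Assumed log layout: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(url: str) -> list:
    return [name for name, rx in RULES if rx.search(url)]


def scan(lines) -> list:
    """One alert per rule hit, plus an 'infection-chain' alert for any
    client that fetched a landing page and then a payload."""
    alerts, per_client = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, never crash
        for rule in match_rules(rec["url"]):
            alerts.append({"client": rec["client"], "rule": rule, "url": rec["url"]})
            per_client[rec["client"]].add(rule)
    for client, rules in per_client.items():
        if "bh-landing" in rules and rules & {"fake-flash", "root-exe"}:
            alerts.append({"client": client, "rule": "infection-chain", "url": None})
    return alerts


# Constructed sample log; the hosts are the ones named in the items above.
SAMPLE_LOG = """\
2013-07-24T15:02:11 10.0.0.21 GET http://tennisclub-iburg.de/hepper/index.html 200
2013-07-24T15:02:13 10.0.0.21 GET http://nphscards.com/topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu 200
2013-07-24T15:02:19 10.0.0.21 GET http://nphssoccercards.com/adobe/update_flash_player.exe 200
2013-07-24T15:03:40 10.0.0.21 POST http://yourprospexblog.com:8080/ponyb/gate.php 200
2013-07-24T15:04:02 10.0.0.35 GET http://www.example.com/topic/index.php 200
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The first hop in each chain, the hacked site's /<word>/index.html redirector, is deliberately not a rule: that shape is too common on legitimate sites to alert on by itself, which is why the chain rule starts at the landing page.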


#995 AplusWebMaster

Posted 25 July 2013 - 10:28 AM

FYI...

Fake CNN SPAM / evocarr .net
- http://blog.dynamoo....rails-spam.html
25 July 2013 - "This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr .net:
Date: Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From: 77 dead after train derails [BreakingNews @mail.cnn .com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS
NEW: Train driver told police he entered the bend too fast, public broadcaster reports
NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
Witness: "The train was broken in half. ... It was quite shocking"
77 people are dead, more bodies may be found, regional judicial official says
Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...


Screenshot: https://lh3.ggpht.co...0/cnn-train.png

The link in the email goes to a legitimate -hacked- site which tries to load one or more of the following scripts:
[donotclick]church.main .jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage .com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch .de/referees/metacarpals.js
From there the victim is sent to a landing page at [donotclick]evocarr .net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following -hijacked- GoDaddy domains are on the same IP and can be considered suspect:
evocarr .net
serapius .com
leacomunica .net
mindordny .org
rdinteractiva .com
yanosetratasolodeti .org "
___

CNN Spanish Train Derailment Spam
- http://threattrack.t...derailment-spam
July 25, 2013 - "Subjects Seen:
"Perfect gift for royal baby … a tree?" - BreakingNews CNN
Typical e-mail details:
77 dead after train derails, splits apart in Spain
iReporter: ‘It was a horrific scene’
STORY HIGHLIGHTS
NEW: Train driver told police he entered the bend too fast, public broadcaster reports
NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
Witness: “The train was broken in half. … It was quite shocking"
77 people are dead, more bodies may be found, regional judicial official says
Madrid (CNN) — An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story ...


Malicious URLs
caribbeancinemas .net/cheerfullest/index.html
sroehl .de/inpatient/index.html
evocarr .net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
evocarr .net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
evocarr .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...7d9o1qz4rgp.png
___

Malicious Facebook E-Mail Spam Campaigns
- http://threattrack.t...-spam-campaigns
July 25, 2013
"New Password Request:
> https://gs1.wac.edge...pVxT1qz4rgp.png
Friend Request:
> https://gs1.wac.edge...PsWI1qz4rgp.png
Tagged Photos Notification:
> https://gs1.wac.edge...THbs1qz4rgp.png
Subjects Seen:
You requested a new Facebook password
<Name> wants to be friends with you on Facebook.
<Name> tagged 2 photos of you on Facebook

Typical e-mail details:
New Password Request:
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Friend Request:
<Name> wants to be friends with you on Facebook.
Tagged Photos Notification:
<Name> added 5 photos of you.


Malicious URLs
dl2htd .de/surfaces/index.html
airductservicepro .com/lighthouse/index.html
99906.webhosting33.1blu .de/stupids/index.html
128.121.242.173 /nutritional/index.html
handmadelifecoaching .com/compelled/index.html
villaflorida .biz/deepness/index.html
ekaterini.mainsys .gr/exhorted/index.html
hackspitz .com/gnarl/index.html
joerg.gmxhome .de/skeptically/index.html
lostfounddevices .com/mama/index.html
spurtwinslotshelvingsystems .co .uk/aquamarine/index.html
bbsmfg .biz/servo/index.html
198.251.67.11 /reprehended/index.html
evocarr .net/topic/accidentally-results-stay.php?wf=57552j302f&qe=302g572f5352572i572f&T=2d&XD=A&Zn=r
evocarr .net/topic/accidentally-results-stay.php?KVVWmNcvwPD=WJOsotrS&BTvKFG=felbOVVkanHPuB
evocarr .net/adobe/update_flash_player.exe

___

Incoming Fax Report Spam
- http://threattrack.t...fax-report-spam
July 25, 2013 - "Subjects Seen:
INCOMING FAX REPORT : Remote ID: <random>
Typical e-mail details:
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 04:42:54 CST
Speed: 26606 bps
Connection time: 05:09
Pages: 6
Resolution: Normal
Remote ID:
Line number: 1
DTMF/DID:
Description: June Payroll
Click here to view the file online ...


Malicious URLs
funeralsintexas .com/someplace/index.html
keralahouseboatstourpackages .com/mansion/index.html
christinegreenmd .com/inductees/index.html
ente-gmbh .de/bragg/index.html
impresiona2 .net/topic/regard_alternate_sheet.php?uf=2i2h2f5653&Je=302g572f5352572i572f&Y=2d&kc=i&bN=Q
impresiona2 .net/topic/regard_alternate_sheet.php?Ef=2i2h2f5653&Le=56302d2f2h53562j2j55&a=2d&dV=l&JB=a
impresiona2 .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...QlWe1qz4rgp.png

Fake FAX SPAM - 2013vistakonpresidentsclub .com
- http://blog.dynamoo....eport-spam.html
25 July 2013 - "This fake fax report spam (apparently from the Administrator at the Victim's domain) leads to malware on 2013vistakonpresidentsclub .com:
Date: Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From: Administrator [administrator @victimdomain]
Subject: INCOMING FAX REPORT : Remote ID: 1150758119
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
DTMF/DID:
Description: June Payroll
Click here to view the file online ...


The link in the spam leads to a legitimate -hacked- site and then on to one or more of these three intermediary scripts:
[donotclick]1954f7e942e67bc1.lolipop .jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio .de/djakarta/opel .js
[donotclick]www.pep7 .at/hampton/riposts.js
From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub .com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier today (like this spam*) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on 184.95.37.110 which is a Jolly Works Hosting IP**, which has been implicated in malware before. I would personally block 184.95.37.96/28 to be on the safe side."
* http://blog.dynamoo....-baby-tree.html

** http://blog.dynamoo....y works hosting

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 25 July 2013 - 06:02 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#996 AplusWebMaster

Posted 26 July 2013 - 11:31 AM

FYI...

Fake eBay SPAM / artimagefrance .com
- http://blog.dynamoo....unity-spam.html
26 July 2013 - "This fake eBay email leads to malware on artimagefrance .com:
Date: Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From: eBay [eBay@ reply1.ebay .com]
Subject: [redacted] welcome to the eBay community! ...


Screenshot: https://lh3.ggpht.co...0/fake-ebay.png

The link in the email goes to a legitimate -hacked- site and then runs one or more scripts from the following list of three:
[donotclick]75.126.43.229 /deputy/clodhoppers.js
[donotclick]andywinnie .com/guessable/meteor.js
[donotclick]hansesquash .de/wimples/dunning.js
The victim is then sent to a malware landing page at [donotclick]artimagefrance .com/topic/accidentally-results-stay.php hosted on 184.95.37.110 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 184.95.37.96/28 in this case..."

... eBay Spam
- http://threattrack.t...me-to-ebay-spam
July 26, 2013 - "Subjects Seen:
<Name> welcome to the eBay community!
Typical e-mail details:
Welcome to eBay
The simpler way to save and shop
Start shopping ...


Malicious URLs
gwiz .de/balloonists/index.html
dialogueseriesonline .com/snag/index.html
dbrsnet .info/restore/index.html
b-able .gr/overshot/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edge...l7mw1qz4rgp.png
___

Fake Intellicast weather SPAM / artimagefrance .com
- http://blog.dynamoo....efrancecom.html
26 July 2013 - "This fake weather spam leads to malware on artimagefrance .com:
Date: Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]
From: "Intellicast.com" [weather @intellicast .com]
Subject: Intellicast.com [weather @intellicast .com]
Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit ...


The payload and infection technique is exactly the same as the one used here*."
* http://blog.dynamoo....unity-spam.html

Intellicast Weather Report Spam
- http://threattrack.t...her-report-spam
July 26, 2013 - "Subjects Seen:
Intellicast .com <weather@intellicast .com>
Typical e-mail details:
Intellicast .com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit Intellicast .com:
intellicast .com/Local/Weather.aspx?location=USNH0164


Malicious URLs
tohoradio .dx .am/depression/index.html
tohoradio .dx .am/packers/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edge...Oilk1qz4rgp.png
___

Fake BoA transaction SPAM / payment receipt 26-07-2013 .zip
- http://blog.dynamoo....saction-is.html
26 July 2013 - "This fake Bank of America spam has a malicious attachment:
Date: Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From: impairyd04 @gmail .com
Subject: Your transaction is completed
Transaction is completed. $09681416 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached...


There is an attachment payment receipt 26-07-2013.zip which in turn contains the executable file payment receipt 26-07-2013.exe. This appears to be a Zbot variant with a pretty low detection rate of 9/46 at VirusTotal*. The Malwr report** is the most detailed for this sample, and Anubis also has some useful information. Of note is that there is network traffic to the following IPs that seem to be pretty common for this Zbot / Zeus variant..."
(Long list of URLs at the dynamoo URL above.)
* https://www.virustot...sis/1374847946/

** https://malwr.com/an...2E0MDYyYjJkNmQ/
___

CNN Walking Dead News Alert Spam
- http://threattrack.t...news-alert-spam
July 26, 2013 - "Subjects Seen:
BreakingNews CNN: New season new ‘Walking Dead’
Typical e-mail details:
What you’ll see on the new ‘Walking Dead’
Before heading to Comic-Con in San Diego last weekend, the cast members of “The Walking Dead" were each given a folder with talking points about the upcoming fourth season.
The folders contained information on what the actors could and couldn’t say about the new episodes, which premieres October 13 on AMC. Although none of the actors could reveal the contents of the folders, it was clear that there are lots of secrets to be kept about where “The Walking Dead" will be headed when it returns.
Full Story »»


Malicious URLs
grupocelebrate .com .br/lozenge/index.html
stem.harrisonschools .org/optimization/index.html
grupocelebrate .com .br/saintlier/index.html
artimagefrance .com/adobe/update_flash_player.exe
artimagefrance .com/topic/accidentally-results-stay.php


Screenshot: https://gs1.wac.edge...GGfk1qz4rgp.png

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 26 July 2013 - 12:09 PM.



#997 AplusWebMaster

Posted 29 July 2013 - 10:47 AM

FYI...

Fake Facebook SPAM - happykido .com
- http://blog.dynamoo....ppykidocom.html
29 July 2013 - "This fake Facebook spam leads to malware on happykido .com:
Date: Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From: Facebook [update+zj4o40c2_aay @facebookmail .com]
Subject: Betsy Wells wants to be friends with you on Facebook.
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Betsy Wells
Baldric Aguino
Astrid Aggas
Deloris Bransfield
Perdita Brantz
Danelle Erstad
Daphne Escamilla
Giovanna Hadesty
Georgeann Habel
Hugh Campisi
Jake Callas ...


Apparently all these people look alike:
- https://lh3.ggpht.co...ke-facebook.png
This is a "ThreeScripts" attack, clicking the link goes to a legitimate hacked site which then tries to run one of the following:
[donotclick]system-hostings .info/aphrodisiac/nought.js
[donotclick]gc.sceonline .org/worsens/patronizingly.js
[donotclick]www.kgsindia .org/retell/manson.js
from there, the victim is sent to a malware landing page on a -hijacked- GoDaddy domain at [donotclick]happykido .com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.
Recommended blocklist:
50.2.138.161 ..."

- https://www.virustot...61/information/
___

Fake "Key Secured Message" SPAM / SecureMessage .zip
- http://blog.dynamoo....ssage-spam.html
29 July 2013 - "This spam has a malicious attachment:
Date: Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From: "Marcia_Manning @key .com" [Marcia_Manning @key .com]
Subject: Key Secured Message
You have received a Secured Message from:
Marcia_Manning @key .com
The attached file contains the encrypted message that you have received. To decrypt the
message use the following password - nC4WR706
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your
computer.
- Select whether to open the file or save it to your hard drive. Opening the file
displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it. This e-mail and any
attachments are confidential and intended solely for the addressee and may also be
privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this
e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon
any part of this e-mail or its attachments...


The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be unencrypted with the password supplied in the email ( which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46*. The Malwr analysis** shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel .com/ponyb/gate.php on 198.57.130.34 (Unified Layer / Bluehost, US) and then downloading one of the following:
[donotclick]a1bridaloutlet .co .uk/aiswY6.exe (5/45)
[donotclick]www.giftedintuitive .com/kQYjoPqY.exe (11/46)
[donotclick]198.61.134.93 /MM75.exe (5/45)
[donotclick]paulalfrey .com/guBwFA.exe (5/46)
Recommended blocklist:
198.57.130.34
198.61.134.93
..."
* https://www.virustot...sis/1375109054/

- https://www.virustot...34/information/

- https://www.virustot...93/information/

** https://malwr.com/an...jBlMjAxZWVhMmU/

Key.com Secured Message Spam
- http://threattrack.t...ed-message-spam
July 29, 2013 - "Subjects Seen:
Key Secured Message
Typical e-mail details:
You have received a Secured Message from:
<removed>@key .com
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - <removed>
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law...


Malicious URLs
198.57.130.35 :8080/ponyb/gate.php
webmail.alsultantravel .info:8080/ponyb/gate.php
alsultantravel .com:8080/ponyb/gate.php
webmail.alsultantravel .com:8080/ponyb/gate.php
a1bridaloutlet .co.uk/aiswY6.exe
giftedintuitive .com/kQYjoPqY.exe
198.61.134.93 /MM75.exe
paulalfrey .com/guBwFA.exe

Malicious File Name
and MD5:
SecureMessage.zip (01CC5CE52FC839EBCE6497FB88B1781F)
SecureMessage.exe (81129764C62417D5B06C73E6FAD838A5)

Screenshot: https://gs1.wac.edge...4v541qz4rgp.png
___

HSBC E-Advice Spam
- http://threattrack.t...c-e-advice-spam
July 29, 2013 - "Subjects Seen:
HSBC E-Advice
Typical e-mail details:
Please find attached your Advice containing information on your transactions of last working day with the bank.
Please do not reply to this e-mail address. If you have any queries, please contact our Customer Services.
Yours faithfully
HSBC Bank


Malicious URLs
198.57.130.35 :8080/ponyb/gate.php
webmail.alsultantravel .info:8080/ponyb/gate.php
alsultantravel .com:8080/ponyb/gate.php
webmail.alsultantravel .com:8080/ponyb/gate.php
wx04.strato-wlh .de/EggT.exe
labycar .com/Zi6L.exe
208.112.50.5 /c38QVmd.exe
s148231503.onlinehome .us/y3R.exe

Malicious File Name
and MD5:
HSBC_advice.zip (6C5A65A05E72ADFC64318E7730199192)
HSBC_advice.exe (E1DBB4BE2A7AE2180100A02C5E3E2D95)

Screenshot: https://gs1.wac.edge...30Ux1qz4rgp.png
___

FedEx Shipment Notification Spam
- http://threattrack.t...tification-spam
July 29, 2013 - "Subjects Seen:
FedEx Shipment Notification
Typical e-mail details:
This tracking update has been requested and attached to this email
Reference information includes: Invoice number, Reference, Special handling/Services, Residential Delivery. Reference information is attached to this email.
Tracking number: <removed>
To track the latest status of your shipment, click on the tracking number above, or visit us at fedex .com...
This tracking update has been sent to you by FedEx on the behalf of the Requestor noted above. FedEx does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor’s message, or the accuracy of this tracking update...
Thank you for your business.


Malicious File Name and MD5:
FedEx Notification.zip (7CFE2BE8E249E9A05664CB2E4BABD6AC)
FedEx Notification_.PDF.exe (E4EC9F6232A272EA76B65F94A86FF184)
FedEx Reference information.zip (F28D58D5CA4910495DBB786E8AC0E5D3)
FedEx Reference information.pdf.exe (CE23868B4F645A39CBB6AE98796346CB)

Screenshot: https://gs1.wac.edge...DK0H1qz4rgp.png
___

DocuSign Confidential Company Agreement Spam
- http://threattrack.t...-agreement-spam
July 29, 2013 - "Subjects Seen:
Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
Typical e-mail details:
Your document has been completed
Sent on behalf of DocuSign Support.
All parties have completed the envelope ‘Please DocuSign this document: 2013 Company Contracts..pdf’.
To view, download or print the completed document click below.
View in DocuSign


Malicious URLs
thealphatechnologies .com/interlaces/index.html
digitalcaptive .net/chickpea/index.html
ftp(DOT)kirchdach .at/kimonos/index.html
webmail.alsultantravel .com:8080/ponyb/gate.php
happykiddoh .com/topic/able_disturb_planning.php
happykiddoh .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...HReI1qz4rgp.png

More here:
- https://www.virustot...34/information/
"... domains resolved to the given IP address...
... Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset..."
___

Visa Recent Transactions Report Spam
- http://threattrack.t...ons-report-spam
July 29, 2013 - "Subjects Seen:
VISA - Recent Transactions Report
Typical e-mail details:
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Augustus_Molina
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom


Malicious URLs
asam.atspace .eu/windsocks/index.html
deltaboatworks .net/adobe/update_flash_player.exe
deltaboatworks .net/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edge...YWPV1qz4rgp.png

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 30 July 2013 - 08:01 AM.

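An added example, not from the original post or from any of the quoted sources: the checks a mail gateway should run on zip attachments like the payment receipt, SecureMessage, HSBC_advice, FedEx and UPS lures quoted in this thread. It flags executables hiding behind document-looking double extensions (the "FedEx Notification_.PDF.exe" trick), recognises a PE payload by its MZ header regardless of name, and handles the "Key Secured Message" pattern where the zip is password-protected and the password is handed out in the mail body. The sample zip, the PE stub inside it and the mail body are constructed here, nothing is downloaded; function names such as inspect_zip_attachment are mine, not from any tool the posts mention. Python's zipfile can only read the traditional ZipCrypto encryption, so AES-encrypted entries are reported as encrypted but not openable.

```python
import io
import re
import zipfile

# Extensions Windows will execute, and the document extensions the lures put in front of them.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".wsf"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_ENTRY = 20 * 1024 * 1024  # refuse to inflate anything larger than this (assumed gateway limit)

# The lure says "use the following password - nC4WR706"; "password-protected" must not match.
PASSWORD_RE = re.compile(r"password\s*[-:]\s+([A-Za-z0-9]{6,20})\b", re.I)


def extract_password(body):
    """Return the password a lure hands out in its own text, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def classify_entry(name, data):
    """Reasons an archive member is suspicious (empty list = nothing found)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXEC_EXT:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOC_EXT:
            reasons.append("double extension disguised as " + exts[-2])
    # Content check, independent of whatever the file is called.
    if data is not None and data[:2] == b"MZ":
        reasons.append("PE (MZ) header")
    return reasons


def inspect_zip_attachment(blob, mail_body=""):
    """Inspect a zip attachment; returns encrypted flag, password used (if any) and findings."""
    result = {"encrypted": False, "password_used": None, "findings": {}}
    pwd = extract_password(mail_body)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            data = None
            if info.file_size > MAX_ENTRY:
                reasons = classify_entry(info.filename, None) + ["oversized entry, not inflated"]
                result["findings"][info.filename] = reasons
                continue
            if encrypted:
                result["encrypted"] = True
                if pwd:
                    try:
                        data = zf.read(info, pwd=pwd.encode())  # ZipCrypto only in stdlib
                        result["password_used"] = pwd
                    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                        data = None
            else:
                data = zf.read(info)
            reasons = classify_entry(info.filename, data)
            if encrypted:
                reasons.append("encrypted entry" if data is not None else "encrypted entry (not openable)")
            if reasons:
                result["findings"][info.filename] = reasons
    return result


def build_sample_zip():
    """Constructed sample in the shape of the 'payment receipt 26-07-2013.zip' lure.
    The 'executable' is a stub that only starts with MZ; it is not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment receipt 26-07-2013.pdf.exe", b"MZ" + b"\x90" * 62 + b"\x00" * 200)
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    body = "To decrypt the message use the following password - nC4WR706"
    for name, why in inspect_zip_attachment(build_sample_zip(), body)["findings"].items():
        print(name, "->", ", ".join(why))
```

Quarantine on any finding rather than on the extension alone: the MZ check catches renamed payloads, and an encrypted zip whose password is in the same mail is itself the indicator, whether or not the gateway can open it.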


#998 AplusWebMaster

Posted 30 July 2013 - 10:58 AM

FYI...

Fake CNN Angelina Jolie SPAM / deltadazeresort .net
- http://blog.dynamoo....of-highest.html
30 July 2013 - "This fake CNN spam leads to malware on deltadazeresort .net:
Date: Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From: CNN [BreakingNews @mail .cnn .com]
Subject: CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Agelina Jolie attends a June 2013 premiere of Brad Pitt's movie, "World War Z" ...


Screenshot: https://lh3.ggpht.co.../s400/jolie.png

The link in the email goes to a legitimate -hacked- site and then to one or more of three scripts:
[donotclick]00002nd.rcomhost .com/immanent/surfeit.js
[donotclick]theplaidfox .com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs .com/afforestation/provosts.js
From there the victim is sent to a landing page at [donotclick]deltadazeresort .net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:
66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US) ..."

CNN Angelina Jolie Spam
- http://threattrack.t...lina-jolie-spam
July 30, 2013 - "Subjects Seen:
CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Typical e-mail details:
(EW.com) — She might not get paid as much as “Iron Man," but there’s no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.
This year, Jolie topped Forbes’ annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.


Malicious URLs
gbheatings .com/thou/index.html
casa-dor .com/bookstore/index.html
deltadazeresort .net/topic/able_disturb_planning.php
deltadazeresort .net/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...iSDk1qz4rgp.png
___

Pharma sites to block 30/7/13
- http://blog.dynamoo....lock-30713.html
30 July 2013 - "These IPs host (fake) pharma sites which seem to be associated with this gang* and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent...
Recommended blocklist:
88.190.218.27
91.199.149.0/24
91.200.13.0/24
91.204.162.81
91.204.162.96
94.152.188.165
94.242.239.4
109.107.203.45
192.162.19.0/24
198.23.59.79
..."
(More listed at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Malware sites to block 30/7/13
- http://blog.dynamoo....lock-30713.html
30 July 2013 - "These sites and IPs are associated with this gang*, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika
___

Fake Pinterest password SPAM / onsayoga .net
- http://blog.dynamoo....terest-was.html
30 July 2013 - "This fake Pinterest spam leads to malware on onsayoga .net:
Date: Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From: Pinterest [caulksf8195 @customercare .pinterrest .net]
Subject: Your password on Pinterest was Successfully modified!
A Few Updates...
[redacted]
Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
Ask for a New Password
Pinterest is a tool for collecting and organizing things you love.
This email was sent to [redacted].


Screenshot: https://lh3.ggpht.co...0/pinterest.png

The link goes through a legitimate -hacked- site and then on to [donotclick]www .pinterest.com.onsayoga .net/news/pinterest-paswword-changes.php (report here*) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)
These IPs are controlled by this gang** and form part of this large network*** of malicious IPs and domains. I recommend you use -that- list in conjunction with blocking onsayoga .net."
* http://urlquery.net/....php?id=4226343

** http://blog.dynamoo....h/label/Amerika

*** http://blog.dynamoo....lock-30713.html
___

Fake eBay SPAM / deltamarineinspections .net
- http://blog.dynamoo....-heres-how.html
30 July 2013 - "There is currently an eBay-themed "ready to get started? Here’s how" spam run active, effectively almost the same as this one*, except this time there is a new set of intermediate scripts and payload page. The three scripts** involved are:
[donotclick]03778d6.namesecurehost .com/meaningful/unsnapping.js
[donotclick]icontractor .org/followings/trolloped.js
[donotclick]tvassist .co .uk/plead/grueled.js
..leading to a payload page at [donotclick]deltamarineinspections .net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are -hijacked- from a GoDaddy account and belong to the same poor sod that lost control of the ones here***.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net
..."
* http://blog.dynamoo....unity-spam.html

** http://blog.dynamoo....el/ThreeScripts

*** http://blog.dynamoo....of-highest.html
___

Fake Facebook SPAM again / deltaoutriggercafe .com
- http://blog.dynamoo....gercafecom.html
30 July 2013 - "These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe .com:
Date: Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From: Facebook [no-reply @facebook .com]
Subject: Issac Dyer wants to be friends with you on Facebook.
facebook
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]...


I don't know about you, but I think Isaac looks a bit like a girl:
> https://lh3.ggpht.co...00/facebook.png
Predictably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run*. However, in this case the target has now changed to [donotclick]deltaoutriggercafe .com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been -hijacked- from GoDaddy.
Recommended blocklist:
66.175.217.235
deltaboatraces .net
deltaboatworks .net
deltadazeresort .net
deltamarineinspections .net
deltaoutriggercafe .com
deltarentalcenter .net
deltariverhouse .net
deltayachtclub .net
..."
* http://blog.dynamoo....-heres-how.html

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 31 July 2013 - 04:53 AM.

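An added example, not part of the original post: turning the defanged indicators quoted in this thread back into a usable form and checking proxy-log lines against them. The thread defangs in several ways ("evocarr .net", "ftp(DOT)kirchdach .at", a "[donotclick]" prefix, "198.57.130.35 :8080", "128.121.242.173 /path"), and the block recommendations mix bare IPs, CIDR ranges such as 184.95.37.96/28 and domain names. The hijacked domains rotate daily, but the landing and payload paths (/topic/*.php and /adobe/update_flash_player.exe) repeat in every run above, so the check also matches on that path pattern independently of host. The indicator list is copied from the posts above; the log format and log lines are constructed for the demo, and the function names are mine.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Copied from the posts above (defanged exactly as the thread writes them).
INDICATORS = [
    "[donotclick]www.pep7 .at/hampton/riposts.js",
    "184.95.37.96/28",
    "66.175.217.235",
    "deltaboatraces .net",
    "webmail.alsultantravel .com:8080/ponyb/gate.php",
    "198.57.130.35 :8080/ponyb/gate.php",
    "ftp(DOT)kirchdach .at/kimonos/index.html",
    "128.121.242.173 /nutritional/index.html",
]

# " .net", "(DOT)" and "[.]" all stand for a dot.
DEFANG_DOT_RE = re.compile(r"\s+\.\s*|\s*\.\s+|\(DOT\)|\[\.\]", re.I)
# Landing page and payload paths used by every run quoted in the thread; hosts change, paths do not.
CHAIN_RE = re.compile(r"/topic/[a-z_-]+\.php(\?|$)|/adobe/update_flash_player\.exe$", re.I)


def refang(ioc):
    """'[donotclick]www.pep7 .at/hampton/riposts.js' -> 'www.pep7.at/hampton/riposts.js'"""
    s = re.sub(r"^\[donotclick\]\s*", "", ioc.strip(), flags=re.I)
    s = DEFANG_DOT_RE.sub(".", s)
    s = re.sub(r"\s+:(\d+)", r":\1", s)  # '198.57.130.35 :8080' -> '198.57.130.35:8080'
    s = re.sub(r"\s+/", "/", s)         # '128.121.242.173 /x'  -> '128.121.242.173/x'
    return s


def build_blocklist(indicators):
    """Split refanged indicators into host names, IP networks and exact host+path URLs."""
    hosts, nets, urls = set(), [], set()
    for raw in indicators:
        s = refang(raw)
        try:
            nets.append(ipaddress.ip_network(s, strict=False))  # CIDR or bare IP (-> /32)
            continue
        except ValueError:
            pass
        parts = urlsplit("//" + s)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        try:
            nets.append(ipaddress.ip_network(host))  # IP with a port or path
        except ValueError:
            hosts.add(host)
        if parts.path and parts.path != "/":
            urls.add(host + parts.path)
    return hosts, nets, urls


def check_request(url, hosts, nets, urls):
    """Reasons a requested URL should be blocked or alerted on (empty list = clean)."""
    reasons = []
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if host in hosts or any(host.endswith("." + h) for h in hosts):
        reasons.append("blocked host " + host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for net in nets:
            if ip in net:
                reasons.append("blocked network %s" % net)
                break
    if host + p.path in urls:
        reasons.append("known malicious URL")
    if CHAIN_RE.search(p.path):
        reasons.append("BHEK landing/payload path pattern")
    return reasons


# Constructed proxy log: "timestamp client method url" (not a real capture).
SAMPLE_LOG = """\
1374851000 10.0.0.5 GET http://www.pep7.at/hampton/riposts.js
1374851002 10.0.0.5 GET http://184.95.37.110/topic/able_disturb_planning.php?wf=57552j302f
1374851004 10.0.0.5 GET http://newdomain.example/adobe/update_flash_player.exe
1374851010 10.0.0.9 GET http://example.org/index.html
"""


def scan_log(text, hosts, nets, urls):
    """Return (client, url, reasons) for every flagged line of the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = check_request(fields[3], hosts, nets, urls)
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits


if __name__ == "__main__":
    for client, url, why in scan_log(SAMPLE_LOG, *build_blocklist(INDICATORS)):
        print(client, url, "->", ", ".join(why))
```

The third sample line is the reason for the path rule: a brand-new hijacked domain would pass every host and IP check, but a client fetching /adobe/update_flash_player.exe from anywhere other than Adobe is exactly what the threattrack lists above record as the payload step.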


#999 AplusWebMaster

Posted 31 July 2013 - 09:57 AM

FYI...

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Deposit Notification Email Messages - 2013 Jul 31
Fake Online Banking Software Security Update Email Messages [Trusteer] - 2013 Jul 31
Fake Customer Complaint Attachment Email Messages - 2013 Jul 31
Fake Product Services Specification Request Email Messages - 2013 Jul 31
(More detail and links at the cisco URL above.)
___

IRS Tax Payment Rejected Spam
- http://threattrack.t...t-rejected-spam
July 31, 2013 - "Subjects Seen:
Your FED TAX payment ( ID : <removed> ) was Rejected
Typical e-mail details:
... Your federal Tax payment (ID: <removed>), recently sent from your checking account was returned by the your financial institution.
For more information, please visit the following link -eftps.com/eftps/payments/history/detail/view?eft=
Transaction Number: <removed>
Payment Amount: $ 7882.00
Transaction status: Rejected
ACH Trace Number: <removed>
Transaction Type: ACH Debit Payment-DDA


Malicious URLs
diyhomeimprovementtips .com/clunkier/index.html
ossjobs .com/tangled/index.html
singular-cy .com/throughout/index.html
deltaoutriggercafe .com/adobe/update_flash_player.exe
deltaoutriggercafe .com/topic/regard_alternate_sheet.php


Screenshot: https://gs1.wac.edge...cWsD1qz4rgp.png

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 31 July 2013 - 11:53 AM.



#1000 AplusWebMaster

Posted 01 August 2013 - 07:31 AM

FYI...

Pump and dump SPAM - Biostem ...
- http://blog.dynamoo....dead-horse.html
1 August 2013 - "About a month-and-a-half ago* I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR)** when it was trading at around $0.30. Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..
This Company Will Make an Impressive Recovery! It is the answer
to your portfolio troubles!
Date: August 1st
Long Term Target: .85
Per share price: .035
Ticker: HAI_R
Name: Biostem Corp.
You might want to sit down before reading this... Stocks To
Look At!

So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when rather predictably Biostem announced that it was shutting up shop***, and looking at news reports there seems to be little chance of recovery.
Screenshot: https://lh3.ggpht.co...00/biostem5.png
But now with shares bouncing along at around the 3 to 4 cents mark the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $439 per share, at close of business yesterday they were just 3.5 cents.. a 99.2% drop. Somebody has certainly taken a haircut on these stocks.. "
* http://blog.dynamoo....p-rakes-in.html

** http://www.nasdaq.com/symbol/hair

*** http://www.nasdaq.co...-20130717-01105
___

Current State of the Blackhole Exploit Kit
- http://blog.trendmic...le-exploit-kit/
July 31, 2013 9:42 pm (UTC-7) - "The Blackhole Exploit Kit is one of the most notorious exploit kits currently in circulation among the cybercriminal underground today. Thus, we continuously monitor for incidents and attacks involving the exploit kit itself. Last week we reported about the spam campaign leveraging the birth of Prince William’s and Kate Middleton’s son. Our analysis of the campaign yielded its connection to other currently-ongoing campaigns that used other recent news events, such as the controversy surrounding the upcoming movie Ender’s Game. Some of the other connected campaigns also used Facebook and eBay as lures to get users to click malicious links.
> http://blog.trendmic...7/bhekEbay1.jpg
The volume of spammed messages related to this spam run reached up to 0.8% of all spam messages collected during the time period — a relatively large percentage compared to other runs. We’ve also identified a list of countries that we detect where the bulk of the spam is coming from...
> http://blog.trendmic...wbhektable2.png
... These recent developments regarding this particular exploit kit can certainly be disconcerting, but nothing particularly new in regards to BHEK being used in new, unpredictable ways. What we can glean from this, however, is that even such an old approach is still effective in getting victims, which means that more users need to be protected against this threat... Infection can be avoided by extra vigilance by users on not clicking on the links that present themselves through suspicious mails such as these. Other precautions include: always installing the latest Java security update... and using a web reputation security product..."
___

UPS Package Pickup Spam
- http://threattrack.t...age-pickup-spam
Aug. 1, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <removed> )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs
bettersigns .net/ponyb/gate.php
50.57.185.72 :8080/ponyb/gate.php
arki .com :8080/ponyb/gate.php
web1w3.nfrance .com/bzfBGWP.exe
serw.myroitracking .com/kQYjoPqY.exe
442594-web1.youneedmedia .com/MM75.exe
ftp(DOT)jason-tooling .com/nhdx.exe

Malicious File Name
and MD5:
UPS_Label_<date>.zip (199C2A4EED41CF642FBDDF60949A1DD3)
UPS-Label_<date>.exe (E1388381884E7434A0A559CAED63B677)

Screenshot: https://gs1.wac.edge...WDl91qz4rgp.png

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 01 August 2013 - 12:31 PM.




#1001 AplusWebMaster

Posted 02 August 2013 - 11:51 AM

FYI...

Fake American Express Alerts
- https://isc.sans.edu...l?storyid=16285
Last Updated: 2013-08-02 16:20:31 UTC - "Right now we are seeing -fake- American Express account alerts*. The alerts look very real, and will trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination will heavily depend on the browser used. Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content."
* https://isc.sans.edu....._08_22 PM.png

American Express Spending Notification Spam
- http://threattrack.t...tification-spam
Aug. 2, 2013 - "Subjects Seen:
Account Alert: Recent Charge Approved
Typical e-mail details:
Dear Customer,
Spend Activity since your last statement close date has reached the notification amount you set for your account.


Malicious URLs
blackamber .net/ulnq.html
medialifegroup .com/~medialifeyerel/xkaq.html
drstephenlwolman .com/topic/sessions-folk-binds.php
northernforestcanoetrail .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...1PGc1qz4rgp.png
___

MoneyGram Payment Notification Spam
- http://threattrack.t...tification-spam
Aug. 2, 2013 - "Subjects Seen:
Payment notification email
Typical e-mail details:
Dear client!
You are receiving this notification because of you have been received the payment.
It may take a few moment for this transaction to appear in the Recent Activity list on your account page.
Payment details
Transaction sum: 950 USD
Transaction date: 2013/08/02
View the details of this transaction online
Thank you for using MoneyGram services!


Malicious URLs
blackamber .net/ulnq.html
medialifegroup .com/~medialifeyerel/xkaq.html
drstephenlwolman .com/topic/sessions-folk-binds.php
northernforestcanoetrail .com/adobe/update_flash_player.exe


Screenshot: https://gs1.wac.edge...4BM61qz4rgp.png
___

NACHA Direct Deposit was Declined Spam
- http://threattrack.t...s-declined-spam
2 August 2013 - "Subjects Seen:
Direct Deposit payment was declined
Typical e-mail details:
Attn: Chief Accountant
Please be informed, that your most recent Direct Deposit payment (<removed>) was cancelled,because your business software package was out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please refer to your financial institution to obtain your updated version of the software needed.
Sincerely yours
ACH Network Rules Department


Malicious URLs
24-7datura .com/wp-sts.php?2HWU2JNHOTU80DVU
zippierearliest .in/closest/i9jfuhioejskveohnuojfir.php


Screenshot: https://gs1.wac.edge...TrzI1qz4rgp.png
___

Fake Discover Card SPAM / capitalagreements .com
- http://blog.dynamoo....t-has-been.html
2 August 2013 - "This fake Discover Card spam leads to malware on capitalagreements .com:
Date: Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From: Discover Card [dontrply @service.discovercard .com]
Reply-To: dontrply @service.discovercard .com
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your most recent payment has been processed.
Dear Customer,
This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.
To view more details please click here.
Log In to review your account details or to make additional changes...


Screenshot: https://lh3.ggpht.co...scover-card.png

The link in the email goes to a legitimate -hacked- site and then to one of three scripts as follows:
[donotclick]ekaterini.mainsys .gr/overspreading/hermaphrodite.js
[donotclick]sisgroup .co .uk/despairs/marveled.js
[donotclick]psik.aplus .pl/christian/pickford.js
After that, the victim is directed to the malware landing page at [donotclick]capitalagreements .com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.
The attack is fundamentally the same as this American Express themed malspam run described here*.
Recommended blocklist:
66.228.60.243
northernforestcanoetrail .com
northforestcanoetrail .org
yourcaribbeanconnection .com
capitalagreements .com
buyfranklinrealty .com
franklinrealtyofcc .com
frccc. com
sellcitruscountyrealestate .com
"
* http://techhelplist....pproved-malware

:ph34r: <_<

Edited by AplusWebMaster, 02 August 2013 - 02:37 PM.



#1002 AplusWebMaster

Posted 11 August 2013 - 01:21 PM

FYI...

Fake Apple Store Gift Card SPAM ...
- http://threattrack.t...-gift-card-spam
August 9, 2013 - "Subjects Seen:
Apple Store Gift Card
Typical e-mail details:
Apple Store Gift Card
Dear client! You got our $100 Apple Store Gift Card.
Apple Store Gift Cards can be applied to buy Apple hardware and accessories at any Apple Retail Store, the Apple Online Store,
or over the phone by calling 1-800-MY-APPLE.
Please follow the link or read the attachment to get the Apple Store Gift Card code.


Malicious URLs
kidscareinternationalschool .com/f2eyvyj.html
nsmontessoricenter .com/fz13t.html
stevecozz .com/topic/sessions-folk-binds.php

Malicious File Name and MD5:
GiftCard28493.zip (F4B3986EE1828BDCDD46EE412BE0BA61)
Apple gift card.exe (74CFF87704AEC030D7AD1171366AFF87)

Screenshot: https://gs1.wac.edge...ZiMr1qz4rgp.png

- http://blog.webroot....ts-and-malware/
August 9, 2013 - "Apple Store users, beware! A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve successfully received a legitimate ‘Gift Card’ worth $200. What’s particularly interesting about this campaign is that the cybercriminal(s) behind it are mixing the infection vectors by relying on both a malicious attachment and a link to the same malware found in the malicious emails. Users can become infected by either executing the attachment or by clicking on the client-side exploits serving link found in the emails...
Sample screenshot of the spamvertised email:
> http://webrootblog.f...engineering.png
... MD5: 74cff87704aec030d7ad1171366aff87 * ... UDS:DangerousObject.Multi.Generic; PWSZbot-FBX!74CFF87704AE.
... sampled client-side exploit: MD5: 91cb051d427bd7b679e1abc99983338e ** ... Mal/ExpJava-F..."
(More detail at the webroot URL above.)
* https://www.virustot...2a794/analysis/
File name: Apple gift card.exe
Detection ratio: 24/44
Analysis date: 2013-08-09 14:03:28 UTC
** https://www.virustot...a9a36/analysis/
File name: java-exploit-from-173.246.105.15.jar
Detection ratio: 4/45
Analysis date: 2013-08-11 05:11:11 UTC

- https://www.virustot...15/information/

Diagnostic page for AS29169 (GANDI-AS)
- http://google.com/sa...c?site=AS:29169
"... over the past 90 days, 204 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-08-12, and the last time suspicious content was found was on 2013-08-11... we found 12 site(s) on this network... that appeared to function as intermediaries for the infection of 71 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 91 site(s)... that infected 407 other site(s)..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 12 August 2013 - 05:49 AM.



#1003 AplusWebMaster

Posted 12 August 2013 - 02:09 PM

FYI...

Hack threatens outdated Joomla sites
- http://krebsonsecuri...d-joomla-sites/
Aug. 12, 2013 - "If you run a site powered by the Joomla content management system and haven’t yet applied a critical update for this software released less than two weeks ago, please take a moment to do that: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors. The patch* released on July 31, 2013 applies to Joomla 2.5.13 and earlier 2.5.x versions, as well as Joomla 3.1.4 and earlier 3.x versions... For sites powered by unsupported versions of Joomla (1.5.x, and a cursory Google search indicates that there are tens of thousands of these 1.5.x sites currently online), attackers do not even need to have an account on the Joomla server for this hack to work... Earlier this month, security firm Arbor Networks warned** that it was tracking a Web site botnet dubbed “Fort Disco” which was made up of hacked Joomla and WordPress sites. Earlier in the year, Web site security firm Incapsula*** said it had tracked more than 90,000 Web sites powered by WordPress that were backdoored with malicious code."
* http://developer.joo...horised-uploads

** http://www.arbornetw...force-campaign/

*** http://krebsonsecuri...rdpress-botnet/

- https://net-security...ld.php?id=15407
14 August 2013

- https://secunia.com/advisories/54326/
Release Date: 2013-08-02
Where: From remote
Impact: System access
Solution Status: Vendor Patch
Software: Joomla! 2.x, 3.x
... vulnerability is confirmed in version 3.1.4 and reported in versions prior to 2.5.14 and 3.1.5.
Solution: Update to version 2.5.14 or 3.1.5 *

- https://atlas.arbor....ndex#-740710151
High Severity
August 16, 2013 23:24
Joomla is a hot target for attackers of varying motives. This recent security patch should be installed in order to reduce attacks.
Analysis: Thousands of compromised Joomla sites are currently being used in botnets and vulnerabilities like this make the attackers job even easier. The fact that this security hole was used to attack financial users in Europe, the Middle East and Asia and re-direct them to the popular Black Hole Exploit Kit is a testament to the criminal value of such security holes. Financial users mean money and bank accounts and other types of access so it is a smart attack on the part of the attackers but could be very damaging for any user that was out of date and subject to exploitation which could lead to installs of malware such as Zeus, P2P Zeus, Citadel or other banking malware.
Source: http://threatpost.co...ea-banks/101976
___

Virgin Media Bill Spam
- http://threattrack.t...media-bill-spam
Aug. 12, 2013 - "Subjects Seen:
Your Virgin Media bill is ready
Typical e-mail details:
Hello,
Your Virgin Media bill is ready and waiting for you.


Malicious File Name and MD5:
latest bill ref.<random>.pdf.zip (547845B4164A7029E19CB8D5FEC97234)
latest bill ref.<random>.pdf.exe (8D44660D20DF2A03DB9F1A981902A392)

Screenshot: https://gs1.wac.edge...PBWr1qz4rgp.png
___

Fake Facebook SPAM / guterhelmet .com
- http://blog.dynamoo....rhelmetcom.html
12 August 2013 - "This fake Facebook spam leads to malware on guterhelmet .com:
Date: Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From: Facebook [update+zj433fgc2_aay @facebookmail .com]
Subject: Willie Powell wants to be friends with you on Facebook.
facebook
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.
Willie Powell
Bao Aguliar
Bibi Akel
Eleanora Casella
Murray Carsten
Jordana Fiqueroa
Jona Fiorelli
Leisha Heape
Lacresha Hautala
Monnie Carrillo
Missy Carreiro
find more pages
go to facebook
the message was sent to {mailto_username} @ {mailto_domain}...


Is it me, or does everyone look the same?
> https://lh3.ggpht.co...0/facebook3.png
... The link in the email goes through a legitimate -hacked- site and then on to one of three scripts:
[donotclick]golift .biz/lisps/seventeen.js
[donotclick]fh-efront .clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus .org/products/cleats.js
From there, the victim is -redirected- to a -hijacked- GoDaddy domain with a malicious payload at [donotclick]guterhelmet .com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains...
Recommended blocklist:
192.81.135.132
golift .biz
fh-efront.clickandlearn .at
ftp.elotus .org
guterglove .com
grandrapidsleaffilter .com
greenbayleaffilter .com
guterhelmet .com
guterprosva .com
"

- https://www.virustot...32/information/
___

Gap between Google Play and AV vendors on adware classification
- http://research.zsca...s-x-none_8.html
August 8, 2013 - "Two critical items impacting mobile use are privacy and a positive user experience. The mobile app market is built on trust. Questionable mobile advertising practices, such as apps employing deceptive adware practices, negatively impact the end user’s perception of both privacy and the user experience. Doing things like capturing personal information such as email addresses, device IDs, IMEIs, etc. without properly notifying users and modifying phone settings and desktops without consent, is annoying and unacceptable for mobile users. While the majority of mobile ads are not malicious, they are undesirable for most. Zscaler regularly analyzes applications in the Google Play store to profile apps and identify those presenting security and privacy risks. By studying this data, we have come up with some interesting statistics concerning the prevalence of ‘adware’ in apps permitted into the Google Play store... Why are AV vendors flagging a huge number of applications as adware while Google is freely permitting them into the Google Play store? The excessive use of advertisements can negatively impact customer privacy and result in a -negative- user experience. On the other hand, advertisements are necessary for app developers looking to earn money when providing free apps. So where should the line be drawn? Google has clearly chosen to be very -lenient- with aggressive advertising practices, while Apple has taken the opposite approach, as they have shown that they’re willing to sacrifice advertising revenue to provide a positive user experience, even restricting the ability of advertisers to track device IDs and MAC addresses. How do we define adware? We feel that adware exhibits one or more of the following intrusive behaviors without requesting appropriate user consent (ref- Lookout Blog*)..."
(More detail and graphic charts at the zscaler URL above.)
* https://blog.lookout...ssified-adware/
___

Central Tibetan admin website strategically compromised as part of Watering Hole Attack
- https://www.secureli...ing_Hole_Attack
August 12, 2013 - "A snippet of code on the Central Tibetan Administration website redirects CN speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site claims the administration itself as "...the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet." The selection of placement for the malicious code is fairly extraordinary... The attack itself is precisely targeted, as an appended, embedded iframe redirects "xizang-zhiye(dot)org" visitors (this is the CN-translated version of the site) to a java exploit that maintains a backdoor payload. The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version (please do not visit at this time). At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more. The Java exploit being delivered is the 212kb "YPVo.jar" (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well. That file is a 397 kb win32 executable "aMCBlHPl.exe" (a6d7edc77e745a91b1fc6be985994c6a) detected as "Trojan.Win32.Swisyn.cyxf". Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is... The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but it was used by the actor distributing the original CVE-2012-4681 0day Gondzz.class and Gondvv.class in August of last year... The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource.
The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect. The related C2 is located at news.worldlinking .com (59.188.239.46)... This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spearphishing campaigns against a variety of targets that include Tibetan groups. Our KSN community recorded related events going back to at least a busy late 2011 season. We also show Apple related Java exploits from this server targeting the more recent CVE-2013-2423..."

- https://www.virustot...46/information/

- http://google.com/sa...c?site=AS:17444

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 19 August 2013 - 07:15 AM.



#1004 AplusWebMaster

Posted 13 August 2013 - 04:29 AM

FYI...

Malware sites to block 13/8/13
- http://blog.dynamoo....lock-13813.html
13 August 2013 - "These IPs and domains belong to this gang* and this list follows on from the one I made last week**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika

** http://blog.dynamoo....block-6813.html
___

Pharma sites to block
- http://blog.dynamoo....s-to-block.html
13 August 2013 - "These fake pharma sites and IPs seem related to these malware domains*, and follows on from this list last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....lock-13813.html

** http://blog.dynamoo....block-6813.html
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 12
Fake Money Transfer Notification Email Messages - 2013 Aug 12
Fake Account Payment Notification Email Messages - 2013 Aug 12
Fake Product Order Notification Email Messages - 2013 Aug 12
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 12
Fake Payment Notification Email Messages - 2013 Aug 12
Fake Bank Details Reconfirmation Email Messages - 2013 Aug 12
Fake Documents Attachment Email Messages - 2013 Aug 12
Fake Portuguese Electrical Equipment Invoice Notification Email Messages - 2013 Aug 12
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 12
Fake Banking Account Information Email Messages - 2013 Aug 12
(More detail and links at the cisco URL above.)
___

LinkedIn Connection Spam
- http://threattrack.t...connection-spam
Aug. 13, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
bobbiler.corewaysolution .com/images/wp-gdt.php?x95S4F4MY33PRBG0W
sharperspill .biz/closest/i9jfuhioejskveohnuojfir.php


Screenshot: https://gs1.wac.edge...qsx91qz4rgp.png
___

CNN Breaking News Rehtaeh Parsons Spam
- http://threattrack.t...eh-parsons-spam
Aug. 13, 2013 - "Subjects Seen:
CNN: ” Canadian teenager Rehtaeh Parsons”
Typical e-mail details:
2 face charges in case of Canadian girl who hanged self after alleged rape
Canadian teenager Rehtaeh Parsons
Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening. Full story »


Malicious URLs
retailers.truelinkswear .com/rundown/index.html
dp56148868.lolipop .jp/numeracy/index.html
ftp(DOT)equinejournal .com/apogee/index.html
ead-togo .com/croons/index.html
guterprotectionperfection .com/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edge...wH431qz4rgp.png
___

Fake Bank of America SPAM / Instructions Secured E-mail.zip
- http://blog.dynamoo....structions.html
13 August 2013 - "This fake Bank of America spam has a malicious attachment:
Date: Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From: "Alphonso.Wilcox" [Alphonso.Wilcox @bankofamerica .com]
Subject: Instructions Secured E-mail.pdf
I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.
Thanks,
Amado.Underwood
Bank of America
Principal Business Relationship Manager...


Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.
The detection rate for this initial malware is just 9/45 at VirusTotal**.
This is a pony/gate downloader which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack*, and it also utilises a -hijacked- GoDaddy domain.
The download then attempts to download a second stage from the following locations (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs .com/D5F7G.exe
[donotclick]betterbacksystems .com/kvq.exe
[donotclick]www.printdirectadvertising .com/vfMJH.exe
[donotclick]S381195155.onlinehome .us/vmkCQg8N.exe
The second stage has an even lower detection rate of just 3/45*** ...
Recommended blocklist:
192.81.135.132
guterprotectionperfection .com
Missionsearchjobs .com
betterbacksystems .com
www .printdirectadvertising .com
S381195155.onlinehome .us
"
* http://blog.dynamoo....rhelmetcom.html

** https://www.virustot...sis/1376406778/

*** https://www.virustot...sis/1376407672/

:ph34r: <_<

Edited by AplusWebMaster, 13 August 2013 - 10:28 AM.

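The Virgin Media and Bank of America attachments above share one shape: a zip whose member is an executable dressed up as a document, either by a double extension (`latest bill ref.<random>.pdf.exe`) or by a PDF icon on a plain `.exe`. The Python below is an added example, not code from any of the quoted sources: it opens an attachment archive and flags members whose name ends in an executable extension, whose name hides that behind a document-looking extension, or whose first two bytes are the `MZ` header of a Win32 binary regardless of what the name says. The sample archive it inspects is constructed here, and the extension sets are a practical subset, not an exhaustive list.

```python
import io
import zipfile

# Extensions Windows runs on double-click. Assumption: a practical subset
# (the thread's samples all use .exe), not an exhaustive list.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Decoy "document" extensions seen as the middle part of a double extension.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def name_flags(member_name):
    """Reasons to distrust a member based on its file name alone."""
    base = member_name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2:
        outer = "." + parts[-1]
        if outer in EXEC_EXT:
            reasons.append("executable extension " + outer)
            if len(parts) >= 3 and "." + parts[-2] in DOC_EXT:
                # e.g. 'latest bill ref.1234.pdf.exe' shows as '.pdf' once
                # Explorer hides known extensions
                reasons.append("double extension ." + parts[-2] + outer)
    return reasons


def inspect_archive(zip_bytes):
    """Map member name -> list of reasons, for members that look dangerous.

    The PDF icon the spam uses is a resource inside the PE and is invisible
    here; the 'MZ' magic at offset 0 is the reliable tell for a Win32 binary
    whatever the name says.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_flags(info.filename)
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("PE header (MZ) at offset 0")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed lookalike of the 'latest bill ref.<random>.pdf.zip'
    attachment from the Virgin Media post; the 'executable' is only an MZ
    header plus padding, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("latest bill ref.4821.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_archive(build_sample_zip()).items():
        print(name, "->", "; ".join(why))
```

Run it against a quarantined attachment's bytes instead of `build_sample_zip()` to get the same report; the name checks catch the double-extension trick on their own, and the magic check is what catches the plain `Instructions Secured E-mail.exe` case even if someone renames it.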


#1005 AplusWebMaster

Posted 14 August 2013 - 06:07 AM

FYI...

Bogus Firefox updates
- https://net-security...ews.php?id=2559
Aug. 13, 2013 - "A series of Internet campaigns pushing bogus Firefox updates onto unwary users have been spotted by researchers, and among them is one that lures them in through “Green Card Lottery” ads... According to ThreatTrack's analysis*, the website is capable of detecting which browser the user uses and to recommend an update for it. Nevertheless, the offered "update" is always the same: Firefox v13 (long outdated - the current version is 23), with several "add-ons, adware, toolbars and other malicious and irritating accompaniments" also trying to get installed via the installation wizard:
> http://www.net-secur...tt-13082013.jpg
Among this tag-along software is the Delta Toolbar, Webcake (a browser add-on that, among other things, serves ads), Optimizer Pro (a questionable PC-tune-up program), QuickShare (a deceptive browser plugin that steals data and redirects to unwanted websites) and an ad for “unlimited cloud storage”. All this "crapware" is sure to bring grief to the victims. It will slow down their computer, for sure, but the biggest problem is that they will end up with an outdated browser that can be successfully targeted with drive-by-download schemes, more additional malware and they will likely become victims of identity theft in the long run..."
* http://www.threattra...firefox-update/
___

Malicious Spam Targets Virgin Media Patrons, Consul General
- http://www.threattra...consul-general/
Aug. 13, 2013 - "... a fresh campaign of malicious spam that purports to originate from various brands and names but delivers the same malicious attachment to recipients. As of this time of writing, the spam is disguised as a mail coming from Virgin Media* and a notification of an expiring car insurance addressed to the Consul General of Suriname**... detections we have for related malicious files from this spam, as of this writing:
- Both compressed files are detected as Trojan.Zip.Bredozp.b (v).
- The uncompressed .EXE files, which are essentially one and the same, are detected as Win32.Malware!Drop.
The file it downloads is malicious, and it changes at random..."
* http://www.threattra...-media-spam.png

** http://www.threattra...urance-spam.png
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Scanned Document Attachment Email Messages - 2013 Aug 14
Fake MMS Notification Email Messages - 2013 Aug 14
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 14
Fake Package Delivery Information Email Messages - 2013 Aug 14
Fake Payment Confirmation Notification Email Messages - 2013 Aug 13
Fake Secure Message Notification Email Messages - 2013 Aug 13
Fake Debt Collection Notice Email Messages - 2013 Aug 13
Malicious Attachment Email Messages - 2013 Aug 13
Fake Account Payment Notification Email Messages - 2013 Aug 13
Fake Product Purchase Order Email Messages - 2013 Aug 13
Fake Xerox Scan Attachment Email Messages - 2013 Aug 13
Fake UPS Parcel Notification Email Messages - 2013 Aug 13
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 13
Fake Product Services Specification Request Email Messages - 2013 Aug 13
Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
(More detail and links at the cisco URL above.)
___

Twitter Spam ...
- http://krebsonsecuri...n-twitter-spam/
Aug 14, 2013 - "The success of social networking community Twitter has given rise to an entire shadow economy that peddles -dummy- Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers. Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University and the University of California, Berkeley, Twitter traditionally has done so only -after- these fraudulent accounts have been used to spam and attack legitimate Twitter users..."
(More detail at the krebsonsecurity URL above.)
___

Wells Fargo Important Documents Spam
- http://threattrack.t...-documents-spam
Aug. 14, 2013 - "Subjects Seen:
IMPORTANT Documents - WellsFargo
Typical e-mail details:
Please review attached files.
Eleanor_Wyatt
Wells Fargo Advisors
817-246-9671 office


Malicious URLs
gutterprosmaryland .com/forum/viewtopic.php
gutterhelmetleafguardgutterprotection .com/forum/viewtopic.php
gutterguardbuyersguide .com/forum/viewtopic.php
gutterglovegutterprotection .com/forum/viewtopic.php
dp55197480.lolipop .jp/1ayPTHK.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg .biz/VKPqrms.exe
caribbeancinemas .net/MLEYCY9.exe

- https://www.virustot...14/information/

Malicious File Name and MD5:
DOC_<e-mail>.zip (B1342413F0AEE3E6440453689D26803B)
DOC_{_MAILTO_USERNAME}.exe (ABAFB7DA0F23112064F6BC3A1F93DDF6)

Screenshot: https://gs1.wac.edge...3O4Y1qz4rgp.png
___

Fake ADP SPAM / hubbywifeburgers .com
- http://blog.dynamoo....burgerscom.html
14 Aug 2013 - "This fake ADP spam leads to malware on hubbywifeburgers .com:
Date: Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From: "ADPClientServices @adp .com" [service @citibank .com]
Subject: ADP Security Management Update
ADP Security Management Update
Reference ID: 39866
Dear ADP Client August 2013
This message is to inform you of the upcoming "Phase 2" enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users' access to ADP's Internet services, and includes the self-service registration process.
Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.
Please review the following information:
• Click here to view more details of the enhancements in Phase 2
• Complete the What's New in Security Management Service here (Expected to take about 15 minutes)... The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.


Screenshot: https://lh3.ggpht.co...0/adp-spam2.png

Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate -hacked- site that tried to load one of the following three scripts:
[donotclick]e-equus.kei .pl/perusing/cassie.js
[donotclick]cncnc .biz/pothooks/addict.js
[donotclick]khalidkala .com/immigration/unkind.js
From there, the victim is sent to a malware site that uses a -hijacked- GoDaddy domain at [donotclick]hubbywifeburgers .com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here*). This IP probably contains other hijacked domains from the same owner.
Recommended blocklist:
199.195.116.51
hubbywifeburgers .com
e-equus.kei .pl
cncnc .biz
khalidkala .com
"
* https://www.virustot...51/information/
___

Verizon Wireless Bill Spam
- http://threattrack.t...eless-bill-spam
Aug. 14, 2013 - "Subjects Seen:
Your Bill Is Now Available
Typical e-mail details:
Your current bill for your account is now available online in My Verizon
Total Balance Due: $2477.33
Keep in mind that payments and/or adjustments made to your account after your bill was generated will not be reflected in the amount shown above.
> View and Pay Your Bill
Want to simplify payments?
> Enroll in Auto Pay
Thank you for choosing Verizon Wireless.


Malicious URLs
184.172.58.89 /amaryllis/index.html
lundbergfarmsinc .com/ambiguities/index.html
hubbywifeburgers .com/topic/nearby-promptly.php


Screenshot: https://gs1.wac.edge...Wcq21qz4rgp.png

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 14 August 2013 - 03:47 PM.

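The "Malicious URLs" and "Recommended blocklist" entries in the posts above are defanged in several styles at once: a space before the TLD (`hubbywifeburgers .com`), `(DOT)` for a dot, a `[donotclick]` prefix, a space before a port or path (`50.57.185.72 :8080/...`, `184.172.58.89 /amaryllis/...`). Pasting them into a firewall or proxy as-is blocks nothing. The Python below is an added example, not code from Dynamoo, ThreatTrack or this thread's author: it refangs those forms, splits the result into IPs, domains and full URLs so each can go to the control that can act on it (firewall, DNS or proxy, URL filter), and emits hosts-file style sinkhole lines for the domains. The `SAMPLE` input is constructed here from indicators quoted in the posts; the defanging patterns it handles are the ones visible on this page plus the common `[.]` and `hxxp` forms.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Defanging conventions used in the posts above (and common elsewhere):
# '[donotclick]' prefix, '(DOT)' / '[.]' / '{.}' for dots, a space before
# '.', ':' or '/', and hxxp for http.
PREFIX = re.compile(r"^\[donotclick\]\s*", re.I)
DEFANG_DOT = re.compile(r"\((?:dot|\.)\)|\[(?:dot|\.)\]|\{(?:dot|\.)\}", re.I)
SPACED = re.compile(r"\s*([.:/])\s*")


def refang(raw):
    """Turn a defanged indicator back into the literal host, IP or URL."""
    s = PREFIX.sub("", raw.strip())
    s = DEFANG_DOT.sub(".", s)
    s = SPACED.sub(r"\1", s)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def split_host(indicator):
    """(host, port, path) for a refanged indicator, with or without a scheme."""
    u = urlsplit(indicator if "://" in indicator else "//" + indicator)
    return u.hostname, u.port, u.path


def build_blocklist(lines):
    """Separate IPs, domains and full URLs so each goes to the right control:
    IPs to the firewall, domains to DNS/proxy, URLs to the proxy URL filter."""
    ips, domains, urls = set(), set(), []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ind = refang(raw)
        host, _port, path = split_host(ind)
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
        if path and path != "/":
            urls.append(ind)
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": urls}


def hosts_sinkhole_lines(result):
    """hosts-file style sinkhole for the domains; IPs still need the firewall."""
    return ["0.0.0.0 " + d for d in result["domains"]]


# Constructed input: indicators copied from the posts above, in the thread's
# own defanged forms (pony/gate URLs, second-stage URLs, blocklist entries).
SAMPLE = """
# one indicator per line, comments allowed
bettersigns .net/ponyb/gate.php
50.57.185.72 :8080/ponyb/gate.php
ftp(DOT)jason-tooling .com/nhdx.exe
[donotclick]ekaterini.mainsys .gr/overspreading/hermaphrodite.js
184.172.58.89 /amaryllis/index.html
frccc. com
www .printdirectadvertising .com
66.228.60.243
""".strip().splitlines()


if __name__ == "__main__":
    result = build_blocklist(SAMPLE)
    for key in ("ips", "domains", "urls"):
        print(key, result[key])
    print("\n".join(hosts_sinkhole_lines(result)))
```

Two caveats when feeding the output to real controls: a `www.` host such as `www.printdirectadvertising.com` is kept as written, so decide separately whether to block the apex domain as well, and the hosting IPs Dynamoo lists (Linode, A2 Hosting) are shared infrastructure, so an IP block is a short-lived measure that should be reviewed once the hijacked domains move.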
