
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1006 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 August 2013 - 08:11 AM

FYI...

Something evil on 162.211.231.16
- http://blog.dynamoo....6221123116.html
15 August 2013 - "The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example*) which have been going on for some time [1] [2] and uses several domains... All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear .com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack. I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though)
Recommended blocklist:
162.211.231.16 ..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/....php?id=4568967

1] https://www.virustot...16/information/

2] http://urlquery.net/...2...8-15&max=50
___

Fake "INCOMING FAX REPORT" SPAM / chellebelledesigns .com
- http://blog.dynamoo....eport-spam.html
15 August 2013 - "A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns .com:
From: Administrator [administrator @victimdomain]
Date: 15 August 2013 16:08
Subject: INCOMING FAX REPORT : Remote ID: 1043524020
***********************INCOMINGFAXREPORT*****************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll
Click here to view the file online
*********************************************************


Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate -hacked- site and then on to one of three scripts:
[donotclick]millionaireheaven .com/mable/rework.js
[donotclick]pettigrew .us/airheads/testier.js
[donotclick]www .situ-ingenieurgeologie .de/tuesday/alleviation.js
from there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns .com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server...
Recommended blocklist:
173.246.104.55 ..."
(More domains listed at the dynamoo URL above.)

- https://www.virustot...55/information/
___

UPS Quantum View Spam
- http://threattrack.t...antum-view-spam
Aug. 15, 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel <random> )
Typical e-mail details:
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs
chellebelledesigns .com/ponyb/gate.php
1800callabe .com/ponyb/gate.php
abemoussa .com/ponyb/gate.php
keralahouseboatstourpackages .com/FXx.exe

Malicious File Name and MD5:
UPS-Label_<random>.zip (607F7CBD6CEF3DDD5F5DB88612FC91B6)
UPS-Label_<date>.exe (782D6C5633D139704221E927782195E0)

Screenshot: https://gs1.wac.edge...P4hG1qz4rgp.png

:ph34r: <_<

Edited by AplusWebMaster, 16 August 2013 - 04:54 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1007 AplusWebMaster


Posted 16 August 2013 - 11:05 AM

FYI...

Fake ADP SPAM / ADP_week_invoice.zip|exe
- http://blog.dynamoo....oicezipexe.html
16 August 2013 - "This fake ADP spam has a malicious attachment:
Date: Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From: "run.payroll.invoice @adp .com" [run.payroll.invoice @adp .com]
Subject: ADP Payroll INVOICE for week ending 08/16/2013
Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.


There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this* other malicious spam run which is running in parallel."
* http://blog.dynamoo....ices-event.html

ADP Payroll Invoice Spam
- http://threattrack.t...ll-invoice-spam
16 August 2013 - "Subjects Seen:
ADP Payroll INVOICE for week ending 08/16/2013
Typical e-mail details:
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.


Malicious URLs
hubbywifeco .com/forum/viewtopic.php
hubbywifedesigns .com/forum/viewtopic.php
hubbywifedesserts .com/forum/viewtopic.php
hubbywifefoods .com/forum/viewtopic.php
208.106.130.52 /39UvZmv.exe
demoscreactivo .com/DKM9.exe
roundaboutcellars .com/Utuw1.exe
bbsmfg.biz/VKPqrms .exe
cccustomerctr .com/39UvZmv.exe

Malicious File Name and MD5:
ADP_week_invoice.zip (8C67BC641A95379867C4B9EBAE68446A)
ADP_week_invoice.exe (6EBF2EA3DB16B3E912068D0A9E33320E)

Screenshot: https://gs1.wac.edge...4lru1qz4rgp.png
___

Fake Wells Fargo SPAM "CEO Portal Statements & Notices Event" -report_{DIGIT[12]}.exe
- http://blog.dynamoo....ices-event.html
16 August 2013 - "This fake Wells Fargo email has a malicious attachment:
Date: Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw @wellsfargo .com]
Subject: CEO Portal Statements & Notices Event
Wells Fargo
Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp: Fri, 16 Aug 2013 09:51:17 -0500
Request Name: MM3P85NRLOXLOFJ
Event Message ID: S045-77988311
Please do not reply to this email.


The email has an attachment called report_625859705821.zip which in turn contains an executable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46*. The Malwr report shows that this malware does various things**, including an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco .com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another -hijacked- domain, hubbywifecakes .com.
From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52 /39UvZmv.exe
[donotclick]demoscreactivo .com/DKM9.exe
[donotclick]roundaboutcellars .com/Utuw1.exe
[donotclick]bbsmfg .biz/VKPqrms.exe
This executable has an even lower detection rate of just 5/46***... Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
Recommended blocklist:
66.151.138.80
hubbywifeco .com
hubbywifecakes .com
208.106.130.52
demoscreactivo .com
roundaboutcellars .com
bbsmfg .biz
"
* https://www.virustot...sis/1376665654/

** https://malwr.com/an...jgwYmJlMWY3YzU/

*** https://www.virustot...sis/1376666041/

- https://www.virustot...80/information/

- https://www.virustot...52/information/

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 16 August 2013 - 11:19 AM.

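The dynamoo post quoted above recommends blocking EXE-in-ZIP attachments at the perimeter. As an added example (not code from the thread or from the blogs it quotes), here is a screening routine that flags ZIP members by executable extension, by a document-looking double extension such as the "BOOKING ISSUED 18.Aug.2013.pdf.exe" seen later in this thread, and by the "MZ" header of a Windows executable, so a renamed .exe is still caught. The sample archives and the PE header stub are constructed in memory.

```python
"""Screen a ZIP attachment for executable content before it reaches a user.

Added example, not code from the forum thread or from the dynamoo/ThreatTrack
posts it quotes. The check looks at each member's name and at its first two
bytes (the "MZ" header of a PE file). All sample archives are constructed.
"""
import io
import zipfile
from typing import Dict, List

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def _has_exec_extension(name: str) -> bool:
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXEC_EXTENSIONS)


def _is_double_extension(name: str) -> bool:
    """True for names like 'report.pdf.exe': a document extension followed by an executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTENSIONS and "." + parts[-1] in EXEC_EXTENSIONS


def scan_zip_bytes(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per suspicious member; an empty list means nothing was flagged."""
    findings: List[Dict[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP attachment is reported rather than silently allowed.
        return [{"member": "", "reason": "not a valid zip"}]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if _has_exec_extension(info.filename):
                reasons.append("executable extension")
            if _is_double_extension(info.filename):
                reasons.append("double extension")
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed for the MZ check
            if head == b"MZ":
                reasons.append("MZ header")
            if reasons:
                findings.append({"member": info.filename, "reason": ", ".join(reasons)})
    return findings


def should_block(data: bytes) -> bool:
    return bool(scan_zip_bytes(data))


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct test archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on attachment names quoted in the thread;
# FAKE_PE is only a DOS/PE header stub, not a real program.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
SAMPLE_ADP = build_zip({"ADP_week_invoice.exe": FAKE_PE})
SAMPLE_BOOKING = build_zip({"BOOKING ISSUED 18.Aug.2013.pdf.exe": FAKE_PE})
SAMPLE_RENAMED = build_zip({"securedoc.pdf": FAKE_PE})       # .exe renamed; header still MZ
SAMPLE_CLEAN = build_zip({"invoice.pdf": b"%PDF-1.4\n%clean\n"})

if __name__ == "__main__":
    for label, blob in [("ADP", SAMPLE_ADP), ("Booking", SAMPLE_BOOKING),
                        ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)]:
        print(label, "BLOCK" if should_block(blob) else "allow", scan_zip_bytes(blob))
```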


#1008 AplusWebMaster


Posted 19 August 2013 - 04:25 AM

FYI...

Malware sites to block 19/8/13
- http://blog.dynamoo....lock-19813.html
19 August 2013 - "These sites and IPs belong to this gang*, and this list follows one from this one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika

** http://blog.dynamoo....lock-13813.html
___

Fake Facebook SPAM / hubbywifewines .com
- http://blog.dynamoo....fewinescom.html
19 August 2013 - "This fake Facebook spam leads to malware on hubbywifewines .com:
Date: Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes to a legitimate -hacked- site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines .com/topic/able_disturb_planning.php hosted on 72.5.102.192* (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods .com
Recommended blocklist:
72.5.102.192
hubbywifewines .com
hubbywifefoods .com
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it
"
* https://www.virustot...92/information/
___

Booking.com Confirmation Spam
- http://threattrack.t...nfirmation-spam
Aug. 19, 2013 - "Subjects Seen:
Confirmation <random>
Typical e-mail details:
BOOKING CONFIRMATION
Issued: 08/18/2013
BEDDING AND INCLUSIONS SHOWN IN ATTACHED FILE
====================================
Confirmation number: <removed>
Booking source: booking.com
(please refer to this brand when
communicating with the guest)
BOOKING SUMMARY
Check in: 29-Aug-2013
Check out: 31-Aug-2013
Total number of rooms: 1 per night
Total number of room nights: 1 (1 room for 1 night each)
Total booking amount: $314.00
Room: 1 Night 1-2 people
Number of guests: Adults: 1 Children: 0
Bedding configuration: One or 2 People
=====Comments=====
Guest comments: non-smoking
Any comments from the guest are by request only and have not been guaranteed...
The guest is also aware that you may require them to provide a security deposit at
check-in to guarantee payment of any incidental charges.
The Team Booking.com


Malicious File Name and MD5:
BOOKING ISSUED 18.Aug.2013.zip (61EE0B0EE92F717D50F42EB0171BAD6E)
BOOKING ISSUED 18.Aug.2013.pdf.exe (948FD2EA728F38886DF824AA2BB7FD3A)

Screenshot: https://gs1.wac.edge...cgl61qz4rgp.png
___

Fake Facebook password SPAM / frankcremascocabinets .com
- http://blog.dynamoo....k-password.html
19 August 2013 - "This fake Facebook spam follows on from this one*, but has a different malicious landing page at frankcremascocabinets .com:
From: Facebook [update+hiehdzge @facebookmail .com]
Date: 19 August 2013 17:38
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


The link in the email goes to a legitimate -hacked- site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
[donotclick]katchthedeal .sg/stilling/rifts.js
[donotclick]ftp.navaglia .it/gazebo/cowboys.js
The victim is then directed to a malware payload at [donotclick]frankcremascocabinets .com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server...
Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa .com
katchthedeal .sg
ftp.navaglia .it
giuseppepiruzza .com
frankcremascocabinets .com
gordonpoint .biz
hitechcreature .com
frankcremasco .com
"
* http://blog.dynamoo....fewinescom.html

- https://www.virustot...02/information/
___

UK Tax-Themed Spam leads to ZeuS/ZBOT
- http://blog.trendmic...ds-to-zeuszbot/
Aug 19, 2013 - "Tax-themed spam, particularly in the United States, is already considered a staple in the threat landscape. However, a recent spam run targeting taxpayers in the United Kingdom shows that this threat is never exclusive to a region. Besides being timely, these messages contain TSPY_FAREIT, which downloads a ZeuS/ZBOT variant, notorious for stealing information related to online banking sites. We found a sample of an email message that appears to be from HM Revenue and Customs in the UK. It notifies users of their VAT return receipt, something that might appear timely to unsuspecting users since the deadline for VAT returns and payments was last August 7. To further convince users of its validity, the message states that the email was “scanned for viruses”. Sample spam with alleged VAT return “receipt”:
> https://blog.trendmi...son-uk-spam.jpg
The message contains an attachment, which is supposed to be the receipt for the VAT return. But based on our findings, the attachment is (expectedly) a malware detected as TSPY_FAREIT.ADI. Once executed, the malware steals varied information from the system, such as those related to: FTP clients, file managers, and email... The data stealing does not stop there. TSPY_FAREIT.ADI downloads another malware, specifically TSPY_ZBOT.ADD. As expected of any ZeuS/ZBOT variant, the malware downloads configuration file(s) from randomly generated IP addresses. The said file also contains a list of targeted online banking and finance-related sites and the URLs where it sends the gathered information. The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts. Once they get hold of users’ banking and financial credentials, they can either sell them on the digital underground or use these to initiate unauthorized money transfers leading to actual financial loss... we noted the increase of online banking malware in the past quarter and how the CARBERP’s “leaked” source code may lead to more variety for this threat. Thus, it is important for users to double-check the messages they receive and to be careful in opening any attachments from unverified sources. As an added precaution, always implement your systems with the latest security updates from vendors..."
___

Fake Citi SPAM / securedoc.zip
- http://blog.dynamoo....ssage-spam.html
19 August 2013 - "This fake Citi spam contains a malicious attachment:
Date: Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment...


Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46*. The Malwr analysis** (and also ThreatExpert***) shows that the file first connects to [donotclick]frankcremascocabinets .com/forum/viewtopic.php (a -hijacked- GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here), and it then tries to download additional components from:
[donotclick]lobbyarkansas .com/0d8H.exe
[donotclick]ftp.ixcenter .com/GMMo6.exe
[donotclick]faithful-ftp .com/kFbWXZX.exe
This second part has another very low VirusTotal detection rate of just 3/46****...
Recommended blocklist:
184.95.37.96/28
frankcremascocabinets .com
giuseppepiruzza .com
gordonpoint .biz
gordonpoint .info
hitechcreature .com
frankcremasco .com
lobbyarkansas .com
ftp.ixcenter .com
faithful-ftp .com
"
* https://www.virustot...sis/1376945701/

** https://malwr.com/an...jdhNjk5ZDA1MTI/

*** http://www.threatexp...fbf106d28218cf9

**** https://www.virustot...sis/1376946672/

:ph34r: <_<

Edited by AplusWebMaster, 19 August 2013 - 05:40 PM.



#1009 AplusWebMaster


Posted 20 August 2013 - 07:57 AM

FYI...

Fake Browser Updates drop Shylock Malware
- http://www.threattra...hylock-malware/
August 19, 2013 - "We’re no stranger to fake and often malicious Internet browsers* that are served up on equally fake and malicious Web sites. These latest samples found by... our threat researchers in the AV Labs, are hosted on the domain, browseratrisk(dot)com. It is found that once users access pages on this malicious domain with either Internet Explorer (IE), Firefox or Chrome, it opens a fake “update” page for the said browsers and auto-downloads the fake files. Below are screenshots of these pages:
> http://www.threattra...-shylock-wm.jpg
> http://www.threattra...-shylock-wm.jpg
> http://www.threattra...-shylock-wm.jpg
... Users may find it difficult to close and navigate to other tabs after download, thanks to certain loop commands on the page’s code, which we’ve seen before**. If users choose to install the downloaded fake browser updates, it then drops a variant of either Sirefef or Shylock/Caphaw malware... Win32.Malware!Drop... Shylock had hit the news in January of this year as the banking Trojan capable of using Skype chat to spread. Note that the dropped file may change at roughly every three to four hours. The website server is also known to house Blackhole Exploit kits... If users access browseratrisk(dot)com via their mobile devices and on OSX, they are redirected to FriendFinder, a popular online dating service, via the mirror site, stealthtec(dot)net. When it comes to software updates, it pays to be wary of random sites claiming your current Internet browser needs to be updated. It is best to -ignore- these pages and go straight to official pages..."
* http://www.threattra...g...p;x=12&y=21

** http://www.threattra...serves-malware/

:ph34r: <_<



#1010 AplusWebMaster


Posted 21 August 2013 - 06:54 AM

FYI...

Fake Facebook SPAM / dennissellsgateway .com
- http://blog.dynamoo....gatewaycom.html
21 August 2013 - "This fake Facebook spam leads to malware on dennissellsgateway .com:
Date: Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From: Facebook [no-reply @facebook .com]
Subject: Gene Maynard wants to be friends with you on Facebook.
facebook
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


This is a "ThreeScripts" attack, with the link first going to a legitimate -hacked- site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas .org/jonson/tried.js
[donotclick]italiangardensomaha .com/moocher/pawned.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there, the victim ends up on a -hijacked- GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway .com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains...
Recommended blocklist:
72.5.102.146
dennissellsgateway .com
justinreid .us
waterwayrealtyteam .us
www.it-planet .gr
italiangardensomaha .com
ftp.crimestoppersofpinellas .org
"

>> Update: Another spam is circulating with a different pitch, but the -same- malicious payload:
Dear Customer,
The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report ...


- https://www.virustot...46/information/
___

Fake Malwarebytes scammer surveys ...
- http://blog.malwareb...urveys-victims/
August 20, 2013 - "... a twitter account pretending to be speaking for Malwarebytes. The twitter account, @ malwarebytesx, has posted heavily over the last couple days about Malwarebytes Anti-Malware being available (both legitimately and a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them! The link leads to a blogspot page titled “Malwarebytes Anti-Malware 1.75 Full + Serial” that is covered in our signage and provides a link to download “Malwarebytes Anti-Malware” with text and graphics directly from our own website.
> http://cdn.blog.malw...og-1024x810.png
After clicking on the “Download Now” button, you are presented with a download page requesting a small favor.
> http://cdn.blog.malw...wareAMOFfer.png
... Unfortunately for anyone who has fallen for this scam, this website does -not- belong to Malwarebytes nor is supported by one of our authorized distributors... Don’t become a victim and always download software from legitimate sites. Even if you just Google “Malware” or the phrase “Malware Removal,” legitimate sources to download our product are within the first few results. Tell your friends and if you encounter a survey site, maybe you should try finding your download somewhere else..."
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Malicious Attachment Email Messages - 2013 Aug 21
Fake Secure Message Notification Email Messages - 2013 Aug 21
Fake Confirmation of Payment Information Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 21
Fake UPS Parcel Notification Email Messages - 2013 Aug 21
Fake Product Solicitation Email Messages - 2013 Aug 21
Fake Product Purchase Request Email Messages - 2013 Aug 21
Fake Money Transfer Notification Email Messages - 2013 Aug 21
(More detail and links at the cisco URL above.)
___

Fake Facebook SPAM / thenatemiller.co
- http://blog.dynamoo....temillerco.html
21 August 2013 - "This fake Facebook spam leads to malware on thenatemiller .co:
Date: Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password
facebook
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


Nothing good will come from clicking the link. First victims go to a legitimate but -hacked- site that attempts to load the following three scripts:
[donotclick]gemclinicstore .com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup .com/toffies/ceiling.js
[donotclick]www.it-planet .gr/schlepped/suitor.js
From there the victim is directed to a malware landing page at [donotclick]thenatemiller .co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains...
Recommended blocklist:
72.5.102.146
successchamp .com
dennissellsgateway .com
thenatemiller .co
thenatemiller .info
justinreid .us
waterwayrealtyteam .us
thenatemiller .biz
gemclinicstore .com
mathenyadvisorygroup .com
www.it-planet .gr
..."

- https://www.virustot...46/information/

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 22 August 2013 - 05:13 AM.



#1011 AplusWebMaster


Posted 22 August 2013 - 01:40 PM

FYI...

Fake Red Sox Baseball SPAM / lindoliveryct .net
- http://blog.dynamoo....iveryctnet.html
22 Aug 2013 - "This fake Red Sox spam leads to malware on lindoliveryct .net:
Date: Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]
From: ticketoffice@ inbound.redsox .com
Subject: Thank You for your order. ( RSXV - 4735334 - 0959187 )
Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase, please contact our Ticket Services department by calling (toll free) 877-REDSOX9.
Note that you will receive a separate email within the next two business days which will include the vouchers you will need for both parking at the Prudential Center and your Duck Boat ride to the ballpark, included in each End of Summer Family Pack purchase.
Please remember that all sales are final-there are no refunds or exchanges issued on any tickets. Also note that all game times are subject to change. Be sure to visit redsox.com for the latest Red Sox news and any game time updates.
Thanks again! We look forward to seeing you at the ballpark this season.
Boston Red Sox Ticketing Department...


Screenshot: https://1.bp.blogspo...1600/redsox.png

The link goes through a legitimate -hacked- site (in this case using a WordPress flaw) and ends up on [donotclick]www.redsox .com.tickets-service.lindoliveryct.net/news/truck-black.php (report here*) which is actually the domain lindoliveryct .net rather than redsox .com... The WHOIS details for this domain are fake and indicate it is the work of the Amerika gang...
The malicious domain is multihomed on the following IPs which host several other malicious domains:
66.230.163.86 (Goykhman And Sons LLC, US)
86.183.191.35 (BT, UK)
188.134.26.172 (Perspectiva Ltd, Russia)
Recommended blocklist:
66.230.163.86
86.183.191.35
188.134.26.172
..."
* http://urlquery.net/....php?id=4682777
___

Chase Bank Remittance Spam
- http://threattrack.t...remittance-spam
Aug 22, 2013 - "Subjects Seen:
Remittance Docs <random>
Typical e-mail details:
Please find attached the remittance. If you are unable to open the attached file, please reply to this email with a contact telephone number.
The Finance Dept will be in touch in due course.
Vanessa_Rodriquez
Chase Private Banking


Malicious URLs
watch-fp .ca/ponyb/gate.php
watch-fp .com/ponyb/gate.php
watch-fp .info/ponyb/gate.php
watch-fp .mobi/ponyb/gate.php
jatw.pacificsocial .com/VSMpZX.exe
richardsonlookoutcottages .nb .ca/Q5Vf.exe
riplets .net/Qa7nXVT.exe

Malicious File Name and MD5:
Docs_<name>.zip (37A1C5AC9C0090A07F002B0A2ED57D3D)
Docs_<date>.exe (E9FBB397E66B295F5E43FE0AA3B545D7)

- Screenshot: https://gs1.wac.edge...WuCD1qz4rgp.png
___

Discover Card Account Information Update Spam
- http://threattrack.t...ion-update-spam
Aug 22, 2013 - "Subjects Seen:
Your account login information updated
Typical e-mail details:
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes.


Malicious URLs
aywright .com/parables/index.html
intuneuk .com/aspell/index.html
flagitak .poznan.pl/deceptiveness/index.html
carpentryunlimitedvermont .com/slangy/index.html
labs-srl .it/misquotations/index.html
75.103.99.168 /superintend/index.html
watch-fp .ca/topic/able_disturb_planning.php


- Screenshot: https://gs1.wac.edge...eDjI1qz4rgp.png

- http://blog.dynamoo....ount-login.html
22 August 2013 - "This fake Discover card spam leads to malware on abemuggs .com:
Date: Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From: Discover Card [no-reply@ facebook .com]
Subject: Your account login information updated
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your account login information has been updated.
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes...


Screenshot: https://3.bp.blogspo...cover-card2.png

The link in the email uses the Twitter redirection service to go to [donotclick]t. co/9PsnfeL8hh then [donotclick]x .co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198 .netsolhost.com/frostbite/hyde.js
[donotclick]96.9.28.44 /dacca/quintilian.js
[donotclick]cordcamera.dakisftp .com/toothsome/catch.js
From this point the victim ends up at the malicious payload at [donotclick]abemuggs .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).
At the moment, I can only see abemuggs .com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs .com
abesmugs .com
abemugs .com
andagency .com
mytotaltitle .com
I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs .com
02aa198.netsolhost .com
cordcamera.dakisftp .com
"

- https://www.virustot...39/information/

- https://www.virustot...44/information/
___

Fake Remittance Docs SPAM / Docs_08222013_218.exe
- http://blog.dynamoo....82780-spam.html
22 August 2013 - "This fake Chase spam has a malicious attachment:
Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From: Jed_Gregory [Jed_Gregory@ chase .com]
Subject: Remittance Docs 2982780
Please find attached the remittance 2982780.
If you are unable to open the
attached file, please reply to this email with a contact telephone number. The
Finance Dept will be in touch in due course. Jed_Gregory
Chase Private Banking Level III Officer
3 Times Square
New York, NY 10036 ...


The attachment is in the format Docs_victimdomain .com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46*. The Malwr analysis** shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp .ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial .com/VSMpZX.exe
[donotclick]richardsonlookoutcottages .nb .ca/Q5Vf.exe
[donotclick]idyno.com .au/kvdhx2.exe
The downloader then downloads a second part with a much lower detection rate of 6/46***. This appears to be a Zbot variant... The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server...
Recommended blocklist:
72.5.102.146 ..."
* https://www.virustot...sis/1377201922/

** https://malwr.com/an...GFiYjY4YjU3ZmY/

*** https://www.virustot...sis/1377202683/

- https://www.virustot...46/information/


Edited by AplusWebMaster, 22 August 2013 - 03:01 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
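The two dynamoo write-ups above (the Discover "ThreeScripts" chain of shortener, hacked site's /word/index.html, one of three .js files, then /topic/able_disturb_planning.php; and the Pony downloader checking in to /ponyb/gate.php) keep reusing the same path names on a churn of hijacked GoDaddy domains, and the blocklists are published defanged (" .com", "[donotclick]", "ftp(DOT)", "hxxp ://"). The following Python is an added example, not code from the blog or from this thread: it refangs those indicators, loads them as hosts, URLs and CIDR ranges, and runs them over proxy-log lines. The log format, the sample log lines, the 173.246.104.0/24 entry (one of the Gandi /24s called out further down the thread) and the "dictionary-word path fetched from a bare IP" heuristic are assumptions made here for illustration, not something the posts state.

```python
"""Refang the posts' indicators and match them against proxy-log requests."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators transcribed from the blocklists above, kept in the posts' defanged spelling.
# 173.246.104.0/24 is one of the Gandi /24s called out further down the thread.
DEFANGED_INDICATORS = [
    "74.207.253.139",
    "96.9.28.44",
    "abemuggs .com",
    "02aa198.netsolhost .com",
    "cordcamera.dakisftp .com",
    "[donotclick]watch-fp .ca/ponyb/gate.php",
    "[donotclick]www.jatw.pacificsocial .com/VSMpZX.exe",
    "ftp(DOT)willetthofmann .com/logistically/index.html",
    "72.5.102.146",
    "173.246.104.0/24",
]

# Landing-page paths the posts report on host after host: worth flagging on any host.
KIT_PAYLOAD_PATHS = (
    re.compile(r"/topic/able_disturb_planning\.php$"),
    re.compile(r"/ponyb/gate\.php$"),
)
# The first two stages look like /word/index.html and /word/word.js. That is far too
# generic on a real hostname, so it is only flagged (low) when fetched from a bare IP.
# This is a heuristic of this example (assumption), not something the posts assert.
DICTIONARY_PATH = re.compile(r"^/[a-z]+/(?:index\.html|[a-z]+\.js)$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
# Assumed log layout: timestamp client method url status
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(indicator):
    """Undo the posts' defanging so the indicator parses as a real host, URL or CIDR."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"\s*\((?:DOT|dot)\)\s*", ".", s)   # "ftp(DOT)host" -> "ftp.host"
    s = re.sub(r"\s*:\s*//\s*", "://", s)          # "hxxp ://" -> "hxxp://"
    s = re.sub(r"^hxxp", "http", s)                # hxxp(s):// -> http(s)://
    s = re.sub(r"\s+\.", ".", s)                   # "abemuggs .com" -> "abemuggs.com"
    s = re.sub(r"\.\s+", ".", s)                   # "t. co" -> "t.co"
    s = re.sub(r"\s+/", "/", s)                    # "1.2.3.4 /path" -> "1.2.3.4/path"
    return s


def parse_indicator(indicator):
    """Classify one indicator as ('net', network), ('host', name) or ('url', (host, path))."""
    s = refang(indicator)
    if CIDR.match(s):
        return "net", ipaddress.ip_network(s, strict=False)
    if "://" not in s:
        s = "http://" + s
    u = urlsplit(s)
    host = u.hostname or ""          # urlsplit lowercases the host for us
    if u.path in ("", "/"):
        return "host", host
    return "url", (host, u.path)


class Blocklist:
    def __init__(self, indicators):
        self.hosts, self.urls, self.nets = set(), set(), []
        for ioc in indicators:
            kind, value = parse_indicator(ioc)
            {"net": self.nets.append, "host": self.hosts.add, "url": self.urls.add}[kind](value)

    def _net_for(self, host):
        """The listed network containing host, if host is an IP inside one."""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
        return next((n for n in self.nets if ip in n), None)

    def classify(self, url):
        """Return (severity, reason) for one requested URL, or None when nothing matches."""
        u = urlsplit(url)
        host, path = (u.hostname or ""), u.path
        if host in self.hosts:
            return "high", f"blocked host {host}"
        net = self._net_for(host)
        if net is not None:
            return "high", f"blocked range {net}"
        if (host, path) in self.urls:
            return "high", f"blocked url {host}{path}"
        if any(p.search(path) for p in KIT_PAYLOAD_PATHS):
            return "high", f"kit payload path {path} on unlisted host {host}"
        if BARE_IP.match(host) and DICTIONARY_PATH.match(path):
            return "low", f"dictionary-word stage path {path} fetched from bare IP {host}"
        return None


def scan_log(lines, blocklist):
    """Return [(ts, client, severity, reason, url)] for every log request that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = blocklist.classify(m["url"])
        if verdict:
            hits.append((m["ts"], m["client"], verdict[0], verdict[1], m["url"]))
    return hits


# Constructed proxy log for the example, not captured traffic.
SAMPLE_LOG = """\
2013-08-22T16:20:01Z 10.0.0.12 GET http://t.co/9PsnfeL8hh 301
2013-08-22T16:20:02Z 10.0.0.12 GET http://activegranite.com/vocatives/index.html 200
2013-08-22T16:20:03Z 10.0.0.12 GET http://96.9.28.44/dacca/quintilian.js 200
2013-08-22T16:20:04Z 10.0.0.12 GET http://abemuggs.com/topic/able_disturb_planning.php 200
2013-08-22T16:25:40Z 10.0.0.33 POST http://watch-fp.ca/ponyb/gate.php 200
2013-08-22T16:26:10Z 10.0.0.33 GET http://www.jatw.pacificsocial.com/VSMpZX.exe 200
2013-08-22T16:30:00Z 10.0.0.40 GET http://www.example.com/topic/index.html 200
2013-08-22T16:31:00Z 10.0.0.41 GET http://93.93.189.108/exhortation/index.html 200
2013-08-22T16:32:00Z 10.0.0.42 GET http://173.246.104.55/ 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines(), Blocklist(DEFANGED_INDICATORS)):
        print(*hit)
```

Run as-is it prints six hits: five "high" (two listed hosts, two listed URLs, one address inside the /24) and one "low" for the bare-IP /exhortation/index.html fetch; the example.com /topic/index.html request is deliberately left alone, since a dictionary-word path on a real hostname is not evidence of anything on its own. The "kit payload path" rule is the one that keeps paying off when the hijacked domain changes but the landing-page path does not.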


#1012 AplusWebMaster
Posted 23 August 2013 - 11:35 AM

FYI...

Fake Wells Fargo SPAM / WellsFargo_08232013.exe
- http://blog.dynamoo....8232013exe.html
23 August 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From: Morris_Osborn@ wellsfargo .com
Please review attached documents.
Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103...


In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45*, but the file itself is unusually small (just 21 KB unzipped, 8 KB zipped) when I would normally expect to see the executable closer to 100 KB for this sort of malware. What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf**] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity... The WHOIS details for the domain huyontop .com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop .com as being potentially malicious and block it if you can."
* https://www.virustot...sis/1377272785/

** http://www.dynamoo.c...c1acd09feb3.pdf

- https://www.virustot...22/information/
___

Orbit Downloader - DDoS component found
- https://net-security...ews.php?id=2570
Aug 23, 2013 - "... The DDoS component has been discovered by ESET researchers* while doing a routine examination of the software, and subsequent analysis of previous versions has shown that it was added to orbitDM.exe sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013)... ESET has decided to make its AV software detect all versions of Orbit Downloader with DoS functionality. Trend Micro, Kaspersky Lab and Ikarus decided to follow suit, at least for the latest version of OD. Users are advised to uninstall the software and choose another one for their needs."

* http://www.welivesec...wnloading-tool/
21 Aug 2013

** https://www.virustot...23ec6/analysis/


Edited by AplusWebMaster, 23 August 2013 - 11:36 AM.



#1013 AplusWebMaster
Posted 26 August 2013 - 05:34 PM

FYI...

Fake UPS SPAM / UPS Invoice 74458652.zip
- http://blog.dynamoo....4458652zip.html
26 August 2013 - "This fake UPS invoice has a malicious attachment:
From: "UPSBillingCenter @ups .com" [UPSBillingCenter@ ups .com]
Subject: Your UPS Invoice is Ready
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.


Attached is a file UPS Invoice 74458652.zip which in turn contains a file called UPS Invoice {DIGIT[8]}.exe which presumably isn't meant to be named like that...
The VirusTotal detection rate is a so-so 18/46*. The Malwr analysis** is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint .org/forum/viewtopic.php
[donotclick]mierukaproject .jp/PjSE.exe
[donotclick]programcommunications .com/WZP3mMPV.exe
[donotclick]fclww .com/QdytJso0.exe
[donotclick]www .lajen .cz/tPT8oZTB.exe
The VirusTotal detection rate for the downloaded file is not great at just 9/46***.
The domain gordonpoint .org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other -hijacked- domains...
Recommended blocklist:
74.207.229.45
gordonpoint .org
hitechcreature .com
industryseeds .ca
infocreature .com
itanimal .com
itanimals .com
jngburgerjoint .ca
jngburgerjoint .com
johnmejalli .com
mierukaproject .jp
programcommunications .com
fclww .com
www.lajen .cz
"
* https://www.virustot...sis/1377553766/

** https://malwr.com/an...jgxYzUzY2NlOTg/

*** https://www.virustot...sis/1377552510/

- https://www.virustot...45/information/
___

PayPal Protection Services Spam
- http://threattrack.t...n-services-spam
Aug 26, 2013 - "Subjects Seen:
Resolution of case #<random>
Typical e-mail details:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details
Sincerely,
Protection Services Department


Malicious URLs
8744f321834af6ba.lolipop .jp/monetary/index.html
scentsability .org/interlocks/index.html
batcoroadlinescorporation .com/misfire/index.html
gordonpoint .org/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edge...8gPk1qz4rgp.png


Edited by AplusWebMaster, 26 August 2013 - 05:39 PM.

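The Chase, Wells Fargo and UPS runs in the three posts above share one shape: a zip named after the victim (Docs_victimdomain.com.zip, WellsFargo.victimname.zip) wrapping a single executable whose name carries the send date (Docs_08222013_218.exe, WellsFargo_08232013.exe) or, when the spammer's generator misfires, an unexpanded placeholder (UPS Invoice {DIGIT[8]}.exe). The following Python is an added example of a mail-gateway triage step, not code from the blog or from this thread: it opens the attachment in memory, flags executables by extension and by PE magic (so a renamed .exe is still caught), looks for a date within a few days of receipt encoded in the member name, and spots template residue and document-then-executable double extensions. The sample archive is constructed here with a two-byte MZ stub standing in for a real PE, and the receipt date, archive name and recipient domain are assumed.

```python
"""Triage of zip attachments of the kind seen in the Chase, Wells Fargo and UPS runs above."""
import datetime as dt
import io
import re
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# MMDDYYYY embedded in a name, as in Docs_08222013_218.exe / WellsFargo_08232013.exe
DATE_IN_NAME = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{4})(?!\d)")
# Unexpanded generator placeholders, as in "UPS Invoice {DIGIT[8]}.exe" or "Case_<date>.exe"
TEMPLATE_RESIDUE = re.compile(r"\{[A-Z]+\[\d+\]\}|<(?:random|date)>")
# "invoice.pdf.exe" style double extensions
DOUBLE_EXTENSION = re.compile(r"\.(?:pdf|docx?|xlsx?|txt|jpe?g)\.[a-z]{2,4}$", re.I)


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return dt.date.fromisoformat(value) if isinstance(value, str) else value


def encoded_date(name, received, window_days=3):
    """Return the MMDDYYYY date embedded in name if it lies within window_days of receipt, else None."""
    received = _as_date(received)
    for mm, dd, yyyy in DATE_IN_NAME.findall(name):
        try:
            d = dt.date(int(yyyy), int(mm), int(dd))
        except ValueError:  # e.g. month 99: not a date at all, keep looking
            continue
        if abs((received - d).days) <= window_days:
            return d
    return None


def member_reasons(name, head, received):
    """Reasons to distrust one archive member, given its name and its first bytes."""
    reasons = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of extension")
    if DOUBLE_EXTENSION.search(name):
        reasons.append("document-then-executable double extension")
    d = encoded_date(name, received)
    if d is not None:
        reasons.append(f"filename encodes receipt-window date {d.isoformat()}")
    if TEMPLATE_RESIDUE.search(name):
        reasons.append("unexpanded template placeholder in filename")
    return reasons


def triage_attachment(archive_name, data, received, recipient_domain):
    """Return {'archive': [...], 'members': [(name, reasons), ...]} for a zip attachment (bytes)."""
    received = _as_date(received)
    report = {"archive": [], "members": []}
    if recipient_domain.lower() in archive_name.lower():
        report["archive"].append(f"archive name contains recipient domain {recipient_domain}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:   # only the magic bytes are needed
                head = fh.read(2)
            reasons = member_reasons(info.filename, head, received)
            if reasons:
                report["members"].append((info.filename, reasons))
    return report


def build_sample_zip():
    """Constructed sample attachment: two 'executables' that are only an MZ stub, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Docs_08222013_218.exe", b"MZ" + b"\x00" * 62)      # not a real PE
        zf.writestr("UPS Invoice {DIGIT[8]}.exe", b"MZ" + b"\x00" * 62)  # template residue
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_attachment("Docs_example.com.zip", build_sample_zip(), "2013-08-22", "example.com")
    for line in rep["archive"]:
        print("archive:", line)
    for name, reasons in rep["members"]:
        print(name, "->", "; ".join(reasons))
```

The date window is the interesting check: a freshly generated filename that matches the day the message arrived is characteristic of these mass runs and survives a change of lure, whereas the extension list and the MZ check are the baseline any gateway should already apply. Real PE validation (DOS header, PE signature at e_lfanew) is out of scope here; the stub only shows where that check would plug in.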


#1014 AplusWebMaster
Posted 27 August 2013 - 02:47 PM

FYI...

Fake email - Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification Email Message - 2013 Aug 27
Fake Money Transfer Notification Email Messages - 2013 Aug 27
Fake Bank Payment Notice Email Messages - 2013 Aug 27
Fake Account Payment Notification Email Messages - 2013 Aug 27
Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 27
Fake Package Shipping Notification Email Messages - 2013 Aug 27
Fake Business Complaint Notification Email Messages - 2013 Aug 27
Fake Tax Return Information Email Messages - 2013 Aug 27
Email Messages with Malicious Attachments - 2013 Aug 27
Fake Product Purchase Order Request Email Messages - 2013 Aug 27
Fake Tax Documentation Email Messages - 2013 Aug 27
Fake Product Services Specification Request Email Messages - 2013 Aug 27
(More detail and links at the cisco URL above.)
___

UPS Email scam delivers Backdoor
- http://blog.trendmic...ivers-backdoor/
Aug 27, 2013 - "... most users can easily detect spammed messages, particularly those that attempt (and fail) at looking like legitimate email notifications... We recently found an email sample spoofing the popular mail courier service UPS. The email poses as a package delivery notification, containing links to the tracking site and .PDF copy of the shipping invoice. This is definitely not the first time we received such an email. However, what makes this spam stand out is the way it hides its true, malicious intent.
> https://blog.trendmi...spamrun_825.png
As seen in the email screenshot above, the malware-hosting site is hyperlinked to the legitimate UPS URL where the .PDF version of the shipping invoice can be downloaded. For users, this URL may seem safe; however, when they click the URL it leads to the downloading of the malicious ZIP file. To further convince users of its legitimacy, the recipient's email address was created to closely resemble the actual UPS email address. The ZIP file contains a malicious file which Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information in several FTP clients or file manager software. In addition, BKDR_VAWTRAK.A also steals email credentials from Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat! among others. In order to avoid detection on the system, this backdoor deletes certain registry keys related to Software Restriction Policies... this attack was moderate in number, constituting approximately 1 in every 300-400 thousand spam on the day of the outbreak based on the estimate. To give this a baseline of comparison, the recent Royal Baby spam outbreak consisted of 1 in every 200 spam on the days of that outbreak. This email campaign also appears to be targeting specific organizations, which stresses the importance of social engineering training and how to make it effective in a workplace setting. This includes training like "social" penetration training, which is basically having someone play an attacker and attempt to lure employees via social engineering..."


Edited by AplusWebMaster, 27 August 2013 - 05:59 PM.



#1015 AplusWebMaster
Posted 28 August 2013 - 09:02 AM

FYI...

High Profile Domains under Siege
- http://blog.opendns....ns-under-siege/
August 27, 2013 - "We are actively seeing several high profile domains being -hijacked- at the DNS level and are actively blocking all requests from the apparent attackers’ name servers. The attacker looks to have compromised domain name registrar MelbourneIT. Reported domains include Share This, Twitter, Huffington Post, and the New York Times. We’re not linking to those sites for obvious reasons. The IP addresses and domains that have been involved in -redirection- have been blocked by OpenDNS... We are now blocking all requests that are coming from the known bad name servers... screenshots show the bad name server, 141.105.64.37, which is currently hosting domains including malware and phishing along with the domains affected by today’s attack..."
(Screenshots at the opendns URL above.)

- https://www.virustot...37/information/

- https://isc.sans.edu...l?storyid=16451
Last Updated: 2013-08-27 21:09:58 UTC

- http://www.theregist..._domain_hijack/
27 August 2013

- http://arstechnica.c...of-their-sites/
Aug 27 2013, 10:10pm EST


Edited by AplusWebMaster, 29 August 2013 - 07:18 AM.


#1016 AplusWebMaster
Posted 29 August 2013 - 06:31 AM

FYI...

Sendori software update - malware...
- https://isc.sans.edu...l?storyid=16466
Last Updated: 2013-08-29 04:27:07 UTC - "Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process. The URL path (to be considered hostile) is: hxxp ://upgrade.sendori .com/upgrade/2_0_16/sendori-win-upgrader.exe...
VirusTotal results currently nine malware hits (9/46*). Malwr results** are rather damning, and as Kevin stated, Zeus-like... Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe ...
Sendori replied to Kevin's notification with; they are engaged and investigating:
'Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks Sendori Support team' ...
Comment(1): I checked again this morning and the file sendori-win-upgrader.exe they are hosting has now changed to a smaller version with MD5 771f2382ce00d6f8378f56510fa0da43.
I was hoping that meant the Sendori folks cleaned things up but VirusTotal still throws 4 malware hits on the file, and a fresh Malwr analysis looks as evil as before. It looks like whoever is exploiting Sendori's auto-update system has just "freshened up" the file for better AV evasion. I updated my ticket with Sendori Support. My first sighting of this issue was on 2013-08-28 at 4:58pm EST when my first client was nailed with it.
Kevin Branch..."

... sendori .com/consumer_problem.html
"Sendori software works in tandem with web browsers to dramatically speed access to tens of thousands of the most popular websites..."

* https://www.virustot...b441d/analysis/

** https://malwr.com/an...DVlMDcyMjk2NGU/
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake eFax Message Notification Email Messages - 2013 Aug 29
Fake Account Payment Notification Email Messages - 2013 Aug 29
Fake Purchase Order Request Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Fake Payment Information Email Messages - 2013 Aug 29
Fake Shipping Information Email Messages - 2013 Aug 29
Fake Product Order Email Messages - 2013 Aug 29
Fake Account Information Request Email Messages - 2013 Aug 29
Fake Photo Sharing Email Messages - 2013 Aug 29
Fake Product Purchase Request Email Messages - 2013 Aug 29
Fake Invoice Notification Email Messages - 2013 Aug 29
Fake Payment Notification Email Messages - 2013 Aug 29
Email Messages with Malicious Attachments - 2013 Aug 29
Fake Account Deposit Notification Email Messages - 2013 Aug 29
Fake Package Delivery Failure Notification Email Messages - 2013 Aug 29
Fake Product Services Specification Request Email Messages - 2013 Aug 29
Fake Product Purchase Order Email Messages on August 28, 2013 - 2013 Aug 29
Malicious Personal Pictures Attachment Email Messages - 2013 Aug 29
Fake Scanned Document Attachment Email Messages - 2013 Aug 29
(More detail and links at the cisco URL above.)


Edited by AplusWebMaster, 29 August 2013 - 01:33 PM.



#1017 AplusWebMaster
Posted 30 August 2013 - 10:21 AM

FYI...

Visa/PayPal Spam
- http://threattrack.t...isa-paypal-spam
Aug 30, 2013 - "Subjects Seen:
Resolution of case #PP<random>
Typical e-mail details:
Dear Visa card holder,
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see on the page View all details on the Usa.visa.com/personal/
Visa does not tolerate fraud or illegal activities. Your complaint has been noted in the record of the Visa card holder you reported. If we find this user has violated our policies, we will investigate and take appropriate action. If this occurs, you may be contacted in the future about the status of this complaint.
To make sure future transactions proceed smoothly, we suggest you visit the PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid fraudulent sellers in the “Fraud Prevention Tips for Buyers” section.


Malicious URLs
dp56148868.lolipop .jp/brassing/index.html
rossizertanna .it/occupancy/index.html
abesgrillnbar .com/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edge...fxum1qz4rgp.png
___

Paychex Insurance Spam
- http://threattrack.t...-insurance-spam
Aug 30, 2013 - "Subjects Seen:
Paychex Insurance Agency
Typical e-mail details:
The security of your personal information is of the utmost importance to Paychex, so we have sent the attached as a secure electronic file.
For more details please see on the page. View all details »
Note: The attached file contains encrypted data. In order to view the file, you must have already installed the decryption software that was previously provided by Paychex.
If you have any question please call us at 800-472-0072, option 4. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
Paychex Insurance Agency


Malicious URLs
ftp(DOT)willetthofmann .com/logistically/index.html
ftp(DOT)willetthofmann .com/shadiest/index.html
abesonthego .com/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edge...NzEx1qz4rgp.png
___

Federal Reserve Suspicious Activity Spam
- http://threattrack.t...s-activity-spam
Aug 30, 2013 - "Subjects Seen:
FW: IMPORTANT - Suspicious Activity <random>
Typical e-mail details:
Greetings, addressing you is Ariel Howe, Superior Accounting Officer at Federal Reserve. We have received an inquiry from your Financial Institution regarding an incoming money transfer from Harvey Norman Holdings Ltd. retail with concern on the company’s current activity which is valued as “High Risk Activity”. In order to release the funds to your account please complete the attached form “IIMT Form 401”.
Please note if no further action will be taken the funds will be remain locked in the Federal Reserve System or returned to the Money transfer initiator.
Ariel Howe
Superior Accounting Officer
Office of Inspector General
c/o Board of Governors of the Federal Reserve System


Malicious File Name and MD5:
Case_<random>.zip (35C95C02EB974CA2302D2BA3EB7E5322)
Case_<date>.exe (F9A37404F1150C48AEC238BAC44977FC)

Screenshot: https://gs1.wac.edge...Y9v51qz4rgp.png


Edited by AplusWebMaster, 30 August 2013 - 04:07 PM.



#1018 AplusWebMaster
Posted 02 September 2013 - 07:23 AM

FYI...

Malware sites to block 2/9/13
- http://blog.dynamoo....block-2913.html
2 Sep 2013 - "These IPs and domains are associated with this gang* and should all be considered as malicious. This list follows on from this earlier one**..."
(Long list of IPs at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika

** http://blog.dynamoo....lock-19813.html
___

Fake Facebook SPAM / london-leather .com
- http://blog.dynamoo....leathercom.html
2 Sep 2013 - "This fake Facebook spam leads to malware on london-leather .com:
Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From: Facebook [update+hiehdzge @facebookmail .com]
Subject: Victoria Carpenter commented on your status...
Hello,
Victoria Carpenter commented on your status.
Victoria wrote: "so cute;)"
Go to comments
Reply to this email to comment on this status.
See Comment
This message was sent to [redacted]...


In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem .cz/5xxb8 then [donotclick]93.93.189.108 /exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj .com/mummifies/stabbed.js
[donotclick]mobileforprofit .net/affected/liberal.js
[donotclick]tuviking .com/trillionth/began.js
These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy...
Recommended blocklist:
173.246.104.184
london-leather .com
kitchenwalla .com
kidswalla .com
jerseyluggage .com
jerseycitybags .com
kiddypals .com
kennethcolenyoutlet .com
codebluesecuritynj .com
mobileforprofit .net
tuviking .com
"

- https://www.virustot...84/information/
___

MONK SPAM tries to profit from WAR threat
- http://blog.dynamoo....t-from-war.html
2 Sep 2013 - "The MONK (Monarchy Resources Inc) pump-and-dump spam continues*. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:
From: belova04@ jeel .com
Date: 2 September 2013 17:32
Subject: This Stock just released Big News!
Are you interested in enriching yourself by means of war? It`s the very
time to do it! As soon as the first bombs get to the earth in Syria,
stone oil prices will move up the same as MONARCHY RESOURCES INC
(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
shares!!!...


As previously discussed*, the stock price for this company has tanked** and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me. Here are some other variants of the same scummy email:

You can make money on war!!! It`s right time to make it. The
moment the first rockets descend to Syria, oil prices will
rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
price!!! Begin earning profits on Monday, September 02, 2013,
grab M O N_K shares.
It`s your turn to make money on war! It`s the very time to make it.
As soon as the first bombs touch the ground in Syria, black gold
prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
shares...


* http://blog.dynamoo....c-pump-and.html

** http://www.nasdaq.co...;charttype=line


Edited by AplusWebMaster, 02 September 2013 - 01:04 PM.



#1019 AplusWebMaster
Posted 03 September 2013 - 05:28 AM

FYI...

Fake PayPal SPAM / londonleatheronline .com
- http://blog.dynamoo....ronlinecom.html
3 Sep 2013 - "This fake PayPal spam leads to malware on londonleatheronline .com:
Date: Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From: PayPal [service@ int .paypal .com]
Subject: Identity Issue #PP-716-472-864-836
We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.
Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@ paypal .com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details
Your case ID for this reason is PP-U3PR33YIL8AV
For your protection, we might limit your account access. We apologize for any inconvenience this may cause.
Thanks,
PayPal ...


The link in the email goes to a legitimate -hacked- site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni .com/liquids/pythias.js
[donotclick]tuviking .com/trillionth/began.js
[donotclick]walegion.comcastbiz .net/wotan/reuses.js
These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack* ...
Recommended blocklist:
173.246.104.184
jerseycitybags .com
jerseyluggage .com
kennethcolenyoutlet .com
kiddypals .com
kidswalla .com
kitchenwalla .com
london-leather .com
londonleatheronline .com
ftp.casacalderoni .com
tuviking .com
walegion.comcastbiz .net
"
* http://blog.dynamoo....leathercom.html

- https://www.virustot...84/information/
___

Breaking Bad Spam lurks - note pasting site
- http://www.threattra...e-pasting-site/
Sep 3, 2013 - "... fresh links being dumped across a site designed to let users paste notes and images then share with their friends, in a similar manner to Pastebin... frantic posting of links galore... The site itself has Bidvertiser ads placed above and below the “watch now” graphic, which may cause end-users to think they’re related to the image. Not so – clicking the “Download” button took us to an internet speed test. Clicking the Breaking Bad image took us to a second Tumblr which is so excited about offering up ads that it ends up sliding a scroll ad right behind the survey splash.
> http://www.threattra.../bbadpaste3.jpg
... They just can’t decide what they want you to click on first! Another link takes end-users to a video player install complete with various advertising related additions.
> http://www.threattra.../bbadpaste4.jpg
...
> http://www.threattra.../bbadpaste5.jpg
... As with all of these spam runs, you’re better off avoiding. At best, you’ll end up with some terrible grainy rip of a TV show on some free file host (after filling in a bunch of offers); at worst, you’ll end up with no TV show, unwanted installs and advert clickthroughs which lead to who-knows-where (after filling in a bunch of offers)."
___

Facebook News feed Suggestion Spam
- http://threattrack.t...suggestion-spam
Sep 3, 2013 - "Subjects Seen:
Hi <name>, here are some Pages you may like
Typical e-mail details:
Like these Pages to get updates in your News Feed...

Malicious URLs
iecc .com .au/complying/index.html
pictondental .com .au/hilda/index.html
ladiscoteca .org/john/index.html
bonway-onza .com/thalami/index.html
watchfp .mobi/topic/able_disturb_planning.php
mvwebsites .com .au/bmSe4BN.exe
mystatesbororealestate .com/rhdkD6.exe
mit-stolz-vorbei-dollbergen .de/w8BDM.exe
petrasolutions .com/JpVsf.exe


Screenshot: https://gs1.wac.edge...lk5B1qz4rgp.png


Edited by AplusWebMaster, 03 September 2013 - 02:04 PM.



#1020 AplusWebMaster
Posted 04 September 2013 - 05:32 AM

FYI...

Facebook SPAM / watchfp .net
- http://blog.dynamoo....watchfpnet.html
4 Sep 2013 - "All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp .net:
Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1 @facebookmail .com]
Subject: Blake Miranda tagged 5 photos of you on Facebook
facebook
Blake Miranda added 5 photos of you.
See photos
Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


Blake is pretty feminine looking for a bloke:
> https://lh3.ggpht.co...0/facebook4.png
The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice portfolio. Anyway.. the link in the email uses a shortening service:
[donotclick]u .to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa .de/triassic/index.html which loads one of the following:
[donotclick]safbil .com/stashed/flout.js
[donotclick]ftp.spectrumnutrition .ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste .de/covetously/turk.js
The final step is that the victim ends up on a malware landing page at [donotclick]watchfp .net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.
Recommended blocklist:
192.81.134.241
watchfp .org
watchfp .mobi
watchfp .net
safbil .com
ftp.spectrumnutrition .ca
schornsteinfeger-helmste .de
"
___

Something evil on 174.140.168.239
- http://blog.dynamoo....4140168239.html
4 Sep 2013 - "The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].
It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:
174.140.168.239 ..."
(More listed at the dynamoo URL above.)

1) http://urlquery.net/...1...-04&max=400

2) https://www.virustot...39/information/

3) http://blog.dynamoo....98zip-fail.html
___

Something very wrong with Gandi US (AS29169 / 173.246.96.0/20)
- http://blog.dynamoo....h-gandi-us.html
4 Sep 2013 - "Recently I have been suggesting readers block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago. The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites... the warnings I have given about this IP range just in this blog alone* (ignoring all external sources)... Google prognosis**... there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage.. if you are hosted in this range then I suggest it is time to look for a new host. Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.
Recommended blocklist:
..."
(Long list of URLs at the dynamoo URL above.)
* http://blog.dynamoo....rch/label/Gandi

** http://www.google.co...c?site=AS:29169
___

Fake PayPal SPAM / dshapovalov .info
- http://blog.dynamoo....ovalovinfo.html
4 Sep 2013 - "This (badly formatted) fake PayPal spam email leads to malware on dshapovalov .info:
Date: Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From: PayPal [service@ int. paypal .com]
Subject: History of transactions #PP-011-538-446-067
ID
Transaction: { figure } {SYMBOL }
On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now
Sincerely, Services for protection
Department
PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.
To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.
Copyright © 1999-2013 PayPal. All rights reserved.
PPID PP {DIGIT } The history of monetary transactions


The link in the email goes through a URL shortening service at [donotclick]url7 .org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23 /observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169 /garrotting/rumples.js
[donotclick]northeastestateagency .co .uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro .com/peps/dortmund.js
From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack*. There are other hijacked GoDaddy domains on the same domain...
Recommended blocklist:
"
* http://blog.dynamoo....watchfpnet.html

Current PayPal related Spam Ploys
- http://threattrack.t...ated-spam-ploys
Sep 4, 2013 - "Subjects Seen:
Resolution of case #PP-<random>
With your balance was filmed - 500 $ -Resolution of case #PP-<random>
Identity Issue #PP-<random>
History of transactions #PP-<random>

Typical e-mail details:
Resolution of Case:
Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably. For more details please see on the page View all details
Sincerely,
Protection Services Department ..."


Malicious URLs


Screenshots: https://gs1.wac.edge...WOF91qz4rgp.png

- https://gs1.wac.edge...tvkm1qz4rgp.png

- https://gs1.wac.edge...sH031qz4rgp.png

- https://gs1.wac.edge...pOP01qz4rgp.png
___

Fake HSBC SPAM / Original Copy (Edited).zip
- http://blog.dynamoo....-editedzip.html
4 Sep 2013 - "This fake HSBC spam links to a malicious ZIP file:
Date: Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From: HSBC Wire Advising service [wireservice@ hsbc .com .hk]
Reply-To: hsbcadviceref@mail.com
Subject: HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Kindly Accept Our apology On the copy we sent earlier.
1 attachments (total 586 KB)
View slide show (1)
Download all as zip
Yours faithfully,
Global Payments and Cash Management
HSBC ...


Screenshot: https://lh3.ggpht.co.../s1600/hsbc.png

The link in the email goes to a file sharing site at [donotclick]ge .tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16*. The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report** shows some network activity including a suspect connection to ftp.advice .yz i.me (185.28.21.26, Hostinger International US) which might be worth blocking."
* https://www.virustot...sis/1378306613/

** http://www.threatexp...898215a282488de

- https://www.virustot...26/information/

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 04 September 2013 - 11:53 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
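One defender-side way to put the quoted dynamoo blocklists to work, as an added example that is not part of this post or of the dynamoo blog: it refangs the " .dot"-spaced, [donotclick]-prefixed notation used above, splits the list into IPs and hostnames, and matches proxy-log destinations (constructed sample lines) against it, treating any subdomain of a listed domain as a hit.

```python
import re
import ipaddress
from urllib.parse import urlsplit
# Blocklist excerpt from the ThreeScripts item above, in the blog's defanged notation.
BLOCKLIST_TEXT = """Recommended blocklist:
192.81.134.241
watchfp .net
safbil .com
ftp.spectrumnutrition .ca
[donotclick]www.rosenberger-kirwa .de/triassic/index.html"""
# Constructed proxy log lines (client, method, URL); not taken from the post.
SAMPLE_LOG = [
    "10.0.0.12 GET http://www.rosenberger-kirwa.de/triassic/index.html",
    "10.0.0.12 GET http://safbil.com/stashed/flout.js",
    "10.0.0.7 GET http://www.example.com/index.html",
]

def refang(token):
    """Undo the defanging: drop [donotclick] and close the gap before each dot."""
    token = token.replace("[donotclick]", "").strip()
    return re.sub(r"\s+\.\s*", ".", token).lower()

def parse_blocklist(text):
    """Split a defanged list into a set of IP strings and a set of hostnames."""
    ips, hosts = set(), set()
    for item in map(refang, text.splitlines()):
        if "/" in item:                          # a URL: keep only its host
            item = urlsplit("http://" + item).hostname or ""
        if not item or item.endswith(":"):      # skip blanks and the heading
            continue
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            hosts.add(item)
    return ips, hosts

def is_blocked(host, ips, hosts):
    """IPs match exactly; a name matches if it or any parent domain is listed."""
    labels = host.lower().rstrip(".").split(".")
    return host in ips or any(".".join(labels[i:]) in hosts for i in range(len(labels)))

def scan_proxy_log(lines, ips, hosts):
    """Return (client, host) pairs for requests to blocklisted destinations."""
    hits = []
    for line in lines:
        client, _method, url = line.split()[:3]
        host = urlsplit(url).hostname or ""
        if is_blocked(host, ips, hosts):
            hits.append((client, host))
    return hits
```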
