SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1021 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 September 2013 - 11:33 AM

FYI...

More Fake Facebook SPAM / kapcotool .com
- http://blog.dynamoo....pcotoolcom.html
5 Sep 2013 - "This fake Facebook spam leads to malware on kapcotool.com:
From: Facebook [no-reply@ facebook .com]
Date: 5 September 2013 15:21
Subject: Michele Murdock wants to be friends with you on Facebook.
facebook
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request ...


The -link- in the email uses an obscure URL shortening service to go first to [donotclick]fenixa .com/97855 and then to [donotclick]magic-crystal .ch/normalized/index.html, and at this point it attempts to load the following three scripts:
[donotclick]00398d0.netsolhost .com/mcguire/forgiveness.js
[donotclick]202.212.131.8 /ruses/nonsmokers.js
[donotclick]japanesevehicles .us/vector/internees.js
The final step is a malware landing page at [donotclick]kapcotool .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains...
Recommended blocklist:
74.207.227.154
jgburgerlounge .ca
jngburgerjoint .ca
jngburgerjoint .com
johnmejalli .com
justcreature .com
justmonster .com
kalcodistributors .com
kapcotool .com
00398d0.netsolhost .com
japanesevehicles .us
202.212.131.8
"

- https://www.virustot...54/information/
___

NACHA SPAM / nacha-ach-processor .com
- http://blog.dynamoo....ocessorcom.html
5 Sep 2013 - "This fake NACHA spam... leads to malware on nacha-ach-processor .com:
From: The Electronic Payments Association - NACHA [leansz35@ inbound .nacha .com]
Date: 5 September 2013 17:55
Subject: Rejected ACH transfer
The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.
Cancelled transaction
ACH ID: 985284643257
Rejection Reason See additional info in the statement below
Transaction Detailed Report View Report 985284643257
About NACHA
NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:
The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.
NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.
14560 Sunny Valley Drive, Suite 204
Herndon, VA 20171
© 2013 NACHA - The Electronic Payments Association


The link in the email goes through a legitimate -hacked- site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor .com/news/ach-report.php (report here**) which is hosted on the following IPs:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
194.42.83.60 (Interoute Hosting, UK)
The IPs in use identify it as belonging to what I call the Amerika gang*. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains*.
Recommended blocklist:
66.230.163.86
95.111.32.249
194.42.83.60
..."
(More listed at the dynamoo URL above.)

* http://blog.dynamoo....h/label/Amerika

** http://urlquery.net/....php?id=4976262
___

Citizens Bank Issue File Processed Spam
- http://threattrack.t...-processed-spam
Sep 5, 2013 - "Subjects Seen:
Issue File <random> Processed
Typical e-mail details:
Regarding Issue File <random> -
Total Issue Items # 36 Total Issue Amount $38,043.98
This will confirm that your issue file has been processed. Please verify the information in attached report; if you find there are discrepancies in what you believe your totals should be and what we have reported, please contact the Reconciliation Department at 1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24 hours after you receive this notice.


Malicious File Name and MD5:
issue_report_<random>.zip (1189CEBD553088A94EC3BC2ECB89D34B)
issue_report_<date>.exe (6C66CAE230E0772B75A327AE925F648A)

Screenshot: https://gs1.wac.edge...29LQ1qz4rgp.png
___

Websense - Java/Flash research - Dangerous Update Gap...
- http://community.web...update-gap.aspx
5 Sep 2013 - "... Nearly 50 percent of -enterprise- traffic used a Java version that was more than two years out of date... Nearly 40 percent of users are not running the most up-to-date versions of Flash... nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old..."

:ph34r: <_<

Edited by AplusWebMaster, 05 September 2013 - 02:45 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
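The blocklists quoted above are written in a defanged style ("kapcotool .com", "[donotclick]", "no-reply@ facebook .com") so that nothing is clickable. To actually use them you have to normalise that back into hosts and IPs and then match proxy or mail-log hosts against the list, subdomains included but without substring false positives. The following is an added example (not code from the post or from dynamoo) that does exactly that; the indicator sample inside it is constructed in the thread's notation, and every function name is my own.

```python
"""Turn defanged indicators (as pasted in threat-intel posts) into a blocklist
and check URLs, e-mail addresses or hosts against it.  Added example, not code
from the original post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the defanged style used in the thread above
# ("example .com", "[donotclick]", "IP /path", "host:port").
SAMPLE_INDICATORS = """
74.207.227.154
jgburgerlounge .ca
kapcotool .com
[donotclick]00398d0.netsolhost .com/mcguire/forgiveness.js
[donotclick]202.212.131.8 /ruses/nonsmokers.js
japanesevehicles .us
ce-cloud .com:443
"""

_DEFANG_TOKENS = re.compile(r"\[donotclick\]|\[\.\]|\(\.\)|hxxp", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the common defanging forms: [donotclick], [.] / (.), hxxp(s), and
    the 'example .com' space-before-dot style.  Whitespace is never legitimate
    inside a host, URL or address, so it is simply removed."""
    def fix(m: re.Match) -> str:
        tok = m.group(0).lower()
        if tok == "[donotclick]":
            return ""
        if tok in ("[.]", "(.)"):
            return "."
        return "http"                      # hxxp -> http, hxxps -> https
    return re.sub(r"\s+", "", _DEFANG_TOKENS.sub(fix, indicator))


def host_of(value: str) -> str:
    """Bare host (no scheme, path, port or user part) from a URL, an e-mail
    address or a host[:port] string; '' if nothing usable is found."""
    v = refang(value)
    if "://" in v:
        host = urlsplit(v).hostname or ""
    else:
        host = v.split("/", 1)[0]
        host = host.rsplit("@", 1)[-1]     # e-mail address -> domain part
        host = host.split(":", 1)[0]       # drop :port
    return host.lower().rstrip(".")


def parse_indicators(text: str) -> tuple[set, set]:
    """Split a pasted blocklist into (ip_set, domain_set).  Blank lines and
    '#' comments are ignored; URLs are reduced to their host."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = host_of(line)
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return ips, domains


def is_blocked(value: str, ips: set, domains: set) -> bool:
    """True if the host of `value` is a listed IP, a listed domain, or a
    subdomain of a listed domain.  Matching is label-aware, so
    'notkapcotool.com' does not match 'kapcotool.com'."""
    host = host_of(value)
    if not host:
        return False
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    ips, domains = parse_indicators(SAMPLE_INDICATORS)
    for u in ("http://kapcotool.com/topic/able_disturb_planning.php",
              "http://www.kapcotool.com/", "http://notkapcotool.com/",
              "http://202.212.131.8/ruses/nonsmokers.js", "https://example.com/"):
        print(is_blocked(u, ips, domains), u)
```

Feed `parse_indicators` the text of a blocklist and run `is_blocked` over the host column of your proxy or mail logs; the suffix match is what catches the "www.facebook.com.achrezervations .com"-style lookalike subdomains once the parent domain is listed.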



#1022 AplusWebMaster

Posted 06 September 2013 - 06:58 AM

FYI...

Something evil on 37.59.164.209 (OVH)
- http://blog.dynamoo....164209-ovh.html
6 Sep 2013 - "37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux..."
(Long list of URLs at the dynamoo URL above.)

- https://www.virustot...09/information/
___

CNN Breaking News SPAM: “The United States began bombing!”
- http://threattrack.t...ed-states-began
Sep 6, 2013 - "Subjects Seen:
CNN: “The United States began bombing”
Typical e-mail details:
(CNN) — Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus. Full story »
Rescuing Hannah Anderson
*Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
*No one has claimed responsibility for her death, but police suspect militants
*Banerjee wrote “A Kabuliwala’s Bengali Wife” about her escape from the Taliban


Malicious URLs
nevisconservatories .co .uk/soupy/index.html
axsysfinancial .biz/mingle/index.html
holatorino .it/favor/index.html
luggagepoint .de/topic/able_disturb_planning.php


Screenshot: https://gs1.wac.edge...VMT61qz4rgp.png

- http://blog.dynamoo....mbing-spam.html
6 Sep 2013 - "This fake CNN spam leads to malware on luggagepreview .com:
Date: Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From: CNN [BreakingNews@ mail .cnn .com]
Subject: CNN: "The United States began bombing"
The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013 ...


Screenshot: https://lh3.ggpht.co...cnn-bombing.png

The link in the email is meant to go to [donotclick]senior-tek .com/tenth/index.html but the "Full story" link has a typo in it and goes to senior-tekcom/tenth/index.html (without the dot) instead, which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo .it/disburse/ringmaster.js
[donotclick]stages2saturn .com/scrub/reproof.js
[donotclick]www.rundherum .at/rabbiting/irritate.js
From there the visitor is sent to a malicious payload at [donotclick]luggagepreview .com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains...
Recommended blocklist:
174.140.171.207 ..."

- https://www.virustot...07/information/

- http://www.symantec....targeted-attack
6 Sept 2013
___

"Scanned Document Attached" SPAM / FSEMC.06092013.exe
- http://blog.dynamoo....ached-spam.html
6 Sep 2013 - "This fake financial spam contains an encrypted attachment with a malicious file in it.
Date: Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From: Fiserv [Lawanda_Underwood@ fiserv .com]
Subject: FW: Scanned Document Attached
Dear Business Associate:
Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.
You have an important message from Adam_Paul @ fiserv .com.
To see your message, use the following password to decrypt attached file: JkSIbsJPPai
If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.
This message will be available until Saturday Sep 07, 2013 at 17:50:42
EDT4
If you have any questions, please contact your Fiserv representative...


Attached is an encrypted ZIP file which contains part of the victim's email address (or somebody else in the same domain) that has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47*. The malware then phones home to a site ce-cloud.com:443 hosted on 84.22.177.37 (ioMart, UK) and then uploads some data... What happens next is unclear, but you can guarantee that it is nothing good. Blocking access to ce-cloud .com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it."
* https://www.virustot...sis/1378501983/
___

More new Facebook SPAM / www .facebook.com.achrezervations .com
- http://blog.dynamoo....chrezervat.html
6 Sep 2013 - "This fake Facebook spam leads to malware on www .facebook.com.achrezervations .com:
Date: Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From: Facebook [notification+puppies9@ mail .facebookmail .net]
Reply-To: noreply [noreply@ postmaster .facebookmail .org]
Subject: Cole Butler confirmed your Facebook friend request
facebook
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
Daren Douglas
1 mutual friends
Add Friend
Gertrude Souza
14 mutual friends
Add Friend
Brice Kelly
3 mutual friends
Add Friend ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe...


Screenshot: https://lh3.ggpht.co...00/facebook.png

The link in the email goes to a legitimate -hacked- site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations .com/news/implement-circuit-false.php (report here*) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)
The following IPs and domains are all malicious and belong to this gang**, I recommend you block them:
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60
..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=4996887

** http://blog.dynamoo....h/label/Amerika
___

Threat Outbreak Alerts cover the latest data regarding malicious email-based and web-based threats, including spam, phishing, viruses, malware, and botnet activity.
- http://tools.cisco.c...Outbreak.x?i=77
Fake Account Payment Notification Email Messages - 2013 Sep 06
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 06
Fake Product Quote Email Messages - 2013 Sep 06
Fake Order Payment Confirmation Email Messages - 2013 Sep 05
Fake Airline Ticket Order Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Link - 2013 Sep 05
Fake Photo Sharing Email Messages - 2013 Sep 05
Fake Money Transfer Notification Email Messages - 2013 Sep 05
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 05
Fake Product Order Confirmation Email Messages - 2013 Sep 05
Fake Invoice Notification Email Messages - 2013 Sep 05
Fake Document Attachment Email Messages - 2013 Sep 05
Fake Shipping Notification Email Messages - 2013 Sep 05
Email Messages with Malicious Attachments - 2013 Sep 05
Fake Shipping Confirmation Email Messages - 2013 Sep 05
Fake Scanned Document Attachment Email Messages - 2013 Sep 05
Fake Product Purchase Request Email Messages - 2013 Sep 05
Fake Personal Picture Sharing Email Messages - 2013 Sep 05
Fake Product Order Email Messages - 2013 Sep 05
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 05
(More detail and links available at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 09 September 2013 - 09:41 AM.

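The Fiserv lure above ships its executable inside a password-protected ZIP with the password in the message body, and the post's advice is that "blocking EXE-in-ZIP files is an even more effective approach if you can do it". That is feasible even for the encrypted case, because ZIP stores entry names in the clear in the central directory; only the entry data is encrypted. Below is an added example (my code, not from the post or from dynamoo) of a gateway-side check that lists executable entries, follows ZIP-in-ZIP nesting, and reports the encrypted flag. It also covers the later BBB, USPS and QuickBooks ZIP attachments in this thread. All fixtures are constructed: the "EXE" bodies are dummy bytes, and the encrypted sample only sets the header flag a real password-protected archive would carry.

```python
"""Inspect a ZIP e-mail attachment for executables without extracting it.
Added example, not code from the original posts.  Only the central directory
is read, so the check works on password-protected archives too: their entry
names are not encrypted, only their data."""
import io
import zipfile

# Extensions Windows will run directly when the user double-clicks.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".cpl", ".jar", ".lnk")
MAX_NESTING = 2   # how deep to follow ZIP-inside-ZIP


def executables_in_zip(zip_bytes: bytes, depth: int = 0) -> list[tuple[str, bool]]:
    """Return (entry_path, is_encrypted) for every executable entry, following
    nested (unencrypted) archives up to MAX_NESTING.  Non-ZIP input yields [].
    Double extensions such as 'report.pdf.exe' are caught by the suffix test."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            encrypted = bool(info.flag_bits & 0x1)   # bit 0 = entry is encrypted
            if name.lower().endswith(EXECUTABLE_EXTS):
                hits.append((name, encrypted))
            elif name.lower().endswith(".zip") and depth < MAX_NESTING and not encrypted:
                inner = executables_in_zip(zf.read(info), depth + 1)
                hits.extend((f"{name}/{p}", enc) for p, enc in inner)
    return hits


def should_quarantine(attachment: bytes) -> bool:
    """Policy: hold any attachment that is a ZIP containing an executable."""
    return bool(executables_in_zip(attachment))


# ---- constructed fixtures (no real malware; 'EXE' bodies are dummy bytes) ----
def make_zip(entries: dict, compress: bool = True) -> bytes:
    buf = io.BytesIO()
    method = zipfile.ZIP_DEFLATED if compress else zipfile.ZIP_STORED
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def simulate_encrypted(zip_bytes: bytes) -> bytes:
    """Set bit 0 (encrypted) of the general-purpose flags in the local header
    and the central-directory header of a single-entry STORED archive.  This
    reproduces only the header state of a password-protected ZIP for the demo;
    real encryption also scrambles the entry data (Python cannot write one)."""
    data = bytearray(zip_bytes)
    if data[:4] != b"PK\x03\x04":
        raise ValueError("not a local file header")
    data[6] |= 0x01                       # local header: flags at offset 6
    cd = data.find(b"PK\x01\x02")         # central directory header signature
    data[cd + 8] |= 0x01                  # central header: flags at offset 8
    return bytes(data)


MALICIOUS_ZIP = make_zip({"issue_report_20130905.exe": b"MZ dummy, not a program"})
BENIGN_ZIP = make_zip({"scanned_doc_20130911.pdf": b"%PDF-1.4 dummy"})
NESTED_ZIP = make_zip({"docs.zip": MALICIOUS_ZIP, "readme.txt": b"see docs"})
ENCRYPTED_ZIP = simulate_encrypted(
    make_zip({"FSEMC.06092013.exe": b"MZ dummy, not a program"}, compress=False))

if __name__ == "__main__":
    for label, blob in [("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP),
                        ("nested", NESTED_ZIP), ("encrypted", ENCRYPTED_ZIP)]:
        print(label, should_quarantine(blob), executables_in_zip(blob))
```

Run it on the raw attachment bytes rather than trusting the declared filename or MIME type: the check keys off the ZIP magic, so a renamed `.zip` is still inspected. An encrypted entry cannot be recursed into, which is why `executables_in_zip` reports the flag; a policy that also holds any encrypted archive with a non-document entry name closes that gap.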


#1023 AplusWebMaster

Posted 07 September 2013 - 10:03 AM

FYI...

Quotation.zip SPAM with malicious VBS script
- http://blog.dynamoo....-spam-with.html
7 Sep 2013 - "The website dealerbid.co .uk has been compromised and their servers -hacked- in order to send spam to their customer list. Something similar has happened before a few months ago*. In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:
From: Christopher Rawson [christopher.r@ kema .com]
Date: 7 September 2013 14:04
Subject: Quotation
Hello,
We have prepared a quotation, please see attached
With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability ...


DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam, an examination of the headers shows that the sending IP is 213.171.204.75 which is the same IP as www .dealerbid .co .uk and mail.dealerbid .co .uk. The email is sent to an address ONLY used to register at dealerbid .co .uk. So, the upshot is that this domain is compromised and it is compromised right now. The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text... Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46**... it attempts to download further components from klonkino.no-ip .org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip .org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip .org
146.185.24.207
... "

* http://blog.dynamoo....dcouk-spam.html

** https://www.virustot...sis/1378571897/

- https://www.virustot...07/information/
___

Adware spread with Mevade variants ...
- http://blog.trendmic...mevade-malware/
Sep 6, 2013 - "... rise in the number of Tor users... directly attributed to the Mevade malware... The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different... The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication... The IP addresses that host these C&C servers are located in Russia. Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected... In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing -adware- and -toolbars- ... Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical... How the malware arrives into the system, however, is still under investigation. We will update the blog should we find more information about the infection vector. Still, users must observe best computing practice and -avoid- visiting and downloading files from unverified websites or links from email, social media etc..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 09 September 2013 - 04:27 AM.



#1024 AplusWebMaster

Posted 09 September 2013 - 10:00 AM

FYI...

Malware sites to block 9/9/13
- http://blog.dynamoo....block-9913.html
9 Sep 2013 - "These domains and IPs are associated with this gang*, this list supersedes (or complements) the one I made last week**..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....h/label/Amerika

** http://blog.dynamoo....block-2913.html
___

Malware sites to block 9/9/13, part II
- http://blog.dynamoo....13-part-ii.html
9 Sep 2013 - "Another set of IPs and domains related to this attack* detailed by Sophos, and overlapping slightly with the malicious servers documented here**. I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja .cc) to do evil things.
46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
77.81.244.226 (Elvsoft SRL, Netherlands)
173.243.118.198 (Continuum Data Centers, US)
198.52.243.229 (Centarra Networks, US)
199.188.206.183 (Namecheap Inc, US)
206.72.192.31 (Interserver Inc, US)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
Blocklist:
46.20.36.9
74.63.229.252
77.81.244.226
173.243.118.198
198.52.243.229
199.188.206.183
206.72.192.31
213.156.91.110
..."
(Long list at the dynamoo URL above.)
* https://secure2.soph...d-analysis.aspx

** http://blog.dynamoo....block-9913.html
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Shipping Notification Email Messages - 2013 Sep 09
Fake Processed Payment Notification Email Messages - 2013 Sep 09
Fake Account Payment Notification Email Messages - 2013 Sep 09
Fake Important Documents Notification Email Messages - 2013 Sep 09
Fake Anti-Phishing Email Messages - 2013 Sep 09
Fake Product Order Email Messages - 2013 Sep 09
Fake Real Estate Inquiry Email Messages - 2013 Sep 09
Fake Bank Payment Transfer Notification Email Messages - 2013 Sep 09
Fake Shipping Confirmation Email Messages - 2013 Sep 09
Fake Bank Transfer Notice Email Message - 2013 Sep 09
Fake Invoice Statement Attachment Email Messages - 2013 Sep 09
Fake Product Order Quotation Email Messages - 2013 Sep 09
Fake Business Complaint Notification Email Messages - 2013 Sep 09
Fake Product Purchase Order Email Messages - 2013 Sep 09
Fake Product Order Request Email Messages - 2013 Sep 09
Fake Letter of Intent Attachment Email Messages - 2013 Sep 09
Fake Product List Attachment Email Messages - 2013 Sep 09
Fake Account Deposit Notification Email Messages - 2013 Sep 09
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 09
Fake Purchase Order Request Email Messages - 2013 Sep 09
(More detail and links at the cisco URL above.)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 09 September 2013 - 01:50 PM.



#1025 AplusWebMaster

Posted 10 September 2013 - 08:48 AM

FYI...

Fake FISC ACH SPAM / fiscdp.com.airfare-ticketscheap .com
- http://blog.dynamoo....-processed.html
10 Sep 2013 - "This fake FISC ACH spam leads to malware on www.fiscdp.com.airfare-ticketscheap .com:
Date: Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
From: Financial Institution Service [improvehv89@ m.fiscdp .gov]
Subject: ACH file ID "999.107" has been processed successfully
Files FISC Processing Service
SUCCESS Notification
We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '999.107') submitted by user '[redacted]' on '2013-09-09 12:06:67.7'.
FILE SUMMARY:
Item count: 9
Total debits: $13,365.83
Total credits: $13,365.83 ...


Screenshot: https://lh3.ggpht.co...M/s400/fisc.png

The link in the email goes to a legitimate -hacked- site and then on to a malware landing page at [donotclick]www.fiscdp .com.airfare-ticketscheap .com/news/opens_heads_earlier.php (reports here* and here**) hosted on:
66.230.163.86 (Goykhman And Sons LLC, US)
95.87.1.19 (Trakia Kabel OOD , Bulgaria)
174.142.186.89 (iWeb Technologies)
The WHOIS details for airfare-ticketscheap .com are -fake- and the domain was registered just yesterday... The IPs in use indicate that this campaign forms part of the Amerika spam run. Several other malicious sites are on the same server, and I would recommend that you block the following in conjunction with this list:
66.230.163.86
95.87.1.19
174.142.186.89
..."
(More URLS listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=5071327

** http://wepawet.isecl...4...965&type=js

- https://www.virustot...89/information/
___

Fake BBB SPAM / Case_0938818_2818.exe
- http://blog.dynamoo....8182818exe.html
10 Sep 2013 - "This fake BBB spam has a malicious attachment:
Date: Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From: Better Business Bureau [Aldo_Austin@ newyork .bbb .org]
Subject: FW: Case IN11A44X2WCP44M
The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.
As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.
In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.
The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.
We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.
We look forward to your prompt attention to this matter.
Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201


Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46* at VirusTotal. Automated analysis of the malware is inconclusive... but it does generate outbound traffic to kwaggle .com port 443 on 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife .co .uk on the same server is also hosting malware, I would therefore be suspicious about some of the other sites on the same box.
Recommended blocklist:
64.50.166.122
kwaggle .com
thisisyourwife .co .uk
"
* https://www.virustot...sis/1378823569/

- https://www.virustot...22/information/

:ph34r: <_<

Edited by AplusWebMaster, 10 September 2013 - 09:21 AM.



#1026 AplusWebMaster

Posted 11 September 2013 - 09:37 AM

FYI...

Threats - Online Bullying ...
- http://www.threattra...nline-bullying/
Sep 11, 2013 - "Three weeks ago... co-founders of social networking site Ask.fm, released a statement regarding some changes on the site's safety policy in an effort to curb the dramatic increase of cyberbullying occurrences within its platform. Ask.fm boasts at least 57 million registered users, the majority of which are teens and tweens. The site's anonymity feature has sadly become the means for some users to deliberately target and verbally assault others. The proposed changes are no quick fix, nor are they remedies to the deeper problems of what motivates one to bully someone online. However, I believe that it's a good first step to achieve the objective. Giving users the option to opt out of accepting and entertaining anonymous questions and/or comments could be a big blow to trolls. Some victims of online bullying in Ask.fm have taken it upon themselves to resolve the matter of anonymity by attempting to unmask who these people are. How? They look for tools online... that will lead to trouble... We have come across a number of sites hosting files that -pretend- to unmask Ask.fm users. Upon closer inspection, however, they're malicious in nature at worst. These files can range from simple malware droppers to Bitcoin miners to PUPs bearing a gamified marketing tactic or something more dubious.
> http://www.threattra...8DFA6ABA7AD.jpg
Sadly, such files like the above are easy to find. Users who find themselves installing -any- of these files on their computer will discover that they got something more than what they bargained for..."
___

Fake USPS SPAM / Label_FOHWXR30ZZ0LNB1.zip
- http://blog.dynamoo....zz0lnb1zip.html
11 Sep 2013 - "This fake USPS spam has a malicious attachment:
Date: Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From: USPS Express Services [service-notification @usps .com]
Subject: USPS - Missed package delivery
Priority: High Priority 1 (High)
Notification
Our company's courier couldn't make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global...


There is an attachment Label_FOHWXR30ZZ0LNB1.zip which in turn contains an executable Label_368_09112013_JDSL.exe which has a very low detection rate at VirusTotal of just 2/47*... attempted connection to a -hijacked- GoDaddy domain drippingstrawberry .com hosted on 64.50.166.122 (LunarPages, US) with quite a lot of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection; URLquery shows** some of the things going on with this server.
Recommended blocklist:
64.50.166.122 ..."
(More URLs listed at the dynamoo URL above.)
* https://www.virustot...sis/1378926663/

** http://urlquery.net/...6...9-11&max=50

- https://www.virustot...22/information/
___

Xerox WorkCentre Pro SPAM
- http://threattrack.t...centre-pro-spam
Sep 11, 2013 - "Subjects Seen:
Scanned Image from a Xerox WorkCentre
Typical e-mail details:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: <e-mail domain>
Number of Images: 3
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name:
Attached file is scanned image in PDF format.


Malicious File Name and MD5:
Scan_<random>.zip (1BE34606E5B1D54C5E394982A3DD8965)
scanned_doc_<date>.exe (2E318671CEC024166586943AD04520C1)

Screenshot: https://gs1.wac.edge...9f951qz4rgp.png
___

Fake AVG Android Apps ...
- http://blogs.avg.com...g-android-apps/
Sep 9, 2013 - "Our mobile security research team has found at least 33 applications that contain aggressive advertising components in the official Google Play store. The developers of these applications choose to imitate well-known companies like Google, Microsoft, Twitter, AVG among others. Here’s an example of some applications found in Google Play:
> http://blogs.avg.com...09/Image-11.png
... Below you can see another example of a -fake- AVG anti-virus app that can be found in Google Play:
> http://blogs.avg.com.../09/Image-6.png
Remember, if you want to pay for a PRO version of an app, you absolutely must make sure that it is the legitimate version of the app you’re looking for... When you install one of these fake applications, it requests the user to change configurations related to the search options:
> http://blogs.avg.com...09/Image-31.png
After the user accepts the conditions, commercials for adult services are shown:
> http://blogs.avg.com.../09/Image-4.png
Later, the app itself offers none of the functionality advertised (such as antivirus protection). This is a new advertising vector that takes advantage of people who might not be familiar with official company accounts... when you look for AVG’s Android solutions on Google Play you might find apps that are -not- released by AVG (the official developer is AVG Mobile) but from opportunistic scammers..."

- http://www.fireeye.c...id-malware.html
Sep 10, 2013 - "... Before the advent of advanced malware, we used to see a bunch of fake AV on the windows platform... the same thing will happen in the case of Android malware, where eventually we will start seeing more serious and advanced techniques being employed in mobility. To protect yourself from malicious Android applications, please follow these simple steps:
1. Disable the “Allow installation of apps from Unknown Sources” setting.
2. Always install apps from trusted app markets."

:ph34r: <_<

Edited by AplusWebMaster, 11 September 2013 - 02:11 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1027 AplusWebMaster

Posted 12 September 2013 - 01:31 PM

FYI...

Fake QuickBooks SPAM / Invoice_20130912.zip
- http://blog.dynamoo....0130912zip.html
12 Sep 2013 - "This fake QuickBooks spam has a malicious attachment:
Date: Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From: QuickBooks Invoice [auto-invoice@ quickbooks .com]
Subject: Important - Payment Overdue
Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Quentin Sprague ...


The attachment is Invoice_20130912.zip which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46*... the file attempts to communicate with the domain leightongriffiths .com on an apparently compromised server at 64.50.166.122 which has been seen before. Given that there are now several domains serving malware on the same server**... it is probably safe to assume that all the domains on that server are malicious and should be blocked.
Recommended blocklist:
64.50.166.122 ..."
* https://www.virustot...sis/1379012535/

** https://www.virustot...22/information/
___

Fake Online Message - Mint Internet Banking
- http://security.intu.../alert.php?a=86
9/12/13 - "People are receiving fake emails with the title "Online Message from Mint Internet Banking' ...
> http://security.intu...images/mint.jpg
... This is the end of the fake email.
Steps to Take Now
Do not open the attachment in the email...
Delete the email..."
___

Fake AV and PRISM warning on hijacked website
- http://research.zsca...n-hijacked.html
Sep 9, 2013 - "While many individuals are concerned about privacy in light of PRISM, some malicious actors are using the program to scare naive users into installing ransomware. Since August 23rd, we have seen about 20 domains that carry FakeAV and Ransomware. These websites seem to have been hijacked. They are all hosting the malicious content over port 972 and use similar URL patterns. Here are a couple examples:
kringpad.websiteanddomainauctions .com:972/lesser-assess_away-van.txt?e=20
miesurheilijaaantidiabetic.conferencesiq .com:972/realism_relinquish-umbrella-gasp.txt?e=21
squamipi.worldcupbasketball .net:972/duty_therefore.txt?e=21
The malicious files seem to be changing. It started with the classic FakeAV, then switched to a fake PRISM warning. In both cases, the goal is to scare the target into paying the attacker to "fix" their computer... FakeAV remains a popular technique to lure targets into paying attackers...
- FakeAV scan of the computer
> https://lh3.ggpht.co...eav-2103-1.jpeg
- FakeAV claims to have found threats
> https://lh3.ggpht.co...eav-2013-2.jpeg
The scan claims to have found 18 threats. Two have been cured, but the victim must -pay- to get the remaining 16 threats taken care of...
PRISM warning... The attacker uses the recent news about PRISM to claim that the victim's computer has been blocked because it accessed illegal pornographic content. The victim has to pay $300 through MoneyPak, a prepaid card service...
- No less than 5 federal agencies are "blocking" your computer!
> https://lh3.ggpht.co...20/prism-1.jpeg
- Victim needs to pay up $300 to get his computer back.
> https://lh3.ggpht.co...00/prism-2.jpeg
Both malware connect to the same couple of IP addresses over ports 80 and 443 that include:
37.139.53.199
64.120.167.162
64.191.122.10

I expect attackers to take advantages of the upcoming UK laws on accessing adult content online to send new types of fake warnings to UK victims."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 12 September 2013 - 05:47 PM.



#1028 AplusWebMaster

Posted 16 September 2013 - 09:52 AM

FYI...

Fake Wells Fargo SPAM / WellsFargo - Important Documents.zip
- http://blog.dynamoo....-important.html
16 Sep 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]
From: Harrison_Walsh@ wellsfargo .com
Subject: IMPORTANT Documents - WellsFargo
Please review attached documents.
Harrison_Walsh
Wells Fargo Advisors
817-674-9414 office
817-593-0721 cell Harrison_Walsh @wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


Attached is a ZIP file called WellsFargo - Important Documents.zip which in turn contains a malicious executable WellsFargo - Important Documents.exe which has a very low VirusTotal rate of 2/47*. Automated analysis tools... detect network traffic to [donotclick]www .c3dsolutions .com hosted on 173.229.1.89 (5Nines LLC, US). At present I do not have any evidence of further malware sites on that server."
* https://www.virustot...sis/1379342203/
___

ZeuS/ZBOT: Most Distributed malware by Spam in August
- http://blog.trendmic...spam-in-august/
Sep 16, 2013 - "... resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some time, its prevalence shows that it is still a big threat to end users today. For the month of August, 23% of spam with malicious attachments were found carrying ZeuS/ZBOT variants, while 19% served FAREIT variants. ZeuS/ZBOT variants also had the distinction of being the most distributed malware by IPs related to spam botnets. It is also associated with various worm families that can spread itself or other malware families via email. A system infected with ZeuS/ZBOT may be infected with about five other worm variants like WORM_MYDOOM, WORM_VB, and WORM_BAGLE...
Malware families spread by spam
> http://blog.trendmic...-percentage.jpg
... the majority of spam carrying either ZeuS/ZBOT or FAREIT looked more like legitimate messages, and were likely to supposedly come from well-known brands or companies.
> http://blog.trendmic...eit-254x300.jpg
Once installed, Zeus/ZBOT variants are known to monitor users’ browsing behavior pertaining to visits to specific online banking sites. If users visit these sites and try to log in using their credentials, the malware injects additional fields for users to fill out and then steals this information. Cybercriminals can then use this stolen data to either initiate unauthorized transactions or sell it in the underground market. FAREIT is another data-stealing malware that gathers email and FTP login credentials. This malware can also download other malware variants, including Zeus/ZBOT..."
___

Fake eFax SPAM / rockims .com
- http://blog.dynamoo....rockimscom.html
16 Sep 2013 - "This fake eFax spam leads to malware on rockims .com:
Date: Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From: eFax Corporate [message@ inbound .efax .com]
Subject: Corporate eFax message - 1 pages
Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.
Fax Message [Caller-ID: 854-349-9584]
You have received a 1 pages fax at 2013-16-09 01:11:11 CST.
* The reference number for this fax is latf1_did11-1237910785-2497583013-24.
View this fax using your PDF reader.
Click here to view this message ...
Thank you for using the eFax service! ...


Screenshot: https://lh3.ggpht.co.../s1600/efax.png

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online .de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools .ac .cy/initials/casanovas.js
[donotclick]ade-data .com/exuded/midyear.js
These then lead to a malware payload at [donotclick]rockims .com/topic/seconds-exist-foot.php which is a -hijacked- GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains...
Recommended blocklist:
192.81.133.143 ..."
(More URLs listed at the dynamoo URL above.)

- https://www.virustot...43/information/

:ph34r: <_<

Edited by AplusWebMaster, 16 September 2013 - 03:05 PM.

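The dynamoo posts quoted above end with IOCs to act on: a recommended blocklist of 192.81.133.143 (the Linode IP hosting rockims .com and "quite a few other hijacked domains") and, for the Wells Fargo attachment, callback traffic to www .c3dsolutions .com. As an added example (not code from dynamoo or from this thread), the Python below turns exactly those IOCs into a check run over proxy log lines: blocked domains match in the URL host, including subdomains, and the blocked IP matches either as a literal host in the URL or as the upstream server address, which is what catches the other hijacked domains on the same server without knowing their names. The log format (timestamp, client, method, URL, server IP) and the log lines themselves are constructed for illustration.

```python
"""Match the recommended-blocklist IOCs against proxy log lines.

Added example; not from the dynamoo posts quoted above. The IOCs are
only those named in the posts. The log format and lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs named in the eFax and Wells Fargo posts above.
BLOCKED_IPS = {"192.81.133.143"}
BLOCKED_DOMAINS = {"rockims.com", "c3dsolutions.com"}   # subdomains match too

# Constructed log lines: timestamp, client, method, URL, upstream server IP.
SAMPLE_LOG = """\
1379361786.001 10.0.0.12 GET http://www.example.com/index.html 93.184.216.34
1379361786.002 10.0.0.15 GET http://rockims.com/topic/seconds-exist-foot.php 192.81.133.143
1379361786.003 10.0.0.15 GET http://other-site.example/topic/x.php 192.81.133.143
1379361786.004 10.0.0.21 GET http://www.c3dsolutions.com/ 173.229.1.89
1379361786.005 10.0.0.30 CONNECT 192.81.133.143:443 192.81.133.143
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<server>\S+)$"
)


def host_of(url):
    """Hostname of a URL or of a CONNECT host:port target, lowercased, no port."""
    if "://" not in url:
        url = "//" + url          # CONNECT targets carry no scheme
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def domain_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_blocked(addr):
    """True if addr parses as an IP address that is on the blocklist."""
    try:
        return str(ipaddress.ip_address(addr)) in BLOCKED_IPS
    except ValueError:
        return False              # a hostname, not an address


def match_line(line):
    """Return (client, [reasons]) if the line hits an IOC, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = host_of(m["url"])
    reasons = []
    if domain_blocked(host):
        reasons.append("domain:" + host)
    if ip_blocked(host):
        reasons.append("ip-in-url:" + host)
    if ip_blocked(m["server"]):
        reasons.append("server-ip:" + m["server"])
    return (m["client"], reasons) if reasons else None


def scan(log_text):
    """All IOC hits in a log, in file order."""
    hits = []
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, ", ".join(reasons))
```

Run against the constructed log it reports four of the five lines: the third line hits on server IP alone, which is the point of blocking the address rather than just the one domain name the spam happened to use.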


#1029 AplusWebMaster

Posted 17 September 2013 - 08:13 AM

FYI...

Amazon Gift Card -phish- ...
- http://www.threattra...-uri-technique/
Sep 17, 2013 - "Be wary of emails landing in mailboxes claiming to offer up “complimentary £50 gift cards” from Amazon. The mails, which claim to come from redeemATamazon(dot)co(dot)uk...
> http://www.threattra...onfakemail1.jpg
The mails are nice and professional looking, and the only real giveaway is that hovering over the “Redeem gift card” button displays a Tinyurl link -instead- of the expected Amazon URL... Clicking the Tinyurl link takes end-users to a very nice looking set of pages designed to offer up the so-called gift card, then extract personal information including cc number and name / address / dob... Once end-users have selected their card design, they’re suddenly informed that “Our constant security review has shown us that your account has been inactive. Please confirm your updated card information below. Once your details have been confirmed with our system, we will then post your free gift card to you” …along with a message that their card has expired and a billing information update is required... The concept of using this in a phish attack has been around for a while, but it isn’t too often you come across them... Amazon themselves list a lot of scam types on their Security & Privacy page* so you may want to familiarise yourselves with those. As always, if it sounds too good to be true then it probably is..."
* http://www.amazon.co...d...4895&sr=1-1
___

Fake ADP SPAM / ADP_831290760091.zip
- http://blog.dynamoo....0760091zip.html
17 Sep 2013 - "This fake ADP spam has a malicious attachment:
Date: Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From: ADP ClientServices
Subject: ADP - Reference #831290760091
Priority: High Priority 1 (High)
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #831290760091
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY...


Attached to the email is a file called ADP_831290760091.zip which in turn contains ADP_Reference_09172013.exe which has a VirusTotal detection rate of 9/48*. Automated analysis [1] [2] [3] shows a connection attempt to awcoomer .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK). I don't have any evidence of further infections on this server, it does host 30+ legitimate UK sites if that helps.."
* https://www.virustot...sis/1379432239/

1) https://malwr.com/an...jEyODIzZjE5YTI/

2) http://camas.comodo....022bd70bf2285ae

3) http://anubis.isecla...amp;format=html
___

FedEx spam FAIL
- http://blog.dynamoo....-spam-fail.html
17 Sep 2013 - "This fake FedEx spam is presumably -meant- to have a malicious payload:
Date: Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From: webteam@ virginmedia .com
Subject: Your Rewards Order Has Shipped
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.
Order Confirmation Number: 0410493
Order Date: 09/15/2013
Redemption Item Quantity Tracking Number
Paper, Document 16 <
fedex.com Follow FedEx:
You may receive separate e-mails with tracking information for reward ordered...


Screenshot: https://lh3.ggpht.co...s1600/fedex.png

Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care."
___

FDIC Spam
- http://threattrack.t...09698/fdic-spam
Sep 17, 2013 - "Subjects Seen:
FDIC: About your business account
FDIC: Your business account

Typical e-mail details:
Dear Business Customer,
We have important information about your bank.
Please View to view detailed information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership


Malicious URLs
data.texosn .ru/insurance.problem.html
no-mice .ru/insurance.problem.html
fdic.gov.horse-mails .net/news/fdic-insurance.php


Screenshot: https://gs1.wac.edge...PKjB1r6pupn.png

- http://blog.dynamoo....e-mailsnet.html
17 Sep 2013 - "This fake FDIC spam leads to malware on www.fdic.gov.horse-mails .net:
Date: Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
From: insurance.coverage@ fdic .gov
Subject: FDIC: About your business account
Dear Business Customer,
We have important news regarding your financial institution.
Please View to see further details.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDÌC Questions for FDÌC?
Contact Us...
Federal Insurance Company · 3501 Fairfax Drive · Arlington VA 22225 ...


Screenshot: https://lh3.ggpht.co.../s1600/fdic.png

The link goes through a legitimate -hacked- site and onto a malware landing page at [donotclick]www.fdic.gov.horse-mails .net/news/fdic-insurance.php which belongs to the Amerika gang and is hosted on the following IPs...:
37.221.163.174 (Voxility S.R.L., Romania)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
109.71.136.140 (OpWan SARL, France)
174.142.186.89 (iWeb Technologies, Canada)
216.218.208.55 (Hurricane Electric, US) ...
new feature (pictured below)
> https://lh3.ggpht.co...s-detection.png
Recommended blocklist...:
37.221.163.174
95.111.32.249
109.71.136.140
174.142.186.89
216.218.208.55
..."

:ph34r: <_<

Edited by AplusWebMaster, 17 September 2013 - 03:44 PM.

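The ThreatTrack write-up quoted above names the one mechanical tell in the Amazon gift-card phish: hovering the "Redeem gift card" button shows a TinyURL link instead of an Amazon URL. As an added example (not code from ThreatTrack or from this thread), the Python below applies that check to a mail body: it collects every anchor, compares the link's registrable domain with the brand domain the mail claims to come from, and flags URL-shortener domains outright because they hide the real destination. The HTML sample and the shortener list are constructed and assumed for illustration; the registrable-domain helper is a deliberate simplification, and a real deployment would use the Public Suffix List instead.

```python
"""Flag links whose visible branding does not match where they point.

Added example; not from the ThreatTrack post quoted above. Sample mail
body and shortener list are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of shorteners; a shortener link hides the destination.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly", "is.gd"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: last two labels, or three for ccSLDs like co.uk.

    A simplification for the example; use the Public Suffix List in production.
    """
    parts = host.lower().split(".")
    if (len(parts) >= 3 and parts[-2] in {"co", "com", "org", "ac", "gov", "net"}
            and len(parts[-1]) == 2):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def suspicious_links(html, claimed_domain):
    """Return [(href, text, reason)] for links not belonging to claimed_domain."""
    collector = LinkCollector()
    collector.feed(html)
    brand = registrable(claimed_domain)
    out = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host:
            continue          # relative links and mailto: have no host to judge
        reg = registrable(host)
        if reg in SHORTENERS:
            out.append((href, text, "url-shortener"))
        elif reg != brand:
            out.append((href, text, "off-brand-domain"))
    return out


# Constructed mail body: one genuine link, one shortener, one look-alike host.
SAMPLE_MAIL = """\
<p>From: redeem@amazon.co.uk</p>
<a href="https://www.amazon.co.uk/gp/help">Help</a>
<a href="http://tinyurl.com/abc123">Redeem gift card</a>
<a href="http://amazon.co.uk.example.net/login">Sign in</a>
<a href="mailto:redeem@amazon.co.uk">Contact</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MAIL, "amazon.co.uk"):
        print(f"{reason}: '{text}' -> {href}")
```

The third sample link shows why the comparison is on the registrable domain and not on a substring: "amazon.co.uk.example.net" contains the brand but belongs to example.net.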


#1030 AplusWebMaster

Posted 21 September 2013 - 06:47 AM

FYI...

Ajax Oracle Quotation Spam
- http://threattrack.t...-quotation-spam
Sep 20, 2013 - "Subjects Seen:
my subject
Typical e-mail details:
Dear Sir/Madam
I am the Purchase Manager of AJAX ORACLE TRADING COMPANY LTD.We are a
major trading company located in Ontario Canada.
We are interested in purchasing your products as exactly shown in the DATA
SHEET as attached in this mail. Please check and get back to us as soon as
possible with your last price, payment terms and delivery time.
Your response will be highly appreciated.
Sincerely Yours.
Danny Davies
Sales Department
Ajax Oracle Trading Co.Ltd


Malicious File Name and MD5:
Quotation.zip (85E02878328919ABE4BB01FDEBD90E6)
Quotation.scr (3B56864260399FBB0259F817749E959C)

Screenshot: https://gs1.wac.edge...zzKD1r6pupn.png
___

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127
- http://blog.dynamoo....s-spam-and.html
20 September 2013 - "I am indebted to Gary Warner for his analysis* of this malware... This malware is particularly cunning...
> https://lh3.ggpht.co...00/whatsapp.png
... it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty healthy 21/48**, but who runs anti-virus software on their Android?... the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before... Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on their devices and should take the appropriate steps to keep themselves safe."
(More detail at the dynamoo URL above.)
* http://garwarner.blo...ts-android.html

** https://www.virustot...sis/1379711360/
___

Shylock Financial Malware Back and Targeting Two Dozen Major Banks
- https://atlas.arbor....dex#-1822006250
Elevated Severity
September 20, 2013 21:24
The Shylock banking trojan malware, also known as Caphaw, is active and targeting at least twenty-four banking institutions.
Analysis: Shylock has "man in the browser" capabilities whereby it takes over the user's system during banking transactions to commit fraud. As the fraud comes from the authorized user from the authorized system, the deviceprint is no longer a useful indicator of malicious activity. Shylock is increasing in popularity and is now aimed at more targets. Previously, it had a smaller number of regional targets.
Source: http://threatpost.co...or-banks/102343
"... researchers provided the list of 24 banks being targeted..."
___

Beta Bot malware blocks users A/V ...
- http://www.ic3.gov/m...013/130918.aspx
Sep 18, 2013 - "The FBI is aware of a new type of malware known as Beta Bot. Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise. Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named “User Account Control” that requests a user’s permission to allow the “Windows Command Processor” to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it -redirects- the user to compromised websites...
> https://www.ic3.gov/images/130918.png
Although Beta Bot masquerades as the “User Account Control” message box, it is also able to perform modifications to a user’s computer. If the above pop-up message or a similar prompt appears on your computer and you did not request it or are not making modifications to your system’s configuration, do not authorize “Windows Command Processor” to make any changes.
Remediation strategies for Beta Bot infection include running a full system scan with up-to-date anti-virus software on the infected computer. If Beta Bot blocks access to security sites, download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware."
- https://atlas.arbor..../index#64584071
Title: FBI Warning Users About Beta Bot Malware
Published: Fri, 20 Sep 2013 21:24:05 +0000
The Beta Bot malware has caught the attention of the FBI, who have issued a warning bulletin.
___

Backdoor installed via Java 6 exploit...
- http://blog.trendmic...a-java-exploit/
Sep 20, 2013 - "... this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. This affects unsupported Java 6 users, meaning they’re at -extreme- risk since no patch will be available. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey. Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected... we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It exploits a vulnerability, CVE-2013-1493*, that has been exploited since February 2013. It was patched in March... The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up... it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report..."
* https://web.nvd.nist...d=CVE-2013-1493 - 10.0 (HIGH)
Last revised: 08/22/2013

:ph34r: <_<

Edited by AplusWebMaster, 21 September 2013 - 05:04 PM.


#1031 AplusWebMaster

Posted 23 September 2013 - 12:39 PM

FYI...

Fake FDIC emails serve client-side exploits and malware ...
- http://www.webroot.c...ploits-malware/
Sep 23rd, 2013 - "Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails...
Sample screenshot of the spamvertised email:
> https://www.webroot....Engineering.png
Sample redirection chain: hxxp ://stranniki-music .ru/insurance.problem.html (62.173.142.30) -> hxxp ://www.fdic .gov.horse-mails .net/news/fdic-insurance.php (174.142.186.89; 216.218.208.55; 109.71.136.140; 37.221.163.174; 95.111.32.249) Email: comicmotors@ writeme .com ... MD5 for a sample served client-side exploit: MD5: 92897ad0aff69dee36dc22140bf3d8a9*. Sample MD5 for the dropped malware: MD5: 7b6332de90e25a5b26f7c75910a22e0c**. Once executed, the sample phones back to... C&C servers..."
(More detail at the webroot URL above.)
* https://www.virustot...0519a/analysis/
Detection ratio: 28/48
** https://www.virustot...5f652/analysis/
Detection ratio: 9/48
___

FBI Ransomware forcing child porn on infected computers
- http://www.webroot.c...cted-computers/
Sep 23, 2013 - "... new, very malicious form of FBI Ransomware that forces the users of infected machines to look at illegal imagery, taking the scare tactics to the next level..."
Video 2:27: https://www.youtube....bed/FAoRSLvtkA4
___

LinkedIn Invitation Spam
- http://threattrack.t...invitation-spam
Sep 23, 2013 - "Subjects Seen:
Invitation to connect on LinkedIn
Typical e-mail details:
<removed> wants to connect with you on LinkedIn.

Malicious URLs
67.215.196.13 /images/wp-gdt.php?x1MVGHILHO0IT6347
exitdaymonthyear .biz/closest/i9jfuhioejskveohnuojfir.php


Screenshot: https://gs1.wac.edge...aHBA1r6pupn.png

- https://www.virustot...13/information/

Tagged: Blackhole, Sirefef, LinkedIn

:ph34r: <_<

Edited by AplusWebMaster, 23 September 2013 - 02:17 PM.



#1032 AplusWebMaster

Posted 24 September 2013 - 07:53 AM

FYI...

Fake DivX plug-in leads to Malware ...
- http://www.threattra...opping-malware/
Sep 23, 2013 - "Fans of semi-humorous Internet videos be warned: there’s a batch of files doing the rounds which pretend to be image files acting as DivX plug-ins... Sites pushing the files will claim you have the wrong type of DivX Plugin installed, with a new one being required to view the content. The first port of call (now replaced by a page-full of Javascript which we’re taking a look at) is / was located at sjsinternational(dot)com/shirleen
> http://www.threattra.../09/fbdivx1.jpg
“DivX plug-in required!
You don’t have the plugin required to view the video
Save the video and run it locally”

A rogue file – which appears to have been compiled in Russia – will be offered up to the end-user, typically offering up filenames that suggest photographs of a lewd and / or salacious nature. The files come from a .ua URL... one of the oldest tricks in the book is being used here – all the files claim to be gifs, jpegs and tif files, when they are (of course) anything but. Elsewhere on the same domain, we have a page which claims “You need to download and execute the Facebook app to see it! It’s amazing!” with yet another file being offered up. This page is still active, and located at sjsinternational(dot)com/marguerite.html
> http://www.threattra.../09/fbdivx2.jpg
... various URLs serving up the Malware have been very busy... More often than not, “Run this file to see a picture” results in no pictures and lots of files (bad ones, at that). This one is at least a little bit unusual if only because the end-user receives a (not very impressive) “reward” at the end of the hoop jumping. However, that reward comes loaded with Malware and should be avoided at all costs, whether posing as image files, Facebook apps or anything else you care to mention."
___

Fake Wire Transfer SPAM / INTL_Wire_Report-09242013.zip
- http://blog.dynamoo....nsfer-spam.html
24 Sep 2013 - "This fake wire transfer spam has a malicious attachment:
Date: Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@ wellsfargo .com]
Subject: International Wire Transfer File Not Processed
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: S203-8767457
Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700 ...


Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date is encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48*... network traffic to ta3online .org on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site. Blocking EXE-in-ZIP files at your network perimeter is absolutely the best way of avoiding malware attacks like this."
* https://www.virustot...sis/1380058931/
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Wire Transfer Failure Notification Email Messages - 2013 Sep 24
Fake Payment Information Email Messages - 2013 Sep 24
Fake Unpaid Debt Invoice Email Messages - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Email Messages with Malicious Attachments - 2013 Sep 24
Fake Shipping Order Information Email Messages - 2013 Sep 24
Fake Picture Delivery Email Messages - 2013 Sep 24
Fake Account Payment Notification Email Messages - 2013 Sep 24
Fake Fax Document Delivery Email Messages - 2013 Sep 24
Fake Media File Sharing Email Messages - 2013 Sep 24
Fake Bank Payment Information Email Messages - 2013 Sep 24
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 24
Malicious Personal Pictures Attachment Email Messages - 2013 Sep 24
(More detail and links at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 24 September 2013 - 06:27 PM.

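Nearly every attachment campaign in this thread is an EXE inside a ZIP (Scan_<random>.zip / scanned_doc_<date>.exe, Quotation.zip / Quotation.scr, INTL_Wire_Report-09242013.zip / .exe), and the dynamoo post above recommends blocking EXE-in-ZIP at the perimeter. As an added example (not code from dynamoo or from this thread), the Python below is the inspection a mail gateway would run on a ZIP attachment: it flags members by executable extension, which also catches double extensions like photo.jpg.exe, and by the PE "MZ" header, which catches an executable renamed to look like a PDF, and it looks one level into nested ZIPs. The sample archive is built in memory and is constructed for illustration; the member names merely echo the campaigns above and the bytes are not real malware.

```python
"""Flag e-mail ZIP attachments that carry executables.

Added example; not from the dynamoo posts quoted above. Checks by
extension and by PE header, one level into nested ZIPs. The sample
archive is constructed in memory for illustration.
"""
import io
import os
import zipfile

# Extensions Windows executes directly; covers the .exe and .scr seen above.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".msi", ".dll", ".cpl"}
PE_MAGIC = b"MZ"
MAX_NESTED_BYTES = 50_000_000   # do not expand huge inner archives


def is_pe(data):
    """True if the first bytes are a DOS/PE header."""
    return data[:2] == PE_MAGIC


def inspect_zip(zip_bytes, depth=0, max_members=200):
    """Return [(member_name, reason)] for suspicious members.

    Reasons: 'extension' (executable suffix, including double extensions)
    and 'pe-header' (content starts with MZ). A ZIP that does not parse is
    reported as a finding rather than silently accepted.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unparseable-zip")]
    findings = []
    with zf:
        for info in zf.infolist()[:max_members]:
            name = info.filename
            if name.endswith("/"):
                continue                      # directory entry
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXTENSIONS:
                findings.append((name, "extension"))
            head = zf.open(info).read(4)      # only the header is needed
            if is_pe(head):
                findings.append((name, "pe-header"))
            if ext == ".zip" and depth < 1 and info.file_size <= MAX_NESTED_BYTES:
                inner = zf.read(info)
                findings += [(name + "/" + n, r)
                             for n, r in inspect_zip(inner, depth + 1, max_members)]
    return findings


def should_block(zip_bytes):
    """Gateway policy: block the attachment if anything executable is inside."""
    return bool(inspect_zip(zip_bytes))


def build_sample():
    """Constructed archive: a benign PDF plus three disguised executables."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo.jpg.exe", b"not really a PE")      # caught by name only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 benign placeholder")
        zf.writestr("Invoice_092513.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("scanned_doc.pdf", b"MZ" + b"\x00" * 62)  # renamed executable
        zf.writestr("more.zip", inner.getvalue())
    return buf.getvalue()


def build_benign():
    """Constructed archive containing only a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample()):
        print(member, reason)
```

The extension check alone would pass scanned_doc.pdf and the header check alone would pass photo.jpg.exe, which is why a gateway rule should apply both.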


#1033 AplusWebMaster

Posted 25 September 2013 - 03:48 PM

FYI...

Fake Intuit SPAM / Invoice_3056472.zip
- http://blog.dynamoo....3056472zip.html
25 Sep 2013 - "It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possibly go wrong? Oh..
Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From: Lewis Muller [Lewis.Muller @ intuit .com]
Subject: FW: Invoice 3056472
Your invoice is attached.
Sincerely,
Lewis Muller
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48*... the usual sort of badness, including a call home to gidleybuilders .com on 78.157.201.219 (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week**. Two compromised domains in a week seems a bit more than a coincidence... legitimate domains are also on that same server..."
* https://www.virustot...sis/1380130529/

** http://blog.dynamoo....0760091zip.html
___

Fake Phish - FW: Invoice 8428502
- http://security.intu.../alert.php?a=87
9/25/2013 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

Please be advised that that the attachment (Invoice_092513.exe) received with this email was removed in accordance with the Assante Virus policy. If you are aware of the contents of this attachment and you require it for business reasons please contact the IT Helpdesk (its@assante.com OR 888 955 8886). Please contact the sender if you are unsure of the contents or purpose for the attachment.
Your invoice is attached.
Sincerely,
Cliff Jeffers


This is the end of the -fake- email..."
___

Fake AICPA SPAM / children-bicycle .net
- http://blog.dynamoo....bicyclenet.html
25 Sep 2013 - "This fake AICPA spam leads to malware on the domain children-bicycle .net:
From: Reggie Wilkins [blockp12@ clients.aicpa .net]
Date: 25 September 2013 15:03
Subject: Your accountant license can be cancelled.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
AICPA logo
Cancellation of Accountant status due to tax return fraud allegations
Valued accountant officer,
We have received a complaint about your recent participation in tax return infringement for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.
Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.
Complaint.pdf
The American Institute of Certified Public Accountants...


Screenshot: https://lh3.ggpht.co...s1600/aicpa.png

... The link in the email goes to a legitimate -hacked- site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle .net/news/aicpa-all.php (report here*).. but only if the visitor is running Windows (more of which in a moment). The domain children-bicycle .net is registered with fake WHOIS details and the pattern of the domain marks it out as belonging to the Amerika gang... The payload is hosted on the following IP addresses (all also listed here**):
24.111.103.183 (Midcontinent Media, US)
109.71.136.140 (OpWan, France)
184.82.233.29 (Network Operations Center, US)
As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows, others end up at the genuine aicpa .org website:
> https://lh3.ggpht.co.../aicpa-code.png
Recommended blocklist:
24.111.103.183
109.71.136.140
184.82.233.29
..."
* http://urlquery.net/....php?id=5941489

** http://blog.dynamoo....ck-2492013.html
___

6rf .net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211
- http://blog.dynamoo....ng-evil-on.html
25 Sep 2013 - "Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf .net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant .biz. The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains... That IP hosts various exploit kits* and is suballocated to a Russian customer... Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer... But that's not the only infection that 6rf .net is punting, as there is another malicious domain of [donotclick]yandex .ru.sgtfnregsnet.ru in use (report here**) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlebot .ru ***) which is also serving up an exploit kit... It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
46.105.166.99
85.25.108.10
178.33.208.211
198.50.225.121
6rf .net
..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/...2...9-25&max=50

** http://urlquery.net/....php?id=5939386

*** http://urlquery.net/....php?id=5924098

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 25 September 2013 - 07:42 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
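The invoice-themed "ZIP containing an EXE" lure in the first item above is exactly what a mail gateway can stop before a user ever sees it. The following is an added example for this thread, not code from dynamoo.com, Intuit or this forum: it opens an archive attachment in memory and quarantines it when a member has an executable extension, a double extension, a nested archive, or a PE "MZ" header hiding under a non-executable name. The sample archives are constructed here with placeholder bytes; only the member name Invoice_092513.exe is taken from the post.

```python
"""Mail-gateway style check for archive attachments that carry executables.

Added example for this thread, not code from dynamoo.com or Intuit. The
sample ZIPs are constructed in memory with placeholder bytes (not malware);
the member name Invoice_092513.exe comes from the post, all else is made up.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows runs directly when a user double-clicks the file.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".msi", ".cpl",
}
# Archives inside archives are a common way to slip past single-level scanners.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".cab"}


@dataclass
class AttachmentVerdict:
    quarantine: bool
    reasons: list = field(default_factory=list)


def _suffixes(name: str) -> list:
    """All dotted suffixes of a member name, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_zip_attachment(filename: str, data: bytes) -> AttachmentVerdict:
    """Decide whether a ZIP attachment should be held back from the recipient."""
    verdict = AttachmentVerdict(quarantine=False)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        verdict.reasons.append(f"{filename}: not a ZIP archive, left to other checks")
        return verdict
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            sfx = _suffixes(info.filename)
            if not sfx:
                continue
            if sfx[-1] in EXECUTABLE_EXTENSIONS:
                verdict.quarantine = True
                verdict.reasons.append(f"{info.filename}: executable member ({sfx[-1]})")
                if len(sfx) > 1:
                    verdict.reasons.append(f"{info.filename}: double extension disguises executable")
            if sfx[-1] in ARCHIVE_EXTENSIONS:
                verdict.quarantine = True
                verdict.reasons.append(f"{info.filename}: nested archive")
            # Peek at the first two bytes: a PE file starts with 'MZ' whatever its name.
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and sfx[-1] not in EXECUTABLE_EXTENSIONS:
                verdict.quarantine = True
                verdict.reasons.append(f"{info.filename}: PE header under a non-executable name")
    return verdict


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed stand-in for an attachment like Invoice_3056472.zip (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: a fake PE stub, a harmless document, a double-extension
# lure, and a PE stub renamed to look like a PDF.
SAMPLE_ZIP = build_sample_zip("Invoice_092513.exe", b"MZ" + b"\x00" * 62)
BENIGN_ZIP = build_sample_zip("Invoice_092513.pdf", b"%PDF-1.4 placeholder")
DISGUISED_ZIP = build_sample_zip("Invoice_092513.pdf.exe", b"MZ" + b"\x00" * 62)
MISNAMED_ZIP = build_sample_zip("Invoice_092513.pdf", b"MZ" + b"\x00" * 62)

if __name__ == "__main__":
    for name, blob in [("Invoice_3056472.zip", SAMPLE_ZIP), ("benign.zip", BENIGN_ZIP),
                       ("disguised.zip", DISGUISED_ZIP), ("misnamed.zip", MISNAMED_ZIP)]:
        v = inspect_zip_attachment(name, blob)
        print(name, "QUARANTINE" if v.quarantine else "deliver", v.reasons)
```

The extension and header checks are deliberately separate: the extension list catches the common case cheaply, and the "MZ" check catches an executable that a sender has renamed to look like a document, which the extension list alone would pass.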


#1034 AplusWebMaster


Posted 26 September 2013 - 06:31 AM

FYI...

Something evil on 91.231.98.149 and boats .net
- http://blog.dynamoo....198149-and.html
26 Sep 2013 - "This injection attack* [urlquery] on boats .net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards .biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards .biz/_cp/crone/ which cannot be anything good. What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar... A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukrainian sites... I don't know what the payload is, but the IP address was also used in this recent malware attack**. The IP and domains are definitely malicious, and I would recommend the following blocklist:
91.231.98.149
eschewsramping .biz
gamelikeboards .biz
sixteenups .biz
sorelyzipmagics .biz
technicaltutoring .biz
zarazagorakakaxx1 .org
zarazagorakakaxx2 .com

* http://urlquery.net/....php?id=5960880

** https://malwr.com/an...TU2NDU2NDgzNmE/

Added: it looks like this site has been compromised before*** ..."
*** http://news.softpedi...ck-382161.shtml
___

Print A Tree, Pop An Ad
- http://www.threattra...nt-tree-pop-ad/
Sep 26, 2013 - "... We first noticed this one as part of a larger Installcore bundler from a pop up on a “free video” site:
> http://www.threattra.../treeprint5.png
...
> http://www.threattra.../treeprint6.jpg
Quite what our chosen subject matter has to do with videos I’ve no real idea, but never let relevance detract from an Adware bundle. Here it is during the main install of “FLV Player Setup”, and it is called “Print-A-Tree”.
> http://www.threattra.../treeprint2.jpg
... Some of the other programs installed from the Installcore bundle included Web Connect (Yontoo variant), Bonanza Deals and O-to-Lyrics... This is where things go horribly wrong, because not only do you have ads injected onto numerous websites, you also end up with pop-ups which often lead to additional installs (with additional Adware!)... The pop-up ad promotes a web browser which will offer up more adware at install, to sit alongside whatever applications you happen to have on board from the first bundle... You can see more about the original bundler file over at VirusTotal*, which currently has it pegged at 8/41..."
* https://www.virustot...sis/1380126410/
File name: FlvPlayerSetup.exe_
Detection ratio: 8/41 ...
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Xerox Scan Attachment Email Messages - 2013 Sep 26
Fake Package Delivery Invoice Notification Email Messages - 2013 Sep 26
Fake Account Payment Notification Email Messages - 2013 Sep 26
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 26
Fake Sales Receipt Notification Email Messages - 2013 Sep 26
Fake Product Order Email Messages - 2013 Sep 26
Fake Voice Messages Delivery Email Messages - 2013 Sep 26
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 26
Fake Purchase Order Request Email Messages - 2013 Sep 26
Fake Product Requirements List Email Messages - 2013 Sep 26
Fake Product Sample Request Email Messages - 2013 Sep 26
Blank Email Messages with Malicious Attachments - 2013 Sep 26
Fake Financial Document Delivery Email Messages - 2013 Sep 26
(More detail and links at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 26 September 2013 - 04:29 PM.



#1035 AplusWebMaster


Posted 27 September 2013 - 11:16 AM

FYI...

Fake Facebook SPAM / directgrid .org
- http://blog.dynamoo....ifications.html
27 Sep 2013 - "This fake Facebook spam leads to malware on directgrid .org:
Date: Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From: Facebook [notification+W85BNFWX @facebookmail .com]
Subject: You have 21 friend suggestions, 11 friend requests and 14 photo tags
facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
3 messages
11 friend requests
21 friend suggestions
14 photo tags
View Notifications
Go to Facebook ...


Screenshot: https://lh3.ggpht.co...0/facebook2.png

The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
[donotclick]3dbrandscapes .com/starker/manipulator.js
[donotclick]dtwassociates .com/marry/sullies.js
[donotclick]repairtouch .co .za/lollypops/aquariuses.js
This leads to a malware landing page hosted on a -hijacked- GoDaddy domain at [donotclick]directgrid .org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US) where there are a number of other hijacked domains...
Recommended blocklist:
50.116.10.71 ..."
(More listed at the dynamoo URL above.)

- https://www.virustot...71/information/

:ph34r: <_<

Edited by AplusWebMaster, 27 September 2013 - 03:14 PM.

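The posts above publish their indicators defanged: a space before the TLD ("children-bicycle .net"), a "[donotclick]" prefix on URLs, and IPs followed by the hosting provider in brackets. Before they can go into a blocklist they have to be normalised. This is an added example for the thread, not code from dynamoo.com or this forum: it refangs a handful of the indicators quoted in the last three posts, separates IPs from domains, and matches them against constructed proxy log lines, treating any subdomain of a listed domain as a hit while leaving the genuine aicpa.org alone. The log lines, timestamps and client IPs are made up.

```python
"""Refang defanged indicators from the posts and match them against proxy logs.

Added example, not code from dynamoo.com or this forum. Indicator values are
copied from the posts above; the proxy log lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed excerpt: a few indicators exactly as the posts print them.
INDICATOR_TEXT = """
[donotclick]repairtouch .co .za/lollypops/aquariuses.js
children-bicycle .net
24.111.103.183 (Midcontinent Media, US)
6rf .net
50.116.10.71
gamelikeboards .biz
"""

# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2013-09-27T10:02:11Z 10.1.2.33 GET http://www.aicpa.org.children-bicycle.net/news/aicpa-all.php 200",
    "2013-09-27T10:02:14Z 10.1.2.33 GET http://www.aicpa.org/ 200",
    "2013-09-27T10:05:40Z 10.1.2.51 GET http://50.116.10.71/topic/lairtg-nilles-slliks.php 200",
    "2013-09-27T10:07:02Z 10.1.2.51 GET http://6rf.net/include.js 200",
    "2013-09-27T10:09:19Z 10.1.2.60 GET http://example.com/index.html 200",
]

DEFANG_RE = re.compile(r"\s+\.")                      # "foo .co .za" -> "foo.co.za"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the two defanging conventions used in the posts."""
    return DEFANG_RE.sub(".", text.replace("[donotclick]", ""))


def parse_indicators(text: str):
    """Return (ips, domains) found in a block of defanged indicator lines."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        ips.update(IPV4_RE.findall(line))
        # Drop any URL path and trailing commentary, then look for a hostname.
        host_part = line.split("/", 1)[0].split()[0]
        match = HOST_RE.match(host_part)
        if match:
            domains.add(match.group(1).lower())
    return ips, domains


def host_is_blocked(host: str, ips: set, domains: set) -> bool:
    """Exact IP match, or the host is a listed domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines, ips: set, domains: set):
    """Return (timestamp, client, host) for every request to a blocked host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname
        if host and host_is_blocked(host, ips, domains):
            hits.append((fields[0], fields[1], host))
    return hits


if __name__ == "__main__":
    blocked_ips, blocked_domains = parse_indicators(INDICATOR_TEXT)
    print("IPs:", sorted(blocked_ips))
    print("Domains:", sorted(blocked_domains))
    for ts, client, host in scan_proxy_log(SAMPLE_PROXY_LOG, blocked_ips, blocked_domains):
        print(f"{ts} {client} -> {host}")
```

Matching on the suffix rather than the exact hostname matters here because the posts describe the kit hiding behind look-alike subdomains such as www.aicpa.org.children-bicycle.net; the check still requires a literal "." before the listed domain, so a domain that merely ends in the same letters does not match.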
