SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1036 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 September 2013 - 09:58 AM

FYI...

Fake IRS SPAM / oooole .org
- http://blog.dynamoo....inder-spam.html
30 Sep 2013 - "This fake IRS spam leads to malware on oooole .org:
Date: Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From: "Fire@irs.gov" [burbleoe9@ irs .org]
Subject: Invalid File Email Reminder
9/30/2013
Valued Transmitter,
We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:
Filename          # of Times Email Has Been Sent   Tax Year
ORIG.62U55.2845   2                                2012...


The link in the email goes through a legitimate -hacked- site and then -redirects- through one of the following three scripts:
[donotclick]savingourdogs .com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns .biz/resonators/sunbonnet.js
[donotclick]polamedia .se/augusts/fraudulence.js
The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole .org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains...
Recommended blocklist:
75.98.172.238 ..."

- https://www.virustot...38/information/
___

Fake Wells Fargo SPAM - malicious ZIP file
- http://blog.dynamoo....ments-spam.html
30 Sep 2013 - "This fake Wells Fargo spam comes with a malicious attachment:
Date: Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From: Bryon Faulkner [Bryon.Faulkner@ wellsfargo .com]
Subject: Important Documents
Please review attached documents.
Bryon Faulkner
Wells Fargo Advisors
817-527-6769 office
817-380-3921 cell Bryon.Faulkner@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


The attached document starts with "Documents_" and then has the first part of the recipient's email address as part of the filename. Or that's the way it is meant to work, because in practice it will probably be a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe). The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48*... attempted connection to the site demandtosupply .com on 84.22.177.37 (ioMart, UK) which is a server spotted in a similar attack a few weeks ago**. Unfortunately, where more than one domain on a server is compromised then it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box... so exercise caution if deciding to block them.
Recommended blocklist:
84.22.177.37
demandtosupply .com
ce-cloud .com
"
* https://www.virustot...sis/1380564661/

** http://blog.dynamoo....ached-spam.html

- https://www.virustot...37/information/

:ph34r: <_<

Edited by AplusWebMaster, 30 September 2013 - 03:54 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1037 AplusWebMaster


Posted 01 October 2013 - 09:39 AM

FYI...

Fake AMEX phish ...
- http://threattrack.t...edentials-phish
Oct 1, 2013 - "Subjects Seen:
Fraud Alert : Irregular Card Activity
Typical e-mail details:
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 1st October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
americanexpress.com
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.


Malicious URLs
kaindustries.comcastbiz .net/boulevards/index.html
theswordcoast.awardspace .com/catalepsy/index.html
i37raceway .com/hovers/index.html
pizzapluswindsor .ca/americanexpress/


Screenshot: https://gs1.wac.edge...p01I1r6pupn.png
___

Fake NACHA SPAM - malware on thewalletslip .com
- http://blog.dynamoo....malware-on.html
1 Oct 2013 - "This fake NACHA spam leads to malware on thewalletslip .com:
Date: Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
From: ACH Network [markdownfyye396@ nacha .org]
Subject: Your ACH transfer
The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.
Aborted transfer
ACH transfer ID: 428858072307
Reason of Cancellation Notice information in the report below
Transaction Report View Report 428858072307
About NACHA ...


Screenshot: https://lh3.ggpht.co...s1600/nacha.png

The link in the email goes through a legitimate -hacked- site and then runs one of three scripts:
[donotclick]theodoxos .gr/hairstyles/defiling.js
[donotclick]web29.webbox11.server-home .org/volleyballs/cloture.js
[donotclick]www.knopflos-combo .de/subdued/opposition.js
Then the victim is directed to a malware landing page at [donotclick]thewalletslip .com/topic/latest-blog-news.php and if you follow this blog regularly then you will not be at all surprised to find that it has been hijacked from GoDaddy... It is hosted on 75.98.172.238 (A2 Hosting, US) which is the same server spotted yesterday*.
Recommended blocklist:
75.98.172.238 ..."
* http://blog.dynamoo....inder-spam.html

- https://www.virustot...38/information/
___

Apple spikes as Phishing Target
- http://blog.trendmic...hishing-target/
Oct 1, 2013 - "... Apple is now the most valuable brand in the world. One party that would agree: cybercriminals, who are now targeting Cupertino in increasing numbers. Earlier in the year, the number of identified Apple phishing sites would only be in the hundreds per month, as seen in the chart below:
Number of identified Apple-related phishing sites
> http://blog.trendmic...apple-graph.png
Some cases of these Apple-related threats just use Apple as social engineering bait. For example, here, the need to “verify” one’s Apple products or services is used to phish email services:
Phishing site
> http://blog.trendmic...ple-phish-2.gif
... Apple ID itself is now being targeted for theft. For users of all Apple products – whether they be Macs, iOS devices, or just the iTunes store – the Apple ID is a key ingredient in how they use these products. For example, it can be used to control the data stored in your iCloud account, make purchases of both music and apps, and even manage your iOS or Mac device. Not only that, users from all over the world are being targeted. For example, this phishing site is in French:
Apple ID phishing site
> http://blog.trendmic...sh-france-4.gif
... It would appear that cybercriminals are using Apple-related rumors as a gauge of potential interest from users/victims and increase the number of their attacks as needed. This growth in Apple-related threats highlights how Apple users, far from being safe, are continuously targeted by threats today as well..."
___

Pinterest Facebook Friend Spam
- http://threattrack.t...ook-friend-spam
Oct 1, 2013 - "Subjects Seen:
Your Facebook friend <removed> joined Pinterest
Typical e-mail details:
Your Facebook friend <removed> just joined Pinterest. Help welcome <removed> to the community!

Malicious URLs
ats.webd .pl/caskets/index.html
theodoxos .gr/hairstyles/defiling.js
web29.webbox11.server-home .org/volleyballs/cloture.js
knopflos-combo .de/subdued/opposition.js
pizzapluswindsor .ca/topic/latest-blog-news.php


Screenshot: https://gs1.wac.edge...7D5p1r6pupn.png
___

Tens of thousands of fake Twitter accounts passed off and sold as 'followers'
- https://www.virusbtn.../2013/09_20.xml
20 Sep 2013
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Email Messages with Malicious Attachments - 2013 Oct 01
Fake Commissions Statement Notification Email Messages - 2013 Oct 01
Fake Product Order Request Email Messages - 2013 Oct 01
Fake Purchase Order Notification Email Messages - 2013 Oct 01
Fake Product Order Delivery Information Email Messages - 2013 Oct 01
Fake Multimedia Message Delivery Email Message - 2013 Oct 01
Fake Product Order Email Messages - 2013 Oct 01
Fake Bank Payment Notification Email Messages - 2013 Oct 01
Fake Court Document Email Messages - 2013 Oct 01
Fake Document Filing Notification Email Messages - 2013 Oct 01
Fake Debt Collection Notification Email Messages - 2013 Oct 01
Fake Account Payment Notification Email Messages - 2013 Oct 01
Fake Product Purchase Order Email Messages - 2013 Oct 01
Fake Product Specification Request Email Messages - 2013 Oct 01
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 01
Fake Shipment Invoice Email Messages - 2013 Oct 01
Fake Payment Information Email Messages - 2013 Oct 01
Blank Email Messages with Malicious Attachments - 2013 Oct 01
(More detail and links at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 01 October 2013 - 03:19 PM.



#1038 AplusWebMaster


Posted 02 October 2013 - 05:22 AM

FYI...

Fake T-Mobile message emails lead to malware
- http://www.webroot.c...s-lead-malware/
Oct 2, 2013 - "A circulating malicious spam campaign attempts to trick T-Mobile customers into thinking that they’ve received a password-protected MMS. However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs. Detection rate for the spamvertised sample – MD5: 5d69a364ffa8d641237baf4ec7bd641f – * W32/Trojan.XTWU-6193; TR/Sharik.B; Trojan.DownLoader9.22851
Once executed, the sample phones back to networksecurityx.hopto .org – 69.65.19.117 ... subdomains are also known to have phoned back to the same IP in the past... malicious MD5s are also known to have phoned back to the same domain/IP in the past..."
* https://www.virustot...sis/1379599644/
___

Fake Facebook Mobile Page Steals Credit Card Details
- http://blog.trendmic...t-card-details/
Oct 1, 2013 10:28 pm (UTC-7) - "... a mobile phishing page that looks very similar to the official Facebook mobile page. However, looking closely into the URL address, there are noticeable differences. The real Facebook page is located at https://m.facebook.com/login and has the lock icon to show that the page is secured.
Fake vs. legitimate Facebook mobile page
> http://blog.trendmic...gvsreal-pag.gif
This page tries to steal more than Facebook credentials. Should users actually try to log in, the page then prompts users to choose a security question. This may sound harmless, but these same security questions might be used across several different sites, and can compromise your security as well.
Fake Facebook security page
> http://blog.trendmic...curity-page.gif
Once users are done, they are led to another page, this time asking for their credit card details.
Page asking for credit card details
> http://blog.trendmic...ge-creditca.gif
In cases like these, users should always be careful and double-check the URLs of sites they are entering personal information into, particularly those that claim to belong to a particular service. In addition, Facebook does -not- ask for a user’s credit card information unless they are making a purchase..."
___

"microsoft support" calls - now with ransomware
- https://isc.sans.edu...l?storyid=16703
Last Updated: 2013-10-02 04:16:32 UTC - "Most of us are familiar with the "microsoft support" call. A phone call is received, the person states they are from "microsoft support" and they have been alerted that your machine is infected. The person will assist you by having you install a remote desktop tool such as teamviewer or similar (we have seen many different versions). Previously they would install software that would bug you until you paid the "subscription fee". As the father of a friend found out the other day when he received a call, they now install -ransomware- which will lock the person out of their computer until a fee has been paid. In this instance it was done quite early in the "support" call, so even disconnecting on smelling a rat was too late. The ransomware itself looks like it replaced some start up parameters to kick in the lockout rather than encrypting the drive or key elements of the machine. However for most users that would be enough to deny access. So in the spirit of Cyber Security Awareness Month make this month one where you let your non-IT friends and family know two things. Firstly, BACKUP YOUR STUFF. Secondly, tell them "when you receive a call from "microsoft support", the correct response is to hang up."
___

Fake Staples SPAM leads to malware on tootle .us
- http://blog.dynamoo....malware-on.html
2 Oct 2013 - "This fake Staples spam leads to malware on a site called tootle .us:
Date: Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From: support@ orders.staples .com
Subject: Staples order #: 1353083565
Thank you for shopping Staples.
Here's what happens next:
Order No.:1353083565
Customer No.:1278823232 Method of Payment:Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135
Item1 Qty. Subtotal
DELL 1320 BLACK TONER
Item No.:744319Price:$60.38/each
Expected delivery:10/4/2013byUPS 2 $125.26
Item2 Qty. Subtotal
DELL RY854 CYAN TONER
Item No.:717860Price:$61.87/each
Expected delivery:10/4/2013byUPS 2 $124.03
Subtotal:: $243.59
Delivery: FREE
Tax: $17.66
Total: $250.35
Your order is subject to review ...


Screenshot: https://lh3.ggpht.co...600/staples.png

The link in the email goes to a legitimate (but hacked) site and then attempts to load one of the following three scripts:
[donotclick]algmediation .org/inventory/symphony.js
[donotclick]apptechgroups .net/katharine/bluejacket.js
[donotclick]ctwebdesignshop .com/marquetry/bucket.js
From there the victim is redirected to a malware landing page at [donotclick]tootle .us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another -hijacked- GoDaddy domain (there are some more on this server...)..."
Recommended blocklist:
23.92.22.75
tootle .us
..."

- https://www.virustot...75/information/

:ph34r: <_<

Edited by AplusWebMaster, 02 October 2013 - 10:14 AM.



#1039 AplusWebMaster


Posted 03 October 2013 - 10:55 AM

FYI...

Fake Amazon SPAM - uses email address harvested from Comparethemarket .com
- http://blog.dynamoo....il-address.html
3 Oct 2013 - "This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket .com.
From: Amazon.com [ship-confirm@ amazon .com]
Reply-To: "Amazon.com" [ship-confirm@ amazon .com]
Date: 3 October 2013 15:43
Subject: Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!
Amazon .com
Kindle Store
| Your Account | Amazon.com
Order Confirmation
Order #159-2060285-0376154 ...


Screenshot: https://lh3.ggpht.co...1600/amazon.png

How the email address was extracted from Comparethemarket.com is not known. The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]berkahabadi .de/unclear/unsettle.js
[donotclick]sigmarho.zxq .net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online .de/creel/eccentrically.js
This redirects the victim to a malware page at [donotclick]globalrealty-nyc .info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). This is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.
Recommended blocklist:
96.126.103.252 ..."

- https://www.virustot...52/information/
___

USPS Express Services Spam
- http://threattrack.t...s-services-spam
Oct 3, 2013 - "Subjects Seen:
USPS - Your package is available for pickup ( Parcel <random> )
USPS - Missed package delivery

Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
Label: <random>
Print this label to get this package at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
USPS Logistics Services.


Malicious File Name and MD5:
USPS_Label_<random>.zip (43BA7C2530EF2F69DEF845FE5E10C6C7)
USPS_Label_<date>.exe (7EAC25BFC4781CA44C5D991115AAF0B4)


Screenshot: https://gs1.wac.edge...MMFH1r6pupn.png

:ph34r: <_<

Edited by AplusWebMaster, 03 October 2013 - 11:47 AM.



#1040 AplusWebMaster


Posted 04 October 2013 - 08:17 AM

FYI...

Fake Dropbox SPAM - leads to malware on adelect .com
- http://blog.dynamoo....malware-on.html
4 Oct 2013 - "This fake Dropbox spam leads to malware:
Date: Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From: Dropbox [no-reply@ dropboxmail .com]
Subject: Please update your Expired Dropbox Password
Hi [redacted].
We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.
Please visit the page to update your password
Reset Password
Thanks!
- The Dropbox Team


Screenshot: https://lh3.ggpht.co...600/dropbox.png

The link in the email goes through a legitimate hacked site and then on to a set of three scripts:
[donotclick]12.158.190.75 /molls/smudgier.js
[donotclick]freetraffic2yourweb .com/palermo/uneconomic.js
[donotclick]www.bathroomchoice .com/huntsmen/bestsellers.js
From there the victim is delivered to a malware landing page at [donotclick]adelect .com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server..."
Recommended blocklist:
66.150.155.210
wrightleasing .com
renewalbyandersendayton .com
adelect .com
12.158.190.75
freetraffic2yourweb .com
www .bathroomchoice .com
"

- https://www.virustot...10/information/

:ph34r: <_<

Edited by AplusWebMaster, 04 October 2013 - 08:27 AM.

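The campaigns quoted in posts #1036 to #1040 share one landing-page path (/topic/latest-blog-news.php) and a set of hijacked hosts and server IPs. As an added example, not code from the thread or from Dynamoo, the Python script below refangs the defanged blocklist entries the posts use and flags matching proxy log lines, ranking IP-only hits for analyst review because the write-ups note that legitimate sites share those servers. The proxy log format and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Blocklist entries copied from the Dynamoo write-ups quoted in posts #1036-#1040,
# kept in the defanged form the posts use (a space before each dot).
DEFANGED_BLOCKLIST = [
    "75.98.172.238", "oooole .org", "thewalletslip .com",
    "23.92.22.75", "tootle .us",
    "96.126.103.252", "globalrealty-nyc .info",
    "66.150.155.210", "adelect .com", "wrightleasing .com",
    "renewalbyandersendayton .com", "12.158.190.75",
    "freetraffic2yourweb .com", "www .bathroomchoice .com",
]

# Landing-page path shared by every campaign described in those posts.
LANDING_PATH = "/topic/latest-blog-news.php"

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(entry):
    """Restore a defanged entry: '[donotclick]tootle .us/x.php' -> 'tootle.us/x.php'."""
    entry = entry.replace("[donotclick]", "").strip()
    # Remove the whitespace the posts insert before '.' and '/'.
    return re.sub(r"\s+(?=[./])", "", entry).lower()


def build_blocklist(defanged=DEFANGED_BLOCKLIST):
    """Split refanged entries into a host set and an IP set."""
    hosts, ips = set(), set()
    for entry in defanged:
        value = refang(entry)
        (ips if IPV4.fullmatch(value) else hosts).add(value)
    return hosts, ips


def scan_proxy_line(line, hosts, ips):
    """Flag one proxy log line; returns a finding dict or None.

    Assumed (constructed) log format, one request per line:
        <timestamp> <client_ip> <method> <url> <destination_ip> <status>
    """
    fields = line.split()
    if len(fields) != 6:
        return None
    _ts, client, _method, url, dst_ip, _status = fields
    parsed = urlsplit(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.path.endswith(LANDING_PATH):
        reasons.append("landing-page path " + LANDING_PATH)
    if host in hosts or host in ips:
        reasons.append("blocklisted host " + host)
    if dst_ip in ips:
        reasons.append("blocklisted IP " + dst_ip)
    if not reasons:
        return None
    # Dynamoo notes that legitimate sites share these servers, so a hit on the
    # IP alone is ranked for analyst review rather than an outright block.
    only_ip = all(r.startswith("blocklisted IP") for r in reasons)
    return {
        "client": client,
        "url": url,
        "severity": "review" if only_ip else "block",
        "reasons": reasons,
    }


def scan_log(text, defanged=DEFANGED_BLOCKLIST):
    """Run scan_proxy_line over every line of a log and collect the findings."""
    hosts, ips = build_blocklist(defanged)
    findings = []
    for line in text.splitlines():
        finding = scan_proxy_line(line, hosts, ips)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: a redirector script fetch, the landing page, and a
# request to an unrelated (made-up) host that happens to sit on a listed IP.
SAMPLE_LOG = """\
2013-10-04T13:02:11Z 10.0.0.12 GET http://hacked-site.example/index.php?id=7 203.0.113.9 200
2013-10-04T13:02:12Z 10.0.0.12 GET http://12.158.190.75/molls/smudgier.js 12.158.190.75 200
2013-10-04T13:02:13Z 10.0.0.12 GET http://adelect.com/topic/latest-blog-news.php 66.150.155.210 200
2013-10-04T13:05:40Z 10.0.0.33 GET http://neighbour-site.example/ 66.150.155.210 200
2013-10-04T13:06:01Z 10.0.0.45 GET http://news.example/topic/index.html 198.51.100.7 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["url"], "; ".join(f["reasons"]))
```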


#1041 AplusWebMaster


Posted 07 October 2013 - 01:18 PM

FYI...

Fake National Bankruptcy Services SPAM
- http://threattrack.t...y-services-spam
Oct 7, 2013 - "Subjects Seen:
6253-9166
Typical e-mail details:
Please see the attached Iolta report for 6253-9166.
We received a check request in the amount of $19,335.05 for the above referenced file. However, the attached report reflects a $0 balance. At your earliest convenience, please advise how this request is to be funded.
Thanks.
Milton_Forrest *
Accounts Payable
National Bankruptcy Services, LLC


Malicious File Name and MD5:
6253-9166.zip (47E464919165F040B03160BAA38FD5E3)
report_<date>.exe (0798687A993B98EBF5E87A6F78311F32)


Screenshot: https://gs1.wac.edge...Cgf21r6pupn.png
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Account Complaint Resolution Document Email Messages - 2013 Oct 07
Fake Payment Receipt Notification Email Messages - 2013 Oct 07
Fake Payment Confirmation Notification Email Messages - 2013 Oct 07
Fake Account Payment Notification Email Messages - 2013 Oct 07
Fake Commissions Invoice Email Messages - 2013 Oct 07
Fake Hotel Reservation Confirmation Email Messages - 2013 Oct 07
Fake Product Order Email Messages - 2013 Oct 07
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 07
Fake Financial Document Email Messages - 2013 Oct 07
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 07
Fake Shipping Notification Email Messages - 2013 Oct 07
Fake Document Attachment Email Messages - 2013 Oct 07
Fake Payment Confirmation Email Messages - 2013 Oct 07
Fake Product Quote Request Email Messages - 2013 Oct 07
Fake Electronic Payment Cancellation Email Messages - 2013 Oct 07
Fake Bank Account Details Inquiry Email Messages - 2013 Oct 07
Fake Personal Picture Sharing Notification Email Messages - 2013 Oct 07
Fake Portuguese Personal Picture Notification Email Messages - 2013 Oct 07
Fake Order Shipment Tracking Information Email Messages - 2013 Oct 07
Fake Business Complaint Notification Email Messages - 2013 Oct 07
(More detail and links at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 07 October 2013 - 04:03 PM.



#1042 AplusWebMaster


Posted 08 October 2013 - 05:16 AM

FYI...

Fake Well Fargo SPAM - malicious attachment / lasub-hasta .com
- http://blog.dynamoo....comes-with.html
8 Oct 2013 - "This fake Wells Fargo spam is a retread of this one*, but comes with a slightly different attachment:
Date: Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From: "Harry_Buck@ wellsfargo .com" [Harry_Buck@ wellsfargo .com]
Subject: Documents - WellsFargo
Please review attached files.
Harry_Buck
Wells Fargo Advisors
817-487-2882 office
817-683-6287 cell Harry_Buck@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


Attached is a ZIP file containing a malicious EXE file. The VirusTotal detection rate is a fairly healthy 27/48**. Automated analysis... shows that the malware tries to phone home to lasub-hasta .com on 205.251.152.178 (Global Net Access, US). A quick look at that server shows that it has several hundred sites on it, most of which are probably legitimate... but there is a great deal of suspect activity*** on this server which you might want to take into account if you are thinking of -blocking- this IP."
* http://blog.dynamoo....ments-spam.html

** https://www.virustot...sis/1381222163/

*** https://www.virustot...78/information/
___

Spoofed APEC 2013 email mixes old threat tricks
- http://blog.trendmic...-threat-tricks/
Oct 8, 2013 - "... threat actors have found another high-profile political event to leverage their schemes. The APEC 2013 Summit – an annual meeting of 21 Pacific Rim countries – in Indonesia can be the perfect veil for their spoofed emails. The threat arrives as an email purportedly from “Media APEC Summit 2013” containing two attached Excel files. The sender, message and the recipients of the email lead us to believe that this threat is aimed at individuals who would be interested in the summit (both attendees and non-attendees).
> http://blog.trendmic...ummit-email.jpg
... the email contains two attachments. Both are disguised as “APEC media list”, however only one of them (APEC Media List 2013 Part 1) was found malicious. The other, non-malicious file serves as a decoy document. Based on our analysis, the malware exploits an old Microsoft Office vulnerability (CVE-2012-0158*), an old vulnerability that was also exploited in other targeted attacks... This malware then triggers a series of multiple malware dropping and connects to various command-and-control (C&C) servers. Once done, the exploit drops and executes the file dw20.t. The said file is a dropper, which drops another file in C:\Program Files\Internet Explorer\netidt.dll. This dropped file also communicates to specific C&C servers and sends/receives encrypted data containing system information and infection status. This allows netidt.dll to download the executable _dwr6093.exe. This malware is another dropper that drops and executes downlink.dll. This final dropper leads to the final payload (netui.dll and detected as BKDR_SEDNIT.SM) and is responsible for its automatic execution (by creating autostart registry entries). BKDR_SEDNIT.SM steals information via logging keystrokes and executes commands from its C&C servers. The malicious actors behind this threat can then use the malware to gather and exfiltrate important data, leading to serious repercussions to the targeted parties..."
* https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013 - "... triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability"..."
___

Fake "Voicemail" SPAM ...
- http://www.threattra...cate-winwebsec/
Oct 7, 2013 - "... fake WhatsApp email messages leading to various forms of mobile infection. Over the last day or so, our Labs have noticed a shift into other realms – namely, Fake AV. Whenever we see Kuluoz, it is typically using compromised boxes to host payloads – and those payloads are usually Winwebsec and Medfos. Fake emails are the name of the game, and as you can see they run the full range of wedding invites, airline spam, DHL / Fedex notifications and more besides. In this case, we begin with the now familiar WhatsApp spam email messages:
> http://www.threattra.../winwebsec0.jpg
Instead of links taking end-users to malicious mobile downloads, they’ll be taken to a .biz.ua URL offering up a Kuluoz.B executable file which will download WinWebSec onto the target PC. Winwebsec has been signed by a valid cert, which is increasingly becoming a problem where Malware is concerned. The Winwebsec variant is fairly recent, dating from mid to late August. It downloads Fareit and Ursnif, which are both infostealers (of course, the Fake AV – called Antivirus Security Pro – will try to convince end-users to pay up for non-existent infection removal. It will completely ignore the genuine infections dropped on the PC, but you wouldn’t expect anything less really).
> http://www.threattra.../winwebsec1.jpg
... At time of writing, Virustotal has the Kuluoz pegged at 16/48... VIPRE Antivirus will find it is detected as Trojan.Win32.Generic.pak!cobra. Fake voicemail messages are a great way for scammers to target individuals and corporations, especially if sent to less technologically inclined victims. Expect the payloads of these spam messages to keep changing, and be very wary of running any executable files sent via email – no matter how tempting the supposed message waiting for you is..."
___

Verizon Wireless Picture Messaging Spam
- http://threattrack.t...-messaging-spam
Oct 8, 2013 - "Subjects Seen:
No Subject
Typical e-mail details:
This message was sent using the Picture and Video Messaging service from Verizon Wireless!

Malicious File Name and MD5:
<random>Img_Picture.zip (0FF888E38099617CBD03451DA72F5FC4)
<random>Img_Picture.jpeg.exe
(67355A28A8EA584D0A08F17BE10E251E)


Screenshot: https://gs1.wac.edge...J0sn1r6pupn.png
___

Mileage Reimbursement Form Spam
- http://threattrack.t...ement-form-spam
Oct 8, 2013 - "Subjects Seen:
Annual Form - Authorization to Use Privately Owned Vehicle on State Business
Typical e-mail details:
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.


Malicious File Name and MD5:
Form_<e-mail domain>.zip (00D3C33F37DEE0B3AB933C968BE8043A)
Form_20130810.exe (6828091CBF4AACEC10195EDBFA804FA7)


Screenshot: https://gs1.wac.edge...HE2x1r6pupn.png

:ph34r: <_<

Edited by AplusWebMaster, 08 October 2013 - 02:55 PM.



#1043 AplusWebMaster


Posted 09 October 2013 - 09:09 AM

FYI...

Fake Business form SPAM / warehousesale .com .my
- http://blog.dynamoo....ion-to-use.html
9 Oct 2013 - "This oddly-themed spam has a malicious attachment:
Date: Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]
From: Waldo Reeder [Waldo@ victimdomain .com]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.
Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file. Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim.


There is a ZIP file attached which includes the victim's domain name as part of the filename. Inside is an executable file with an icon to make it look like a PDF file, and the date is encoded into the filename. VirusTotal detections are not bad at 25/48*. Automated analysis... shows an attempted connection to warehousesale .com .my hosted on 42.1.61.90 (Exa Bytes Network, Malaysia). There are no other sites on that server that I can see and I recommend that you -block- both the IP and domain as a precaution.
Recommended blocklist:
warehousesale .com .my
42.1.61.90
"
* https://www.virustot...sis/1381305964/
File name: Form_20130810.exe

- https://www.virustot...90/information/
___

Fake GMail emails lead to pharmaceutical scams
- http://www.webroot.c...ceutical-scams/
Oct 9, 2013 - "Pharmaceutical scammers are currently mass mailing tens of thousands of fake emails, impersonating Google’s GMail in an attempt to trick its users into clicking on the links found in the spamvertised emails. Once users click on them, they’re automatically exposed to counterfeit pharmaceutical items, with the scammers behind the campaign attempting to capitalize on the ‘impulsive purchase’ type of social engineering tactic typical for this kind of campaign.
Sample screenshot of the spamvertised email:
> https://www.webroot....al_Scams_01.png
Sample screenshot of the landing pharmaceutical scams page:
> https://www.webroot....tical_Scams.png
... Landing URL: shirazrx .com – 85.95.236.188 – Email: ganzhorn@ shirazrx .com ... pharmaceutical scam domains are also known to have responded to the same IP (85.95.236.188)... This isn’t the first, and definitely not the last time pharmaceutical scammers brand-jack reputable brands in order to trick users into clicking on the links found in the fake emails, as we’ve already seen them brand-jack Facebook’s Notification System, YouTube, as well as the non-existent Google Pharmacy. Thanks to the (natural) existence of affiliate networks for pharmaceutical items, we expect that users will continue falling victim to these pseudo-bargain deals, fueling the growth of the cybercrime economy. Our advice? Never bargain with your health, spot the scam and report it."

- https://www.virustot...88/information/

:ph34r: <_<

Edited by AplusWebMaster, 09 October 2013 - 01:19 PM.



#1044 AplusWebMaster


Posted 10 October 2013 - 07:11 AM

FYI...

Malware served up by Bad Bing Ads
- http://www.threattra...d-bad-bing-ads/
Oct 10, 2013 - "We’re seeing our old friend “rogue ads in Bing” doing the rounds – should you go searching for “Youtube” and click on the rogue ad (in this case, the one in the bottom right hand corner under “Ads related to Youtube”) you’ll be taken to a site which redirects to an exploit.
> http://www.threattra...ingexploit1.png
The scammers behind this could well be targeting other keywords... The exploit attempts to drop Sirefef, which we’ve seen being used in malicious Bing adverts back in March 2013..."
___

Fake Payroll Intuit email
- http://security.intu.../alert.php?a=89
10/10/13 - "Here is a copy of the phishing email people are receiving. Be sure -not- to click any links in the email.

Dear,
We received your payroll on October 9, 2013 at 4:59 PM .
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services

___
This is the end of the fake email.
Steps to Take Now:
Do -not- open the attachment in the email...
Delete the email
..."
___

vBulletin exploit in the wild
- http://www.net-secur...ld.php?id=15743
9 Oct 2013 - "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. vBulletin is currently positioned 4th in the list of installed CMS sites on the Internet... Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker’s methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site... Although vBulletin has not disclosed the root cause of the vulnerability or the impact on customers, they did provide a workaround in a blog post* encouraging customers to delete the /install, /core/install in vBulletin 4.x and 5.x respectively..."
(More detail at the URL above.)
* http://www.vbulletin...4-1-vbulletin-5
___

Fake 'Companies House' SPAM
- http://blog.dynamoo....ouse-phish.html
10 Oct 2013 - "This fake Companies House spam appears to be some sort of phishing attempt:
Date: Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]
From: Companies House [contact@ companieshouse .co .uk]
Subject: Compulsory Companies House WebFiling Update #90721
Compulsory Companies House WebFiling Update #90721
This is an important notice to inform you as a registered company to update your details.
This will make it easier to update our database and keep records of our company...


Screenshot: https://lh3.ggpht.co...ies-house-1.png

The link in the email goes to [phish]www.misspanama .net/respaldo/ukcompany/CompaniesHouse.htm which asks only for a Company Name, email address and password.
> https://lh3.ggpht.co...ies-house-2.png
Once the credentials have been harvested, the victim is sent to a genuine Companies House webpage at www.companieshouse .gov .uk/forms/introduction.shtml
> https://lh3.ggpht.co...ies-house-3.png
So, what is being harvested here? There seems to be no malware involved, so perhaps the bad guys are actually trying to hijack company identities for some evil purpose. It turns out that Companies House have a webpage all about this type of threat and recommend that you forward offending emails to phishing@companieshouse .gov .uk. Just remember.. sometimes phishers are after something a lot less obvious than your bank details!"

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 10 October 2013 - 01:29 PM.



#1045 AplusWebMaster


Posted 11 October 2013 - 04:17 AM

FYI...

Fake Facebook App - Phishers Use Malware
- http://www.symantec....ke-facebook-app
9 Oct 2013 - "Phishers frequently introduce -bogus- applications to add new flavor into their phishing baits... In this particular scam, phishers were trying to steal login credentials, but their means of data theft wasn’t with the phishing bait alone. Their ploy also used malware for harvesting users’ confidential information. The phishing site spoofed the login page of Facebook and was hosted on a free web hosting site.
> http://www.symantec....1/figure1_0.png
The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options to activate the fake app. The first option was by downloading software containing the malware and the second was by entering user credentials and logging into Facebook. A message on the phishing page encouraged users to download the software that would allegedly send notifications to the user when someone visited their Facebook profile. If the download button was clicked, a file download prompt appeared. The file contained malicious content detected by Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site -redirected- to a legitimate Facebook page... If users fell victim to the phishing site by entering their login credentials, the phishers would have successfully stolen their information for identity theft purposes..."
___

Twitter still being used by Hacks...
- http://blog.trendmic...-shady-hackers/
Oct 10, 2013 - "... Twitter said it has 218 million monthly active users, three-quarters of which have accessed the site from a mobile device. It’s not a surprise that some of these users are malicious. What is uncommon is that some of these malicious accounts do try to “engage” with other accounts – even those of security vendors like Trend Micro... Recently, we came across four accounts that added the @TrendLabs Twitter account to various lists. This would not have been unusual, except -all- four accounts were clearly malicious:
Accounts/lists added:
> http://blog.trendmic...witter-list.png
Upon further investigation, these accounts led to more malicious sites offering a variety of hacking tools targeting sites like Facebook and Twitter, as well as a scam site offering free iPhone 5s...
> http://blog.trendmic...witter-tool.jpg
It’s highly likely that these malicious sites are scam sites, offering none of the supposed “tools” that are on offer. Cybercriminals are not below stealing from other would-be online crooks and attackers as well. Unfortunately, this is not the first (or the last) threat that we can encounter on popular social networking sites. Previously, incidents like survey scams, rogue apps, and other threats were frequent, although recent improvements by these sites were able to keep these threats at bay. However, as the popularity of mobile devices grew, cybercrmininals have found a new platform to use in their schemes. Just recently, we found a fake Facebook mobile page* that asks users to disclose credit card details. Cybercriminals may either sell or use these to initiate unauthorized transactions. We advise would-be “curious” users to avoid these sites and profiles completely, and if possible to report these accounts to site administrators (if possible, using the automated block/report features of these services)..."
* http://blog.trendmic...t-card-details/

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 11 October 2013 - 04:36 AM.




#1046 AplusWebMaster


Posted 14 October 2013 - 10:38 AM

FYI...

Phish take to the Skies
- http://www.threattra...sh-takes-skies/
Oct 14, 2013 - "FlyingBlue, the frequent flyer program of Air France and KLM, are sending emails to members warning of a phishing campaign...
“Some Flying Blue members report receiving an e-mail in which they are advised to secure their “Air France-KLM account” by clicking on a link and logging into the “secured Flying Blue network”. This e-mail was not sent by AIR FRANCE, KLM or Flying Blue. Do not log in using this link. Please make sure that you only log into your Flying Blue account if you are in the trusted Flying Blue environment. If you clicked on a link in the fake Flying Blue e-mail, we advise you to check your account now. If you cannot access your account, please contact the Flying Blue Service Centre.”
You can see what one of the phish pages looked like, courtesy of Urlquery(dot)net*.
“We need to verify your email address to confirm you are the owner of this account. In order to protect your privacy, we will never store your password or send emails without your consent”
It seems likely they were after email accounts at a minimum and email & airmiles accounts at a maximum, with airmiles being particularly useful to scammers the World over. We don’t need to tell you how bad it would be to have your email address compromised (or maybe we do!) but many would overlook the significance of having their airmiles targeted. Whether you collect them for business, pleasure or both you should be cautious of -any- emails asking you to login to confirm details. If in doubt, always type the URL into your browser and visit a site directly rather than click blindly and hope for the best. You can see a little more information about the scam currently in circulation by reading the notice on the Flying Blue homepage**..."
* https://urlquery.net....php?id=6411611

** http://www.flyingblu...ue-e-mails.html

- https://www.virustot...09/information/

- http://google.com/sa...c?site=AS:24940
___

Fake T-Mobile themed emails ...
- http://www.webroot.c...s-lead-malware/
Oct 14, 2013 - "The cybercriminals behind last week’s profiled fake T-Mobile themed email campaign* have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message. Detection rate for the spamvertised attachment: MD5: 8a9abe065d473da9527fdf08fb55cb9e ** ... Trojan.DownLoader9.22851; UDS:DangerousObject.Multi.Generic
Once executed, the sample creates the following Mutexes on the affected hosts:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004 / ShimCacheMutex / 85485515
It then (once again) phones back to networksecurityx.hopto .org. The most recent MD5 (MD5: 014543ee64491bac496fabda3f1c8932***) that has phoned back to the same C&C server (networksecurityx.hopto .org) is also known to have phoned back to dahaka.no-ip .biz (89.136.186.200)..."
* https://www.webroot....s-lead-malware/

** https://www.virustot...e09ad/analysis/

*** https://www.virustot...f1f3a/analysis/

:ph34r: <_<

Edited by AplusWebMaster, 14 October 2013 - 11:45 AM.



#1047 AplusWebMaster


Posted 15 October 2013 - 10:27 AM

FYI...

Fake USPS SPAM / Label_ZFRLOADD5PGGZ0Z_USPS.zip
- http://blog.dynamoo....z0zuspszip.html
15 Oct 2013 - "This fake USPS spam has a malicious attachment:
Date: Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]
From: USPS Express Services [service-notification@ usps .com]
Subject: USPS - Missed package delivery
Notification
Our company's courier couldn't make the delivery of package.
REASON: Postal code contains an error.
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: USPSZFRLOADD5PGGZ0Z
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.


There is an attachment Label_ZFRLOADD5PGGZ0Z_USPS.zip which contains a malicious executable Label_101513_USPS.exe (note the date encoded into the filename). VirusTotal shows just 4/46* vendors detect it at present. Automated analysis... shows an attempted communication with traderstruthrevealed .com on 103.8.27.82 (SKSA Technology, Malaysia). There is also another email using this format with the same payload.
Recommended blocklist:
103.8.27.82
traderstruthrevealed .com
"
* https://www.virustot...sis/1381850132/

- https://www.virustot...82/information/
___

Fake Intuit SPAM / payroll_report_147310431_10112013.zip
- http://blog.dynamoo....ntuit-spam.html
15 Oct 2013 - "This fake Intuit spam comes with a malicious attachment:
Date: Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]
From: Intuit Payroll Services IntuitPayrollServices@ payrollservices.intuit .com]
Subject: Payroll Received by Intuit
Dear, [redacted]
We received your payroll on October 11, 2013 at 4:41 PM .
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later. If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later. YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time. Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.
Sincerely, Intuit Payroll Services...


The attachment is payroll_report_147310431_10112013.zip which in turn contains payroll_report_10112013.exe (note the date is encoded into those files). That executable currently has a detection rate of 9/46* at VirusTotal. Automated analysis shows that it attempts to make a connection to mtfsl .com on 184.22.215.50 (Network Operations Center, US). Blocking those temporarily may give some protection against any additional threats using that server."
* https://www.virustot...sis/1381861232/

- https://www.virustot...50/information/

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 15 October 2013 - 08:14 PM.



#1048 AplusWebMaster


Posted 16 October 2013 - 07:30 PM

FYI...

Fake Pinterest SPAM - alenikaofsa .ru
- http://blog.dynamoo....-hernandez.html
16 Oct 2013 - "This fake Pinterest spam leads to a malicious download on alenikaofsa .ru:
Date: Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From: Pinterest [pinbot@ pinterest .biz]
Subject: Your Facebook friend Andrew Hernandez joined Pinterest
A Few Updates...
[redacted]
Andrew Hernandez
Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
Visit Profile
Happy pinning! ...


Screenshot: https://lh3.ggpht.co.../pinterest2.png

... The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here*) that attempts to download [donotclick]alenikaofsa .ru:8080/ieupdate.exe which has a VirusTotal detection rate of just 1/48** (only Kaspersky detects it.. again)... alenikaofsa .ru is registered to the infamous Russian "private person" and is hosted on the following IPs:
62.75.246.191 (Intergenia AG, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
The domain alionadorip .ru is also hosted on these IPs. What's interesting is that 69.46.253.241 was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.
Recommended blocklist:
62.75.246.191
69.46.253.241
alenikaofsa .ru
alionadorip .ru

Footnote:
The malware page uses a similar script to that used here*** although with the rather cheeky comment
// It's "cool" to let user wait 2 more seconds :/ ..."
* http://urlquery.net/....php?id=6856407

** https://www.virustot...sis/1381951170/

*** http://blog.dynamoo....bicyclenet.html
___

Fake LinkedIn SPAM / Contract_Agreement_whatever.zip
- http://blog.dynamoo....ntwhatever.html
16 Oct 2013 - "This fake LinkedIn spam has a malicious attachment:
Date: Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]
From: Shelby Gordon [Shelby@ linkedin .com]
Attached is your new contract agreements.
Please read the notes attached, then complete, sign and return this form.
Shelby Gordon
Contract Manager
Online Division - LinkedIn
Shelby.Gordon@ linkedin .com ...


The attachment has the format Contract_Agreement_recipientname.zip and in turn contains a malicious executable Contract_Agreement_10162013.exe (note the date encoded into the filename). VirusTotal detections are 10/48*. Automated analysis tools... show an attempted connection to miamelectric .com on 209.236.71.58 (Westhost, US). I recommend that you block outbound traffic to that particular domain."
* https://www.virustot...sis/1381954740/
___

Fake job offer - Atlantics Post LLC
- http://blog.dynamoo....-job-offer.html
16 Oct 2013 - "A bit of Money Mule recruiting that isn't really trying very hard..
Date: Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]
From: Atlantics Post [misstates7@ compufort .com]
Subject: Career with Atlantics Post LLC
Atlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for you.
Duties:
Receive packages at workplace (out of home possition);
Transfer the packages to our business partners nationwide;
Keeping accurate records of operations and report them
Requirements:
- Thorough knowledge of quality improvement techniques and experience with process and service delivery improvement.
- Strong ability to analyze, organize and simplify complex processes and data.
- Exceptional attention to detail.
- Considerable experience with data reporting systems.
- Leisure business experience an asset.
- Flexible, adaptable to change, and resourceful in the face of shifting priorities and demands ...

Originating IP is 181.165.70.97 in Argentina. Avoid."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 17 October 2013 - 03:14 AM.


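The mileage-form, USPS, Intuit and LinkedIn lures above all use the same attachment trick: a ZIP whose single member is an .exe carrying a document icon and a date baked into the file name, counting on Windows hiding the real extension. The script below is an added example, not code from the Dynamoo blog or from this thread, of how a mail gateway or an analyst can triage such a ZIP offline by looking at the member's content (the MZ header) rather than its name. The sample ZIP, its member names and contents are constructed for the demo, and the extension and date-stamp heuristics are assumptions drawn from the names quoted in the posts, not rules the blogs state.

```python
"""Triage a mail-attachment ZIP for the executable-in-a-ZIP lure.

Added example; not code from any of the blogs quoted in this thread.
Sample file names and contents below are constructed for the demo.
"""
import io
import re
import zipfile

# Extensions Windows will run when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure pretends to be: "Remittance.pdf.exe" shows as "Remittance.pdf"
# once Windows hides known extensions.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".wav", ".mp3"}
# 6- or 8-digit runs such as 101513, 20130810 or 10112013: the date stamps the
# spammers put into the payload names quoted above (assumed heuristic).
DATE_RE = re.compile(r"(?<!\d)\d{6}(?:\d{2})?(?!\d)")


def _extensions(name):
    """Every extension of the base name, in order: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_member(name, head):
    """Classify one ZIP member from its name and the first bytes of its content."""
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    is_pe = head.startswith(b"MZ")  # DOS/PE executable header
    findings = []
    if is_pe:
        findings.append("pe-header")
    if last in EXEC_EXTENSIONS:
        findings.append("executable-extension")
    if is_pe and last not in EXEC_EXTENSIONS:
        findings.append("extension-mismatch")  # PE content behind a harmless-looking name
    if len(exts) > 1 and any(e in DOC_EXTENSIONS for e in exts[:-1]):
        findings.append("double-extension")
    if DATE_RE.search(name):
        findings.append("date-stamped-name")
    return {
        "name": name,
        "findings": findings,
        # Content decides, not the name: a PE is a PE whatever it is called.
        "suspicious": is_pe or last in EXEC_EXTENSIONS,
    }


def triage_zip(data):
    """Walk every file in a ZIP (given as bytes); return one triage record per member."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(2)
            except RuntimeError:
                # Password-protected member: content cannot be inspected, treat as hostile.
                results.append({"name": info.filename, "findings": ["encrypted"], "suspicious": True})
                continue
            results.append(triage_member(info.filename, head))
    return results


def build_sample_zip():
    """Constructed sample ZIP mimicking the lures above (names and contents are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_101513_USPS.exe", b"MZ" + b"\x00" * 62)        # date-stamped PE
        zf.writestr("Remittance.pdf.exe", b"MZ" + b"\x00" * 62)           # double extension
        zf.writestr("Form_STD261.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")  # benign document
    return buf.getvalue()


if __name__ == "__main__":
    for record in triage_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if record["suspicious"] else "ok"
        print(f"{flag:10} {record['name']:26} {', '.join(record['findings'])}")
```

The "suspicious" verdict depends only on the MZ header or an executable extension; the double-extension and date-stamp findings are context for the analyst and would produce false positives on their own (a legitimate "report_20131015.pdf" is date-stamped too). Feed `triage_zip` the raw bytes of the attachment pulled from the mail store; it never writes the member to disk.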

#1049 AplusWebMaster


Posted 17 October 2013 - 03:38 AM

FYI...

Flash exploits, Fake browser updates - Mass iFrame injection campaign...
- http://www.webroot.c...flash-exploits/
Oct 17, 2013 - "We’ve intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for successful client-side exploits to take place... a social engineering campaign pushing fake browser updates... iFrame URL: mexstat210 .ru – 88.198.7.48 ... Sample detection rate for the malicious script: MD5: efcaac14b8eea9b3c42deffb42d59ac5 * ... Trojan-Downloader.JS.Expack.sn; Trojan:JS/Iframe.BS ... malicious MD5s are also known to have been hosted on the same IP (88.198.7.48)... Client-side exploits serving URL: urkqpv.chinesenewyeartrendy .biz:39031/57e2a1b744927e0446aef3364b7554d2.html – 198.50.225.114
Domain name reconnaissance: chinesenewyeartrendy .biz - 46.105.166.96 known to have responded to the same IP is also appearancemanager .biz ...
... the iFrame injected/embedded URL includes a secondary iFrame pointing to a, surprise, surprise, Traffic Exchange network. Not surprisingly, we also identified a related threat that is currently using the same infrastructure as the official Web site of the Traffic Exchange.
> https://www.webroot....its_Malware.png
Secondary iFrame: mxdistant .com – 213.239.231.141 ... Once executed, it phones back to anyplace-gateway .info – 76.72.165.63 – info@remote-control-pc .com... Moreover, updbrowser .com is also directly related to worldtraff .ru, as it used to push fake browser updates**, similar to the MD5s at bank7 .net and ztxserv .biz..."
(More detail at the webroot URL above.)
* https://www.virustot...3cc75/analysis/

** http://stopmalvertis...cal-update.html

- https://www.virustot...41/information/

- https://www.virustot...63/information/

- https://www.virustot...96/information/

- https://www.virustot...14/information/

- https://www.virustot...48/information/
___

Fake Flash update serves multitude of Firefox Extensions
- http://www.threattra...fox-extensions/
Oct 17, 2013 - "“Update your Flash player”, they said:
> http://www.threattra...ashfirefox1.png
Specifically, “Version 11.9.900.117″ because “if you’re not using the latest version of Flash Player your version may contain vulnerabilities which can be used to attack your computer”. Above, we’re visiting updatedflashplayer(dot)com with Firefox. Running the file will offer up a wide selection of programs that don’t tend to come with what are supposed “security updates”:
> http://www.threattra...airinstall1.png
“After clicking next you will be presented with several great third party offers that can be skipped by pressing decline”
There’s no update to the latest version of Flash – merely something you can use to watch Flash videos with and a bunch of bundled programs. Here’s a few, starting with Fast Free Converter, an Adware plug-in:
> http://www.threattra...airinstall4.png
... Below you can see a typical install, with everything loaded up and ready to roll in your Firefox browser:
> http://www.threattra...10/installs.jpg
... As for the above “Flash Player update”, you can see some more information about it over on VirusTotal where it is currently pegged at 9/48*..."
* https://www.virustot...sis/1381940695/
File name: setup.exe
Detection ratio: 9/48
___

Fake Xerox WorkCentre SPAM / A136_Incoming_Money_Transfer_Form.exe
- http://blog.dynamoo....entre-spam.html
17 Oct 2013 - "The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:
Date: Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From: Incoming Fax [Incoming.Fax3@ victimdomain .com]
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~9.pdf
multifunction device Location: machine location not set
Device Name: Xerox1552
For more information on Xerox products and solutions, please visit http ://www .xerox .com


Attached is an executable file Scanned from a Xerox multi~6.zip which in turn contains a file A136_Incoming_Money_Transfer_Form.exe which has a VirusTotal detection rate of 6/48*. Automated analysis... shows a connection to cushinc .com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday**, so my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent."
* https://www.virustot...sis/1382037428/

** http://blog.dynamoo....ntwhatever.html

- https://www.virustot...58/information/

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 17 October 2013 - 09:14 PM.


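Several posts above end with a "Recommended blocklist" of domains and IPs, and the Xerox post makes the point that blocking the shared Westhost IP 209.236.71.58 covers the other compromised domains on that server, not just the one named. The script below is an added example, not code from the Dynamoo blog or from this thread, showing how to turn those defanged entries into a matcher and run it over proxy logs, matching on the destination IP as well as on the host name so that a sibling domain on the same server is still caught. The IOC text is copied from the posts above; the log format and the log lines are constructed for the demo.

```python
"""Match defanged "Recommended blocklist" entries against proxy logs.

Added example; not code from the Dynamoo blog or from this thread.
The IOCs are copied from the posts above; the log lines are constructed.
"""
import re

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Constructed proxy log format: timestamp client dest_ip host url
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)\s+(?P<url>\S+)$")


def refang(token):
    """Undo the 'warehousesale .com .my' spacing the blog uses to keep IOCs unclickable."""
    return token.replace(" .", ".").replace("[.]", ".").replace("(dot)", ".").strip().lower()


def parse_blocklist(text):
    """Split a blocklist into (ips, domains); label lines such as 'Recommended blocklist:' are skipped."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        token = refang(line)
        if IPV4_RE.match(token):
            ips.add(token)
        elif "." in token:
            domains.add(token.rstrip("."))
    return ips, domains


def domain_matches(host, domains):
    """True for the domain itself or any subdomain of it (cdn.evil.example matches evil.example)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, ips, domains):
    """Return one hit per log line whose host or destination IP is on the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if domain_matches(m["host"], domains):
            reasons.append("domain")
        if m["dst"] in ips:
            reasons.append("ip")
        if reasons:
            hits.append({"src": m["src"], "host": m["host"], "dst": m["dst"], "reasons": reasons})
    return hits


# IOCs as they appear in the posts above (still defanged).
BLOCKLIST = """
Recommended blocklist:
traderstruthrevealed .com
103.8.27.82
mtfsl .com
184.22.215.50
miamelectric .com
209.236.71.58
"""

# Constructed sample log. The third line models the shared-hosting point made above:
# cushinc .com is not on the list but sits on the same Westhost IP as miamelectric .com.
SAMPLE_LOG = [
    "2013-10-15T10:41:02Z 10.0.0.12 103.8.27.82 traderstruthrevealed.com http://traderstruthrevealed.com/x",
    "2013-10-15T10:42:10Z 10.0.0.31 10.1.1.5 intranet.example.com http://intranet.example.com/",
    "2013-10-17T15:03:44Z 10.0.0.12 209.236.71.58 cushinc.com http://cushinc.com/y",
]


def run_sample():
    """Parse the blocklist and scan the constructed log; returns the list of hits."""
    ips, domains = parse_blocklist(BLOCKLIST)
    return scan_log(SAMPLE_LOG, ips, domains)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['src']} -> {hit['host']} ({hit['dst']}): blocked by {', '.join(hit['reasons'])}")
```

The IP match is what gives the coverage the Xerox post is after: a second compromised domain on the same server shows up as an `ip` hit even though nobody has listed it yet. The cost is that IP blocks on shared hosting also catch the legitimate tenants of that server, which is why the blog calls the IP block "prudent" as a temporary measure rather than a permanent rule.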

#1050 AplusWebMaster


Posted 18 October 2013 - 08:27 AM

FYI...

Fake MS Update phish ...
- http://blog.dynamoo....date-phish.html
18 Oct 2013 - "A random and untargeted attempt at phishing with a Windows Update twist.
From: Microsoft Office [accounts-updates@ microsoft .com]
Date: 17 October 2013 02:54
Subject: Microsoft Windows Update
Dear Customer,
Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.
Thank you,
Copyright © 2013 Microsoft Inc. All rights reserved.


The email originates from 66.160.250.236 [mail.andrustrucking .com] which is a trucking company called Doug Andrus Distributing... perhaps they have had their email system compromised (maybe by someone using the same phishing technique)... the link in the email goes to a legitimate but -hacked- site and then lands on a phishing page hosted on [donotclick]www.cycook .com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.
Screenshot: https://lh3.ggpht.co...600/msphish.png
Entering your credentials simply takes you to a genuine Microsoft page:
> https://lh3.ggpht.co...00/msphish2.png
Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution."

Also see recent post: http://forums.whatth...=...st&p=834574

... and:
- https://isc.sans.edu...l?storyid=16838
Last Updated: 2013-10-17 22:19:09 UTC
> https://isc.sans.edu...osoft-phish.jpg
___

Rogue ads lead to toolbar PUA (Potentially Unwanted Application)
- http://www.webroot.c...ed-application/
Oct 18, 2013 - "Potentially Unwanted Applications (PUAs) continue to visually social engineer users into installing virtually useless applications. They monetize each and every install by relying on ‘bundling’ which often comes in the form of a privacy-violating toolbar or third-party application. We recently intercepted a rogue ad that entices users into downloading the Mipony Download Accelerator that is bundled with the privacy-invading FunMoods toolbar PUA, an unnecessary bargain with the integrity and confidentiality of your PC.
Sample screenshot of the landing page:
> https://www.webroot....Application.png
Detection rate for the PUA: MD5: 023e625cbb1b30565d46f7533ddc03db * ... W32/InstallCore.R4.gen!Eldorado; Install Core Click run software.
Domain name reconnaissance: ultimatedownloadaccelerator .com – 50.19.220.248; 174.129.22.118; 23.21.144.61; 23.23.144.245
Upon execution, it phones back to:
cdneu.ultimatedownloadaccelerator .com – 65.254.40.36
os-test.ultimatedownloadaccelerator .com – 54.244.230.64
cdnus.ultimatedownloadaccelerator .com – 199.58.87.155
img.ultimatedownloadaccelerator .com – 199.58.87.155 ...
> https://www.webroot....lication_01.png
Detection rate for the FunMoods Toolbar: MD5: 592f35f9954a7ec4c0b4985857f81ad8 ** Win32/InstallCore; PUP.Optional.Funmoods
Once executed, it phones back to:
os.funmoodscdn .com 54.245.235.34
cdneu.funmoodscdn .com 146.185.27.53
cdnus.funmoodscdn .com 199.58.87.155 ...
Despite the fact that most modern day PUAs include uninstall instructions, our advice is to -not- install them in the first place; instead, seek a legitimate — often free but this time fully featured and working — alternative to their pseudo-unique value propositions..."
* https://www.virustot...sis/1381837813/

** https://www.virustot...sis/1381929038/

___

Fake Avaya "Voice Mail Message" SPAM - malicious payload
- http://blog.dynamoo....-spam-with.html
18 Oct 2013 - "This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):
Date: Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]
From: Voice Mail Message [1c095eb9-fa18-74e5-b@ victimdomain .com]
Subject: Voice Mail Message ( 45 seconds )
This voice message was created by Avaya Modular Messaging. To listen to this voice message, just open it.


Attached is a file VoiceATT0685424.zip which in turn contains a malicious executable VoiceMessageTT.exe with an icon to make it look like an audio file. This trick can work if users have decided to hide the extensions of files in Windows, a stupid default setting that has no doubt infected millions of Windows users over the years.
Screenshot: https://lh3.ggpht.co...oicemessage.png
Of course, the .exe file is malware with a pretty low detection rate of just 3/48* at VirusTotal. Automated analysis... shows a connection to a domain called adamdevarney .com on 209.236.71.58 (Westhost, US) which has been seen twice before**. This means that there are potentially hundreds of compromised domains on the same server; blocking traffic to the IP address will be the most effective way of giving yourself some protection."
* https://www.virustot...sis/1382114301/
File name: VoiceMessageTT.exe
Detection ratio: 3/48

** http://blog.dynamoo....entre-spam.html

** http://blog.dynamoo....ntwhatever.html

___

Fake Dropbox SPAM - dynamooblog .ru
- http://blog.dynamoo....re-on-errr.html
18 Oct 2013 - "Two days ago I wrote about the apparent return of the RU:8080... it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog .ru... this is the latest spam email purportedly from Dropbox, and using the same template as used in this ThreeScripts spam run*.
Screenshot: https://lh3.ggpht.co...00/dropbox2.png
The attack and payload are exactly the same as this one**, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48***. The domain dynamooblog .ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time... this is my recommended blocklist:
dynamooblog .ru, 12.46.52.147, 41.203.18.120, 62.76.42.58, 69.46.253.241, 70.159.17.146, 91.205.17.80, 94.102.14.239, 111.68.229.205, 114.32.54.164, 118.163.216.107, 140.174.98.150, 163.18.62.51, 182.237.17.180, 202.6.120.103, 203.80.16.81, 203.114.112.156, 210.56.23.100, 210.166.209.15, 212.154.192.122, 213.5.182.144, 213.143.121.133, 213.214.74.5 "
* http://blog.dynamoo....malware-on.html

** http://blog.dynamoo....-hernandez.html

*** https://www.virustot...sis/1382130555/
File name: ieupdate.exe
Detection ratio: 29/48


Edited by AplusWebMaster, 18 October 2013 - 04:45 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
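Added example (not code from this post or from the quoted dynamoo article): a small Python check for the attachment trick described in the Avaya "Voice Mail Message" item above, where a zip holds an executable dressed up with an audio-style name and icon. It judges each archive member by its extension and by the PE "MZ" header rather than by the icon or the name Windows shows, so the "hide extensions" setting the post criticises does not matter. The sample archive, member names and payload bytes are constructed inline and contain no real malware.

```python
"""Screen a zip e-mail attachment for Windows executables regardless of name or icon."""
import io
import zipfile
from typing import Dict, List

# Extensions Windows executes directly; the "hide extensions" default keeps
# them out of sight for the user, so a mail gateway has to check programmatically.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def looks_like_pe(header: bytes) -> bool:
    """A Windows PE file starts with the 'MZ' DOS stub whatever its name or icon."""
    return header[:2] == b"MZ"


def scan_zip_attachment(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious archive member; reads 2 bytes per member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename
            lowered = name.lower()
            ext = "." + lowered.rsplit(".", 1)[1] if "." in lowered else ""
            with archive.open(info) as member:
                head = member.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if lowered.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension disguise")
            if looks_like_pe(head):
                reasons.append("PE header (MZ) regardless of name")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the post's VoiceATT0685424.zip (hypothetical contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("VoiceMessageTT.exe", b"MZ" + b"\x90" * 64)    # fake PE, named like the payload
        archive.writestr("VoiceMessage.wav", b"MZ" + b"\x90" * 64)      # fake PE hiding behind .wav
        archive.writestr("VoiceMessage.mp3.exe", b"MZ" + b"\x90" * 64)  # double-extension disguise
        archive.writestr("readme.txt", b"plain text, nothing to see")   # benign member
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_attachment()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```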
