2072 replies to this topic

[AplusWebMaster]

FYI...

Fake billing SPAM - Remit_10212013.exe
- http://blog.dynamoo....it10212013.html
21 Oct 2013 - "This -bogus- remittance spam comes with a malicious attachment:
Date: Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From: Administrator [docs9@ victimdomain]
Subject: FW: Last Month Remit
File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls ...

Screenshot: https://lh3.ggpht.co...s1600/remit.png

The email appears to originate from the victim's own domain, and mentions that domain in the body of the text. The attachment also contains the victims domain in the format Remit_domain.tld.zip which in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file, in this case it is called Remit_10212013.exe but note that the date is encoded into the filename. The malicious payload has a very low detection rate at VirusTotal of just 2/47*. Automated analysis tools... show an attempted connection to p3-sports .com on 192.232.198.101 (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. Also, the malware appears to try to connect to the following IPs** demonstrating a peer-to-peer capability."
* https://www.virustot...sis/1382365823/

** https://malwr.com/an...GVhNzQzMzBiYzQ/

Edited by AplusWebMaster, 21 October 2013 - 10:14 AM.

[AplusWebMaster]

FYI...

Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
- http://www.webroot.c...ed-application/
Oct 22, 2013 - "We’ve just intercepted yet another rogue ad campaign, attempting to trick users into installing the EzDownloaderpro PUA (Potentially Unwanted Application). Primarily relying on catchy “Play Now, Download Now” banners, the visual social engineering tactic of this campaign is similar to other PUA related campaigns we’ve previously profiled...
Sample screenshot of the landing page:
> https://www.webroot....cy-1024x490.png
Landing URL: lp.ezdownloadpro .info/sspcQA/ssa/ – 46.165.228.246
Domain name reconnaissance of the redirectors:
superfilesdocumentsy .asia/v944/?a=1 – 141.101.117.252; 141.101.116.252
applicationscenterforally .asia/v944/?INm – 108.162.197.34; 108.162.196.34
op.applicationscenterforally .asia/sspcQA/ssa/ ...
The following MD5 is also known to have been downloaded from the same IP (108.162.197.34):
MD5: bc44e23e46fa4c3e73413c130d4f2018 *
Detection rate for the sample ‘pushed’ by the rogue Download page: MD5: e8c9c2db3514f375f74b60cb9dfcd4ef ** PUP.Optional.InstalleRex; Installerex/WebPick (fs)
Once executed, the sample phones back to:
r1.stylezip .info – 198.7.61.118
c1.stylezip .info – 198.7.61.118
i1.stylezip .info – 198.7.61.118
... Detection rate for the original EzDownloadpro executable: MD5: 292b53b745e3fc4af79924a3c11fcff0 *** Win32:InstalleRex-U [PUP]; MalSign.Skodna.Pick; PUP.Optional.EZDownloader.A
Sample screenshot of EzDownloadpro’s official Web site:
> https://www.webroot...._Privacy_01.png
Unique PUA MD5s served based on multiple requests to the same URL (applicationscenterforally .asia/v944/?INm)..."
(More detail at the webroot URL.)

* https://www.virustot...18cdc/analysis/

** https://www.virustot...sis/1381845366/

*** https://www.virustot...c9589/analysis/

- https://www.virustot...46/information/

- https://www.virustot...52/information/

- https://www.virustot...52/information/

- https://www.virustot...34/information/

- https://www.virustot...34/information/

- https://www.virustot...18/information/
___

Fake ADP SPAM / abrakandabr .ru
- http://blog.dynamoo....akandabrru.html
22 Oct 2013 - "This fake ADP spam leads to malware on abrakandabr .ru:
From: ClientService@ adp .com [ClientService@ adp .com]
Date: 22 October 2013 18:04
Subject: ADP RUN: Account Charge Alert
ADP Urgent Communication
Note ID: 33400
October, 22 2013
Valued ADP Partner
Account operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the website:
Sign In here
Please see the following notes:
• Please note that your bank account will be debited within 1 banking day for the total shown on the Summary(s)...

Screenshot: https://lh3.ggpht.co...0/adp-spam3.png

The link goes through a legitimate hacked site and then onto a malware landing page at [donotclick]abrakandabr .ru:8080/adp.report.php (if running Windows, else they get sent to adp .com). This is hosted on quite a lot of IP addresses:
69.46.253.241 (RapidDSL & Wireless, US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
163.18.62.51 (TANET, Taiwan)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156(PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.214.74.5 (BBC Cable, Bulgaria)
As mentioned before, this is either the return of the infamous RU:8080 gang, or it is somebody -pretending- to be the gang. But one rather peculiar factor is that in this case the bad guys only seem to have a small pool of servers that have been compromised for some time, and don't seem to have added any news ones.
Recommended blocklist:
69.46.253.241
91.205.17.80
111.68.229.205
114.32.54.164
118.163.216.107
163.18.62.51
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.214.74.5
abrakandabr .ru
dynamooblog .ru
inkrediblehalk .ru
intro2seo .ru
hankoksuper .ru "

- http://threattrack.t...dp-invoice-spam
Oct 22, 2013 - "Subjects Seen:
Payroll Invoice
Typical e-mail details:
A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Year: 13
Week No: 08
Payroll No: 1

Malicious File Name and MD5:
invoice.zip (5B9EABC34B1A326F6491613E9FD6AAFD)
invoice_<random>.pdf.exe
(12C700409E6DB4A6E043BD3BBD3A1A21)

Screenshot: https://gs1.wac.edge...C2sP1r6pupn.png
___

Fake Xerox WorkCentre emails lead to malware
- http://www.webroot.c...s-lead-malware/
Oct 22, 2013 - "We’ve intercepted a currently circulating malicious spam campaign, tricking users into thinking that they’ve received a scanned document sent from a Xerox WorkCentre Pro device. In reality, once users execute the malicious attachment, the cybercriminal(s) behind the campaign gain complete control over the now infected host.
Sample screenshots of the spamvertised malicious email:
> https://www.webroot....kCentre_Pro.png
Detection rate for the malicious attachment: MD5: 1a339ecfac8d2446e2f9c7e7ff639c56 * ... TROJ_UPATRE.AX; Heuristic.LooksLike.Win32.SuspiciousPE.J!89... phones back to:
smclan .com – 209.236.71.58 ... malicious domains are also currently responding to the same IP ..."
* https://www.virustot...279f0/analysis/

- https://www.virustot...58/information/

Edited by AplusWebMaster, 22 October 2013 - 03:40 PM.

[AplusWebMaster]

FYI...

Fake Voice msg. SPAM / VoiceMessage .exe
- http://blog.dynamoo....known-spam.html
23 Oct 2013 - "These bogus voice message spams have a malicious attachment:
Date: Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From: Administrator [voice8@ victimdomain]
Subject: Voice Message from Unknown (553-843-8846)
- - -Original Message- - -
From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee
- -
Date: Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From: Administrator [voice3@ victimdomain]
Subject: Voice Message from Unknown (586-898-9333)
- - -Original Message- - -
From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject: Employees Only ...

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.
> https://lh3.ggpht.co...oicemessage.png
Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46*. Automated analysis... shows an attempted connection to glyphs-design .com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent, however there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block it."
* https://www.virustot...sis/1382536265/
File name: VoiceMessage.exe
Detection ratio: 5/47

- https://www.virustot...73/information/

- http://threattrack.t...ce-message-spam
Oct 23, 2013 - "Subjects Seen:
Voice Message from Unknown (389-353-7349)
Typical e-mail details:
- - -Original Message- - -
From: 389-353-7349
Sent: Wed, 23 Oct 2013 08:52:48 -0500
To: <e-mail addresses>
Subject: Important: to all Employees

Malicious File Name and MD5:
VoiceMessage.zip (D33AF1A7B51CFA41EAAB6292E0F6EBBE)
VoiceMessage.exe
(535109E4902D32BB6F11F7235FCEC6C4)

Screenshot: https://gs1.wac.edge...NZfU1r6pupn.png

[AplusWebMaster]

FYI...

Fake resume SPAM / Resume_LinkedIn.exe
- http://blog.dynamoo....inkedinexe.html
24 Oct 2013 - "This rather terse spam email message has a malicious attachment:
Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From: Elijah Parr [Elijah.Parr@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Elijah Parr
------------------------
Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From: Greg Barnes [Greg.Barnes@ linkedin .com]
Subject: My resume
Attached is my resume, let me know if its ok.
Thanks,
Greg Barnes

The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable. VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools... show an attempted connection to homevisitor .co .uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1]* [2]**."
* https://www.virustot...22/information/

** http://urlquery.net/...6...0-24&max=50

- http://threattrack.t...din-resume-spam
Oct 24, 2013 - "Subjects Seen:
My resume
Typical e-mail details:
Attached is my resume, let me know if its ok.
Thanks,
Mike Whalen

Malicious File Name and MD5:
Resume_LinkedIn.zip (AF04ED38D97867F8E773B6AFC14ED9F0)
Resume_LinkedIn.exe
(62F4A3DFE059E9030E2450D608C82899)

Screenshot: https://gs1.wac.edge...qrta1r6pupn.png
___

Fake Company Reports emails lead to malware ...
- http://www.webroot.c...s-lead-malware/
Oct 24, 2013 - "A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality through, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it a variety of fraudulent ways.
Sample screenshots of the spamvertised email:
> https://www.webroot....any_Reports.png
Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 * ... Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH ... The sample then phones back to det0nator.com – 38.102.226.14 on port 443, as well as to... C&C servers (-many- listed at the webroot URL above)... MD5s are known to have phoned back to the same IP (38.102.226.14)... MD5s known to have phoned back to the same C&C servers over the last couple of days..."
* https://www.virustot...9360f/analysis/
File name: Company_Report_10222013.exe
Detection ratio: 28/44

- https://www.virustot...14/information/
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Faxed Document Delivery Email Messages - 2013 Oct 24
Fake Payroll Report Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake UPS Payment Document Attachment Email Messages - 2013 Oct 24
Fake Financial Account Statement Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Bank Payment Transfer Notification Email Messages - 2013 Oct 24
Fake Invoice Statement Attachment Email Messages - 2013 Oct 24
Fake Payroll Invoice Notification Email Messages - 2013 Oct 24
Fake Product Purchase Order Email Messages - 2013 Oct 24
Fake Payment Confirmation Notification Email Messages - 2013 Oct 24
Malicious Personal Pictures Attachment Email Messages - 2013 Oct 24
Fake Resume Delivery Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Product Quote Request Email Messages - 2013 Oct 24
Email Messages with Malicious Attachments - 2013 Oct 24
Fake Money Transfer Notification Email Messages - 2013 Oct 23
Fake Xerox Scanned Attachment Email Messages - 2013 Oct 23
(More detail and links at the cisco URL above.)

Edited by AplusWebMaster, 24 October 2013 - 02:31 PM.

[AplusWebMaster]

FYI...

Survey Scams - Halloween freebies ...
- http://blog.trendmic...y-survey-scams/
Oct 24, 2013 - "... scams we saw used free Halloween products as bait. Searching for the phrase “Halloween GET FREE” leads to a suspicious YouTube video:
Suspicious YouTube video
> http://blog.trendmic...en-youtube1.jpg
The URL advertised on the video’s page leads users to a scam site that asks for your personal information, including your email address.
Survey site
> http://blog.trendmic...en-youtube2.jpg
Survey scam
> http://blog.trendmic...en-youtube3.jpg
Using similar keywords on Twitter yielded two suspicious accounts. Each account had a Halloween-themed Twitter handle, perhaps to entice users into checking out the accounts.
Two suspicious Twitter accounts
> http://blog.trendmic...n-twitter11.jpg
Each account advertises free Halloween candy with a corresponding URL to get the said candy. The advertised website leads users to survey scams, rather than candy. Facebook also became home to a Halloween-themed survey scam. We spotted a Facebook page that advertises free Halloween candy, like the scam on Twitter. To get the candy, users are supposed to click a link on the page.
Website advertising free candy
> http://blog.trendmic...n-facebook1.jpg
But much like the other scams, this simply leads to a survey site. It’s interesting to note that users are directed to the page used in the YouTube scam mentioned earlier. To further entice users, the site promises Apple products in exchange for finishing the survey.
Apple products as “reward” for completed surveys
> http://blog.trendmic...n-facebook3.jpg
It might be tempting to get free stuff online, but users should always be cautious when encountering these types of promos or deals. Cybercriminals are willing to promise anything and everything just to get what they want. When encountering deals that are too good to be true, users should err on the side of caution and assume that they are..."
* http://blog.trendmic...ts-infographic/
"... Oct 29, 2011... filed under Bad Sites"
___

Fake Lloyds SPAM - Lloyds TSB msg...
- http://blog.dynamoo....lloyds-tsb.html
25 Oct 2013 - "This fake Lloyds TSB message has a malicious attachment:
Date: Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From: LloydsTSB [noreply@ lloydstsb .co .uk]
Subject: You have received a new debit
Priority: High Priority 1 (High)
This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.
The details of the payment are attached...

Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't. The VirusTotal detection rate is a so-so 13/47*. Automated analysis... shows an attempted connection to www .baufie .com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box."
* https://www.virustot...sis/1382702941/

- https://www.virustot...41/information/

Edited by AplusWebMaster, 25 October 2013 - 07:27 AM.

[AplusWebMaster]

FYI...

Fake "You're a Mercedes-Benz winner!" SPAM
- http://blog.dynamoo....inner-spam.html
27 Oct 2013 - "This is a slightly novel twist on an advanced fee fraud scam:
From: Mercedes-Benz [desk_notification@ yahoo .com]
Reply-To: bmlot20137@ live .com
Date: 27 October 2013 13:44
Subject: You are a Mercedes-Benz winner !!!
Dear Recipient,
You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner...
Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.
Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator

The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq). You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise."
Labels: 419, Advanced Fee Fraud, Scam, Spam

[AplusWebMaster]

FYI...

Fake WhatsApp Voice msg. emails lead to malware
- http://www.webroot.c...lead-malware-2/
Oct 28, 2013 - "... The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts...
Sample screenshot of the spamvertised email:
> https://www.webroot...._Cybercrime.png
Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 * ... Trojan.Win32.Sharik.qhd
... attempts to download additional malware from the well known C&C server at networksecurityx.hopto .org ..."
* https://www.virustot...36964/analysis/
___

Fake AMEX "Fraud Alert" SPAM / steelhorsecomputers .net
- http://blog.dynamoo....alert-spam.html
28 Oct 2013 - "This fake Amex spam leads to malware on steelhorsecomputers .net:
From: American Express [fraud@ aexp .com]
Date: 28 October 2013 14:14
Subject: Fraud Alert : Irregular Card Activity
Irregular Card Activity
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 28th October, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
https ://www .americanexpress .com/
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.
© 2013 American Express Company. All rights reserved.
AMEX Fraud Department

Screenshot: https://lh3.ggpht.co.../s1600/amex.png

The link in the email goes through a legitimate but -hacked- site and then runs of of the following three scripts:
[donotclick]kaindustries .comcastbiz .net/imaginable/emulsion.js
[donotclick]naturesfinest .eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse .com/handmade/analects.js
From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers .net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too..."
Recommended blocklist:
96.126.102.8
8353333 .com ..."

- https://www.virustot....8/information/
___

Past Due Invoice Spam
- http://threattrack.t...ue-invoice-spam
Oct 28, 2013 - "Subjects Seen:
Past Due Invoice
Typical e-mail details:
Your invoice is attached. Please remit payment at your earliest convenience.

Malicious File Name and MD5:
invoice_95836_10282013.zip (7CDBF5827161838D7C5BD0E5B98E01C1)
invoice_95836_10282013.exe (C277EA5A86F25AC0B704CAF5832FC614)

Screenshot: https://gs1.wac.edge...X8gD1r6pupn.png

Edited by AplusWebMaster, 28 October 2013 - 12:21 PM.

[AplusWebMaster]

FYI...

Fake Wells Fargo SPAM / Copy_10292013.zip
- http://blog.dynamoo....-copy-spam.html
29 Oct 2013 - "These fake Wells Fargo spam messages have a malicious attachment:
Date: Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From: Wells Fargo [Emilio.Hendrix@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...
--------------------
Date: Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From: Wells Fargo [Leroy.Dale@ wellsfargo .com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@ wellsfargo .com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103...

Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary. The VirusTotal detection rate is just 3/47*. Automated analysis... shows an attempted connection to allisontravels .com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these."
* https://www.virustot...sis/1383058267/

- http://threattrack.t...check-copy-spam
Oct 29, 2013 - "Subjects Seen:
FW: Check copy
Typical e-mail details:
We had problems processing your latest check, attached is a image copy...

Malicious File Name and MD5:
Copy_10292013.zip (E0D3B0A7BCCDD0AA79A1F81C79A83784)
Copy_10292013.exe (93CCC1B516EFC3365CECED8AE0B57EE2)

Screenshot: https://gs1.wac.edge...kFaj1r6pupn.png
___

Something evil on 82.211.31.147
- http://blog.dynamoo....8221131147.html
29 Oct 2013 - "Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2]... domains and subdomains are associated with with IP address. I recommend blocking them, or more easily the IP address itself."
(Long list at the dynamoo URL above.)
1) http://urlquery.net/...1...0-29&max=50

2) https://www.virustot...47/information/
___

CookieBomb toolkit ...
- http://community.web...mb-toolkit.aspx
Oct 29, 2013 - "... source of this message is a spambot or script. When looked over with an experienced eye, it becomes apparent this email may just have come from the Kelihos botnet...
46.180.44.231
46.185.22.123
109.162.98.248
Malware evolution is not new: indeed, since the days of Dark Avenger’s polymorphic engine, the Mutation Engine (MtE), obfuscation and evasion have been commonplace within most, if not all malware families... in as little as 6 months, a simple tool for delivering Exploit Kits to end users has not only had its code radically altered, but has split into two distinct campaigns. One campaign is as mentioned above, infecting legitimate hosts via the exploitation of vulnerabilities; the other... piggybacking on the Kelihos Botnet, which is an incredibly sophisticated and effective spam platform, as a means of exposing end users to EKs via blatantly malicious domains. Whether this tool was exclusively rented by/to the BHEK team, or whether in fact it was coded by them, remains to be seen."
- https://www.virustot...31/information/

- https://www.virustot...48/information/
___

Fake Obamacare Websites...
- http://www.hoax-slay...-websites.shtml
Oct 29, 2013 - "... Many fake websites* have been set up to capitalize on the recent launching of the Healthcare.gov website. People who provide information on the fake websites may be opening themselves up to identity theft or other types of scam attempts..."
* http://washingtonexa...article/2537691
23 Oct 2013 - "More than 700 websites have been created with names playing off of Obamacare or Healthcare.gov, making it likely that some Americans will mistakenly hand over private information to unknown third-parties..."
___

Suspect network: 69.26.171.176/28
- http://blog.dynamoo....2617117628.html
29 Oct 2013 - "69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.
%rwhois V-1.5:0000a0:00 rwhois.xeex .com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@ xeex .com
network:class-name:network

There are three very recent Malwr reports involving sites in this range:
69.26.171.179 - bookmarkingbeast .com
- https://malwr.com/an...jAyYmFjMWRhMTU/
69.26.171.181 - allisontravels .com
- https://malwr.com/an...WJhNDNlZjVjMzA/
69.26.171.182 - robotvacuumhut .com
- https://malwr.com/an...DY5ODRiNWVhM2I/
As a precaution, I would recommend temporarily blocking the whole range... other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection..."
(More domains listed at the dynamoo URL above.)
___

Fake Unemployment Assistance SPAM / attached_forms.exe
- http://blog.dynamoo....assistance.html
29 Oct 2013 - "This spam comes with a malicious attachment:
Date: Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]
From: "info@victimdomain" [info@ victimdomain]
Subject: [No Subject]
A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former employee. You are requested to:
Provide Wage and Separation information (Form 1062/1074)
And/or
Provide Separation Pay Information
If you do not provide this information, you may lose your right to appeal any
determination made on the claim.
To provide this information electronically, please print attached claim (file) and
complete any outstanding forms...

Attached is a file with the rather long name of case#976179103613297~9392736683167.zip which contains a malicious executable attached_forms.exe with an icon that makes it look like a PDF file. The VirusTotal detections stand at 8/46* ... I strongly suspect that there is a problem with servers in the 69.26.171.176/28** range so you might want to block those temporarily..."
* https://www.virustot...sis/1383071828/

** http://blog.dynamoo....2617117628.html

Edited by AplusWebMaster, 29 October 2013 - 02:46 PM.

[AplusWebMaster]

FYI...

Fake eFax message SPAM / bulkbacklinks .com and Xeex .com
- http://blog.dynamoo....ssage-spam.html
30 Oct 2013 - "... do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.
Date: Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From: eFax Corporate [message@ inbound . efax.com]
Subject: Corporate eFax message from "673-776-6455" - 2 pages
Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service..
-----------------------
Date: Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From: eFax Corporate [message@ inbound .efax.com]
Subject: Corporate eFax message from "877-579-4466" - 5 pages
Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service...

Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file. This has a very low detection rate at VirusTotal of just 1/46*. Automated analysis tools... show an attempted connection to a domain bulkbacklinks .com on 69.26.171.187. This is part of the same compromised Xeex address range... Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list**."
* https://www.virustot...sis/1383148137/

** http://blog.dynamoo....2617117628.html
___

Something evil on 144.76.207.224/28
- http://blog.dynamoo....7620722428.html
30 Oct 2013 - "The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report*)... This is a Hetzner IP range... Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious (Long list - see the dynamoo URL above)... I would recommend blocking all those domains plus the 144.76.207.224/28 range. Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges (Also listed at the dynamoo URL above)..."
* http://urlquery.net/....php?id=7281185

[AplusWebMaster]

FYI...

Rogue Ads in Yahoo lead to Sirefef Infection
- http://www.threattra...efef-infection/
Oct 30, 2013 - "Our researchers in the AV Labs are continuing to see fake software being served on unfamiliar sponsored links or ads found in search results. Recently, we found [color=#800000;]an ad for a fake browser[/color] on Yahoo! after doing a search for “google chrome browser”.
> http://www.threattra...o-search-ad.png
Clicking the first ad we highlighted above leads users to the website, softpack(dot)info/chrome/:
> http://www.threattra...chrome-page.png
Below this page are texts that read as follows:
> http://www.threattra...-section-wm.png
... In case you’re not familiar, rogue sites like this usually serve free-to-download software that are modified to install adware. In this case, Google_Chrome_30.0.1599.69.exe, the -fake- browser file, is wholly malicious and [color=#800000;]belongs to the Sirefef/ZeroAccess malware family[/color]. We were able to retrieve two variants of this file...
MD5 9111ebfbf015c3096f650060819f744b – detected as Trojan.Win32.Generic!SB.0 (15/47*)
MD5 60a0e64fec6b5e509b666902e72833ea – detected as Trojan.Win32.Generic.pak!cobra (7/47**)
... We fed the files into our sandbox and found that -both- variants -disable- Windows security features and prevent the OS from updating automatically. Infected systems, especially those that run outdated software and have no added security software in place, face the risk of further infection from other malware. Users are advised to be careful in clicking ads for free software. It is still safer for you... to visit -official- pages of the software you wish to download and install onto your system. You may also consider installing AdBlock Plus*, a software that can be installed in the browser to prevent ads from appearing on sites while you surf..."
* https://www.virustot...sis/1383072130/

** https://www.virustot...0ffbd/analysis/

*** https://addons.mozil...n/adblock-plus/
 

[AplusWebMaster]

FYI...

Fake Snapchat install leads to Adware
- http://www.threattra...l-leads-adware/
Nov 1. 2013 - "Our Labs recently identified numerous files claiming to be Snapchat.exe, which is a popular photo messaging application. These files were most assuredly not Snapchat, so we were curious to find out what was going on. As it turns out, a quick search in Bing brings forth answers:
> http://www.threattra...-optimum-ad.png
The very first entry under the search is an ad, leading to videonechat(dot)com.
> http://www.threattra...pchatdorgem.jpg
The website simultaneously talks about installing Snapchat, while listing the program as “Dorgem” in small letters in the grey box on the top right hand side. At this point, you might want to take a wild guess as to whether you’re going to end up with Snapchat, a hugely popular and current application, or a now discontinued webcam capture program called -Dorgem- which has been bundled with programs you likely don’t need... The install offers up a number of ad serving programs, media players and additional software offered up with no relation to Snapchat whatsoever. During testing, we saw Realplayer, GreatArcadeHits, Optimizer Pro, Scorpion Saver and Word Overview...
> http://www.threattra...edge-snap-7.png
Legitimate programs being bundled with Adware is a common enough tactic, but this is an Optimum Installer bundle where a website serves as clickbait for a deliberately misrepresented app – you most definitely do not get what you’re promised in return for installing numerous pieces of ad-serving software. Don’t fall for this one. VirusTotal pegs this one at 6/47*..."
* https://www.virustot...sis/1383232536/
___

Email Quota Limit Credentials Phish
- http://threattrack.t...edentials-phish
Nov 1, 2013 - "Subjects Seen:
    Email Quota Limit
Typical e-mail details:
    Your mailbox has exceeded the storage limit, you may not be able to send or receive new mail until you re-validate your mailbox mail with the link below.
    System Administrator

Malicious URLs
    suppereasy.jimdo .com

Screenshot: https://gs1.wac.edge...DIa01r6pupn.png
 

Edited by AplusWebMaster, 01 November 2013 - 11:54 AM.

[AplusWebMaster]

 FYI...

Ads lead to SpyAlertApp PUA ...
- http://www.webroot.c...ed-application/
Nov 1, 2013 - "... They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs...
Sample screenshots of the landing page:
> https://www.webroot....on-896x1024.png
Landing URL: spyalertapp .com
Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 * ... Win32/ExFriendAlert.B; SearchDonkey (fs)
Once executed, it phones back to 66.135.34.182 and 66.135.34.181 ... PUA MD5s are known to have phoned back to these IPs... Want to known who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam**, a try."
* https://www.virustot...sis/1382979505/

** http://www.mozilla.o...n-US/lightbeam/

- https://www.virustot...81/information/

- https://www.virustot...82/information/
 

[AplusWebMaster]

FYI...

Fake SAGE SPAM / Payroll_Report-PaymentOverdue.exe
- http://blog.dynamoo....spond-spam.html
4 Nov 2013 - "This -fake- SAGE spam has a malicious attachment:
    Date:      Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
    From:      Payroll Reports [payroll@sage .co .uk]
    Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
    Sincerely,
    Bernice Swanson
    This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY...

Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with a icon that makes it look like an Excel spreadsheet. This malware has a VirusTotal detection rate of just 4/47*, and automated analysis tools... shows an attempted connect to goyhenetche .com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones** too."
* https://www.virustot...sis/1383579237/

** https://www.virustot...88/information/

Diagnostic page for AS32475 (SINGLEHOP-INC)
- http://google.com/sa...c?site=AS:32475
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-11-04, and the last time suspicious content was found was on 2013-11-04... we found 73 site(s) on this network... that appeared to function as intermediaries for the infection of 371 other site(s)... We found 147 site(s)... that infected 543 other site(s)..."

- http://threattrack.t...ue-payment-spam
Nov 4, 2013 - "Subjects Seen:
    Payment Overdue - Please respond
Typical e-mail details:
    Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
    Sincerely,
    Shelby Lloyd

Malicious File Name and MD5:
    PaymentOverdue.zip (AF69AE41F500EBCE3A044A1FC8FF8701)
    Payroll_Report-PaymentOverdue.exe (32B2481F9EF7F58D3EF3640ECFC64B19)

Screenshot: https://gs1.wac.edge...PlId1r6pupn.png
___

Ring Central Fax Spam
- http://threattrack.t...entral-fax-spam
Nov 4, 2013 - "Subjects Seen:
    New Fax Message on 11/04/2013
Typical e-mail details:
    To view this message, please open the attachment
    Thank you for using RingCentral.

Malicious File Name and MD5:
    <random #s>.pdf.exe (FE52EE7811D93A3E941C0A15126152AC)
    <random #s>.zip (8728BBFD1ABAC087211D55BB53991017)

Screenshot: https://gs1.wac.edge...LMDn1r6pupn.png
 

Edited by AplusWebMaster, 04 November 2013 - 02:28 PM.

[AplusWebMaster]

 FYI...

Fake ACH SPAM / ACAS1104201336289204PARA7747.zip
- http://blog.dynamoo....end-of-day.html
5 Nov 2013 - "This fake ACH (or is it Paychex?) email has a malicious attachment:
    Date:      Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
    From:      "Paychex, Inc" [paychexemail@ paychex .com]
    Subject:      ACH Notification : ACH Process End of Day Report
    Attached is a summary of Origination activity for 11/04/2013 If you need assistance
    please contact us via e-mail at paychexemail@ paychex .com during regular business hours.
    Thank you for your cooperation.

Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46*. Automated analysis... shows an attempted connection to slowdating .ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised. The malware drops several files..."
* https://www.virustot...sis/1383665169/

- https://www.virustot...15/information/
___

Fake USPS SPAM / Label_442493822628.zip
- http://blog.dynamoo....3822628zip.html
5 Nov 2013 - "This -fake- USPS spam has a malicious attachment:
    Date:      Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
    From:      USPS Express Services [service-notification@ usps .gov]
    Subject:      USPS - Missed package delivery
    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.
    Label: 442493822628
    Print this label to get this package at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    USPS Logistics Services...

The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46*. Automated analysis... shows an attempted connection to sellmakers .com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised."
* https://www.virustot...sis/1383666106/

- https://www.virustot...40/information/
 

Edited by AplusWebMaster, 06 November 2013 - 07:28 AM.

[AplusWebMaster]

FYI...

Fake invoice SPAM leads to DOC exploit
- http://blog.dynamoo....commercial.html
6 Nov 2013 - "This -fake- invoice email leads to a malicious Word document:
    From: Dave Porter [mailto:dave.porter@blueyonder .co .uk]
    Sent: 06 November 2013 12:06
    To: [redacted]
    Subject: Invoice 17731 from Victoria Commercial Ltd
    Dear Customer :
    Your invoice is attached to the link below:
    [donotclick]http ://www.vantageone .co .uk/invoice17731.doc
    Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Victoria Commercial Ltd

The email originates from bosmailout13.eigbox .net [66.96.186.13] which belongs the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone .co .uk/invoice17731 .doc which appears to be a -hacked- legitimate web site.
Detection rates have continued to improve throughout the day and currently stand at 10/47*. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys .com
feeds.nsupdatedns .com
It is the same attack as described by Blaze's Security Blog** and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60 ..."
* https://www.virustot...sis/1383746893/

** http://bartblaze.blo...e-exploits.html

- https://www.virustot...91/information/

- https://www.virustot...60/information/
___

Fake voice mail SPAM / VoiceMail.zip
- http://blog.dynamoo....known-spam.html
6 Nov 2013 - "This -fake- voice mail spam comes with a malicious attachment:
    Date:      Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
    From:      Administrator [voice9@ victimdomain]
    Subject:      Voice Message from Unknown (886-966-4698)
    - - -Original Message- - -
    From: 886-966-4698
    Sent: Wed, 6 Nov 2013 22:22:28 +0800
    To: recipients@ victimdomain
    Subject:  Private Message

The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file. This malware file has a detection rate of 3/47* at VirusTotal. Automated analysis tools... show an attempted connection to twitterbacklinks .com  on 216.151.138.243 (Xeex, US) which is a web host that has been seen before** in this type of attack. Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28... domains are consistent with the ones compromised here*** and it is likely that they have all also been compromised."
Recommended blocklist:
69.26.171.176/28
216.151.138.240/28 ..."
(More listed at the dynamoo URL above.)
* https://www.virustot...sis/1383748084/

** http://blog.dynamoo....arch/label/Xeex

*** http://blog.dynamoo....2617117628.html
 

Edited by AplusWebMaster, 06 November 2013 - 10:35 AM.