
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1066 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 November 2013 - 11:53 AM

FYI...

Fake voicemail SPAM / Voice_Mail.exe  
- http://blog.dynamoo....-mail-spam.html
7 Nov 2013 - "This -fake- voice mail spam has a malicious attachment:
    Date:      Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
    From:      Microsoft Outlook [no-reply@ victimdomain .net]
    Subject:      You received a voice mail
    You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
    Caller-Id:
    698-333-5643
    Message-Id:
    80956-84B-12XGU
    Email-Id:
    [redacted]
    This e-mail contains a voice message.
    Double click on the link to listen the message.
    Sent by Microsoft Exchange Server 


Screenshot:  https://lh3.ggpht.co...0/voicemail.png

Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47* and automated analysis tools... show an attempted connection to amazingfloorrestoration .com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious."
* https://www.virustot...sis/1383838216/

- https://www.virustot...66/information/
___

Visa Recent Transactions Report Spam
- http://threattrack.t...ons-report-spam
Nov 7, 2013 - "Subjects Seen:
    VISA - Recent Transactions Report
Typical e-mail details:
    Dear Visa card holder,
    A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.
    For more details please see the attached transaction report.
    Dion_Andersen
    Data Protection Officer
    VISA EUROPE LIMITED
    1 Sheldon Square
    London W2 6WH
    United Kingdom


Malicious File Name and MD5:
    payment.exe (A4D868FB8A01CA999F08E5739A5E73DC)


Screenshot: https://gs1.wac.edge...IxPM1r6pupn.png
___

DocuSign - Internal Company Changes Spam
- http://threattrack.t...ny-changes-spam
Nov 7, 2013 - "Subjects Seen:
    Please DocuSign this document : Company Changes - Internal Only
Typical e-mail details:
    Sent on behalf of <email address>.
    All parties have completed the envelope ‘Please DocuSign this document: Company Changes - Internal Only..pdf’.
    To view or print the document download the attachment. (self-extracting archive, Adobe PDF)
    This document contains information confidential and proprietary to <email domain>


Malicious File Name and MD5:
    Company Changes - Internal Only.PDF.zip (1B853B2962BB6D5CAA7AB4A64B83EEFF)
    Company Changes - Internal Only.PDF.exe (03C3407D732A94B05013BD2633A9E974)


Screenshot: https://gs1.wac.edge...r8NO1r6pupn.png
___

My FedEx Rewards Spam
- http://threattrack.t...ex-rewards-spam
Nov 7, 2013 - "Subjects Seen:
    Your Rewards Order Has Shipped
Typical e-mail details:
    This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
    You can review complete details of your order on the Order History page
    Thanks for choosing FedEx.


Malicious File Name and MD5:
    Order history page.zip (EE074EAACC3D444563239EF0C9F4CE0D)
    Order history page.pdf.exe (DF86900EC566E13B2A8B7FD9CFAC5969)


Screenshot: https://gs1.wac.edge...G7MY1r6pupn.png
 

:ph34r: <_<


Edited by AplusWebMaster, 07 November 2013 - 03:18 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1067 AplusWebMaster


Posted 08 November 2013 - 02:18 PM

FYI...

Malware sites to block - (Nuclear EK)
- http://blog.dynamoo....13-nuclear.html
8 Nov 2013 - "The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example*). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google. The domains are being used with subdomains, so they don't resolve directly. I have identified -3768- domains in this OVH range... The subdomains can be found in this file [csv**] but as it is almost definitely incomplete it is simpler to use the blocklist below:
142.4.194.0/30 ..."
(More domains listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=7517029

** http://www.dynamoo.c...te-customer.csv
___

Fake Voicemail SPAM / MSG00049.zip and MSG00090.exe
- http://blog.dynamoo....049zip-and.html
8 Nov 2013 - "Another day, yet another -fake- voicemail message spam with a malicious attachment:
    Date:      Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
    From:      Voicemail [user@ victimdomain .com]
    Subject:      Voicemail Message
    IP Office Voicemail redirected message


Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47*. Automated analysis... shows an attempted connection to seminyak-italian .com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server, I cannot vouch for them being safe or not".
* https://www.virustot...sis/1383936341/

- https://www.virustot...99/information/
___

Shylock/Caphaw Drops Blackhole for Styx and Nuclear
- http://www.threattra...yx-and-nuclear/
Nov 8, 2013 - "In early October, news of the arrest of “Paunch” and his cohorts in Russia... Because of this, experts in the security industry had noticed the lack of new updates for the BHEK. Our experts in the Labs also concurred a possible dropping of threats involving the BHEK. With this in mind, it’s highly likely for online criminals to look for other alternatives...
> http://www.threattra...-to-exploit.jpg
... Sutra TDS has been associated with a number of Web threats, such as exploits (BHEK), rogue AV and ransomware among others as part of their infection and/or propagation tactics for years. Even phishers have jumped into the bandwagon... steps you can take in protecting yourself against Styx-based threats:
• Make sure to update all your software in real-time. You might be better off using patch management software to assist with this. Such programs run in the background and prompt users whenever they detect new updates for software users have installed on systems.
• Keep your antivirus software also up-to-date.
• Block or filter off URLs with patterns that resemble Sutra TDS landing pages. Please ask assistance from someone if you need to."
___

Key Bank Secure Message Spam
- http://threattrack.t...re-message-spam
Nov 8, 2013 - "Subjects Seen:
    You have received a secure message
Typical e-mail details:
    Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @ res. cisco .com to receive a mobile login URL.
    If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.7941.
    First time users - will need to register after opening the attachment.


Malicious File Name and MD5:
    Secure_Message.zip (4301BE522A5254DBB5DBCF96023526B9)
    Secure_Message.exe (8E0E9C0995B220FA8DFBC8BFFA54759F)


Screenshot: https://gs1.wac.edge...EbVl1r6pupn.png
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 08 November 2013 - 03:22 PM.

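The dynamoo posts above hand out blocklists as CIDR ranges (142.4.194.0/30) and single hosts, with the repeated caveat that some of those servers also host legitimate sites. The following is an added example, not code from the thread or from dynamoo, showing how a defender would actually apply such a list: parse the ranges once with the standard-library `ipaddress` module and match them against proxy log lines, downgrading hits on known shared-hosting IPs to "review" rather than "block". The log format, the `.test` hostnames and the client addresses are constructed for the example; the blocklist entries are the ones quoted in the posts.

```python
import ipaddress
import re

# Ranges and hosts quoted from the dynamoo posts in this thread (8 and 11 Nov 2013).
# In practice these would be loaded from a maintained blocklist file.
BLOCKLIST = [
    "142.4.194.0/30",     # Nuclear EK hosting in the OVH range
    "212.19.36.192/27",   # "Consumer Benefit Ltd" adware ranges
    "82.98.97.192/28",
    "198.1.84.99",        # seminyak-italian .com callback (shared server, ~7 legit sites)
]

# Hosts the posts describe as shared servers: a hit is worth a look, not an automatic block.
SHARED_HOSTS = {"198.1.84.99"}


def compile_blocklist(entries):
    """Parse CIDR ranges and bare IPs into ip_network objects (a bare IP becomes /32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


# Constructed, minimal proxy access line: "<epoch> <client> <method> <url> <dest_ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dest>\S+)"
)


def match_log(lines, networks, shared=SHARED_HOSTS):
    """Return (client, dest_ip, url, severity) for every line whose destination is listed.

    Lines that do not parse, or whose destination field is not an IP address,
    are skipped rather than treated as matches.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            dest = ipaddress.ip_address(m["dest"])
        except ValueError:
            continue
        if any(dest in net for net in networks):
            severity = "review" if str(dest) in shared else "block"
            hits.append((m["client"], str(dest), m["url"], severity))
    return hits


# Constructed sample log (not real traffic). 142.4.194.2 and 212.19.36.200 fall inside
# the quoted ranges; 203.0.113.7 is documentation space and must not match.
SAMPLE_LOG = """\
1383926400 10.0.0.5 GET http://landing.test/ 142.4.194.2
1383926405 10.0.0.5 GET http://www.news.test/index.html 203.0.113.7
1383926410 10.0.0.9 GET http://seminyak.test/ 198.1.84.99
1383926412 10.0.0.9 GET http://offers.test/ 212.19.36.200
1383926415 10.0.0.9 CONNECT not-an-ip:443 garbage
""".splitlines()


def scan_sample():
    """Run the matcher over the constructed log with the quoted blocklist."""
    return match_log(SAMPLE_LOG, compile_blocklist(BLOCKLIST))


if __name__ == "__main__":
    for client, dest, url, severity in scan_sample():
        print(f"{severity:6} {client} -> {dest} ({url})")
```

The `review` tier exists because of the caveat the posts keep repeating: blocking a whole shared-hosting IP cuts off the innocent sites on it, so a hit on such a host should go to an analyst rather than straight to the firewall.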


#1068 AplusWebMaster


Posted 11 November 2013 - 07:59 AM

FYI...

Typhoon Scams... Email, Telephone, Door to Door
- http://www.threattra...hone-door-door/
Nov 11, 2013 - "In the wake of Typhoon Haiyan, both law enforcement and members of the public are coming forward to make timely reminders related to donation scams.
1) Police in Huntsville, Ontario have warned of individuals from unverified donation campaigns* going door to door.
Sudden arrivals on your doorstep asking for donations related to any form of disaster should always be viewed with suspicion, and keep in mind that any form of ID can be faked convincingly. If the person is particularly pushy about you handing over money in a short period of time, be extra suspicious...
2) Anxious friends and relatives of those who have gone missing are apparently posting up too much personal information on social networks in their quest to re-establish contact... Avoid posting personal details to sites such as Twitter and Facebook.
3) In the US, cold calling from individuals claiming to be from the Salvation Army asking for Typhoon relief donations has begun. I did a little digging on the phone number listed, and it appears on a Snopes page*** related to Hurricane Sandy FEMA cleanup crews... If you want to donate through Salvation Army, you should visit their donation page** and keep cold calls to your telephone line on the back burner.
4) Scam emails are already in circulation. Expect the majority of these to ride on the coat-tails of efforts by organisations such as The Red Cross. One particularly devious tactic to watch out for is scammers giving you a real, genuine domain as a reply email to send your bank details to but including a fake as a CC address..."
(More detail at the threattracksecurity URL above.)

* http://moosefm.com/c...al-typhoon-scam

** https://donate.salva...g/TyphoonHaiyan

*** http://www.snopes.co...t/femasandy.asp
___

- https://www.us-cert....e-Antivirus-and
Nov 12, 2013
___

Adware sites to block / "Consumer Benefit Ltd" ...
- http://blog.dynamoo....e-sites-to.html
11 Nov 2013 - "A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report*) and GFilterSvc.exe (report**) both in C:\WINDOWS\SYSTEM32. The blocks are 212.19.36.192/27 and 82.98.97.192/28 ... Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature... the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28
..."
(More detail and URLs listed at the dynamoo URL above.)

* https://www.virustot...sis/1384162704/

** https://www.virustot...sis/1384162774/
___

Fake Confidential Message SPAM / To All Employees 2013.zip.exe
- http://blog.dynamoo....al-message.html
11 Nov 2013 - "This -fake- "all employees" email comes with a malicious attachment:
    Date:      Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
    From:      DocuSign Service [dse@ docusign .net]
    Subject:      To all Employees - Confidential Message
    Your document has been completed
    Sent on behalf of administrator@victimdomain.
    All parties have completed the envelope 'Please DocuSign this document:
    To All Employees 2013.doc'.
    To view or print the document download the attachment.
    (self-extracting archive, Adobe PDF)
    This document contains information confidential and proprietary to spamcop .net
    DocuSign. The fastest way to get a signature. If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly...


The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47*. Automated analysis... shows a callback to trc-sd .com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP."
* https://www.virustot...sis/1384175853/

- https://www.virustot...74/information/
___

Fake Paypal SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo....1-587-spam.html
11 Nov 2013 - "For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a -fake- spam pretending to be from PayPal with a malicious attachment:
    Date:      Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
    From:      Payroll Reports [payroll@ quickbooks .com]
    Subject:      Identity Issue #PP-716-097-521-587
    We are writing you this email in regards to your PayPal account. In accordance with our
    "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
    identity by completing the attached form. Please print this form and fill in the
    requested information. Once you have filled out all the information on the form please
    send it to verification@paypal.com along with a personal identification document
    (identity card, driving license or international passport) and a proof of address
    submitted with our system ( bank account statement or utility bill )
    Your case ID for this reason is PP-D503YC19DXP3
    For your protection, we might limit your account access. We apologize for any
    inconvenience this may cause.
    Thanks, PayPal...


Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47*, and automated analysis...  shows an attempted connection to trc-sd .com which is the same domain seen in this attack**."
* https://www.virustot...sis/1384185446/

** http://blog.dynamoo....al-message.html
___

American Express Suspicious Activity Report Spam
- http://threattrack.t...ity-report-spam
Nov 11, 2013 - "Subjects Seen:
    Recent Activity Report - Incident #6U7X67B05H6NGET
Typical e-mail details:
    As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
    Please review the “Suspicious Activity Report” document attached to this email.
    Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress .com/phishing
    Thank you for your Cardmembership.
    Sincerely,
    Lindsey_Oneal
    Tier III Support
    American Express Account Security
    Fraud Prevention and Detection Network


Malicious File Name and MD5:
    Incident#<random>.zip (14F92A367A01C5AD8F0C4A7062000FE6)
    Incident#.exe (77F23BC4F0ECB244FAA61163B07EAEC7)


Screenshot: https://gs1.wac.edge...4fCm1r6pupn.png

Tagged:
American Express: http://threattrack.t...merican-Express
Upatre: http://threattrack.t...m/tagged/Upatre
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 12 November 2013 - 02:11 PM.



#1069 AplusWebMaster


Posted 12 November 2013 - 01:09 PM

FYI...

Dynamic DNS sites you might want to block ...
- http://blog.dynamoo....ht-want-to.html
12 Nov 2013 - "These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is -abused- by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following... listed in yellow have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL*. The links go to the Google diagnostic page."
(Long list at the dynamoo URL above.)
* http://www.surbl.org/lists
___

Fake HMRC SPAM - HMRC_Message.zip and qualitysolicitors .com
- http://blog.dynamoo....sages-from.html
12 Nov 2013 - "This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors .com:
    Date:      Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
    From:      "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
    Subject:      You have received new messages from HMRC
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Please do not reply to this e-mail.
1. This e-mail and any files or documents transmitted with it are confidential and
    intended solely for the use of the intended recipient. Unauthorised use, disclosure or
    copying is strictly prohibited and may be unlawful. If you have received this e-mail in
    error, please notify the sender at the above address and then delete the e-mail from your
    system.
2. If you suspect that this e-mail may have been intercepted or amended, please
    notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
    sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
    this e-mail and any attachments have been created in the knowledge that internet e-mail
    is not a 100% secure communications medium. It is your responsibility to ensure that they
    are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
    for any loss or damage arising from the receipt of this e-mail or its contents.
    QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
    Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
    TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
    TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
    Solicitors Regulation Authority (57864). A full list of Partners names is available from
    any of our offices...


... there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47*. Automated analysis tools... show that it attempts to communicate with alibra .co .uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:
[donotclick]synchawards .com/a1.exe
[donotclick]itcbadnera .org/images/dot.exe
a1.exe has a detection rate of 16/47**, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23 /forum/viewtopic.php
[donotclick]new.data.valinformatique .net/5GmVjT.exe
[donotclick]hargobindtravels .com/38emc.exe
[donotclick]bonway-onza .com/d9c9.exe
[donotclick]friseur-freisinger .at/t5krH.exe
dot.exe has a much lower detection rate of 6/47***... various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.
a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47***, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus."
Recommended blocklist:
59.106.185.23 ..."
(More URLS listed at the dynamoo URL above.)
* https://www.virustot...sis/1384264864/

** https://www.virustot...sis/1384265605/

*** https://www.virustot...sis/1384266070/
___

Fake "Outlook Settings" SPAM - Outlook.zip
- http://blog.dynamoo....tings-spam.html
12 Nov 2013 - "This spam email has a malicious attachment:
    Date:      Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
    From:      Undisclosed Recipients
    Subject:      Important - New Outlook Settings
    Please carefully read the attached instructions before updating settings.
    This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
    This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that). Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.
Screenshot: https://lh3.ggpht.co...utlook-icon.png
The detection rate at VirusTotal is 5/45*. Automated analysis tools... show an attempted connection to dchamt .com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean."
* https://www.virustot...sis/1384270918/

- https://www.virustot...73/information/

- http://threattrack.t...k-settings-spam
Nov 12, 2013 - "Subjects Seen:
    Important - New Outlook Settings
Typical e-mail details:
    Please carefully read the attached instructions before updating settings.
    This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ
    This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at <sender e-mail address> and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


Malicious File Name and MD5:
    Outlook.zip (4D0A70E1DD207785CB7067189D175679)
    Outlook.exe (C8D22FA0EAA491235FA578857CE443DC)


Screenshot: https://gs1.wac.edge...vTYV1r6pupn.png
___

Fake Tax/Accountant SPAM / tax 2012-2013.exe
- http://blog.dynamoo....ccountants.html
12 Nov 2013 - "This -fake- tax spam comes with a malicious attachment:
    Date:      Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
    From:      "support@ salesforce .com" [support@ salesforce .com]
    Subject:      FW: 2012 and 2013 Tax Documents; Accountant's Letter
    I forward this file to you for review. Please open and view it.
    Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.
    This email message may include single or multiple file attachments of varying types.
    It has been MIME encoded for Internet e-mail transmission.


Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.co...00/tax-icon.png
VirusTotal detection rates are 17/47*. Automated analysis tools... show an attempted connection to nishantmultistate .com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack**, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea."
* https://www.virustot...sis/1384287261/

** http://blog.dynamoo....tings-spam.html
___

Department of Treasury Outstanding Obligation Spam
- http://threattrack.t...obligation-spam
Nov 12, 2013 - "Subjects Seen:
    Department of Treasury Notice of Outstanding Obligation - Case <random>
Typical e-mail details:
    We have received notification from the Department of the Treasury,
    Financial Management Service (FMS) that you have an outstanding
    obligation with the Federal Government that requires your immediate
    attention.
    In order to ensure this condition does not affect any planned
    contract or grant activity, please review and sign the attached document and if
    you are unable to understand the attached document please call FMS at 1-800-304-3107
    to address this issue.  Please make sure the person making the telephone call has the
    Taxpayer Identification Number available AND has the authority/knowledge
    to discuss the debt for the contractor/grantee.


Malicious File Name and MD5:
    FMS-Case-<random>.zip (55D31D613A6A5A57C07D496976129068)
    FMS-Case-{_Case_DIG}.zip.exe (B807F603C69AEA97E900E59EC99315B5)


Screenshot: https://gs1.wac.edge...YMit1r6pupn.png
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 12 November 2013 - 07:58 PM.



#1070 AplusWebMaster


Posted 13 November 2013 - 06:16 AM

FYI...

Fake PayPal "Identity Issue" SPAM / Identity_Form_04182013.zip
- http://blog.dynamoo....quickbooks.html
13 Nov 2013 - "This -fake- PayPal (or is it Quickbooks?) spam has a malicious attachment:
    Date:      Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
    From:      Payroll Reports [payroll@ quickbooks .com]
    Subject:      Identity Issue #PP-679-223-724-838
    We are writing you this email in regards to your PayPal account. In accordance with our
    "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
    identity by completing the attached form. Please print this form and fill in the
    requested information. Once you have filled out all the information on the form please
    send it to verification@paypal.com along with a personal identification document
    (identity card, driving license or international passport) and a proof of address
    submitted with our system ( bank account statement or utility bill )
    Your case ID for this reason is PP-TEBY66KNZPMU
    For your protection, we might limit your account access. We apologize for any
    inconvenience this may cause.
    Thanks,
    PayPal ...


Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.
> https://lh3.ggpht.co...entity-form.png
The detection rate for this at VirusTotal is 9/47*, automated analysis tools... show an attempted connection to signsaheadgalway .com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack**, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP."
* https://www.virustot...sis/1384340556/

** http://blog.dynamoo....sages-from.html
___

CareerBuilder Notification Spam
- http://threattrack.t...tification-spam
Nov 13, 2013 - "Subjects Seen:
    CareerBuilder Notification
Typical e-mail details:
    Hello,
    I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
    You can review the position on the CareerBuilder by downloading the attached PDF file.
    Attached file is scanned in PDF format.
    Adobe®Reader® can be downloaded from the following URL: adobe.com
    Best wishes in your job search !
    Savannah_Moyer
    Careerbuilder Customer Service Team


Malicious File Name and MD5:
    CB_Offer_<random>.zip (B61D44F18092458F7B545A16D2FF77D6)
    CB_Offer_<random>.exe (40AB8B0050E496FB00F499212B600DDB)


Screenshot: https://gs1.wac.edge...dQrQ1r6pupn.png

Tagged:
CareerBuilder: http://threattrack.t...d/CareerBuilder
Upatre: http://threattrack.t...m/tagged/Upatre
___

Facebook Password Request Spam
- http://threattrack.t...rd-request-spam
Nov 13, 2013 - "Subjects Seen:
    You requested a new Facebook password!
Typical e-mail details:
    Hello,
    You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    Read your secure message by opening the attachment, Facebook-SecureMessage.zip.


Malicious File Name and MD5:
    Facebook-SecureMessage.zip (FE3AB674A321959B3EA83CF54666A763)
    Transaction_{_tracking}.exe (95191C75EF4A87CBFA46C0818009312E)


Screenshot: https://gs1.wac.edge...KvP31r6pupn.png

Tagged:
Facebook: http://threattrack.t...tagged/Facebook
Upatre: http://threattrack.t...m/tagged/Upatre
___

EXE-in-ZIP SPAM storm continues
- http://blog.dynamoo....-continues.html
13 Nov 2013 - "Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46* which calls home... to amandas-designs .com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

The second one is a -fake- Wells Fargo spam similar to this:
    We have received this documents from your bank, please review attached documents.
    Lela Orozco
    Wells Fargo Advisors
    817-232-5887 office
    817-067-3871 cell Lela.Orozco@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47** and calls home... to kidgrandy .com on 184.154.15.190 (Singlehop, US). Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter."
* https://www.virustot...sis/1384377409/

** https://www.virustot...sis/1384377605/

- https://www.virustot....8/information/

- https://www.virustot...90/information/
 

:ph34r: <_<


Edited by AplusWebMaster, 13 November 2013 - 04:51 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
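The perimeter rule the quoted post recommends (block ZIP attachments that carry executables) as an added defender-side example, not code from dynamoo or from this thread: it inspects a ZIP attachment in memory and flags members that are executable by extension or by PE magic, which also catches the icon-and-name trick the thread keeps describing (an .exe shown as an audio file). The extension lists and the sample archives are constructed assumptions, not real samples.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows runs directly (assumed list for the example).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar",
}


@dataclass
class Finding:
    member: str
    reason: str


def _extension(name):
    """Last extension of the member's base name, lower-cased ('' if none).
    Double extensions such as invoice.pdf.exe therefore resolve to .exe."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def scan_zip_bytes(data, max_members=1000):
    """Return a list of Findings for a ZIP attachment held in memory.
    max_members bounds the work done on a hostile archive."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP file")]
    with zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable extension {ext}"))
                continue
            # Bit 0 of the general-purpose flags marks an encrypted member:
            # we cannot sniff its content, so treat it as suspicious too.
            if info.flag_bits & 0x1:
                findings.append(Finding(info.filename, "encrypted member, content not inspectable"))
                continue
            # Content check: a PE/DOS executable starts with the bytes "MZ",
            # whatever the file is called.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                findings.append(Finding(info.filename,
                                        f"PE header (MZ) behind {ext or 'no'} extension"))
    return findings


def should_block(data):
    """Perimeter decision: block when any member is flagged."""
    return bool(scan_zip_bytes(data))


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on attachment names from this thread (no real malware):
FAKE_MZ = b"MZ" + b"\x00" * 62                                  # minimal DOS stub header
VOICE_MAIL_ZIP = build_sample_zip({"Voice_Mail.exe": FAKE_MZ})   # executable by name
DISGUISED_ZIP = build_sample_zip({"N_58Q-ILM-94XZ.wav": FAKE_MZ})  # executable by content only
BENIGN_ZIP = build_sample_zip({"report.txt": b"quarterly numbers\n"})

if __name__ == "__main__":
    for label, blob in (("voice mail", VOICE_MAIL_ZIP), ("disguised", DISGUISED_ZIP),
                        ("benign", BENIGN_ZIP)):
        print(label, "BLOCK" if should_block(blob) else "pass", scan_zip_bytes(blob))
```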


#1071 AplusWebMaster

Posted 14 November 2013 - 06:17 AM

FYI...

Google Drive phish...
- http://www.threattra...-uri-technique/
Nov 14, 2013 - "... interesting mail which arrived in my inbox earlier today. It came from a Gmail address tied to a Google+ account which appears to be Chinese in origin, and had me BCC’d in.
> http://www.threattra.../cheedrive1.jpg
The email is called “Document”... This might look convincing to the unwary, but a simple hover over the link reveals that this isn’t going to take you to Google Drive:
bashoomal(dot)com/redirect.html
The end-user will be presented with a -fake- Google Drive login page which asks them to fill in their email address / password.
> http://www.threattra.../cheedrive2.jpg
As you can see from the URL bar, this is another -phish- that tries to take advantage of the Data URI scheme... The Google account sending the mails appears to have been around since 2007, and also has a Youtube account – it seems likely that it has been compromised, and is being used to further the spread of malicious links..."

- https://isc.sans.edu...l?storyid=17018
2013-11-13
___

Malware sites to block - (Caphaw)
- http://blog.dynamoo....013-caphaw.html
14 Nov 2013 - "These domains and IPs appear to be involved in a Caphaw malware attack, such as this one*. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.
Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178
..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=7696954

- http://www.virusrada...w.K/description
 

:ph34r: <_<


Edited by AplusWebMaster, 14 November 2013 - 10:54 AM.

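The two tells in the Google Drive phish above (a link whose real target is not the site it pretends to be, and a data: URI serving the login page) as an added example of a mail-filter check, not code from the quoted post: it pulls the anchors out of an HTML body and flags data:/javascript: targets, display-text/target host mismatches, and targets outside the hosts the mail claims to come from. The sample mail and the `redirect.example` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def _host_of(url_like):
    """Hostname of a URL or of a bare 'host/path' string, lower-cased."""
    candidate = url_like if "://" in url_like else "http://" + url_like
    return (urlparse(candidate).hostname or "").lower()


def _looks_like_url(text):
    t = text.strip()
    return "." in t and " " not in t and "@" not in t and not t.endswith(".")


def _same_site(host, site):
    return host == site or host.endswith("." + site)


def check_links(html, claimed_brand_hosts=()):
    """Return (href, reason) pairs for anchors a reader should not click.
    claimed_brand_hosts: registrable hosts of the brand the mail claims to be
    from (e.g. {"google.com"}); any link elsewhere is reported."""
    findings = []
    for href, text in extract_anchors(html):
        scheme = urlparse(href).scheme.lower()
        if scheme == "data":
            # The "page" is carried inside the link itself: no server to reputation-check.
            findings.append((href[:30] + "...", "data: URI as link target"))
            continue
        if scheme in ("javascript", "vbscript"):
            findings.append((href, f"{scheme}: URI as link target"))
            continue
        target = _host_of(href)
        shown = _host_of(text) if _looks_like_url(text) else ""
        if shown and not _same_site(target, shown):
            # What the hover reveals: the text says one host, the href goes to another.
            findings.append((href, f"text shows {shown} but target is {target}"))
        elif claimed_brand_hosts and not any(_same_site(target, b) for b in claimed_brand_hosts):
            findings.append((href, f"target {target} is not a host of the claimed sender"))
    return findings


# Constructed sample modelled on the "Document" mail described above (placeholder hosts).
SAMPLE_MAIL = """
<p>A document has been shared with you.</p>
<a href="http://redirect.example/redirect.html">View Document</a>
<a href="http://redirect.example/redirect.html">drive.google.com/document</a>
<a href="data:text/html;base64,PGh0bWw+">Open in Google Drive</a>
<a href="https://docs.google.com/document/d/abc">docs.google.com</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_MAIL, {"google.com"}):
        print(f"{reason}: {href}")
```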


#1072 AplusWebMaster

Posted 15 November 2013 - 10:06 AM

FYI...

More Malware sites to block - (Caphaw)
- http://blog.dynamoo....013-caphaw.html
15 Nov 2013 - "Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday* is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity). The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....013-caphaw.html

- https://www.virustot...78/information/

- http://www.virusrada...2_Caphaw/detail
___

Fake BoA fax message SPAM / 442074293440-1116-084755-242.zip
- http://blog.dynamoo....ax-message.html
15 Nov 2013 - "This -fake- fax message email has a malicious attachment:
    Date:      Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
    From:      RingCentral [notify-us@ ringcentral .com]
    Subject:      New Fax Message on 11/15/2013 at 09:51:51 CST
    You Have a New Fax Message
    From
    Bank of America
    Received:     11/15/2013 at 09:51:51 CST
    Pages:     5
    To view this message, please open the attachment.
    Thank you for using Ring Central .


Screenshot: https://lh3.ggpht.co...ringcentral.png

There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious executable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to aspenhonda .com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been -hacked-, it is not possible to tell if the entire server is compromised but there are other legitimate sites on that box."
* https://www.virustot...sis/1384537461/

- https://www.virustot...33/information/
___

Citigroup Secure Message Spam
- http://threattrack.t...re-message-spam
Nov 15, 2013 - "Subjects Seen:
    You have a new encrypted message from Citigroup Inc.
Typical e-mail details:
    You have received a secure e-mail message from Citigroup Inc..
    We care about your privacy, Citigroup Inc. uses this secure way to exchange e-mails containing personal information.
    Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
    If you have concerns about the validity of this message, please contact the sender directly.
    First time users - will need to register after opening the attachment.


Malicious File Name and MD5:
    SecureMessage.zip (969AEFFE28BC771C8453BF849450BC6A)
    SecureMessage.exe (C2CD447FD9B19B7F062A5A8CF6299600)


Screenshot: https://gs1.wac.edge...ugMb1r6pupn.png

Tagged: CitiGroup, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Authorization Form Email Messages - 2013 Nov 15
Fake Product Purchase Order Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Malicious Personal Pictures Attachment Email Messages - 2013 Nov 15
Fake Bank Payment Notification Email Messages - 2013 Nov 15
Fake Product Order Email Messages - 2013 Nov 15
Fake Meeting Invitation Email Messages - 2013 Nov 15
Fake Payroll Invoice Notification Email Messages - 2013 Nov 15
Fake Product Quote Request Email Messages - 2013 Nov 15
Fake Shipping Order Information Email Messages - 2013 Nov 15
Fake Shipping Notification Email Messages - 2013 Nov 15
Fake Product Inquiry Email Messages - 2013 Nov 15
Fake Payment Receipt Email Messages - 2013 Nov 15
Fake Tax Document Email Messages - 2013 Nov 15
Fake Travel Information Email Messages - 2013 Nov 15
Email Messages with Malicious Attachments - 2013 Nov 15
(More detail and links at the cisco URL above.)
 

:ph34r: <_<


Edited by AplusWebMaster, 18 November 2013 - 05:49 AM.



#1073 AplusWebMaster

Posted 18 November 2013 - 07:31 AM

FYI...

Phone SCAM - (08445715179)
- http://blog.dynamoo....8445715179.html
18 Nov 2013 - "This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:
    ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here*), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill. Sadly, I don't know who is behind this scam, and in this case it was -illegally- sent to a TPS-registered number**. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO*** who may be able to take more serious action against these spammers."
* http://www.moneysavi...mium-rate-calls

** http://www.tpsonline...umber_type.html

*** http://www.ico.org.u...nts/marketing/2
___

Freenters Hit By Breach, Student Data Leaked
- http://www.threattra...h-student-data/
Nov 18, 2013 - "If you’re a student who signed up to the Freenters free printing service, you may want to go and ensure your logins are safe and sound, as it appears they were compromised pretty badly.
> http://www.threattra.../printpwn11.jpg
... Affected students were sent two separate emails which added to the confusion, with one stating “Passwords were secure” with a follow up advising them “we highly recommend you change your password for other accounts”... This might be a perfect time to ensure you’re not sharing passwords across sites and services, and think about using a password manager..."
___

PlayStation 4 and Xbox One Survey Scams ...
- http://blog.trendmic...-scams-spotted/
Nov 18, 2013 - "... We found a Facebook page that advertised a PS4 raffle. Users were supposed to visit the advertised site, as seen below:
> http://blog.trendmic...13/11/ps4-1.jpg
The site urges users to “like” or “follow” the page, and then share it on social media sites. This could be a way for scammers to gain a wider audience or appear more reputable.
> http://blog.trendmic...13/11/ps4-2.jpg
Afterwards, users are required to enter their name and email address. Instead of a raffle, they are led to a survey scam:
> http://blog.trendmic...13/11/ps4-3.jpg
... Scams are also using the Xbox One as bait. However, the site in this case is currently inaccessible. Since the Xbox One has yet to be released, scammers could be waiting for the official launch before making the site live.
> http://blog.trendmic...13/11/xbox1.jpg
The scams were not limited to Facebook. We spotted a site that advertised a Xbox One giveaway. Like the PS4 scam, users are encouraged to promote the giveaway through social media. Once they click the “proceed” button, they are led to a site that contains a text file they need for the raffle. But like other scams, this simply leads to a survey site.
> http://blog.trendmic...13/11/xbox2.jpg
... Product launches have become a tried-and-tested social engineering bait. Earlier in the year, we saw scams that used Google Glass as a way to trick users. Early last year, the launch of the iPad 3 became the subject of many scams and spam. Users should always be cautious when it comes to online raffles and giveaways, especially from unknown or unfamiliar websites. If the deal seems too good to be true, it probably is..."
___

Netflix on your PC - Beware of Silverlight exploit
- http://blog.malwareb...rlight-exploit/
Nov 15, 2013 - "A vulnerability affecting Microsoft Silverlight 5 is being used in the wild to infect PCs that visit compromised or malicious websites... The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction. Microsoft patched the flaw (CVE-2013-0074*) on March 12, 2013. The Silverlight exploit was first spotted in the Angler exploit kit by @EKWatcher and later documented by Kafeine. The screenshot below summarizes the attack:
> http://cdn.blog.malw...3-11-13_016.png
... those that already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk. Please ensure that you are running the latest version available (5.1.20913.0) and that it is set to install updates automatically:
> http://cdn.blog.malw...silverlight.png "

* http://technet.micro...lletin/ms13-022
___

IRS Tax Payment Rejection Spam
- http://threattrack.t...-rejection-spam
Nov 18, 2013 - "Subjects Seen:
    Your FED TAX payment ( ID : 6LHIRS930292818 ) was Rejected
Typical e-mail details:
     *** PLEASE DO NOT RESPOND TO THIS EMAIL ***
    Your federal Tax payment (ID: 6LHIRS930292818), recently sent from your checking account was returned by the your financial institution.
    For more information, please download notification, using your security PIN 55178.
    Transaction Number:     6LHIRS930292818
    Payment Amount:     $ 2373.00
    Transaction status:     Rejected
    ACH Trace Number:     268976180630733
    Transaction Type:     ACH Debit Payment-DDA


Malicious File Name and MD5:
    FED TAX payment.zip (661649A0CA9F13B06056B53B9BC3CBA7)
    FED TAX payment.exe (157BBC283245BBE5AB2947C446857FC9)


Screenshot: https://gs1.wac.edge...HbhC1r6pupn.png

Tagged: IRS, Upatre
 

:ph34r: <_<


Edited by AplusWebMaster, 18 November 2013 - 08:30 PM.



#1074 AplusWebMaster

Posted 19 November 2013 - 05:29 AM

FYI...

Fake ‘Sent from my iPhone’ themed emails - expose users to malware
- http://www.webroot.c...-users-malware/
Nov 19, 2013 - "Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitoring for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – * ... Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A... Once executed, the sample attempts to contact the following C&C servers:
next to the well known by now, networksecurityx.hopto .org (1) a C&C host..."
* https://www.virustot...sis/1384441224/

Diagnostic page for hopto .org
1) http://google.com/sa...site=hopto.org/
"... Part of this site was listed for suspicious activity 731 time(s) over the past 90 days... Malicious software includes 817 exploit(s), 113 trojan(s), 59 virus. Successful infection resulted in an average of 5 new process(es) on the target machine. This site was hosted on 80 network(s)... Over the past 90 days, hopto .org appeared to function as an intermediary for the infection of 140 site(s)... this site has hosted malicious software over the past 90 days. It infected 210 domain(s)..."
___

Fake Snapchat downloads in Search Engine Ads
- http://www.threattra...rch-engine-ads/
Nov 19, 2013 - "Hot on the heels of fake Snapchat Adware installs*, we have advert results in both Google and Bing adverts leading to non-existent downloads of Snapchat in return for an Adware bundle. Here’s Google:
> http://www.threattra...ooglesearch.png
The site in question here is soft1d(dot)com
> http://www.threattra...oft1dprompt.jpg
Here’s Bing:
> http://www.threattra...snapadsbing.jpg
The ad in question is the one in the bottom right hand corner for download-apps(dot)org/snapchat
> http://www.threattra...d-apps-snap.jpg
Both sites lead to the same install. Comments from Matthew, one of our researchers in the Labs who discovered this: 'When you run the installer it precedes to install Fast Media Converter (Zango/Pinball Corp/BlinkX/LeadImpact) and LyricsViewer (Crossrider) with the only notice being from the page shown in the “prompt” screenshots. After loading those, it proceeds to offer you some more: a Conduit Toolbar and Dealply. In the end there is no Snapchat install or even a replacement for Snapchat'...
> http://www.threattra...tion-snap-1.png
.
> http://www.threattra...tion-snap-3.png
VirusTotal has this one pegged at 4/47** ..."

* http://www.threattra...l-leads-adware/
Nov 1, 2013

** https://www.virustot...04b40/analysis/
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Job Offer Notification Email Messages - 2013 Nov 19
Fake Monthly Report Notification Email Messages - 2013 Nov 19
Fake Invoice Attachment Email Messages - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Payment Information Notification Email Messages - 2013 Nov 19
Email Messages with Malicious Attachments - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Product Quote Request - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Payment Confirmation Email Messages - 2013 Nov 19
Fake Personal Photo Sharing Email Messages - 2013 Nov 19
Fake Payment Invoice Email Messages - 2013 Nov 19
Fake Shipment Tracking Information Email Messages - 2013 Nov 19
Fake Product Order Notification Email Messages - 2013 Nov 19
Fake Scanned Image Notification Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Bank Payment Notification Email Messages - 2013 Nov 19
Fake Customer Complaint Attachment Email Messages - 2013 Nov 19
(More info and links at the cisco URL above.)
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 19 November 2013 - 09:24 PM.



#1075 AplusWebMaster

Posted 20 November 2013 - 07:26 AM

 FYI...

Fake mileage reimbursement email leads to malware ...
- http://www.webroot.c...s-lead-malware/
Nov 20, 2013 - "Want to file for mileage reimbursement through a STD-261 form? You may want to skip the tens of thousands of -malicious- emails currently in circulation, attempting to trick users into executing the malicious attachment. Once downloaded, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, undermining the confidentiality and integrity of the host.
Sample screenshot of the spamvertised email:
> https://www.webroot....are-1024x64.png
Detection rate for the spamvertised attachment: MD5: 3aaa04b0762d8336379b8adedad5846b – * ...  Trojan.Win32.Bublik.bkri; TrojanDownloader:Win32/Upatre.A. Once executed, the sample starts listening on ports 8412 and 3495... It then attempts to phone back to the following C&C servers... (long list of IP's listed at the first webroot URL above)..."
* https://www.virustot...sis/1384525049/
___

Red Cross 419 Scam exploits Typhoon Haiyan
- http://www.threattra...typhoon-haiyan/
Nov 20, 2013 - "There are a number of emails currently in circulation attempting to cash in on the generosity of individuals and organisations wanting to assist the Typhoon Haiyan relief efforts. Another one just landed in our spamtraps, and reads as follows:
> http://www.threattra...iyanmail-wm.jpg
... If the poor spelling and generally dreadful formatting of the mail doesn’t give the game away, hopefully the free Yahoo email address will help to tip the balance. This is absolutely a scam, and one that should be directed to the recycle bin / spam folder with all due haste. Elsewhere, Trend Micro are seeing missives related to fake Navy donations* and Symantec are dealing with one “Andrew Stevens” who is asking for donations** via Western Union. You can be sure more of these will emerge in the coming weeks, so please be cautious and don’t reply to any email sent out of the blue. No matter how convincing the mail appears to be, there’s a very good chance your money is going to end up with someone other than who you intended it for."
* http://blog.trendmic...on-haiyan-scams

** http://www.symantec....kes-philippines
___

Bitcoin Boom leads to Malware Badness
- http://www.threattra...alware-badness/
Nov 20, 2013 - "... you may be tempted to mine some Bitcoins via the art of downloading random files from the internet... There are certainly more than enough options to choose from; Youtube videos, promo sites, Pastebin posts – you name it, they’re all out there and they’re all clamouring for your attention. Just keep in mind that you never really know what you’re signing up to when playing the random download game... Scammers are promoting “no survey Bitcoin generators”, which come with -surveys- attached regardless.
> http://www.threattra...1/bitcoins3.jpg
If no survey is available, you’re encouraged to pay for a premium account to access the download.
> http://www.threattra...1/bitcoins4.jpg
Elsewhere, the below Pastebin page directs individuals to a Mediafire download. Note that they claim it is “legit”, but the file isn’t theirs and they won’t accept responsibility for any “inconvenience”. Never a good sign, really.
> http://www.threattra...1/bitcoins1.jpg
...
> http://www.threattra...1/bitcoins2.jpg
... VirusTotal currently flagging it at 8/47*. We’re also seeing a number of files on MEGA, which claim to be Bitcoin Generators (with one claiming to offer up 0.06975 mBTC “every couple of hours” in return for filling in some CAPTCHA codes)... An additional file below (also hosted on MEGA) already flags up at 17/47** on VirusTotal, and we also detect this as Trojan.Win32.Generic!BT... trying to go down the fast and easy route ensures there’s a lot to lose too. If you’re late to the Bitcoin party, bandwagon jumping may result in a nasty fall."
* https://www.virustot...7aa24/analysis/

** https://www.virustot...cff38/analysis/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 20 November 2013 - 11:13 AM.




#1076 AplusWebMaster

Posted 21 November 2013 - 02:44 PM

FYI...

Fake ADP Anti-Fraud Secure Update Spam
- http://threattrack.t...ure-update-spam
Nov 21, 2013 - "Subjects Seen:
    ALERT! From ADP: 2013 Anti-Fraud Secure Update
Typical e-mail details:
    Dear Valued ADP Client,
    We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
    A new version of secure update is available.
    Our development division strongly recommends you to download this software update.
    It contains new features:
    The certificate will be attached to the computer of the account holder, which disables any fraud activity
    Any irregular activity on your account is detected by our safety centre
    Download the attachment. Update will be automatically installed by double click.
    We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf.  As always, your ADP Service Team is happy to assist with any questions you may have.


Malicious File Name and MD5:
    2013 Anti-Fraud Secure Update.zip (7DF767E9225803F5CA6C1ED9D2B5E448)
    2013 Anti-Fraud Secure Update.exe (6A9D66DF6AE25A86FCF1BBFB36002D44)


Screenshot: https://gs1.wac.edge...ErG21r6pupn.png

Tagged: ADP, Upatre.
 

:ph34r: :ph34r: <_<




#1077 AplusWebMaster

Posted 22 November 2013 - 05:09 AM

FYI...

Fake WhatsApp SPAM - exposes users to malware ...
- http://www.webroot.c...-users-malware/
Nov 22, 2013 - "... intercepted a currently circulating malicious spam campaign impersonating WhatsApp — yet again — in an attempt to trick its users into thinking that they’ve received a voice mail. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised malicious email:
> https://www.webroot...._Cybercrime.png
Detection rate for the spamvertised attachment: MD5: 41ca9645233648b3d59cb52e08a4e22a – * ... TrojanDownloader:Win32/Kuluoz.D. Once executed, it phones back to:
...
* https://www.virustot...sis/1384979533/
___

Watch where you’re logging in ...
- http://www.threattra...-youre-logging/
Nov 22, 2013 - "If you do your online banking with TESCO, or indeed have a credit card with them you may want to be on the lookout for the following website which is hosting a rather large tally of login pages. The site in question is:
mrqos(dot)com(dot)au/kate/tess/tescr/login(dot)html
and that particular site was flagged not so long ago in the Zone-H defacement mirror, with “KEST” compromising it on or around the 15th of October, 2013.
> http://www.threattra...3/11/tesco0.jpg
Here’s 100 or so identical HTML pages in one directory offering up a TESCO credit card login:
> http://www.threattra...3/11/tesco3.jpg
All of the above pages present end-users with the following login screen:
> http://www.threattra...3/11/tesco4.jpg
The page asks end-users to login to “Tesco bank online banking” with “credit card” mentioned in the top right hand corner. After entering a username, the page asks for more information... you should only ever log in on the homepage of your bank or credit card. Visiting it from URLs in emails or random messages sent your way just won’t cut the mustard – physically type in the URL, ensure there’s a padlock and the connection is encrypted. You won’t find padlocks or encryption on the above pages..."
___

Pokemon X and Y Tumblrs: Warn your Kids
- http://www.threattra...blrs-warn-kids/
Nov 22, 2013 - "A gentle reminder not to leave your kids alone with their best friend ever, the internet. Pokemon X and Y is by all accounts a raging success, and if the smaller members of your household go Googling for things related to said title, they may well end up on a site such as the below promising a PC download of the new game.
pokemonxetyromemulateur(dot)tumblr(dot)com
> http://www.threattra...kedownload1.jpg
This site intends to direct the end-user to a cookie-cutter blog located at
pokemonxyemulator(dot)blogspot(dot)ro
The site pops a -survey- with offers likely dictated by region. What’s worrying here is if kids arrive on this site given the Pokemon theme, they could well be presented with survey questions asking for personal information alongside the more typical installs (and installs aren’t really something you want to be presenting kids with either).
> http://www.threattra...kedownload2.jpg
In this case, one of the links leads to an iLivid install.
> http://www.threattra...kedownload3.jpg
... it mentions a -toolbar- install which is pre-ticked in the next screen... What’s on offer here isn’t a big deal, but there’s no way you can predict what will be on the other end of a survey popup – everything from personal information requests and ringtone offers to Adware and (occasionally) Malware have all been sitting in wait on the other side of that “Complete this” button. While adults may hopefully steer clear of a lot of these antics, any kids going click happy in Pokemon land (or any other themed set of search engine queries) probably won’t be so lucky..."
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 22 November 2013 - 09:10 AM.



#1078 AplusWebMaster

Posted 25 November 2013 - 07:19 PM

FYI...

Fake PayPal Spam
- http://threattrack.t...on-of-case-spam
Nov 25, 2013 - "Subjects Seen:
    Resolution of case #PP-016-353-161-368
Typical e-mail details:
    Transaction ID: 27223374MSB9Y6FV6
    Our records indicate that you never responded to requests for additional
    information about this claim. We hope you review the attached file and solve the situation amicably.
    For more details please see the attached file (Case_9503665.zip)
    Sincerely,
    Protection Services Department


Malicious File Name and MD5:
    Case_9503665.zip (040D3AA61ADB6431576D27E14BA12E43)
    Case_.exe (8DB3C24FCD0EF4A660636250D0120B23)


Screenshot: https://gs1.wac.edge...DtlR1r6pupn.png

Tagged: PayPal, Upatre
___

Fake HSBC emails - malware
- http://www.webroot.c...-users-malware/
Nov 25, 2013 - "HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised email:
> https://www.webroot....us_Software.png
Detection rate for the spamvertised attachment: MD5: 2fbf89a24a43e848b581520d8a1fab27 – * ...Trojan.Win32.Bublik.blgc. Once executed, the sample starts listening on ports 3670 and 6652..."
* https://www.virustot...sis/1385042183/
___

.gov, .edu - Phish ...
- http://www.threattra...v-edu-phish-oh/
Nov 25, 2013 - "We’ve noticed a couple of .cn URLs which customers of ANZ will probably want to steer clear of.
> http://www.threattra...3/11/cnanz0.jpg
syftec(dot)gov(dot)cn
... appears to be a site about the county-level city Shangyu. One of the URLs on the site is
syftec(dot)gov(dot)cn/images/online/
... which takes users to:
rh(dot)buaa(dot)edu(dot)cn/js/online
... which is a .Edu URL called “China Domestic Research Project for ITER”, with the sub-heading “Key technologies research for remote handling manipulator using in nuclear environment”.
Here’s the frontpage, minus the js/online directory:
> http://www.threattra...3/11/cnanz1.jpg
Here’s what is located at the rh(dot)buaa(dot)edu(dot)cn/js/online URL:
> http://www.threattra...3/11/cnanz2.jpg
The page asks for name, DOB, address, card number, expiration date and security code. Hitting the log on button will direct users to the genuine ANZ website. The URL has already been blacklisted by Google Safebrowsing:
> http://www.threattra...3/11/cnanz4.jpg
What’s interesting here is if the URL forwarding end-users from the .gov site to the .edu page is supposed to be there, or it too has been compromised to direct more users to the ANZ “login”. It’s possible the .gov site once forwarded them to a formerly legitimate page on the .edu portal which has since been compromised. However, the .edu page isn’t on Internet Archive so it’s hard to say one way or the other. What we can say for certain is that customers of ANZ should only log in on the genuine ANZ website*, and that .gov URLs are prime targets..."
* https://www.anz.com/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 25 November 2013 - 07:32 PM.



#1079 AplusWebMaster

Posted 26 November 2013 - 11:01 AM

FYI...

Fake Facebook pwd SPAM - Recoverypassword.zip and Facebook-SecureMessage.exe
- http://blog.dynamoo....k-password.html
26 Nov 2013 - "This -fake- Facebook message comes with a malicious attachment:
    Date:      Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
    From:      Facebook [update+hiehdzge@ facebookmail .com]
    Subject:      You requested a new Facebook password!
    facebook
    Hello,
    You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    Read your secure message by opening the attachment, Facebook-SecureMessage.zip.
    Didn't request this change?
    If you didn't request a new password, let us know immediately.
    This message was sent to [redacted] at your request.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


Screenshot: https://lh3.ggpht.co...0/facebook3.png

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42*. Automated analysis tools... shows attempted connections to developmentinn .com on 38.102.226.252 (Cogent, US) and spotopia .com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or not."
* https://www.virustot...sis/1385474059/

- https://www.virustot...99/information/
___

Xerox Incoming Fax Spam
- http://threattrack.t...coming-fax-spam
Nov 26, 2013 - "Subjects Seen:
    INCOMING FAX REPORT : Remote ID: 633-553-5385
Typical e-mail details:
    INCOMING FAX REPORT
    Date/Time: 11/26/2013 04:51:31 EST
    Speed: 17766 bps
    Connection time: 07:01
    Pages: 3
    Resolution: Normal
    Remote ID: 633-553-5385
    Line number: 633-553-5385
    DTMF/DID:
    Description: Сost sheet for first half of 2013.pdf


Malicious File Name and MD5:
    IncomingFax.zip (A5E6AB0F6ECF230633B91612A79BF875)
    IncomingFax.exe (B048E178F86F6DBD54D84F488120BB9B)


Screenshot: https://gs1.wac.edge...V45y1r6pupn.png

Tagged: Xerox, Upatre
___

Something evil on 46.19.139.236
- http://blog.dynamoo....4619139236.html
26 Nov 2013 - "46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java -exploit- kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples* ..."
(More detail at the dynamoo URL above.)
* https://www.virustot...36/information/
___

Fake Loan site delivers adware
- http://www.threattra...ancial-dot-org/
Nov 26, 2013 - "...  a fake loan page from an equally fake financial institution called “Trust Financial Group”.
> http://www.threattra...E96C52913E1.jpg
Once users visit trustfinancial(dot)org, they are -redirected- to a default page serving a loan decision document. In order for visitors to see its unblurred version, they have to install a “secure loan viewer” application. Unfortunately, users will find out that the name of the program is actually called “Search Smarted and Search Assistor” and is signed by a verified publisher called Access Financial Resources, Inc.
> http://www.threattra...9FFC1704ACD.jpg
Here’s another sample that we have acquired:
> http://www.threattra...B49590EE75C.jpg
A quick search on Google for the name points me to a small company of financial planners in Oklahoma, but I can’t find connections to any legitimate software it’s involved in or to “Trust Financial Group”. We can count on the idea that whoever is behind the bogus page and brand had used the name of a legitimate small financial company to make the certificate appear more authentic, which in turn makes the applications seem legit. Unfortunately, this is -not- the case. The files are not document viewer applications, but they are -adware- programs that, once installed, -inject- ads into search engine results.
> http://www.threattra...50F9F6D03F2.jpg
... Eric Howes, ThreatTrack Security’s Principal Lab Researcher, “The domains used here are all anonymously registered. And while this attack technically isn’t a phishing attack, it is exploiting users’ trust and faith in financial institutions to trick them into installing adware.” Our researchers have further determined that the ads being injected are pulled through the domain, ez-input(dot)info, which was also registered anonymously..."
___

Blackshades Rat usage on the rise...
- http://www.symantec....-alleged-arrest
Nov 25, 2013 - "... Blackshades RAT, detected by Symantec products as W32.Shadesrat, will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat, but also several -other- malware families.
Shadesrat evolution since July 2013:
> http://www.symantec....l Exploit 1.png
For the last few years we have seen a spectacular increase of attacks against Web servers using recently discovered vulnerabilities to target industries, think tanks, government institutions and users. In all cases, the attacker’s goal is very clear; to execute a malicious payload on the user’s computer. The attackers managed to do this using different exploit kits. When Symantec observed the increase of W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials including email services, Web services, instant messaging applications, and FTP clients. Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information. During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point, and until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the latter has been the most prevalent. These kits try to exploit different vulnerabilities in the user’s computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.
> http://www.symantec....l Exploit 2.png
We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
> http://www.symantec....l Exploit 3.png
Once an unsuspecting user has been compromised, -multiple- payloads are downloaded and used to retain control by using Remote Administration Tools or downloaders that enable them to install additional malware with new functionalities. The C&C servers also spread the following other malware threats.
> http://www.symantec....l Exploit 4.png
... The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies. This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal. Don’t forget to make sure that your software is up-to-date and that your antivirus solution has the latest definitions."
 

:ph34r: <_< :ph34r:


Edited by AplusWebMaster, 27 November 2013 - 08:37 AM.



#1080 AplusWebMaster


Posted 27 November 2013 - 10:16 AM

FYI...

Fake ADP SPAM - Reference #274135902580 / Transaction.exe
- http://blog.dynamoo....02580-spam.html
27 Nov 2013 - "Is it Salesforce or ADP? Of course.. it is -neither- ...
    Date:      Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
    From:      "support@ salesforce .com" [support@ salesforce .com]
    Subject:      ADP - Reference #274135902580
    We were unable to process your recent transaction. Please verify your details and try again.
    If the problem persists, contact us to complete your order.
    Transaction details are shown in the attached file.
    Reference #274135902580
    This e-mail has been sent from an automated system.
    PLEASE DO NOT REPLY...


Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48*...
> https://lh3.ggpht.co...transaction.png
 Malwr reports an attempted connection to seribeau .com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several -hundred- legitimate web sites on it, and it is not possible to determine if these are clean or infected."
* https://www.virustot...sis/1385558999/

- https://www.virustot...52/information/
___

Dun & Bradstreet iUpdate Spam
- http://threattrack.t...et-iupdate-spam
Nov 27, 2013 - "Subjects Seen:
    D&B iUpdate : Company Request Processed
Typical e-mail details:
    Thank you,
    Your request has been successfully processed by D&B.
    All information has been reviewed and validated by D&B.
    Please Find your Order Information attached.


Malicious File Name and MD5:
    CompanyInfo.zip (22CC978F9A6AEE77E653D7507B35CD65)
    CompanyInfo.exe (2F3C1473F8BCF79C645134ED84F5EF62)


Screenshot: https://gs1.wac.edge...IRwc1r6pupn.png

Tagged: Dun & Bradstreet, Upatre
___

Tax Return Accountant’s Letter Spam
- http://threattrack.t...nts-letter-spam
Nov 27, 2013 - "Subjects Seen:
    FW: 2012 and 2013 Tax Documents; Accountant’s Letter
Typical e-mail details:
    I forward this file to you for review. Please open and view it.
    Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant’s letter.


Malicious File Name and MD5:
    <e-mail recipient>.zip (BC8FC4D02BB86F957F5AE0818D94432F)
    TaxReturn.exe (E85AD4B09201144ACDC04FFC5F708F03)


Screenshot: https://gs1.wac.edge...s2ka1r6pupn.png

Tagged: Tax Return, Upatre
___

Russian Photo Attachment Spam
- http://threattrack.t...attachment-spam
Nov 27, 2013 - "Subjects Seen:
    Hello
Typical e-mail details:
    Hi
    My name is Yulia.
    I am from Russia.
    Look my photo in attachment.


Malicious File Name and MD5:
    DSC_0492(copy).jpg.zip (41B37B08293C1BFE76458FA806796206)
    DSC_0492(copy).jpg.exe (AC7CD2087014D9092E48CE465E4F902D)


Screenshot: https://gs1.wac.edge...o5Ih1r6pupn.png

Tagged: Photo, Sirefef
 

:ph34r: <_<


Edited by AplusWebMaster, 29 November 2013 - 02:16 PM.

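Every lure in the last two posts follows the same pattern: a ZIP attachment carrying an executable dressed up as a fax, a document, a transaction record or a photo (DSC_0492(copy).jpg.exe). Here is an added example of a mail-gateway style triage for that pattern; it is not code from ThreatTrack, dynamoo or this forum. It opens the ZIP in memory without executing anything, and reports members with an executable extension, a double extension such as .jpg.exe, a PE (MZ) header regardless of extension, or an MD5 that matches a known sample. The MD5 list is the one quoted in the ThreatTrack posts above; the ZIP files themselves, the `FAKE_PE` stub and the extension tables are constructed for the example, so the constructed members do not carry the real samples' hashes.

```python
"""Offline triage of ZIP attachments for the Upatre/Sirefef lures above.

Added example for this thread, not code from ThreatTrack or dynamoo. The
MD5 values are those quoted in the posts; the ZIPs and the PE stub below
are constructed for the example and are not the real samples.
"""
import hashlib
import io
import zipfile
from posixpath import basename

# MD5s quoted in the ThreatTrack posts (container and dropped executable).
KNOWN_BAD_MD5 = {
    "a5e6ab0f6ecf230633b91612a79bf875",  # IncomingFax.zip
    "b048e178f86f6dbd54d84f488120bb9b",  # IncomingFax.exe
    "22cc978f9a6aee77e653d7507b35cd65",  # CompanyInfo.zip
    "2f3c1473f8bcf79c645134ed84f5ef62",  # CompanyInfo.exe
    "bc8fc4d02bb86f957f5ae0818d94432f",  # <recipient>.zip
    "e85ad4b09201144acdc04ffc5f708f03",  # TaxReturn.exe
    "41b37b08293c1bfe76458fa806796206",  # DSC_0492(copy).jpg.zip
    "ac7cd2087014d9092e48ce465e4f902d",  # DSC_0492(copy).jpg.exe
}
# Extension tables are assumptions for the example, not an exhaustive list.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".wav", ".txt"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_zip(zip_bytes: bytes, known_md5=KNOWN_BAD_MD5, max_member=50_000_000):
    """Return one finding dict per ZIP member (plus the container if it matches).

    Each finding has the member name, its MD5 (None if skipped) and a list of
    reasons; an empty list means nothing suspicious was seen for that member.
    """
    findings = []
    container = md5_hex(zip_bytes)
    if container in known_md5:
        findings.append({"name": "<zip container>", "md5": container,
                         "reasons": ["MD5 matches known sample"]})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = basename(info.filename).lower()
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append("executable extension")
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
                reasons.append("double extension masquerading as " + parts[-2])
            if info.file_size > max_member:
                # Guard against decompression bombs: do not read huge members.
                reasons.append("member too large to hash; skipped")
                digest = None
            else:
                data = zf.read(info)
                digest = md5_hex(data)
                if data[:2] == b"MZ":
                    reasons.append("PE header (MZ)")
                if digest in known_md5:
                    reasons.append("MD5 matches known sample")
            findings.append({"name": info.filename, "md5": digest, "reasons": reasons})
    return findings


def verdict(findings):
    """True when any finding carries at least one reason to quarantine."""
    return any(f["reasons"] for f in findings)


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the lures in the posts: a fake "photo" and a fake
# fax report that are really PE stubs, plus a harmless text file.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
SAMPLE_ZIP = build_sample_zip({
    "DSC_0492(copy).jpg.exe": FAKE_PE,
    "IncomingFax.exe": FAKE_PE + b"x",
    "readme.txt": b"plain text, nothing to see",
})

if __name__ == "__main__":
    results = triage_zip(SAMPLE_ZIP)
    for f in results:
        print(f["name"], f["md5"], f["reasons"])
    print("quarantine:", verdict(results))
```

The MZ check matters more than the extension checks: an attacker can rename the payload to anything, but a Windows executable still starts with those two bytes. Hash matching is the weakest signal here, since the campaigns above re-pack their droppers frequently; it is included so the quoted IoCs are usable, not as the primary detection.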
