SPAM frauds, fakes, and other MALWARE deliveries...

2072 replies to this topic

#1096 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 20 December 2013 - 11:27 AM

FYI...

Fake ADP Fraud Secure Update Spam
- http://threattrack.t...ure-update-spam
Dec 20, 2013 - "Subjects Seen:
    ALERT! From ADP: 2013 Anti-Fraud Secure Update
Typical e-mail details:
    Dear Valued ADP Client,
    We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
    A new version of secure update is available.
    Our development division strongly recommends you to download this software update.
    It contains new features:
    The certificate will be attached to the computer of the account holder, which disables any fraud activity
    Any irregular activity on your account is detected by our safety centre. Download the attachment. Update will be automatically installed by double click.
    We value our partnership with you and take pride in the confidence that you place in us to process payroll
    on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.


Malicious File Name and MD5:
    2013 Anti-Fraud Secure Update.zip (EFF54DFFF096C439D07B50A494D6B435)
    2013 Anti-Fraud Secure Update.exe  (D4CBC4F2BE31277783F63B3991317AFE)


Screenshot: https://gs1.wac.edge...EEtA1r6pupn.png

Tagged: ADP, Upatre
___

Fake Dept. of Treasury - Notice of Outstanding Obligation Spam
- http://threattrack.t...ding-obligation
Dec 20, 2013 - "Subjects Seen:
    Department of Treasury Notice of Outstanding Obligation - Case L3FY2OH7CD1N9OS
Typical e-mail details:
    Important  please review and sign the attached document!
    We have received notification from the Department of the Treasury,
    Financial Management Service (FMS) that you have an outstanding
    obligation with the Federal Government that requires your immediate
    attention.
    In order to ensure this condition does not affect any planned
    contract or grant activity, please review and sign the attached document and if
    you are unable to understand the attached document please call FMS at 1-800-304-3107
    to address this issue.  Please make sure the person making the telephone call has the
    Taxpayer Identification Number available AND has the authority/knowledge
    to discuss the debt for the contractor/grantee.


Malicious File Name and MD5:
    FMS-Case-L3FY2OH7CD1N9OS.zip (D82A734CC165A85D1C19C65A6A9EA2A7)
    FMS-.exe (167744869CBD5560810B7CF2A03BD6FF)


Screenshot: https://gs1.wac.edge...kkd51r6pupn.png

Tagged: Upatre, Department of Treasury
___

Fake AT&T voicemail - malware...
- http://www.hoax-slay...l-malware.shtml
Dec 20, 2013 - "... Message purporting to be from telecommunications company AT&T claims that a new voicemail could not be delivered to the recipient. The email includes an attached file that supposedly contains the voicemail.
Analysis: The message is not from AT&T and the attached file does not contain a missed voicemail. Instead, the attachment harbours a malicious .exe file hidden within a .zip file. Opening the .exe file can install malware on the user's computer...
> http://www.hoax-slay...l-malware-1.jpg
This attack is similar to another malware distribution that claims that WhatsApp users have a new voicemail waiting. Clicking the "Play" button in the -bogus- email will open a malicious website that harbours malware..."
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 23 December 2013 - 07:42 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

    Advertisements

Register to Remove


#1097 AplusWebMaster

Posted 23 December 2013 - 12:31 PM

FYI...

Fake QuickBooks SPAM / Invoice.zip
- http://blog.dynamoo....invoicezip.html
23 Dec 2013 - "This -fake- QuickBooks spam has a malicious attachment:
    Date:      Mon, 23 Dec 2013 07:54:35 -0800 [10:54:35 EST]
    From:      QuickBooks Invoice [auto-invoice@ quickbooks .com]
    Subject:      Important - Payment Overdue
    Please find attached your invoices for the past months. Remit the payment by 12/23/2013 as outlines under our "Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Randal Owen ...


Attached to the message is a file Invoice.zip which has a VirusTotal detection rate of 5/44*, which in turn contains a malicious executable Invoice.exe with a detection rate of 5/49**. Automated analysis... shows an attempted connection to wifordgallery .com on 174.127.73.250 (Hosting Services Inc, US), it appears to be the only domain on that server so blocking the IP or domain itself may give you some protection against this current run of malware."
* https://www.virustot...sis/1387814800/

** https://www.virustot...e9d88/analysis/
___

More Email scams, spam...
- https://isc.sans.edu...l?storyid=17276
Last Updated: 2013-12-23 20:27:58 - "... new wave of email making the rounds, with a message that looks as follows:
> https://isc.sans.edu...s/images/c1.jpg
...  The subject seems to be one of "Delivery Canceling", "Express Delivery Failure" or "Standard Delivery Failure". Next to Costco, the same scam is currently ongoing for BestBuy and Walmart, maybe others. The links are (appear to be) random or encoded, there is no repeat occurrence of the URL and "package number" for the entire sample set that we have. It could well be that the BASE64 portion of the URL contains an encoded hash of the email address to which the phish was sent, so when you play with one of the samples, be mindful that you could be confirming the email address back to the bad guys... For a change, clicking on the link doesn't bring up a web form asking for your credit card number. Instead, it quite bluntly downloads a ZIP which contains an EXE. What makes this particular version more cute than others is that the EXE inside the ZIP is re-named on the fly, based on the geolocation of your download request. In my case, this spoiled the fun some, because "CostcoForm_Zürich.exe" and "CostcoForm_Hamburg.exe" didn't look all that credible: There are no Costcos in Switzerland or Germany :) ... As for the malware:  Lowish detection as usual, Virustotal 12/44*. Malwr/Cuckoo analysis**. The malware family so far seems to have a MUTEX of "CiD0oc5m" in common, and when run, it displays a Notepad that asks the user to try again later (while the EXE installs itself in the background)... Hosts currently seen pushing the malware include:
bmaschool .net Address: 61.47.47.35
bright-color .de Address: 78.46.149.229
am-software .net Address: 64.37.52.95
artes-bonae .de Address: 81.169.145.149
automartin .com Address: 46.30.212.214
almexterminatinginc .com Address: 50.63.90.1
brandschutz-poenitz .de Address: 81.169.145.160
All these sites have been on the corresponding IP addresses since years, which suggests that these are legitimate web sites that have been compromised/hacked, and are now being abused to push malware..."
* https://www.virustot...sis/1387825985/

** https://malwr.com/an...TJlMWRjYmM0NzU/
"... Hosts: IP 95.101.0.114 ..."
- https://www.virustot...14/information/

Keywords: malware scam
___

Fake Court hearing SPAM - Court_Notice_Jones_Day_Wa#8127.zip
- http://blog.dynamoo....urt-nr6976.html
23 Dec 2013 - "... malicious attachment:
    Date:      Mon, 23 Dec 2013 10:05:38 -0500 [10:05:38 EST]
    From:      Notice to Appear [support.6@ jonesday .com]
    Subject:      Hearing of your case in Court NR#6976
    Notice to Appear,
    Hereby you are notified that you have been scheduled to appear for
    your hearing that
    will take place in the court of Washington in January 9, 2014 at 10:00
    am.
    Please bring all documents and witnesses relating to this case with
    you to Court on your hearing date.
    The copy of the court notice is attached to this letter.
    Please, read it thoroughly.
    Note: If you do not attend the hearing the judge may hear the case in
    your absence.
    Yours truly,
    Alison Smith
    Clerk to the Court.


There is an attachment Court_Notice_Jones_Day_Wa#8127.zip which in turn contains an executable Court_Notice_Jones_Day_Washington.exe which is presumably malicious, but I can't analyse it. The VirusTotal detection rate for the ZIP is 4/49*."
* https://www.virustot...sis/1387815631/

Same stuff D.D.: https://isc.sans.edu...l?storyid=17279
Last Updated: 2013-12-24 00:54:04
Keywords: scam spam malware
 

:ph34r: <_<


Edited by AplusWebMaster, 26 December 2013 - 09:54 AM.

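Added example (not from the ISC diary or from this thread's author): a Python check for the tracking-token point in the Costco/BestBuy/Walmart write-up quoted above. The diary suspects that the base64 part of each link encodes a hash of the recipient's e-mail address, so that merely fetching the link confirms the address to the sender. This script takes a recipient address and a link, decodes any base64-looking path or query segment, and compares the result with the plain address and its MD5/SHA-1/SHA-256 digests (hex and raw), so an analyst can tell from the message alone whether the link is recipient-specific without touching it. The recipient address, the tracker.example.invalid host and both sample URLs are constructed for the example.

```python
import base64
import binascii
import hashlib
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed recipient address; NOT one of the ISC samples.
RECIPIENT = "jane.doe@example.com"


def b64decode_lenient(token: str) -> Optional[bytes]:
    """Decode a standard or URL-safe base64 token, tolerating stripped '=' padding.
    Returns None when the token is not valid base64 at all."""
    normalised = token.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)
    try:
        return base64.b64decode(normalised, validate=True)
    except (binascii.Error, ValueError):
        return None


def candidate_encodings(address: str) -> Dict[str, bytes]:
    """Plausible ways a mailer could hide a recipient inside an opaque token:
    the address itself, or a hex / raw digest of it."""
    addr = address.strip().lower().encode()
    candidates = {"plain": addr}
    for name in ("md5", "sha1", "sha256"):
        digest = hashlib.new(name, addr)
        candidates[f"{name}-hex"] = digest.hexdigest().encode()
        candidates[f"{name}-raw"] = digest.digest()
    return candidates


def opaque_segments(url: str, min_len: int = 16) -> List[str]:
    """Path segments and query values long enough to carry a tracking token."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if len(s) >= min_len]
    for values in parse_qs(parts.query).values():
        segments.extend(v for v in values if len(v) >= min_len)
    return segments


def identify_tracking_token(url: str, address: str) -> Dict[str, str]:
    """Map each token in `url` that is derived from `address` to the encoding used.
    An empty result means no token is recognisably tied to the recipient."""
    candidates = candidate_encodings(address)
    hits: Dict[str, str] = {}
    for segment in opaque_segments(url):
        decoded = b64decode_lenient(segment)
        if decoded is None:
            continue
        for name, value in candidates.items():
            if decoded == value:
                hits[segment] = name
    return hits


def make_sample_token(address: str) -> str:
    """Build the kind of token the diary suspects: base64(md5hex(address)), padding stripped.
    Used only to construct the sample URL below."""
    hexdigest = hashlib.md5(address.strip().lower().encode()).hexdigest().encode()
    return base64.urlsafe_b64encode(hexdigest).decode().rstrip("=")


SAMPLE_URLS = [
    # constructed: token derived from the recipient, as the ISC write-up hypothesises
    f"http://tracker.example.invalid/costco/{make_sample_token(RECIPIENT)}/CostcoForm.zip",
    # constructed: an opaque-looking token that decodes but is not derived from the recipient
    "http://tracker.example.invalid/costco/ZGVmaW5pdGVseW5vdA/CostcoForm.zip",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        found = identify_tracking_token(sample, RECIPIENT)
        verdict = "recipient-specific" if found else "not tied to recipient"
        print(f"{verdict}: {sample}  {found}")
```

A hit means the link should go to a sandbox that rewrites or strips the token, not be opened as-is; a miss only means the token is not one of the simple encodings tried here.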


#1098 AplusWebMaster

Posted 30 December 2013 - 05:39 AM

FYI...

Fake Apple reactivation email - phishing attempt
- http://blog.mxlab.eu...ishing-attempt/
Dec 30, 2013 - "MX Labs... intercepted a phishing email from the spoofed email address “Service Apple <client@ apple .com>” with the subject “Reactivation No: A3556P325LL346E?” and the following body:
    Dear (e) client (e)
    We inform you that your account is about to expire in less than 48 hours, it is imperative to conduct an audit of your information now, otherwise your account will be deleted.
    Download the attached form and open it in your browser and make your request.
    Why you email he sent?
    The sending of this email applies when the date of expiration of your account will terminate.
    Thank you,
    Assistance Apple customers


Screenshot: http://img.blog.mxla...ple_phish_1.gif

The email comes with the attachment Apple.html. Once opened you will have the following screen:
> http://img.blog.mxla...ple_phish_2.gif
The HTML page contains code to use an -iframe- and the real web form is hosted on hxxp ://photosappl.bbsindex .com:89/apple .com/ca/index.html.
Once all the details are filled in, the user is -redirected- to the official log in page of Apple at https ://secure2.store.apple .com/es/sign_in/."
___

Fake Tesco phish ...
- http://www.welivesec...tesco-shoppers/
Dec 30, 2013 - "... -scam- message again, just for comparison.
Dear Valued Customer,
NatWest is giving out free shopping vouchers for your favorites stores for Christmas.
This offer is only for NatWest Credit Card Online Services users and it will be valid to use until the 31st of December, 2013
To Qualify for this opportunity, Kindly Click here now.
After validation your voucher will be sent via text message or posted to your Mailbox.
Yours Sincerely,
NatWest Credit Card Services.


The example below – with the subject header “Free Tesco Vouchers for Christmas.” – is a little more sophisticated. For a start, it has the festive Tesco Bank logo currently in use, complete with Google-ish party hat on the ‘O’. And since TESCO is probably better known for its supermarkets than for its banking and insurance services, even to people who never use it, it’s rather more credible that the bank might be offering vouchers for Tesco stores, rather than the vague and ungrammatical ‘your favorites stores’...
> http://www.welivesec.../tesco-logo.png
Dear Valued Customer,
Tesco Bank is giving you a chance to shop for free at any of our tesco outlets or online by giving out free tesco vouchers for Christmas.
This offer is only for Tesco Credit Card and Tesco Savings/Loan owners and it will be valid to use until the 31st of December,2013.
SAVINGS OR LOAN CUSTOMER CLICK THE LINK BELOW
Savings/Loan Click here to Claim
CREDIT CARD CUSTOMER CLICK THE LINK BELOW
Credit Card Click here to Claim
After validation your voucher will be sent via text message or posted to your Mailbox.
Tesco Personal Finance Online Service


Most bank phishing messages come in waves/campaigns, and they’re not particularly topical. The scammers keep sending out material that falls into one of the same set of social engineering categories... While they want you to respond immediately (before you have time to think about it, and before the link disappears because security researchers have found it and taken action), the content isn’t particularly topical. This one, however, resembles the sort of topical approach we associate with other kinds of malicious activity (botnets, fake AV, charity/disaster relief scams and so on) where social engineering is based on a current seasonal event (Xmas, Valentine’s Day, Cyber Monday) or news item (real or fake)..."
___

Snapchat security issues ...
- http://www.darkreadi...endly=this-page
Dec 27, 2013 - "Snapchat, the popular photo messaging service, got a visit from the privacy Grinch this Christmas season after researchers released details of an exploit that abuses Snapchat's "Find My Friends" feature. The visit was the work of Gibson Security*, which first notified Snapchat of this and other security issues back in August. According to the group, Snapchat did not respond, compelling Gibson Security to publicly release more details and some proof-of-concept code on Christmas Eve. The first target: Snapchat's Find My Friends feature. Typically, Find My Friends enables users to look up their friends' usernames by uploading the phone numbers in their devices' address book and searching for accounts that match those numbers. The researchers, however, were able to abuse that capability to do that on a massive scale... researchers say an attacker could use the Snapchat API to write an automated program that generates phone numbers and searches them against the Snapchat database as a step toward building a database of social networking profiles that could be sold to others..."
* http://gibsonsec.org/
 

:ph34r: <_<


Edited by AplusWebMaster, 30 December 2013 - 09:58 AM.



#1099 AplusWebMaster

Posted 02 January 2014 - 07:36 PM

FYI...

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Deposit Statement Email Messages - 2014 Jan 02
Fake Business Complaint Notification Email Messages - 2014 Jan 02
Fake Personal Picture Email Messages - 2014 Jan 02
Fake Hotel Reservation Request Email Messages - 2014 Jan 02
Fake Account Payment Information Email Messages - 2014 Jan 02
Fake Product Purchase Request Email Messages - 2014 Jan 02
Fake Online Purchase Email Messages - 2014 Jan 02
Fake Account Information Request Email Messages - 2014 Jan 02
Fake Payment Notification - 2014 Jan 02
Fake Job Offer Documents Email Messages - 2014 Jan 02
Fake Account Refund Email Messages - 2014 Jan 02
Fake Court Appearance Request Email Messages - 2014 Jan 02
Fake Product Order Email Messages - 2014 Jan 02
(More detail and links at the cisco URL above.)
 

:ph34r: <_<




#1100 AplusWebMaster

Posted 03 January 2014 - 03:24 PM

FYI...

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Email Messages with Malicious Images - 2014 Jan 03
Fake Financial Document Delivery Email Messages - 2014 Jan 03
Fake Product Order Inquiry Email Messages - 2014 Jan 03
Fake Court Hearing Documents Email Messages - 2014 Jan 03
Fake Product Purchase Order Email Messages - 2014 Jan 03
Fake Shipping Information Email Messages - 2014 Jan 03
Fake Payroll Invoice Email Messages - 2014 Jan 03
Fake Bank Transfer Notification Email Messages - 2014 Jan 03
Fake Account Bill Statement Email Messages - 2014 Jan 03
Fake Court Appearance Request Email Messages - 2014 Jan 03
Fake Financial Report Email Messages - 2014 Jan 03
Fake Order Details Email Messages - 2014 Jan 03
Fake Invoice Statement Attachment Email Messages - 2014 Jan 03
Fake Account Payment Confirmation Email Messages - 2014 Jan 03
Fake Personal Photos Email Messages - 2014 Jan 03
Fake Online Order Details Email Messages - 2014 Jan 03
Fake Document Delivery Email Messages - 2014 Jan 03
Fake Court Documents Email Messages - 2014 Jan 03
Fake Services Invoice Email Messages - 2014 Jan 03
(More detail and links at the cisco URL above.)
 

:ph34r: :ph34r:




#1101 AplusWebMaster

Posted 04 January 2014 - 08:19 AM

FYI...

Malicious Ads from Yahoo
- https://isc.sans.edu...l?storyid=17345
Last Updated: 2014-01-04 13:49:34 UTC - "According to a blog post from fox-it.com*, they found ads.yahoo .com serving malicious ads from Yahoo's home page as early as December 30th. The malicious traffic appeared to come from the following subnets 192.133.137.0/24 and 193.169.245.0/24. Most infections seem to be in Europe. Yahoo appears to be aware and addressing the issue, according to the blog..."
* http://blog.fox-it.c...rved-via-yahoo/
Jan 3, 2014 - "... Clients visiting yahoo.com received advertisements served by ads.yahoo .com. Some of the advertisements are malicious. Those malicious advertisements are iframes... Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:
    boxsdiscussing .net
    crisisreverse .net
    limitingbeyond .net
    and others
All those domains are served from a single IP address: 193.169.245.78 *. This IP-address appears to be hosted in the Netherlands. This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
    ZeuS
    Andromeda
    Dorkbot/Ngrbot
    Advertisement clicking malware
    Tinba/Zusy
    Necurs
The investigation showed that the earliest signs of infection were at December 30, 2013. Other reports suggest it might have started even earlier... it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo.
> http://foxitsecurity...jpg?w=448&h=387
... Block access to the following IP-addresses of the malicious advertisement and the exploit kit:
    Block the 192.133.137/24 subnet
    Block the 193.169.245/24 subnet
Also closely inspect network traffic for signs of successful exploits for any of the dropped malware. Yahoo is aware of the issue and looking into it.
Please watch this page for updates.
Update: January 3, 1815 (GMT+1): It appears the traffic to the exploit kit has significantly decreased. It looks like Yahoo is taking steps to fix the problem."

* https://www.virustot...78/information/

- http://help.yahoo.co..._US&id=SLN22569
Update on ads 1/5/14
 

:ph34r: <_< :ph34r:


Edited by AplusWebMaster, 06 January 2014 - 11:42 AM.

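Added example (not from the Fox-IT or ISC write-ups, nor from this thread's author): the Fox-IT post above says to block the two /24 subnets and to inspect traffic for signs of successful exploitation, and the ISC Costco diary in post #1097 lists compromised hosts pushing the dropper. This Python script applies those indicators to a proxy log. The log lines are constructed and follow the Squid native access-log layout (time, elapsed, client, status, bytes, method, URL, user, hierarchy/peer, type), which is an assumption about the reader's proxy; the subnets, the exploit-kit IP and domains, and the compromised-host list are the ones quoted in the posts.

```python
import ipaddress
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators quoted above from the Fox-IT Yahoo malvertising post and the ISC Costco diary.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("192.133.137.0/24", "193.169.245.0/24")]
EXPLOIT_KIT_IP = ipaddress.ip_address("193.169.245.78")
EXPLOIT_KIT_DOMAINS = {"boxsdiscussing.net", "crisisreverse.net", "limitingbeyond.net"}
COMPROMISED_HOSTS = {
    "bmaschool.net": "61.47.47.35",
    "bright-color.de": "78.46.149.229",
    "am-software.net": "64.37.52.95",
    "artes-bonae.de": "81.169.145.149",
    "automartin.com": "46.30.212.214",
    "almexterminatinginc.com": "50.63.90.1",
    "brandschutz-poenitz.de": "81.169.145.160",
}

# Constructed Squid-style access-log lines (assumed format; not real traffic).
SAMPLE_LOG = """\
1388743200.101   210 10.0.0.15 TCP_MISS/200 5120 GET http://ads.yahoo.com/st?ad=1 - DIRECT/192.133.137.42 text/html
1388743201.455   980 10.0.0.15 TCP_MISS/200 64210 GET http://xk3q.crisisreverse.net/ - DIRECT/193.169.245.78 application/octet-stream
1388743202.002    40 10.0.0.22 TCP_HIT/200 1200 GET http://www.example.com/ - NONE/- text/html
1388743203.310   330 10.0.0.31 TCP_MISS/200 77000 GET http://bmaschool.net/CostcoForm.zip - DIRECT/61.47.47.35 application/zip
1388743204.700  1200 10.0.0.22 TCP_TUNNEL/200 8800 CONNECT mail.example.com:443 - DIRECT/203.0.113.5 -
"""


def domain_matches(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain (the kit used random subdomains)."""
    return host == domain or host.endswith("." + domain)


def url_host(url: str) -> str:
    """Host part of a proxied URL, or of a CONNECT target written as host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def classify(host: str, peer: str) -> List[str]:
    """Reasons a request matches the published indicators (empty list = clean)."""
    reasons = [f"exploit kit redirect domain {d}" for d in EXPLOIT_KIT_DOMAINS if domain_matches(host, d)]
    if host in COMPROMISED_HOSTS:
        reasons.append(f"compromised host serving the dropper ({COMPROMISED_HOSTS[host]})")
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:          # cache hits log "NONE/-": no upstream peer
        return reasons
    if ip == EXPLOIT_KIT_IP:
        reasons.append("exploit kit server IP")
    reasons.extend(f"peer in blocked subnet {net}" for net in BLOCKED_NETS if ip in net)
    return reasons


def scan_log(text: str) -> List[Dict]:
    """One finding per log line that touches an indicator."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, hierarchy = fields[2], fields[6], fields[8]
        peer = hierarchy.split("/", 1)[-1]
        host = url_host(url)
        reasons = classify(host, peer)
        if reasons:
            findings.append({"line": number, "client": client, "host": host, "peer": peer, "reasons": reasons})
    return findings


def clients_to_triage(findings: List[Dict]) -> Counter:
    """Internal clients that reached an indicator, with hit counts; these need host-level checks
    for the dropped families (ZeuS, Andromeda, Dorkbot, Tinba, Necurs) named in the post."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['client']} -> {hit['host']} via {hit['peer']}: {'; '.join(hit['reasons'])}")
    print("clients to triage:", dict(clients_to_triage(hits)))
```

A blocked subnet stops the redirect chain; the client list is what matters afterwards, since a machine that already reached 193.169.245.78 may have been exploited before the block went in.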


#1102 AplusWebMaster

Posted 06 January 2014 - 07:18 AM

FYI...

Fake Amazon account phish
- http://blog.dynamoo....our-amazon.html
6 Jan 2014 - "... new wave of phishing emails, here's a new one looking for Amazon credentials.
    Date:      Mon, 6 Jan 2014 08:19:39 -0000 [03:19:39 EST]
    From:      Amazon [noreply@ trysensa .com]
    Case- 91289-90990
    Unauthorized Activity on your Amazon account.
    We recently confirmed that you had unauthorized activity on your Amazon account.
    Please be assured that because your card includes "zero-liability fraud protection" , you are not responsible for unauthorized use of your card.
    Unfortunately, we have not confirmed your complete information , please follow the instructions below.
    Click the link below to validate your account information using our secure server:
    Click Here To Active Your Amazon Account
    For your protection, you must verify this activity before you can continue using your account
    Thank You.
    Amazon LTD Security System


The link in the email goes to [donotclick]immedicenter .com/immedicenter/images/yootheme/menu/Amazon/index.php and comes up with a convincing-looking Amazon login page:
> http://2.bp.blogspot...zon-login-1.png
The next page phishes for even more information... it goes after your credit card information... then gets sent to the genuine Amazon .com website. In most email clients, floating over the link would clearly demonstrate that this was not the legitimate amazon.com website, and certainly once visited (not something I would recommend) then the address bar at the top of the browser would clearly indicate it is -not- amazon .com. If you have accidentally clicked through this email and provided all the details then you should contact your bank immediately and also change your Amazon password plus any other places that you use that same username/password combination."
___

The $9.84 Credit Card Hustle
- http://krebsonsecuri...it-card-hustle/
Jan 6, 2014 - "Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84... repeatedly advised readers to keep a close eye on their bank statements for -bogus- transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom. One reader said the $9.84 charge on her card came with a notation stating the site responsible was eetsac .com. I soon discovered that there are -dozens- of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread* at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.
> http://krebsonsecuri...4/01/homecs.png
... A closer look at some of those domains reveals a few interesting facts. Callscs .in, for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. Callscs .in lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075... this is not a new type of fraud, nor is this particular fraud a recent occurrence — although the bogus $9.84 charges do appear to have spiked around the holidays. Most of the domains involved in this scheme were registered a year ago or more, and a quick search on the amount $9.84 shows that the fraudsters responsible for this scheme have been at it since at least the first half of 2013. If you see a charge like this or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to abused like this again..."
(More detail at the krebsonsecurity URL above.)
* http://www.amazon.co...Tx2EME4IL59BUP4

> http://www.scambook....&sort=relevance
___

Zeus spoofing Bitdefender AV ...
- http://www.webroot.c...it-defender-av/
Jan 6, 2014 - "... noticed a large amount of -Zeus- infections that are -spoofing- the Bitdefender name. While infections spoofing AV companies aren’t unusual, it’s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – Overall, we have seen 40,000 unique MD5`s in the last week alone! The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website... This infection can get onto a user’s PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kits uses Java Exploits to drop and execute a file. Unless the user is very alert, they typically won’t even notice they are infected. Once executed, the infection will try a number of methods to make sure it is automatically ran on start-up... the infection may connect to a remote server and receive updates and it can also download other infections (Cryptolocker/ICE and other Rogue AV`s)... Due to the infection route of this particular infection, it is advisable to have the latest version of Java installed and preferably use a modern secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector... this infection has also been seen to be spread by email... Always be alert to any email attachments, even if they’re from friends/relatives, and especially executable files that are inside a zip file..."
 

:ph34r: <_< :ph34r:


Edited by AplusWebMaster, 06 January 2014 - 04:52 PM.

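Added example (not from the MX Lab or dynamoo posts, nor from this thread's author): an offline scanner for HTML e-mail attachments that covers both the Apple.html case in post #1098 (an iframe pulling the real form from another host on port 89) and the Amazon case above (a "Click Here" link whose visible text says amazon.com while the href goes elsewhere). It uses only the standard library html.parser, never fetches anything, and reports every iframe, form action and link that hands the user off to a host outside the brand's domain. The sample attachment and its example.invalid hosts are constructed stand-ins, not the live phishing hosts quoted in the posts.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Brands the attachment claims to be from; a host must sit under one of these to pass.
BRAND_DOMAINS = ("apple.com", "amazon.com")

# Constructed sample attachment modelled on the Apple.html and Amazon phishes quoted above.
SAMPLE_HTML = """<html><body>
<h1>Apple ID - Reactivation</h1>
<iframe src="http://photos-placeholder.example.invalid:89/apple.com/ca/index.html" width="100%" height="900"></iframe>
<form action="http://collector.example.invalid/login.php" method="post">
  <input name="appleid"><input type="password" name="pw">
</form>
<a href="http://store-placeholder.example.invalid/images/Amazon/index.php">http://www.amazon.com/account</a>
<a href="https://www.apple.com/legal/">Privacy policy</a>
</body></html>"""


def under_brand(host: str) -> bool:
    """True only for the brand domain itself or a real subdomain of it
    (so apple.com.example.invalid does not pass)."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


class AttachmentScanner(HTMLParser):
    """Collects every place the attachment hands the user off to another host."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self._check("iframe src", a["src"])
        elif tag == "form" and a.get("action"):
            self._check("form action", a["action"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []   # gather the visible text until </a>

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check("link", self._href, "".join(self._text).strip())
            self._href = None

    def _check(self, kind: str, url: str, text: str = "") -> None:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or under_brand(host):
            return  # relative reference, or genuinely on the brand's own domain
        reasons = ["host not under a trusted brand domain"]
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
        if any(d.split(".")[0] in parts.path.lower() for d in BRAND_DOMAINS):
            reasons.append("brand name appears in the path of an unrelated host")
        if any(d in text.lower() for d in BRAND_DOMAINS):
            reasons.append("visible link text names a brand domain but href points elsewhere")
        self.findings.append({"kind": kind, "host": host, "port": parts.port, "reasons": reasons})


def scan_attachment(html: str) -> List[Dict]:
    """Parse an HTML attachment and return the off-brand hand-offs it contains."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE_HTML):
        print(f"{finding['kind']} -> {finding['host']}: {'; '.join(finding['reasons'])}")
```

Run it on the saved attachment instead of opening the file in a browser: the iframe and form targets are exactly what the user would never see once the page renders.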


#1103 AplusWebMaster

Posted 07 January 2014 - 05:02 AM

FYI...

Spam... trends of 2013
- http://blog.trendmic...trends-of-2013/
Jan 7, 2014 - "... still saw traditional types of spam, we also saw several “improvements” which allowed spammers to avoid detection and victimize more users. We also saw spam utilized more to carry malware since the start of the year.
Spam volume from 2008...
> http://blog.trendmic...spam-volume.jpg
... In 2013, we saw 198 BHEK spam campaigns, a smaller number compared to the previous year... In this particular spam run, the volume of spammed messages reached up to 0.8% of all spam messages collected during the time period.
> http://blog.trendmic...1/2013-BHEK.jpg
... The number of BHEK spam runs dwindled until there was none in December... the use of malware attachments remains constant in the threat landscape. This suggests that there are users who still fall prey to simple techniques (such as urging users to click on an attachment). We noticed that the number of spam with malicious attachments fluctuated throughout the year, before it steadily increased in the latter months.
Volume of spam messages with -malicious- attachments
> http://blog.trendmic...-attachment.jpg
From the first to third quarter of the year, ZBOT/ZeuS was the top malware family distributed by spam. This family is known for stealing financial-related information. Halfway into the third quarter, however, we noticed that TROJ_UPATRE* unseated ZBOT and became the top malware attachment. In November, about 45% of all malicious spam with attachments contained UPATRE malware. UPATRE became notorious for downloading other malware, including ZBOT malware and ransomware, particularly CryptoLocker. This type of attack is doubly risky for users because not only will their information be stolen, their files will also become inaccessible..."
* http://about-threats...TROJ_UPATRE.VNA
___

64-bit ZBOT leverages Tor - improves evasion techniques
- http://blog.trendmic...ion-techniques/
Jan 7, 2014 - "... we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also lead us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques... Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version. The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers... This 64-bit version for ZeuS/ZBOT is an expected progression for the malware, especially after ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS and its involvement with other malware such as Cryptolocker and UPATRE. Adding other functionalities such as rootkit capability and the use of a Tor component are further proof that we can see more modifications in the future, particularly those that help circumvent or delay antimalware efforts..."
___

Wells Fargo Important Documents Spam
- http://threattrack.t...-documents-spam
Jan 7, 2014 - "Subjects Seen:
    ATTN: Important Bank Documents
Typical e-mail details:
    We have received this documents from your bank, please review attached documents.
    Lanny Hester
    Wells Fargo Advisors


Malicious File Name and MD5:
    BankDocs-4F17B9844A.zip (1A493400DBDE62CC64AB2FC97985F07B)
    BankDocuments_FE0274A4593F58683C1949896834F32939859835947694653298321744361597236489231640913264.pdf.exe (8F24720E4D08C986C0FE07A66CCF8380)


Screenshot: https://gs1.wac.edge...PzwB1r6pupn.png

Tagged: wells fargo, Upatre
___

'Adobe License Service Center Order NR' and 'Notice to appear in court' themed malicious spam ...
- http://www.webroot.c...tercepted-wild/
Jan 7, 2014 - "... Despite the lack of blog updates over the Holidays, we continued to intercept malicious campaigns over the same period of time, proving that the bad guys never take holidays... The first campaign successfully impersonates Adobe’s License Service Center, in an attempt to trick users into thinking that they’ve successfully purchased a Creative Suite 6 Design Standard software license key.
Sample screenshot of the first spamvertised campaign:
> https://www.webroot....ngineering1.png
Detection rate for the spamvertised attachment: MD5: 10dbbaaceda4dce944ebb9c777f24066 *  TrojanDownloader:Win32/Kuluoz.D.
The second campaign, attempts to trick users into thinking that they’ve received a notice to appear in court.
Sample screenshot of the spamvertised attachment:
> https://www.webroot....Engineerig1.png
Detection rate for the spamvertised attachment: MD5: c77ca2486d1517b511973ad1c923bb7d **  TrojanDownloader:Win32/Kuluoz.D; Backdoor.Win32.Androm.bket.
Once executed the sample phones back to:
... 109.169.87.141... also known to have responded to 200.98.141.0 ... Two more MD5s are known to have responded to the same C&C IP in the past..."
* https://www.virustot...sis/1389006917/

** https://www.virustot...sis/1389008875/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 07 January 2014 - 04:46 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1104 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 January 2014 - 09:09 AM

FYI...

More malicious "Voice Message from Unknown" SPAM
- http://blog.dynamoo....known-spam.html
8 Jan 2014 - "Another bunch of fake "voice message" spams with a malicious payload are doing the rounds, for example:
    Subject: Voice Message from Unknown (996-743-6568)
    Subject: Voice Message from Unknown (433-358-8977)
    Subject: Voice Message from Unknown (357-973-7738)

    Body:
    - - -Original Message- - -
    From: 996-743-6568
    Sent: Wed, 8 Jan 2014 12:06:38 +0000
    To: [redacted]
    Subject: Important Message to All Employees


Attached is a file VoiceMessage.zip which in turn contains VoiceMessage.exe which has a VirusTotal detection rate of 11/47*. Automated analysis tools... show an attempted connection to casbir .com .au on 67.22.142.68 (Cologlobal, Canada). This appears to be the only server on this IP address, so blocking or monitoring it for the time being may be prudent."
* https://www.virustot...sis/1389191399/
___

jConnect Fax Spam
- http://threattrack.t...onnect-fax-spam
Jan 8, 2014 - "Subjects Seen:
    jConnect fax from “<phone number>” - 21 page(s), Caller-ID: <phone number>
Typical e-mail details:
    Fax Message [Caller-ID: <phone number>]
    You have received a 21 page(s) fax at 2012-12-17 05:25:32 EST.
    * The reference number for this fax is lax3_did10-1514386087-4062628129-11.
    This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: j2.com/downloads
    Please visit j2 .com/help if you have any questions regarding this message or your j2 service.
    Thank you for using jConnect!


Malicious File Name and MD5:
    FAX_93-238738192_19.zip (3A8CAA5972CF72CCEB0C40531C28B5AB)
    FAX_93-238738192_19.exe (CA2628B955CAC2C8B6BD9F8C4C504FA4)


Screenshot: https://31.media.tum...XLm51r6pupn.png

Tagged: jconnect, Upatre
___

LinkedIn Makes Federal Case Out of Fake Accounts
- http://blogs.wsj.com...-fake-accounts/
Jan 7, 2014 - "LinkedIn, the business-focused social network, charged in a federal civil lawsuit that 10 unnamed people had created thousands of fake accounts that can be used to pass on malicious computer code or puff up users’ profiles. In a suit filed Monday in U.S. District Court for the Northern District of California, LinkedIn said it had deleted the abusive accounts and traced them to an Amazon Web Services account. It’s asking the cloud computing giant to hand over the names of the owners of the web-services accounts. Amazon Web Services offers computing power for rent via the Internet. An Amazon spokeswoman did not immediately respond to a request for comment. LinkedIn accuses the unnamed people of violating its user agreement by creating multiple fake accounts that stole data from legitimate LinkedIn profiles through a method called scraping*..."
* http://www.hotforsec...ators-7594.html
Jan 8, 2014 - "... In November, Bitdefender warned about fake LinkedIn profiles that gather personal details**  and lead users to dangerous websites..."
** http://www.hotforsec...ffers-7362.html
Nov 21, 2013 - "... As many users speak English and a native language, the scam aims at most countries in the world especially the US, where over 84 million users are active on LinkedIn. The fake recruiter spreads the link to the scam using URL shortening techniques. The bogus profile of “Annabella Erica” was already injected into authentic LinkedIn groups such as Global Jobs Network, which includes 167,000 users worldwide. Members of the social network are now sharing insights on more than 2.1 million groups, so the number of victims exposed to the scam could be a lot higher. The fake employment website is registered on a reputable “.com” domain to avoid raising doubts as to its authenticity. Scammers gather e-mail addresses and passwords they may later use for identity theft. Fraudsters usually register websites for longer periods and sometimes make their pages look even better than legitimate websites..."
___

inTuit/TurboTax phish
- http://security.intu.../alert.php?a=95
1/7/14 - "Here is a copy of the phishing email people are receiving. Be sure -not- to open the attachment.

TurboTax Alert: Your $4,120.55 Tax Refund!
> http://security.intu...ges/ttphish.jpg
Dear Customer,
You've received a Tax Refund of $4,120.55.
Kindly find attached file to view your Refund Confirmation from TurboTax.
Please keep this refund confirmation for your records.
NOTE: TurboTax/IRS will not request your banking details through email, sms or telephone.
Thank you for using TurboTax


This is the end of the -fake- email.
Steps to Take Now:
 Do -not- open the email attachment...
 Delete the email."
 

:ph34r: <_<


Edited by AplusWebMaster, 08 January 2014 - 01:24 PM.



#1105 AplusWebMaster


Posted 08 January 2014 - 11:24 PM

FYI...

Fake Browser update site installs Malware
- http://www.symantec....nstalls-malware
9 Jan 2014 - "In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http ://newyear[REMOVED]fix .com, was registered on Dec 30, 2013. Based on our research, 94 percent of attacks appear to be targeting users based in the United Kingdom through advertising networks and free movie streaming and media sites... This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down. The website, which is hosted in the -Ukraine- uses a dual hybrid Web server setup by Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect. The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates...
Page displayed to Chrome users
> http://www.symantec....er Update 1.png
Page displayed to Firefox users
> http://www.symantec....er Update 2.png
Page displayed to Internet Explorer users
> http://www.symantec....er Update 3.png
JavaScript loop button which requires 100 clicks to close
> http://www.symantec....er Update 4.png
At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe. Both of these samples are detected by Symantec as Trojan.Shylock*..."
* http://www.symantec....-092916-1617-99
___

Spam Overdose Yields Fareit, Zeus and Cryptolocker
- http://www.f-secure....s/00002655.html
Jan 9, 2014 - "... massive spam surge with the same subjects and attachments in our spam traps.
>> http://www.f-secure....ives/emails.PNG
>>> http://www.f-secure..../emailstats.png
The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers. For the two samples coming from this spam, we've seen them connecting to these to send information:
• networksecurityx .hopto .org
• 188.167.38.131
• 94.136.131.2
• 66.241.103.146
• 37.9.50.200

In addition to stealing data, these samples download other malware including Zeus P2P... Other malware seen installed in the system was Cryptolocker.
> http://www.f-secure....rchives/btc.PNG
... Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants."

- http://google.com/sa...site=hopto.org/

- https://www.virustot...31/information/

- https://www.virustot....2/information/

- https://www.virustot...46/information/

- https://www.virustot...00/information/
___

JPMorgan Chase SecureMail Spam
- http://threattrack.t...securemail-spam
Jan 9, 2014 - "Subjects Seen:
    You have a new encrypted message from JPMorgan Chase & CO.
Typical e-mail details:
    You have received a secure e-mail message from JPMorgan Chase & CO..
    We care about your privacy, JPMorgan Chase & CO. uses this secure way to exchange e-mails containing personal information.
    Read your secure message by opening the attachment. You will be prompted to save (download) it to your computer.
    If you have concerns about the validity of this message, please contact the sender directly.
    First time users - will need to register after opening the attachment.


Malicious File Name and MD5:
    Secureinformation.zip (19CCB0B5FCF8D707671E5F98AC475D36)
    Secureinformation.exe (7F81501C468FF358DE1DA5B1F1AD150B)


Screenshot: https://31.media.tum...HloB1r6pupn.png

Tagged: Chase, Upatre
___

IRS Tax Return Spam
- http://threattrack.t...tax-return-spam
Jan 9, 2014 - "Subjects Seen:
    IRS: Early 2013 Tax Return Report!
Typical e-mail details:
    Dear Member
    Here is a report on your early 2013 Federal Tax return report. Kindly download the attachment to view your report and start filling for 2013 return as early as second week of December.
    Thanks
    Internal Revenue Service


Malicious File Name and MD5:
    Early2013TaxReturnReport_D0E7937B80.zip (E76B91B9010AE7ABDC264380B95BF86D)
    Early2013TaxReturnReport_983456948574980572398456324965984573984509324.pdf.exe (FE20A23BEC91B7EC1E301B571CE91100)


Screenshot: https://31.media.tum...wRXE1r6pupn.png

Tagged: IRS, Fareit
___

- http://blog.mxlab.eu...ontains-trojan/

- https://www.virustot...18bd5/analysis/
Early2013TaxReturnReport_ ...
Analysis date: 2014-01-10 12:55:07 UTC

- https://malwr.com/an...2Y1OTU4MDdhODQ/
 

:ph34r: <_<


Edited by AplusWebMaster, 10 January 2014 - 07:38 AM.



#1106 AplusWebMaster


Posted 10 January 2014 - 11:31 AM

FYI...

Fake Bank Statement SPAM
- http://threattrack.t...-statement-spam
Jan 10, 2014 - "Subjects Seen:
    Bank Statement. Please read
Typical e-mail details:
    Hello <email name>,
    I attached the December Invoice that contains the Property Tax and the other document showing the details mentioned below.
    I am at your disposal for any further question.
    Waiting for your instructions concerning the document attached.
    Goldie Oliver


Malicious File Name and MD5:
    USBank_December_2013_17F9968085.zip (5A2E558A7DC17998A11A0FBFB34AACF9)
    USBank - December 2013_ID39485394562093456309847589346598237598320471237481923427583450.pdf.exe (2089EAC526883C98D67D399449B461DB)


Screenshot: https://31.media.tum...V1p11r6pupn.png

Tagged: Bank Statement, Fareit
___

Junk Mail vs Scam Mail
- http://www.bbb.org/b...l-vs-scam-mail/
Jan 10, 2014 - "Many of the items sent to consumers' in-boxes these days are little more than junk mail. But BBB warns a growing number of spam emails are designed to inflict harm. While it may seem like this topic comes up frequently, unfortunately, scammers find a way to catch users off guard. Right after the Target store hacking of some 40 million credit and debit cards, BBB issued a warning* about emails claiming to be from Target but were disguised as malware designed to steal identity information. The warning was issued in light of all the scam emails on the internet right now. The hard part is telling the difference between a legitimate email from a vendor you do subscribe to and one that looks like the vendor but isn’t... Check for misspellings and grammatical errors. Silly mistakes and sloppy copy – for example, an area code that doesn’t match an address – often are giveaways that the site is a scam. Messaging like, “Just tell us where to send this $1,100” -or- “a delivery was cancelled because of problems with the mailing addressed and to please provide a correct address” is another giveaway. Companies typically do not use this type of language. A recent trend in scam emails is asking users to select a link on a state where they are to send the money or to send the correct address. This link will then lead to a site where a thief will use the information for their own use. It isn’t wise to select the links or open attachments in emails you aren’t familiar with, especially ones you haven’t solicited. When in doubt, check with the company before you respond to any website that asks you to enter personal identifying information. Bottom line, unless you’ve done business with the company or are on a mailing list with them – do -not- click on email links even if they appear to be from legitimate companies. Far too many times these days, it’s all just a scam."
* http://www.bbb.org/b...et-data-breach/
___

Google linking of social network contacts to email raises concerns
- http://www.reuters.c...EA081NH20140110
Jan 9, 2014 - "A new feature in Google Inc's Gmail will result in some users receiving messages from people with whom they have not shared their email addresses, raising concerns among some privacy advocates. The change, which Google announced on Thursday, broadens the list of contacts available to Gmail users so it includes both the email addresses of their existing contacts, as well as the names of people on the Google+ social network. As a result, a person can send an email directly to friends, and strangers, who use Google+. Google is increasingly trying to integrate its Google+, a two-and-a-half-year old social network that has 540 million active users, with its other services. When consumers sign up for Gmail, the company's Web-based email service, they are now automatically given a Google+ account. Google said the new feature will make it easier for people who use both services to communicate with their friends... Some privacy advocates said Google should have made the new feature "opt-in," meaning that users should explicitly agree to receive messages from other Google+ users, rather than being required to manually change the setting... A Google spokeswoman said the company planned to send an email to all Google+ users during the next two days alerting them to the change and explaining how to change their settings..."
 

:ph34r: <_<


Edited by AplusWebMaster, 10 January 2014 - 03:52 PM.



#1107 AplusWebMaster


Posted 11 January 2014 - 05:29 AM

FYI...

Sefnit-added Tor service ...
- https://net-security...ews.php?id=2673
Jan 10, 2014 - "... the Sefnit click-fraud Trojan... has been around since 2009... This rapid rise in Tor connections has served to see just how many computers were infected with the malware, and the number was staggering: over four million. Since then, Microsoft has been working to diminish that number... Microsoft has decided to retroactively clean the machines that still had the Sefnit-added Tor service, and practically managed to do so for half of them - around 2 million - in just two months...
> http://www.net-secur...0012014-big.jpg
... two million cleaned computers is better than none, two million more remain at risk... In order to help these users, Microsoft has compiled a short step-by-step guide* on how to do it..."
* http://blogs.technet...tor-hazard.aspx
9 Jan 2014
 

:ph34r: <_<  :(




#1108 AplusWebMaster


Posted 13 January 2014 - 10:34 AM

FYI...

Fake Dept. of Treasury SPAM
- http://blog.dynamoo....-notice-of.html
13 Jan 2014 - "This US Treasury spam (but apparently sent from salesforce .com) has a malicious attachment:
    Date:      Mon, 13 Jan 2014 18:54:16 +0700 [06:54:16 EST]
    From:      "support@salesforce .com" [support@salesforce .com]
    Subject:      Department of Treasury Notice of Outstanding Obligation - Case H6SYVMK704BX4AL
    Important  please review and sign the attached document!
    We have received notification from the Department of the Treasury,
    Financial Management Service (FMS) that you have an outstanding
    obligation with the Federal Government that requires your immediate
    attention.
    In order to ensure this condition does not affect any planned
    contract or grant activity, please review and sign the attached document and if
    you are unable to understand the attached document please call FMS at 1-800-304-3107
    to address this issue.  Please make sure the person making the telephone call has the
    Taxpayer Identification Number available AND has the authority/knowledge
    to discuss the debt for the contractor/grantee.
    Questions should be directed to the Federal Service Desk ...


Attached is a file FMS-Case-H6SYVMK704BX4AL.zip (VirusTotal detection rate 7/47*) which in turn contains a malicious executable FMS-Case-{_Case_DIG}.exe (detection rate also 7/47**)... analysis shows an attempted connection to anggun.my .id on 38.99.253.234 (Cogent, US). This seems to be the only domain on that server, so blocking either may be prudent."
* https://www.virustot...sis/1389622089/

** https://www.virustot...sis/1389622087/
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Financial Tips Attachment Email Messages - 2014 Jan 13
Fake Account Payment Information Email Messages - 2014 Jan 13
Fake Court Appearance Request Email Messages - 2014 Jan 13
Fake Product Catalog Email Messages - 2014 Jan 13
Fake Company Complaint Email Messages - 2014 Jan 13
Fake Bank Account Statement Email Messages - 2014 Jan 13
Fake Package Tracking Information Email Messages - 2014 Jan 13
Fake Payroll Invoice Email Messages - 2014 Jan 13
Fake Bank Payment Notification Email Messages - 2014 Jan 13
Fake Invoice Statement Attachment Email Messages - 2014 Jan 13
(More detail and links at the cisco URL above.)
 

:ph34r: <_<  :(


Edited by AplusWebMaster, 13 January 2014 - 06:10 PM.



#1109 AplusWebMaster


Posted 14 January 2014 - 01:27 PM

FYI...

Fake HSBC SPAM / Payment Advice.exe
- http://blog.dynamoo....am-payment.html
14 Jan 2014 - "This -fake- HSBC spam comes with a malicious attachment:
    Date:      Tue, 14 Jan 2014 11:57:29 -0300 [09:57:29 EST]
    From:      HSBC Advising Service [advising.service.738805677.728003.693090157@ mail.hsbcnet.hsbc .com]
    Subject:      Payment Advice - Advice Ref:[G72282154558] / Priority payment / Customer Ref:[63 434S632U9I]
    Sir/Madam
    The attached payment advice is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully
    Global Payments and Cash Management
    HSBC ...


There is an attachment Payment Advice [G72282154558].zip which contains an executable Payment Advice.exe with a VirusTotal detection rate of 12/48*. Automated analysis... shows an attempted connection to thebostonshaker .com on 206.190.147.139 (Salt Lake City Hosting, US). It is the only site on this IP address, so blocking either temporarily may give some protection."
* https://www.virustot...sis/1389713473/
___

Unsolicited SPAM...
- http://blog.dynamoo....-to-adware.html
14 Jan 2014 - "... plagued with these over the past few days, emails coming in with the following subjects:
Underground XXX files
Free porno torrents
Uncensored download

The body text contains just a link to [donotclick]goinst .com/download/getfile/1205000/0/?q=Uncensored%20download
In turn this downloads a file Uncensored download__3516_i263089565_il6090765.exe and of course that's about as trustworthy as a van with "FREE CANDY" ... A quick look at the EXE in VirusTotal* indicates that it's some sort of Adware, probably pay-per-install. An examination of the binary shows a digital signature for Shetef Solutions & Consulting (1998) Ltd who are probably -not- behind the spam run, but are probably inadvertently paying the spammers for installations. Avoid."
* https://www.virustot...sis/1389715495/
___

More WhatsApp Message Spam
- http://threattrack.t...pp-message-spam
Jan 14, 2014 - "Subjects Seen:
    Missed voice message, “4:27”PM
Typical e-mail details:
    New voicemessage.
    Please download attached file
    Description
    Jan 09 2:44PM PM
    08 seconds


Malicious File Name and MD5:
    Missed-message.zip (687C8BE7F4A56A00AF03ED9DFC3BFB76)
    Missed-message.exe (BF1411F18EA12E058BFB05692E422216)


Screenshot: https://gs1.wac.edge...1KF81r6pupn.png

Tagged: WhatsApp, Upatre
___

Fake ADP invoice w/ Fiserv document - TROJAN
- http://blog.mxlab.eu...iserv-document/
Jan 14, 2014 - "... intercepting different types of emails with an attached Gen:Variant.Strictor.49180.
> ADP Invoice - This email is sent from the spoofed address “payroll.invoices@ adp .com” while the SMTP from is “fraud@ aexp .com”, comes with the subject “Invoice #3164342” and has the following body:
    Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices@ adp .com.
    For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you ,
    Automatic Data Processing, Inc...

The attached ZIP file has the name Invoice_ADP_3164342.zip and contains the 19 kB file Invoice_ADP_01142014.exe.

> Fiserv attached document - This email is sent from the spoofed address “Fiserv <Debra_Drake@ fiserv .com>” while the SMTP from is “fraud@ aexp .com”, comes with the subject “FW: Scanned Document Attached” and has the following body:
    Dear Business Associate:
    Protecting the privacy and security of client, company, and employee
    information is one of our highest priorities. That is why Fiserv has
    introduced the Fiserv Secure E-mail Message Center – a protected e-mail
    environment designed to keep sensitive and confidential information
    safe. In this new environment, Fiserv will be able to send e-mail
    messages that you retrieve on a secured encrypted file.
    You have an important message from Debra_Drake@ fiserv .com. To see your message, use the following password to decrypt attached file: JkSIbsJPPai
    If this is your first time receiving a secure file from the
    Fiserv Secure E-mail Message Center, you will be prompted to set up a
    user name and password... If you have any questions, please contact your Fiserv representative...

The attached ZIP file has the name FSEMC.Debra_Drake.zip and contains the 19 kB file FSEMC_01142014.exe. The trojan is known as Gen:Variant.Strictor.49180 by most of the virus engines but also as PWSZbot-FMO!5B171D420618, Heuristic.LooksLike.Win32.Suspicious.J!81, TrojanDownloader:Win32/Upatre.A or PE:Malware.FakePDF@CV!1.9C28. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...7bb92/analysis/

- https://malwr.com/an...GUyNmJjOTEyZDg/

- https://www.virustot...42/information/

- https://www.virustot...15/information/
___

Fake PG&E SPAM
- http://blog.dynamoo....ement-spam.html
14 Jan 2014 - "This -fake- spam from the Pacific Gas & Electric company is presumably meant to have a malicious payload, but all I get is a server error...
    From:     PG&E [do_not_reply@ sourcefort .com]
    Reply-To: PG&E [do_not_reply@ sourcefort .com]
    Date:     14 January 2014 22:37
    Subject:     Gas and Electric Usage Statement
    PG & E ENERGY STATEMENT             Account No: 718198305-5
                                                    Statement Date: 01/10/2014
                                                    Due Date: 02/01/2014
    Your Account Summary
    Amount Due on Previous Statement           $344.70
    Payment(s) Recieved Since Last Statement   0.0
    Previous Unpaid Balance                    $344.70
    Current Electric Charges                   $165.80
    Current Gas Charges                        49.20   
    Total Amount Due BY 02/01/2014 $559.7
    To view your most recent statement, please click here You must log-in to your account or register for an online account to view your statement...

     
Screenshot: http://2.bp.blogspot...A/s1600/pge.png

To give PG&E full credit, they have a link on their homepage about it and a full warning here*. These scam emails seem to have been doing the rounds for quite a few days now."
* http://www.pgecurren...m-emails-calls/
 

:ph34r: <_< :ph34r:


Edited by AplusWebMaster, 14 January 2014 - 09:58 PM.



#1110 AplusWebMaster


Posted 15 January 2014 - 09:58 AM

FYI...

Fake Staples order SPAM...
- http://blog.dynamoo....s-awaiting.html
15 Jan 2014 - "This -fake- Staples spam has a malicious attachment:
    Date:      Wed, 15 Jan 2014 15:40:44 +0800 [02:40:44 EST]
    From:      Staples Advantage Orders [Order@ staplesadvantage .com]
    Subject:      Your order is awaiting verification!
    Order Status: Awaiting verification
    Order #: 5079728
    Your order has been submitted and is awaiting verification from you.
    Order #:     5079728
    Order Date and Eastern Time:     2/19/2013 12:28 PM
    Order Total:     $152.46
    This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance....


Screenshot: https://lh3.ggpht.co...00/staples2.png

Attached is a ZIP file Order_5079728.zip which in turn contains a malicious executable Order_{_partorderb}.exe which has a VirusTotal detection rate of 23/47*. The Malwr report is pretty inconclusive, so presumably the binary is hardened against automated analysis tools."
* https://www.virustot...sis/1389799070/

- http://threattrack.t...rification-spam
Jan 15, 2014 - "Subjects Seen:
    Your order is awaiting verification!
Typical e-mail details:
    Your order has been submitted and is awaiting verification from you.
    Order #:     1178687
    Order Date and Eastern Time:     2/19/2013 12:28 PM
    Order Total:     $271.74
    This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance...


Malicious File Name and MD5:
    Order_1178687.zip (312C682B547215FB1462C7C46646A1B7)
    Order_{_partorderb}.exe (1D85D2CC51AC6E1A2805366BB910EF70)


Screenshot: https://gs1.wac.edge...cJYM1r6pupn.png

Tagged: Staples, Upatre
___

Fake RBS pwd reset SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Jan 2014 - "... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Of course the RBS Bankline Password Reset Form is not from RBS or any other bank. Once the scammers and malware purveyors find a new or different scam they will use every bank they can to try to infect as many users as they can. Normally when you see an attachment or email with a subject like RBS Bankline Password Reset Form, you automatically think that it is another phishing attempt. In this case it is not phishing but a very nasty malware/virus/trojan. Almost all of these have a password stealing component, with the aim of stealing your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form. Fax to 0845 878 9791 or alternatively email a scanned copy of the form to banklineadministration@ rbs .co .uk, on receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email. <<RBS_Bankline_Password_Reactivation.pdf>> Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered. Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details. If you are the sole Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in an Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner. If you require any further assistance then please do not hesitate to contact us...
Regards
Bankline Product Support ...


RBS_Bankline_Password_Reactivation.zip extracts to RBS_Bankline_Password_Reactivation.exe. Current Virus total detections: 2/48*. MALWR Auto Analysis**... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustot...d3e0c/analysis/

** https://malwr.com/an...mFjMTE5MTA1NGM/

38.102.226.94
- https://www.virustot...94/information/

- http://google.com/sa...tic?site=AS:174
___

Compromised Sites pull Fake Flash Player from SkyDrive
- http://www.f-secure....s/00002659.html
Jan 15, 2014 - "On most days, our WorldMap* shows more of the same thing. Today is an exception... One infection is topping so high in the charts that it pretty much captured our attention. Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits... It wasn't long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In those sites, malicious code has been appended to the scripts... Successful redirection leads to a fake flash download site that looks similar to these pages:
> http://www.f-secure....es/5_flash1.PNG  
... The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account. When the malicious flashplayer.exe is executed, this message is displayed to the user.
> http://www.f-secure....es/7_dialog.PNG
While in the background, it is once again connecting to the same SkyDrive account in order to download another malware... Initial analysis showed that the sample is connecting to these locations.
> http://www.f-secure....ives/9_post.PNG ..."

* http://worldmap3.f-secure.com/

- https://www.virustot...55/information/

- https://www.virustot...49/information/
 

:ph34r: <_<


Edited by AplusWebMaster, 15 January 2014 - 05:25 PM.

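The posts above keep pointing at the same disguise: a ZIP attachment whose member is an .exe with a document-looking inner extension (.pdf.exe), a long run of digits in the name that pushes the real suffix out of view, and a PDF icon that Explorer shows when known extensions are hidden. As an added example (not code from the original posts or the quoted blogs), a small Python triage helper that inspects a ZIP attachment for those three signs plus the MZ header that gives away a PE file regardless of its name. The archive it builds is constructed in memory from file names quoted in the posts; the member contents are placeholder bytes, not real samples.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will execute directly (the subset seen in these campaigns).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document-looking extensions the disguise borrows (e.g. the ".pdf" in ".pdf.exe").
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Digit runs this long exist only to push the real extension out of the visible name.
PADDING_DIGITS = 30


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def analyse_name(name: str) -> list:
    """Return the reasons a ZIP member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore any directory component
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(
                f"double extension .{parts[-2]}.{last} reads as a document "
                "when known extensions are hidden")
    stem = ".".join(parts[:-1])
    m = re.search(rf"\d{{{PADDING_DIGITS},}}", stem)
    if m:
        reasons.append(f"{len(m.group())}-digit padding in file name")
    return reasons


def analyse_zip(data: bytes) -> list:
    """Inspect every member of a ZIP archive and return the suspicious ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = Finding(info.filename, analyse_name(info.filename))
            with zf.open(info) as fh:
                head = fh.read(2)           # only the magic bytes are needed
            if head == b"MZ":
                finding.reasons.append(
                    "content starts with MZ (PE executable) regardless of name")
            if finding.reasons:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: names taken from the posts, contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Early2013TaxReturnReport_983456948574980572398456324965984573984509324.pdf.exe",
                    b"MZ\x90\x00placeholder")
        zf.writestr("RBS_Bankline_Password_Reactivation.exe", b"MZ\x90\x00placeholder")
        zf.writestr("VoiceMessage.exe", b"MZ\x90\x00placeholder")
        # A genuinely document-like member, included to show it is not flagged.
        zf.writestr("Payment Advice [G72282154558].pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in analyse_zip(build_sample_zip()):
        print(finding.member)
        for reason in finding.reasons:
            print("   -", reason)
```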
