SPAM frauds, fakes, and other MALWARE deliveries...

#1111 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 January 2014 - 07:54 AM

FYI...

Cushion Redirect sites using hijacked GoDaddy domains to block
- http://blog.dynamoo....g-hijacked.html
16 Jan 2014 - "... some suspect activity on 194.28.175.129 (BESTHOSTING-AS ON-LINE Ltd, Ukraine) which appears to be hosting some Cushion Redirect domains (explained here*) which is being injected into certain sites such as the one in this URLquery report**... A brief examination of the server shows several subdomains of hijacked GoDaddy domains being used for malicious redirects... The hijacked GoDaddy domains in question are:
allgaysitespassfree .com
amateurloginfree .com
yourchicagocarservice .com
yourchicagogranite .com
yourchicagohummerlimo .com
yourbestpartybus .com
A quick look at the Google stats for AS42655*** indicate to me personally that blocking 194.28.172.0/22 might be a prudent idea if you don't have any reason to send traffic to Ukrainian sites."
* http://malwaremustdi...attempt-to.html

** http://urlquery.net/....php?id=8838865

- https://www.virustot...29/information/

*** http://www.google.co...c?site=AS:42655
___

Script exploits lead to Adscend Media LLC ads
- http://blog.dynamoo....cend-media.html
16 Jan 2014 - "Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious. Here is a case in point.. the German website physiomedicor .de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report*. In this case it's pretty easy to tell what's going on from the URLquery screenshot:
> http://3.bp.blogspot...00/urlquery.jpg
What has happened is that somehow an attacker has altered several .js files on the victim's site and has appended extra code. In this case the code has been appended to [donotclick]www.physiomedicor .de/assets/rollover.js as follows...
> http://4.bp.blogspot.../injection1.png
In this case the code injected tries to load a script from a hijacked site [donotclick]ghionmedia .com/PROjes/goar2RAn.php?id=56356336 but this isn't the first time that I've seen this format of URL injected into a script today as I've seen these other two (also using hijacked sites) as well:
[donotclick]berriesarsuiz .com/ptc84vRb.php?id=117515949
[donotclick]www.karsons .co .uk/qdrX3tDB.php?id=114433444
... Adscend Media has been accused of deceptive advertising practices** before which makes me think that it might be a good candidate for -blocking- on your network, especially as they have private WHOIS details for that domain. If you want to banish these from your network then the following list might help:
199.59.164.5
adscendmedia .com
adshiftclick .com
jmp2 .am
lnkgt .com
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=8840002

** http://news.cnet.com...shington-state/

81.169.145.150
- https://www.virustot...50/information/
___

Fake malicious "ACTION REQUIRED" SPAM
- http://blog.dynamoo....as-arrived.html
16 Jan 2014 - "This spam with a lengthy subject has a malicious attachment:
    Date:      Thu, 16 Jan 2014 09:39:28 -0600 [10:39:28 EST]
    From:      "support@salesforce .com" [support@salesforce .com]
    Subject:      ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
    Priority:      High Priority 2
    This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
    Record ID: HJRQY9PSXBSK334
    Supplier: http ://[victimdomain .com]
    Invoice No.: 5644366804
    Document No.: 3319683775
    Invoice amount: USD 0488.21
    Rejection reason(s): Approval Required
    Please find enclosed a record of invoice that could not be processed. We would like to ask you to assist us in resolving the noted rejection reasons.


Attached is a file SFHJRQY9PSXBSK334.zip which in turn contains a malicious executable SF.EXE which has an icon that makes it look like a PDF file. This file has a very low detection rate at VirusTotal of 2/48*... analysis shows an attempted connection to centrum .co .id on 75.98.233.44 (Ceranet, US). This is the only site on that server, blocking either the IP or domain might be useful."
* https://www.virustot...sis/1389889350/

- http://threattrack.t...-malicious-spam
Jan 16, 2014
Screenshot: https://gs1.wac.edge...JQ3n1r6pupn.png
Tagged: Salesforce, Upatre
___

Google+ Local - Thousands Of Hotel Listings Hijacked
- http://searchenginel...le-local-181670
Jan 14, 2014 - "Thousands of hotels listed within Google+ Local appear to have had links leading to their official sites “hijacked” and replaced with ones leading to third-party booking services. Google+ Local listings are what Google depends on to provide results in Google Maps or Google Search, when people look for local businesses... Doing a search on Google for Google+ Local listings using these domains reveals how thousands of hotels appear to have been hit. For example, a search for listings using the “RoomsToBook .Info” domain currently brings up 1,880 listings that appear to have been hijacked:
> http://searchenginel...h-4-600x816.jpg
Postscript: Google has now said that I can confirm it is aware of the issue and is working to fix it."

- http://searchenginel...jackings-181933
Jan 16, 2014 - "... Without offering any substantive comments about the situation Google appears to have cleaned up the problem and mostly if not entirely restored the proper links. There’s been no explanation forthcoming about how this might have happened from the company, though Google acknowledged the incident..."
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 17 January 2014 - 10:20 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
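The ZIP-in-EXE attachment described in the post above (SF.EXE carrying a PDF icon, the same pattern as the Upatre samples in the posts that follow) is something a mail gateway can check for without trusting the icon or the file name. The Python below is an added example, not code from the post or from dynamoo or ThreatTrack: it opens a ZIP attachment in memory, flags members with executable or double extensions, and reads each member's first two bytes for the "MZ" signature so a PE renamed to .pdf is still caught. The extension sets are assumptions for the example and the sample archives are constructed inline (the "MZ" stub is not a real executable).

```python
import io
import os
import zipfile

# Extensions a gateway should treat as executable content inside an archive.
# Constructed for this example; a production list would be longer.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions attackers pair with an executable ("statement.pdf.exe").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_zip(data):
    """Return (member_name, reason) findings for one ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            root, ext = os.path.splitext(name.lower())
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension " + ext))
                inner = os.path.splitext(root)[1]
                if inner in DOCUMENT_EXTENSIONS:
                    findings.append((name, "double extension " + inner + ext))
            # The extension is attacker-controlled, so also look at content:
            # every Windows PE image starts with the two bytes "MZ".
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                findings.append((name, "PE header with non-executable extension"))
    return findings


def should_quarantine(data):
    """True when the archive has any finding or cannot be parsed at all."""
    try:
        return bool(inspect_zip(data))
    except zipfile.BadZipFile:
        # An archive the gateway cannot read is not given the benefit of the doubt.
        return True


def build_sample_zip(members):
    """Build an in-memory ZIP from (name, bytes) pairs; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an EXE with the right extension, a PE renamed to .pdf,
# and a harmless text file. The "MZ" stub stands in for a real PE header.
MALICIOUS_SAMPLE = build_sample_zip([("SF.EXE", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")])
DISGUISED_SAMPLE = build_sample_zip([("Invoice.pdf", b"MZ" + b"\x00" * 62)])
BENIGN_SAMPLE = build_sample_zip([("notes.txt", b"hello")])

if __name__ == "__main__":
    for label, sample in (("SF.EXE archive", MALICIOUS_SAMPLE),
                          ("renamed PE", DISGUISED_SAMPLE),
                          ("text file", BENIGN_SAMPLE)):
        print(label, "quarantine" if should_quarantine(sample) else "pass", inspect_zip(sample))
```

The icon the post mentions lives in the PE resource section and is invisible to a gateway, which is why the check reads the member's bytes rather than anything the sender chose to display.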



#1112 AplusWebMaster


Posted 17 January 2014 - 10:51 AM

FYI...

Fake Experian Credit Report Malicious Spam
- http://threattrack.t...-malicious-spam
Jan 17, 2014 - "Subjects Seen:
    IMPORTANT - A Key Change Has Been Posted
Typical e-mail details:
    A key change has been posted to one of your three national Credit Reports. Each day we monitor your Experian®, Equifax and TransUnion Credit Reports for key changes that may help you detect potential credit fraud or identity theft. Even if you know what caused your Report to change, you don’t know how it will affect your credit, so we urge you to do the following:
    View detailed report by opening the attachment.    
    You will be prompted to open (view) the file or save (download) it to your computer.    
    For best results, save the file first, then open it in a Web browser.    
    Contact our Customer Care Center with any additional questions.    
    Note: The attached file contains personal data.


Malicious File Name and MD5:
    Credit_Report_4287362163.zip (1B1C6223EC52CE2E2B8CE6C117A15ADA)
    Credit_Report_4287362163.exe (B4101936ED3C8BC09F994223A39E5FE2)


Screenshot: https://31.media.tum...8VC01r6pupn.png

Tagged: Experian, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Photograph Sharing Email Messages - 2014 Jan 17
Fake Court Notice Email Messages - 2014 Jan 17
Fake Fax Message Receipt Email Messages - 2014 Jan 17
Fake Credit Report Email Messages - 2014 Jan 17
Fake Fax Message Delivery Email Messages - 2014 Jan 17
Fake Job Offer Notification Email Messages - 2014 Jan 17
Fake Account Payment Information Email Messages - 2014 Jan 17
Fake Failed Delivery Notification Email Messages - 2014 Jan 17
Fake Fax Message Delivery Email Messages - 2014 Jan 17
Fake Incoming Money Transfer Notification Email Messages - 2014 Jan 17
Fake Invoice Statement Attachment Email Messages - 2014 Jan 17
Fake Delivery Express Parcel Notification Email Messages - 2014 Jan 17
Fake Anti-Phishing Email Messages - 2014 Jan 17
Malicious Personal Pictures Attachment Email Messages - 2014 Jan 17
Fake Product Order Notification Email Messages - 2014 Jan 17
(More detail and links at the cisco URL above.)
 

:ph34r: <_<  :(


Edited by AplusWebMaster, 18 January 2014 - 07:32 AM.



#1113 AplusWebMaster


Posted 20 January 2014 - 06:31 AM

FYI...

Spyware attacks against U.S. bloggers ...
- http://www.welivesec...ers-eff-claims/
20 Jan 2014 - "A single anti-government blog post is enough to trigger personalized spyware attacks from hacker groups supporting the Vietnamese communist state, which the Electronic Frontier Foundation claims* targets anti-government bloggers – even those in other countries – with malware, including its staff, and Californian activists... The new campaign, though, used highly targeted attacks aimed at specific critics of the government – including EFF staff... The -malware- was sent out as a link to a Google document, and was sent in emails tailored to targets – the activists were invited to a conference, and an Associated Press journalist was offered a white paper from Human Rights Watch..."
* https://www.eff.org/...e-gets-personal
Jan 19, 2014

 

- https://net-security...ews.php?id=2679
20.01.2014
___

PG&E SPAM - Malware distribution campaign
- https://isc.sans.edu...l?storyid=17459
Last Updated: 2014-01-19 18:41:43 UTC - "Starting about 10 days or so ago, a Spam campaign began targeting Pacific Gas and Energy (PG&E), a large U.S. energy provider. PG&E has been aware of this campaign for about a week, and has informed its customers.
> http://www.pgecurren...m-emails-calls/
... these emails look quite professional and the English is good. The only real issue in the email being formatting of some of the currency figures.
> https://isc.sans.edu...GEStatement.jpg
The header revealed that it was sent from user nf@ www1 .nsalt .net using IP 212.2.230.181, most likely a compromised webmail account. Both the from and the reply-to fields are set to do_not_reply@ nf .kg, an email address that bounces. The 212.2.230.181 IP, the nf .kg domain and the nsalt .net domain - all map to City Telecom Broadband in Kyrgyzstan (country code KG)... the goal of this particular campaign seems to be malware distribution. The "click here" link in the two samples point to different places  
    hxxp ://s-dream1 .com/message/e2y+KAkbElUyJZk38F2gvCp7boiEKa2PSdYRj+YOvLI=/pge
    hxxp ://paskamp .nl/message/hbu8N3ny7oAVfvBZrZWLSrkYv2kTbwArk3+Tspbd2Cg=/pge
Both of these links are now down, but when they were alive they both served up PGE_FullStatement_San_Francisco_94118.zip which contained a Windows executable... Virustotal has a 5/48 detection rate indicating this is most likely a Trojan Dropper:
> https://isc.sans.edu...rustotalpge.jpg ..."

- https://www.virustot...81/information/
___

Spammers buy Chrome extensions - turn them into adware
- https://www.computer...hem_into_adware
Jan 20, 2014 - "... At least two Chrome extensions recently sold by their original developers were updated to inject ads and affiliate links into legitimate websites opened in users' browsers. The issue first came to light last week when the developer of the "Add to Feedly" extension, a technology blogger named Amit Agarwal, reported that after selling his extension late last year to a third-party, it got transformed into adware... A second developer, Roman Skabichevsky, confirmed Monday that his Chrome extension called "Tweet This Page" suffered a similar fate after he sold it at the end of November... According to the Chrome Web Store developer program policies, advertising is allowed in apps hosted in the store, but there are strict criteria for displaying ads on third-party websites..."
___

Bill Me Later Payment Spam
- http://threattrack.t...er-payment-spam
Jan 20, 2014 - "Subjects Seen:
    Thank you for scheduling a payment to Bill Me Later
Typical e-mail details:
    Dear Customer,
    Thank you for making a payment online! We’ve received your
    Bill Me Later® payment of $1201.39 and have applied it to your account.
    For more details please check attached file
    Summary:
    Your Bill Me Later Account Number Ending in: 0759
    You Paid: $1201.39
    Your Payment Date*: 01/20/2014
    Your Payment Confirmation Number: 042075773771348058


Malicious File Name and MD5:
    PP_03357442.zip (93C0326C3D37927E4C38C90016C7F14C)
    PP_03357442.exe (2B68D8CC7CB979EA9A1405D32E30A00A)


Screenshot: https://31.media.tum...AQ2R1r6pupn.png

Tagged: bill me later, Upatre

- http://blog.dynamoo....payment-to.html
20 Jan 2014 - "This -fake- Bill Me Later spam has a malicious attachment:
    Date:      Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
    From:      Bill Me Later [service@ paypal .com]
    Subject:      Thank you for scheduling a payment to Bill Me Later
    BillMeLater
    Log in here
    Your Bill Me Later statement is now available!
    Dear Customer,
    Thank you for making a payment online! We've received your
    Bill Me Later® payment of $1603.57 and have applied it to your account.
    For more details please check attached file
    Summary:
    Your Bill Me Later Account Number Ending in: 0266
    You Paid: $1603.57
    Your Payment Date*: 01/20/2014
    Your Payment Confirmation Number: 971892583971968191 ...


Screenshot: https://lh3.ggpht.co...billmelater.png

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45*. Automated analysis tools... show an attempted connection to jatit .org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site."
* https://www.virustot...sis/1390235463/
___

Fake WhatsApp "A friend of yours has just sent you a pic" SPAM
- http://blog.dynamoo....-just-sent.html
20 Jan 2014 - "This -fake- WhatsApp spam has a malicious attachment:
    Date:      Mon, 20 Jan 2014 06:23:28 -0500 [06:23:28 EST]
    From:      WhatsApp [{messages@ whatsapp .com}]
    Subject:      A friend of yours has just sent you a pic
    Hey!
    Someone you know has just sent you a pic in WhatsApp. Open attachments to see what it is.
    2013 WhatsApp Inc


Screenshot: https://lh3.ggpht.co...00/whatsapp.png

Attached to the message is an archive file IMG9900882.zip which in turn contains a malicious executable IMG9900882.exe which has a VirusTotal detection rate of 20/49*... analysis gives few clues as to what the malware does, other automated analysis tools are inconclusive."
* https://www.virustot...sis/1390244298/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 20 January 2014 - 03:47 PM.



#1114 AplusWebMaster


Posted 21 January 2014 - 07:50 AM

FYI...

Fake Apple Account 'Update to New SSL Servers' Phishing Scam/SPAM
- http://www.hoax-slay...hing-scam.shtml
Jan 21, 2014 - "Email purporting to be from Apple claims that the user's online access has been blocked because customers are required to update their information in order to use new ssl servers... The email is not from Apple. It is a phishing scam designed to trick recipients into giving their Apple account details and other personal and financial information to Internet criminals.
> http://www.hoax-slay...vers-scam-1.jpg
... According to an email that -appears- to come from Apple, the recipient's Apple account has been blocked until account information is updated.  The email claims that Apple is implementing new SSL servers to increase customer protection and therefore all customers need to update their details or risk suspension of their accounts. The email includes a link to the "account update process". However, the message is -not- from Apple and the claim that users must update their details is a lie. Instead, the email is a phishing scam designed to steal Apple ID's and a large amount of other personal and financial information. Those who fall for the trick and click the update link in the email will be taken to a fake Apple login page as shown in the following screenshot:
> http://www.hoax-slay...vers-scam-3.jpg
... be wary of any message purporting to be from Apple that claims there is an issue with your account that needs to be rectified or you are required to perform an account update..."

... as in: DELETE.
___

Data-stealing malware targets Mac users in "undelivered courier item" attack
- http://nakedsecurity...er-item-attack/
Jan 21, 2014 - "... you receive an email that claims to be a courier company that is having trouble delivering your article. In the email is a link to, or an attachment containing, what purports to be a tracking note for the item. You are invited to review the relevant document and respond so that delivery can be completed. We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website... Here's what the emails looked like in this attack, with some details changed or redacted for safety:
> http://sophosnews.fi...png?w=500&h=446
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone... The link, of course, doesn't really lead to fedex .com .ch, but instead takes you to a domain name that is controlled by the attackers... If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware. But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file. By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an -empty- Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
> http://sophosnews.fi...png?w=500&h=376
Clicking on the download button shows you what -looks- like a PDF file... There is no PDF file, as a visit to the Terminal windows quickly reveals. Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon... the temptation is to click on what looks like a PDF file to see what it contains. OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file... prevention is better than cure. And that "undelivered courier item" almost certainly doesn't exist."
___

Something evil on 5.254.96.240 and 185.5.55.75
- http://blog.dynamoo....d-18555575.html
21 Jan 2014 - "This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I -do- have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank. URLquery shows one such download in this example*, the victim has been directed to [donotclick]gf-58 .ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48**.
> https://lh3.ggpht.co...600/telekom.png
The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server according to URLquery*** and VirusTotal****... The Anubis report and ThreatExpert report show that the malware calls home to dshfyyst .ru on 185.5.55.75 (UAB "Interneto vizija", Lithuania). There are some other suspect sites on the same server which may be worth blocking (see below). All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.
Recommended blocklist:
5.254.96.240
gf-58 .ru
uiuim .ru
okkurp .ru
gdevseesti .ru
goodwebtut .ru
mnogovsegotut .ru
185.5.55.75
gossldirect .ru
dshfyyst .ru
..."

* http://urlquery.net/....php?id=8907792

** https://www.virustot...sis/1390310958/

*** http://urlquery.net/...14-01-21&max=50

**** https://www.virustot...40/information/

Update: this appears to be Cridex aka Feodo: http://www.abuse.ch/?p=6713
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 21 January 2014 - 12:26 PM.

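The posts above publish their indicators defanged ("gf-58 .ru", "hxxp ://", "[donotclick]"), and several of them end in a recommended blocklist: the 194.28.172.0/22 range from the Cushion Redirect post, the Adscend Media IP and domains, and the dshfyyst .ru list in the post just above. The Python below is an added example, not code from the posts or from dynamoo: it refangs indicators written in that style into a blocklist of domains and IP networks, then runs it over proxy log lines to find internal clients that reached a listed destination by hostname, parent domain or peer IP. The Squid-style log lines and the client addresses in them are constructed for the example; the indicator strings are copied from the posts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above, kept in their defanged form so the
# refanging is exercised. The CIDR, IPs and domains are the ones the posts list.
RAW_INDICATORS = [
    "194.28.172.0/22",
    "199.59.164.5",
    "adscendmedia .com",
    "adshiftclick .com",
    "jmp2 .am",
    "lnkgt .com",
    "5.254.96.240",
    "[donotclick]gf-58 .ru",
    "uiuim .ru",
    "185.5.55.75",
    "dshfyyst .ru",
    "hxxp ://s-dream1 .com/message/e2y+KAkbElUyJZk38F2gvCp7boiEKa2PSdYRj+YOvLI=/pge",
]


def refang(indicator):
    """Undo the defanging conventions used in the posts: 'hxxp ://', ' .', '[donotclick]'."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"hxxp(s?)\s*:\s*//", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"\s+\.", ".", s)   # "gf-58 .ru" -> "gf-58.ru"
    s = re.sub(r"\.\s+", ".", s)
    return s


class Blocklist:
    """Domains are matched including subdomains; IPs are matched against networks."""

    def __init__(self, raw_indicators):
        self.networks = []
        self.domains = set()
        for raw in raw_indicators:
            self.add(raw)

    def add(self, raw):
        s = refang(raw)
        if "://" in s:                      # full URL: keep only the host
            s = urlsplit(s).hostname or ""
        try:                                # single IP or CIDR range
            self.networks.append(ipaddress.ip_network(s, strict=False))
            return
        except ValueError:
            pass
        host = s.split("/")[0].lower().rstrip(".")
        if host:
            self.domains.add(host)

    def match_host(self, host):
        """Return a reason string when host (name or IP) is listed, else None."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            for net in self.networks:
                if addr in net:
                    return "ip " + str(net)
            return None
        # Walk up the parent domains so cdn.adscendmedia.com matches adscendmedia.com,
        # stopping before the bare TLD.
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return "domain " + candidate
        return None


# Constructed Squid native-format access log lines (client IPs and benign hosts invented).
SAMPLE_LOG = """\
1390000001.123    245 10.0.0.12 TCP_MISS/200 5120 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1390000002.456    130 10.0.0.17 TCP_MISS/302 412 GET http://cdn.adscendmedia.com/click?id=1 - HIER_DIRECT/199.59.164.5 text/html
1390000003.789    900 10.0.0.23 TCP_MISS/200 88210 GET http://gf-58.ru/telekom_deutschland - HIER_DIRECT/5.254.96.240 application/zip
1390000004.012     70 10.0.0.31 TCP_MISS/200 2048 GET http://194.28.175.129/in.php - HIER_DIRECT/194.28.175.129 text/html
1390000005.345     60 10.0.0.44 TCP_MISS/200 1024 GET http://mail.example.net/ - HIER_DIRECT/203.0.113.9 text/html
"""


def scan_log(text, blocklist):
    """Return (client, requested_host, reason) for every line hitting the blocklist."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        client, url, peer = parts[2], parts[6], parts[8].split("/", 1)[-1]
        host = urlsplit(url).hostname or ""
        reason = blocklist.match_host(host) or blocklist.match_host(peer)
        if reason:
            hits.append((client, host, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, Blocklist(RAW_INDICATORS)):
        print("%s -> %s (%s)" % hit)
```

Checking the peer address as well as the requested hostname is what catches a listed IP reached through a fresh, unlisted domain, which is the usual way these campaigns outlive a domain-only blocklist.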


#1115 AplusWebMaster


Posted 22 January 2014 - 07:45 AM

FYI...

Fake PayPal Scams ...
- http://www.hoax-slay...g-message.shtml
Jan 22, 2014 - "Message that circulates via social media and online forums warns users to watch out for an email from PayPal... PayPal is almost continually targeted by phishing scammers using a wide variety of phishing techniques... This warning message has been circulating via various social media channels as well as online forums and blogs since around May 2013. The message warns users to look out for an email from PayPal that claims that £35.50 has been taken from the recipient's PayPal account and used to pay a Skype bill... Since at least 2011 scammers have been using and reusing a phishing technique that comprises scam emails that supposedly notify recipients that a Skype TopUp payment has been made via their PayPal account. Links in the scam emails open -fake- PayPal sites that entice users to enter their PayPal login details, and - in some cases - other personal and financial information... it should also be noted that this particular phishing technique is just one among -dozens- of phishing attacks that continually target PayPal users... Because it conducts its business online and via email, PayPal is a primary target for phishing scammers. A quick rule of thumb. Genuine PayPal emails will always address you by your name, -not- via a generic greeting such as "Dear Customer". If you receive a suspected phishing scam email from PayPal you can submit it for analysis via the address listed on the PayPal website*."
* https://www.paypal.c...pphishingreport
___

Sochi Olympics - Hoax threats
- http://www.reuters.c...N0KW3RT20140122
Jan 22, 2014 - "At least five European countries' Olympic committees and the United States received letters in Russian on Wednesday making a "terrorist threat" before the Sochi Games, but Olympic chiefs said they posed no danger. Despite the assurances, the letters to committees in Italy, Hungary, Germany, Slovenia and Slovakia briefly caused alarm and underlined nervousness about security at the $50 billion event... The U.S. Olympic Committee later confirmed that it also received a letter by email. Suicide bombers killed at least 34 people in a city in southern Russia last month, Islamist militants have threatened to attack the Winter Games and security forces are hunting a woman suspected of planning a suicide bombing and of being in Sochi already..."
___

Facebook Survey Scams
- http://www.hoax-slay...scam-list.shtml
Jan 21, 2014 - Last:
- http://www.hoax-slay...rvey-scam.shtml
Jan 22, 2014
___

Fake NatWest Mortgage Spam
- http://threattrack.t...t-mortgage-spam
Jan 22, 2014 - "Subjects Seen:
    Mortgage update - Completion date
Typical e-mail details:
    NatWest Intermediary Solutions
    Mortgage Ref number: 9080338
    We are pleased to advise that we have received a mortgage completion request from the solicitor acting on the case for your customer named above. The acting solicitor has confirmed that the mortgage will complete on 22.01.2014.
    For more details please check attached file.
    Kind Regards
    NatWest Mortgage Team


Malicious File Name and MD5:
    Morg_9080338.zip (C02B5FA63331394B6ADFF54952646A16)
    Morg_220114.exe (BE295E5E51F2354EF6396AFAB4225783)


Screenshot: https://31.media.tum...xdNK1r6pupn.png

Tagged: NatWest, Upatre
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Email Messages with Malicious Attachments - 2014 Jan 22
Fake Account Payment Notification Email Messages - 2014 Jan 22
Fake Application Confirmation Email Messages - 2014 Jan 22
Fake Transaction Details Notification Email Messages - 2014 Jan 22
Fake Electricity Bill Notification Email Messages - 2014 Jan 22
Fake Court Appearance Request Email Messages - 2014 Jan 22
Fake Product Order Notification Email Messages - 2014 Jan 22
Fake Travel Information Email Messages - 2014 Jan 22
Fake Product Order Email Messages - 2014 Jan 22
Fake UPS Payment Document Attachment Email Messages - 2014 Jan 22
Fake Photograph Sharing Email Messages - 2014 Jan 22
Fake Court Appearance Request Email Messages - 2014 Jan 22
Fake Account Payment Information Email Messages - 2014 Jan 22
Fake Failed Delivery Notification Email Messages - 2014 Jan 22
Fake Company Complaint Email Messages - 2014 Jan 22
Fake Fax Message Delivery Email Messages - 2014 Jan 22
Fake Fax Delivery Email Messages - 2014 Jan 22
Fake Payroll Invoice Email Messages - 2014 Jan 22
Malicious Personal Pictures Attachment Email Messages - 2014 Jan 22
Fake German Payment Form Attachment Email Messages - 2014 Jan 22
(More detail and links at the cisco URL above.)
 

:ph34r: <_<


Edited by AplusWebMaster, 22 January 2014 - 01:40 PM.



#1116 AplusWebMaster


Posted 23 January 2014 - 08:06 AM

FYI...

Fake "Legal Business Proposal" SPAM ...
- http://blog.dynamoo....l-spam-has.html
23 Jan 2014 - "This email looks like it should be an advanced fee fraud, but instead it comes with a malicious attachment. I love the fact that this is a Legal Business Proposal as opposed to an Illegal one.
    Date:      Thu, 23 Jan 2014 12:45:11 +0000 [07:45:11 EST]
    From:      Webster Bank [WebsterWeb-LinkNotifications@ WebsterBank .com]
    Subject:      Legal Business Proposal
    Hello, I'm Norman Chan Tak-Lam, S.B.S., J.P, Chief Executive, Hong Kong Monetary Authority (HKMA).
    I have a Business worth $47.1M USD for you to handle with me.
     Detailed scheme of business can be seen in the attached file.


Attached is a file business-info.zip which in turn contains a malicious executable business-info.exe with a VirusTotal detection rate of 16/49*. Automated analysis tools...  show attempted connections to dallasautoinsurance1 .com on 38.102.226.239 and wiwab .com on 38.102.226.82. Both those IPs are Cogent Communications ones that appear to be rented out to a small web hosting firm called HostTheName .com. For information only, that host has these other IPs in the same range:
38.102.226.82
38.102.226.5
38.102.226.7
38.102.226.10
38.102.226.12
38.102.226.14
38.102.226.17
38.102.226.19
38.102.226.21
"
* https://www.virustot...sis/1390482190/

- https://www.virustot...82/information/
___

Mint.Com.Uk 'Minimum Credit Card Payment Due' Phish
- http://www.hoax-slay...-phishing.shtml
Jan 23, 2014 - "Message, which pretends to be from UK based credit card provider Mint, claims that the recipient's minimum credit card payment is due and advises that the latest bill can be found in an attached file. The email is -not- from Mint. It is a -phishing- scam designed to trick recipients into divulging their account login details to cybercriminals... According to this message, which purports to be from UK credit card provider Mint, the recipient's minimum credit card payment is now due. The message instructs the recipient to open an attached file to view the latest Mint credit card bill. However, the email is not from Mint and the attachment does not contain a credit card bill. Instead, the email is a typical phishing scam designed to trick Mint customers into giving account login details to cybercriminals. Those taken in by the email will find that clicking the attachment loads a html file in their browser. The file contains a link supposedly leading to the credit card bill. However, clicking the link opens a fraudulent website that asks users to supply their account login details, ostensibly to access the "bill". However, users will never reach the supposed bill. They have instead sent their account login details to criminals who can then use it to hijack their accounts, steal information therein, and conduct further fraud..."
___

Gateway.gov.uk Spam
- http://threattrack.t...way-gov-uk-spam
Jan 23, 2014 - "Subjects Seen:
    Your Online Submission for Reference 435/GB1678208 Could not process
Typical e-mail details:
    The submission for reference 435/GB1678208 was successfully received and was not processed.
    Check attached copy for more information.


Malicious File Name and MD5:
    GB1678208.zip (1BD4797C93A4837777397CE9CB13FC8C)
    GB001231401.exe (05FB8AD05E87E12F5E6E4DAE20168194)


Screenshot: https://31.media.tum...ghEd1r6pupn.png

Tagged: UK Government, Upatre
 

:ph34r: <_<


Edited by AplusWebMaster, 23 January 2014 - 12:04 PM.



#1117 AplusWebMaster


Posted 24 January 2014 - 06:59 AM

FYI...

Fake 'Customer Service Center' malware Emails
- http://www.hoax-slay...re-emails.shtml
Jan 24, 2014 - "Email claiming to be from the "Customer Service Center" informs recipients that an order has been received and invites them to click a link to find out more about the order.
Brief Analysis: The email is not from any legitimate customer service center. The email is designed to trick users into installing a malicious file on their computer. Clicking the link in the email downloads a .zip file that contains a malware .exe file...
Example:
Subject: Customer Service Center
Hello, Customer
We have got your order and we will process it for 3 days.
You can find specification of the order:
[Link to .zip file removed]
Best regards
Customer Service Center


... The message makes no effort to identify either the company that supposedly sent the message or the product that the recipient supposedly ordered. The message is fraudulent and was not sent by any legitimate customer service center. The goal of the criminals who sent the email is to trick the recipient into downloading and installing malware... Details in different incarnations of the malware emails may vary. Some may claim to be from the "Client Management Department" rather than the "Customer Service Center"..."
___

Fake Amazon Local Spam
- http://threattrack.t...azon-local-spam
Jan 24, 2014 - "Subjects Seen:
    Fwd: Your order report id 2531
Typical e-mail details:
    Hi,
    Thank you for your order. We ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
    Order Details
    Order DA6220062 Placed on December 11, 2013
    Order details and invoice in attached file.


Malicious File Name and MD5:
    report.creditcard2735.zip (333794D9592CE296A6FE15CDF58756EA)
    report.9983.exe (3B81614E62963AC5336946B87F9487FE)


Screenshot: https://31.media.tum...1SLW1r6pupn.png

Tagged: Amazon Local, Androm
 

:ph34r: <_<


Edited by AplusWebMaster, 24 January 2014 - 04:38 PM.



#1118 AplusWebMaster

Posted 25 January 2014 - 04:49 AM

FYI...

Fake "MVL Company" job offer
- http://blog.dynamoo....-job-offer.html
25 Jan 2014 - "This job offer is a -fake- and in reality probably involves money laundering or handling stolen goods:
    From: Downard Bergstrom [downardkrjbergstrom@ outlook .com]
    Subject: Longmore
    Date: Fri, 24 Jan 2014 18:52:49 +0000
    Hello,
    Today our Company, MVL Company, is in need of sales representatives in United Kingdom.
    Our Company deals with designer goods and branded items. We've been providing our customers with exclusive products for more than five years, and we believe that the applicant for the position must have great communication skills, motivation, desire to earn money and will to go up the ladder. All charges related to this opening are covered by the Company. Your main duties include administrative support on orders and correspondence, controlling purchase orders and expense reports.
    Part-time job salary constitutes 460GBP a week.
    Full-time job is up to 750GBP per week .
    Plus we have bonus system for the best workers!
    To apply for the vacancy or to get more details about it, please email us directly back to this email.
    Hope to hear from you soon!
    Best regards,
    Downard Bergstrom


The spam is somewhat unusual in that it addresses me by my surname, indicating that the email data might have been stolen from a data breach (Adobe perhaps). The email originates from a free Microsoft Outlook .com account and gives no clues as to its real origins. A look at Companies House Webcheck confirms that there is no company of this exact name, although there are several innocent companies with similar names.
Avoid."
 

:ph34r: <_<




#1119 AplusWebMaster

Posted 27 January 2014 - 06:25 AM

FYI...

Fake Voice Message contains trojan in attachment
- http://blog.mxlab.eu...ached-zip-file/
Jan 27, 2014 - "... intercepted a new trojan distribution campaign by email with the subject Voice Message from Unknown (xxx-xxx-xxxx) – where x is replaced by a phone number. This email is sent from the spoofed address “Unity Messaging System <Unity_UNITY5@ xxx .xxx>” and has the following very short body (where x is replaced by phone number):
    From: xxx-xxx-xxxx
The attached ZIP file has the name VoiceMail.zip and contains the 18 kB large file VoiceMail.exe. At the time of writing, 0 of the 50 AV engines did detect the trojan at Virus Total. Use the Virus Total* permalink and Malwr** permalink for more detailed information..."
* https://www.virustot...a6fba/analysis/

** https://malwr.com/an...zFjMGMxOTBkMmM/
___

Fake "Carnival Cruise Line Australia" job offer
- http://blog.dynamoo....a-fake-job.html
27 Jan 2014 - "This -fake- job offer does NOT come from Carnival Cruise lines:
    From:     Mrs Vivian Mrs Vivian carnjob80@ wp .pl
    Date:     27 January 2014 09:59
    Subject:     JOB ID: AU/CCL/AMPM/359/14-00
    Signed by:     wp.pl
    Carnival Cruise Line Australia
    15 Mount Street North Sydney
    NSW 2060, Australia
    Tel (2) 8424 88000
    http ://www .carnival .com .au/     
    http ://www .carnivalaustralia .com/
    carnivalcareer@ globomail .com
    JOB ID: AU/CCL/AMPM/359/14-00
    What is your idea of a great career? Is it a job that allows you to travel to beautiful destinations on a spectacular floating resort, being part of a multi-cultural team with co-workers from more than 120 different nationalities? Or is it a job that allows you to earn great money while you learn, grow and fulfill your dreams and career ambitions?
    It’s Carnival Cruise Line policy not to discriminate against any employee or applicant for employment because of RACE, COLOR, RELIGION, SEX, NATIONAL ORIGIN, AGE, DISABILITY, MARITAL OR VETERAN STATUS.
    PLEASE NOTE THESE FOLLOWING:
    Employment Type:               Full-Time/Part-Time
    Salary:                                  USD $45,000/ USD $125,000 per annual
    Preferred Language of Resume/Application: English
    Type of work:            Permanent / Temporary
    Status:                        All Vacancies
    Job Location:              Australia
    Contract Period:          6 Months, 1 Year, 2 Years and 3 Years
    Visa Type:                  Three Years working permit
    The management will secure a visa/working permit for any qualified applicant. VISA FEE, ACCOMMODATION & FLIGHT TICKET will be paid by the company
    We have more than 320 different positions available, interested applicants should forward their RESUME/CV or application letter to Mrs Vivian Oshea via email on (carnivalcareer@ globomail .com) so we can forward the list of positions available and our employment application form
    Email: carnivalcareer@ globomail .com
    Note: Applicants from AMERICA, EUROPE, ASIAN, CARIBBEAN and AFRICA can apply for these vacancies.
    Regards
    Management
    Carnival Cruise Line Australia
    carnivalcareer@ globomail .com


Despite the appearance of Carnival's actual web sites in the email, the reply address is NOT a genuine Carnival address and is instead a free email account. The email actually originates from 212.77.101.7 in Poland. The basic idea behind this scam is to offer a job and then charge the applicant for some sort of processing fees or police check or come up with some other reason why the applicant needs to pay money. Once the money has been taken (and perhaps even the victim's passport or other personal documents stolen) then the job offer will evaporate. More information on this type of scam can be found here* and here**."
* http://www.cruiseshi...p-job-scams.htm

** http://www.hoax-slay...ffer-scam.shtml
___

Fake "Your FED TAX payment" SPAM
- http://blog.dynamoo....yment-spam.html
27 Jan 2014 - "This -fake- "Tax payment" spam comes with a malicious attachment:
    Date:      Mon, 27 Jan 2014 14:24:42 +0100 [08:24:42 EST]
    From:      "TaxPro_PTIN@ irs .gov" [TaxPro_PTIN@ irs .gov]
    Subject:      Your FED TAX payment ( ID : 34KIRS821217111 ) was Rejected
    *** PLEASE DO NOT RESPOND TO THIS EMAIL ***
    Your federal Tax payment (ID: 34KIRS821217111), recently sent from your checking account was returned by the your financial institution.
    For more information, please download notification, using your security PIN 55178.
    Transaction Number:     34KIRS821217111
    Payment Amount:     $ 9712.00
    Transaction status:     Rejected
    ACH Trace Number:     768339074172506
    Transaction Type:     ACH Debit Payment-DDA
    Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.


Screenshot: https://lh3.ggpht.co...A/s1600/irs.png

Attached is a file Tax payment.zip which in turn contains a malicious executable Tax payment.exe which has a VirusTotal detection rate of 11/50*. Automated analysis by Malwr is inconclusive, other analysis tools are currently down or under DDOS at the moment.
* https://www.virustot...sis/1390837447/
___

TNT Courier Service Spam
- http://threattrack.t...er-service-spam
Jan 27, 2014 - "Subjects Seen:
    TNT UK Limited - Package tracking 525933498011
Typical e-mail details:
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 525933498011
    Your package have been picked up and is ready for dispatch.
    Connote #    :    525933498011
    Service Type    :    Export Non Documents - Intl
    Shipped on    :    25 Jan 13 00:00
    Order No            :    4134172
    Status            :       Driver’s Return Description      :       Wrong Address
    Service Options: You are required to select a service option below.
    The options, together with their associated conditions


Malicious File Name and MD5:
    Label_525933498011.zip (58985CC9AA284309262F4E59BC36E47A)
    Label_27012014.exe (E0595C4F17056E5599B89F1F9CF52D83)


Screenshot: https://gs1.wac.edge...Jn4u1r6pupn.png

Tagged: TNT Courier Service, Upatre
___

Fake "Skype Missed voice message" SPAM
- http://blog.dynamoo....ssage-spam.html
27 Jan 2014 - "This -fake- Skype email has a malicious attachment:
    Date:      Mon, 27 Jan 2014 19:37:11 +0300 [11:37:11 EST]
    From:      Administrator [docs1@ victimdomain .com]
    Subject:      Skype Missed voice message
    Skype system:
    You have received a voice mail message.
    Date 01/27/2014
    Message length is 00:01:18.


Attached to the email message is an archive file Skype-message.zip which in turn contains a malicious executable Voice_Mail_Message.exe which has a VirusTotal detection rate of 13/49*. Malwr reports** that the malware calls home to rockthecasbah .eu on  64.50.166.122 (LunarPages, US). This server has been compromised before and I recommend you -block- traffic to it."
* https://www.virustot...sis/1390858228/

** https://malwr.com/an...mYwMWM1NzIwMDg/

- http://threattrack.t...ed-message-spam
Jan 27, 2014 - "Subjects Seen: Skype Missed voice message..."
Malicious File Name and MD5:
    Skype-message.zip (79FB2E523FE515A6DAC229B236F796FF)
    Voice_Mail_Message.exe (6E4857C995699C58D9E7B97BFF6E3EE6)


Tagged: Skype, Upatre
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 27 January 2014 - 03:59 PM.



#1120 AplusWebMaster

Posted 28 January 2014 - 04:23 AM

FYI...

Fake Facebook 'Account Verification' Scam/SPAM
- http://www.hoax-slay...2014-scam.shtml
Jan 28, 2014 - "Message purporting to be from the "Facebook Verification Team" claims that users must verify their profiles by March 15th 2014 to comply with the SOPA and PIPA Act. The message is a -scam- and -not- from any official Facebook Verification Team. Those who follow the link will be tricked into installing a rogue Facebook app and participating in -bogus- online surveys. Some variants may attempt to trick users into divulging their Facebook email address and password to criminals. Example:
Warning: Announcement from Facebook Verification Team:
All profiles must be verified before 15th March 2014 to
avoid scams under SOPA and PIPA Act.
Verify your Account by steps below
Invite your friends.

> http://www.hoax-slay...tion-2014-1.jpg
According to a message currently moving round Facebook, all users must verify their profiles by March 15th 2014 in order to comply with the SOPA and PIPA Act. The message, which comes in the form of a graphic, claims to be an announcement from the "Facebook Verification Team". Users are instructed to click an "Invite your Friends" button to begin the verification process... Users who fall for the ruse and click the button will first be asked to give a Facebook application permission to access their details. Once installed, this rogue app will spam out more fake messages in the name of the user. Victims will then be taken to another fake page where they are again told that they must verify their account by clicking a further link. However, clicking the link takes them to various survey pages or tries to entice them to sign up for online games. Many of the surveys claim that users must provide their mobile phone number to enter in a prize draw. But, by giving out their number, users are actually signing up for very expensive SMS "subscriptions" charged at several dollars per message sent. Other surveys may ask victims to provide personal and contact information that will later be shared with third parties and used to inundate them with junk mail, emails, phone calls and text messages. The scammers responsible for the bogus "verification" messages will earn commissions via dodgy affiliate marketing systems each and every time a person participates in a survey or provides their personal information in an online "offer". Reports indicate that some versions of the scam may try to trick victims into divulging their account login details to criminals. The criminals can then -hijack- the compromised accounts and use them to distribute further scam messages..."
___

Fake RingCentral Fax msg SPAM
- http://blog.dynamoo....x-spam-has.html
28 Jan 2014 - "This -fake- RingCentral fax spam has a malicious attachment:
    Date:      Tue, 28 Jan 2014 14:28:24 +0000 [09:28:24 EST]
    From:      Sheila Wise [client@ financesup .ru]
    Subject:      New Fax Message on 01/22/2013
    You Have a New Fax Message
    From:     (691) 770-2954
    Received:     Wednesday, January 22, 2014 at 11:31 AM
    Pages:     5
    To view this message, please open the attachment
    Thank you for using RingCentral.


Screenshot: https://lh3.ggpht.co...ringcentral.png

Attached is a file fax.zip which in turn contains a malicious executable fax.doc.exe with an icon to make it look like a Word document. The VirusTotal detection rate for the document is 10/50*, and the Malwr analysis** shows an attempted callback to ren7oaks .co .uk on 91.238.164.2 (Enix Ltd, UK). The executable then downloads an apparently encrypted file..."
* https://www.virustot...sis/1390921856/

** https://malwr.com/an...WFhZmUyYzlmOTQ/
___

Fake flash update via .js injection and SkyDrive
- http://blog.dynamoo....ate-via-js.html
28 Jan 2014 - "... ongoing injection attacks that were leading to Adscend Media LLC ads. Adscend say that the affiliate using their ad system was banned, although the ad code is -still- showing in the injection attacks themselves. F-Secure also covered the attacks* from a different aspect... this infection is -still- current..."
(More detail at the dynamoo URL above.)

* http://www.f-secure....s/00002659.html

> http://www.f-secure....es/5_flash1.PNG
___

Fake Flash Update aimed at Turkish users
- http://blog.trendmic...-turkish-users/
Jan 27, 2014 - "... A recent attack that we found starts off with a video link sent to users via Facebook’s messaging system (sent in Turkish). This “video” prompts users to install a Flash Player update; it actually installs a browser extension that blocks access to various antivirus sites. It also sends a link to the “video” to the victim’s Facebook friends via the messaging system, restarting the cycle. This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey. The browser extension pushed to users was in the format used by Chromium-based browsers like Google Chrome. It would -not- work in other browsers, like Internet Explorer and Mozilla Firefox. It also stops the user from accessing the extension settings page, to prevent the user from removing or disabling the extension.
> http://blog.trendmic...flashplayer.jpg
... The fake update, detected as TROJ_BLOCKER.J, installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script which is used to send the Facebook messages with the link to the video. This script is detected as HTML_BLOCKER.K. In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted:
> http://blog.trendmic...ountupdated.jpg
Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users... this attack’s behavior – blocking antivirus sites – ... would leave them vulnerable to future attacks..."
___

Malformed FileZilla - login stealer
- http://blog.avast.co...-login-stealer/
Jan 27, 2014 - "Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients. The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on -hacked- websites with -fake- content (for example texts and user comments are represented by images.)
> https://blog.avast.c...4/01/web_01.jpg
Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same. The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.
The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.
> https://blog.avast.c...out_windows.jpg
We found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code... The algorithm is part of a malformed FileZilla.exe binary, therefore sending stolen log in details which bypasses the firewall. The whole operation is very quick and quiet. Log in details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections... Malware authors use very powerful and inconspicuous methods to steal FTP log in credentials in this case... We -strongly- recommend to download any software only from official, well-known or trusted sources. Avoid strange looking websites and portals offering software via their own downloaders or installers containing bundled adware and PUP applications..."
 

:ph34r: <_<  :(


Edited by AplusWebMaster, 28 January 2014 - 10:34 AM.
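The posts above keep describing the same lure: a ZIP attachment holding a single executable, sometimes with a decoy double extension such as fax.doc.exe, often with an MD5 already published. The Python below is an added example (not code from this forum or from the quoted blogs) that applies those three checks to an attachment in memory; the archive it inspects is constructed here, and the known-bad MD5 set is copied from the ThreatTrack entries quoted earlier in the thread.

```python
import hashlib
import io
import os
import zipfile

# MD5 values quoted in the ThreatTrack writeups above (lower-cased hex).
# Everything else in this file, including the sample archive, is constructed.
KNOWN_BAD_MD5 = {
    "79fb2e523fe515a6dac229b236f796ff",  # Skype-message.zip
    "6e4857c995699c58d9e7b97bff6e3ee6",  # Voice_Mail_Message.exe
    "58985cc9aa284309262f4e59bc36e47a",  # Label_525933498011.zip
    "e0595c4f17056e5599b89f1f9cf52d83",  # Label_27012014.exe
    "333794d9592ce296a6fe15cdf58756ea",  # report.creditcard2735.zip
    "3b81614e62963ac5336946b87f9487fe",  # report.9983.exe
}

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".wav"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def name_reasons(name: str) -> list:
    """Flags derived from the member name alone."""
    stem, ext = os.path.splitext(os.path.basename(name).lower())
    reasons = []
    if ext in EXEC_EXT:
        reasons.append("executable_extension")
        # Decoy double extension, e.g. fax.doc.exe or Tax payment.pdf.exe.
        if os.path.splitext(stem)[1] in DOC_EXT:
            reasons.append("double_extension")
    return reasons


def content_reasons(name: str, data: bytes) -> list:
    """Flags derived from the member's bytes: PE header under a document name, known hash."""
    ext = os.path.splitext(name.lower())[1]
    reasons = []
    if data[:2] == b"MZ" and ext not in EXEC_EXT:
        reasons.append("pe_header_mismatch")
    if md5_hex(data) in KNOWN_BAD_MD5:
        reasons.append("known_bad_md5")
    return reasons


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per suspicious member (and for the archive itself if its hash is known)."""
    findings = []
    archive_md5 = md5_hex(zip_bytes)
    if archive_md5 in KNOWN_BAD_MD5:
        findings.append({"name": "<archive>", "md5": archive_md5, "reasons": ["known_bad_md5"]})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            reasons = name_reasons(info.filename) + content_reasons(info.filename, data)
            if reasons:
                findings.append({"name": info.filename, "md5": md5_hex(data), "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure archive for demonstration; the 'executables' are just an MZ header plus padding."""
    fake_pe = b"MZ" + b"\x90" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Voice_Mail_Message.exe", fake_pe)  # plain .exe, as in the Skype lure
        zf.writestr("fax.doc.exe", fake_pe)             # double extension, as in the RingCentral lure
        zf.writestr("invoice.pdf", fake_pe)             # PE bytes hiding under a document name
        zf.writestr("readme.txt", b"just text\n")       # benign member, should not be flagged
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for f in inspect_zip_attachment(SAMPLE_ZIP):
        print(f"{f['name']:<24} {f['md5']}  {', '.join(f['reasons'])}")
```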



#1121 AplusWebMaster


Posted 29 January 2014 - 10:09 AM

FYI...

Fake "Voice Message" SPAM (again)
- http://blog.dynamoo....spam-again.html
29 Jan 2014 - "This -fake- voice message spam comes with a malicious attachment:
    Date:      Wed, 29 Jan 2014 14:45:36 +0100 [08:45:36 EST]
    From:      Administrator [docs0@ victimdomain .net]
    Subject:      Voice Message from Unknown (644-999-4348)
     Unity Messaging System
    - - -Original Message- - -
    From: 644-999-4348
    Sent: Wed, 29 Jan 2014 14:45:36 +0100
    To: [redacted]
    Subject: Important Message to All Employees


Attached is an archive Message.zip which in turn contains a malicious executable VoiceMessage.exe which has a VirusTotal detection rate of just 6/50*. Automated analysis tools... show attempted connections to kitchenrescue .com on 184.107.74.34 (iWeb, Canada) and ask-migration .com on 173.192.21.195 (Softlayer, US). In particular, it attempts to download some sort of -encrypted- file [donotclick]kitchenrescue .com/login.kitchenrescue.com/images/items/wav.enc which I have not been able to identify."
* https://www.virustot...sis/1391006188/

- https://www.virustot...34/information/

- https://www.virustot...95/information/
___

Neutrino delivers Fake Flash malware hosted on SkyDrive
- http://blog.malwareb...ed-on-skydrive/
Jan 29, 2014 - "As cloud computing becomes more popular, malware authors are also taking interest in using this technology to store their own files—except, of course, their files are usually bad. SkyDrive (recently renamed to OneDrive) is Microsoft’s cloud storage solution, and competes directly with other big-name storage products like Google Drive and Dropbox, all of which provide a convenient solution to accessing your files from virtually any location with internet access. Recently, I found a downloader collected from our honeypot that appears as a -fake- Flash Player installer. These types of programs usually deliver malware and are very successful at making people believe they’re installing or updating the real Flash Player. This particular downloader file currently is detected by 9/50 vendors on Virustotal* ... The downloader binary was a payload from the Neutrino Exploit Kit and delivered via a Java exploit... When the file runs, it beacons out to the SkyDrive URL and presents a dialog that states it’s installing Flash Player, and then says “Installation Finished!” if everything goes well.
> http://cdn.blog.malw...ll_finished.jpg
I visited the download server multiple times and managed to get different samples, each with their own icon (including a creepy skull). Meaning the samples stored on the SkyDrive folder are constantly being updated.
> http://cdn.blog.malw...yer_samples.png
... To be fair to Microsoft, this isn’t the only instance where cloud storage was used for bad things. Last November, we reported on a malicious script that was hosted on Google Drive, and similar things have happened with Dropbox. Regardless, it appears more security measures need to be into place to prevent various malicious files and programs from being uploaded to cloud storage services."
* https://www.virustot...35be8/analysis/
___

Fake Browser updates ...
- http://blog.malwareb...pdate-warnings/
Jan 28, 2014 - "... Any message asking end users to update browsers to ward off security issues can cause problems both at home and in the workplace. Neither “Relative who knows about computers” or the stressed IT guy from the fourth floor wants to waste time rolling back / uninstalling / deleting things from the target PC... I came across a fake browser update site doing the rounds located at
newbrowserversion(dot)org
which has pages for Chrome (C), Firefox (F) and IE (I) users... Here’s what you can expect to see on each of the three pages.
Chrome: http://cdn.blog.malw...rowsupdate2.jpg
.
Firefox: http://cdn.blog.malw...rowsupdate3.jpg
.
IE: http://cdn.blog.malw...rowsupdate4.jpg
.
Regardless of page viewed, they all say the same thing... Should the end-user run the executable file (and all three have a different MD5) the install procedure kicks into gear. Sort of. We’re presented with the standard splash screen, and one would expect to see various offers, programs, maybe the odd toolbar... If you want to check the update status of your browser, rely on the browser itself rather than third-party websites offering up random downloads. More often than not, your browser will tell you about updates by clicking into “Help” and / or “About this browser” options in the various settings menus..."

68.233.240.26
- https://www.virustot...26/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 29 January 2014 - 03:44 PM.



#1122 AplusWebMaster


Posted 30 January 2014 - 05:11 AM

FYI...

Fake Vodafone MMS SPAM - malicious attachment
- http://blog.dynamoo....comes-with.html
30 Jan 2014 - "This -fake- Vodafone MMS spam comes with a nasty payload:
    Date:      Thu, 30 Jan 2014 03:55:04 -0500 [03:55:04 EST]
    From:      mms.service6885@ mms .Vodafone .co .uk
    Subject:      image Id 312109638-PicOS97F TYPE==MMS
    Received from: 447219637920 | TYPE=MMS


Despite the Vodafone references in the header, this message comes from a random -infected- PC somewhere and not the Vodafone network. The email doesn't quite render properly in my sample:
> https://lh3.ggpht.co...odafone-mms.png
The spam is probably preying on the fact that most people have heard of MMS but very rarely use it. Attached is a file IMG0000008849902.zip which in turn contains a malicious executable IMG0000008849902.exe, this has a VirusTotal detection rate of just 2/50*. Automated analysis tools are inconclusive... as the sample appears to time out."
* https://www.virustot...sis/1391073258/
___

s15443877[.]onlinehome-server[.]info ? ...
- http://blog.dynamoo....serverinfo.html
30 Jan 2014 - "Something that caught my eye was this Google Safebrowsing diagnostic for [donotclick]s15443877.onlinehome-server .info * ... Not only are (exactly) one third of the pages crawled hosting -malware- but there are a staggering -198- domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen. VirusTotal also shows some historical evil** going on with the IP of 212.227.141.247 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish. It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and -blocking- s15443877.onlinehome-server .info or 212.227.141.247 might be prudent."
* http://www.google.co...me-server.info/
"... over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29. Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine. Malicious software is hosted on 198 domain(s)... 155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site..."

** https://www.virustot...47/information/

AS8560 (ONEANDONE-AS)
- http://www.google.co...ic?site=AS:8560
___

Twitter Follower Scam ...
- http://blog.trendmic...-actually-work/
Jan 30 2014 - "... This -scam- tries to attract potential victims by using tweets with the phrase “GET MORE F0LL0WERS” and a URL that is apparently from Google. (In this particular case, Google is just used as a -redirector- to the scammer’s site.) It also uses Twitter’s Discover feature and trending topics to boost its visibility. It also uses tweets that mention random Twitter users.
Sample tweets promoting the site:
> http://blog.trendmic...01/twitter1.jpg
When users click the link in the post, they will be redirected to a “get free followers” site. The site offers two options—a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers; this will grant them access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site will show a “processing” page. The user will gain random Twitter followers, including those with private accounts. The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.
> http://blog.trendmic...01/twitter2.jpg
What’s the catch? Yes, they get new followers, but these followers are other users who signed up for this service as well. By agreeing to the service, their accounts will also be used to follow other accounts as well. In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle... Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus, revenue for the owners of the ads. We’ve seen -35- separate domains in this attack... Users are encouraged to -avoid- clicking links on social media posts unless the source can be verified. Users should also avoid giving access to their social media accounts unless the sites are established and well-known. Lastly, they should always remember that “free” services often aren’t. They may ask for something in exchange, be it information or access to accounts..."
___

Fake  "Last Month Remit" SPAM
- http://blog.dynamoo....remit-spam.html
30 Jan 2014 - "This -fake- "Last Month Remit" spam does a pretty good job of looking like it comes from your own organisation:
    Date:      Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
    From:      Administrator [victimdomain]
    Subject:      FW: Last Month Remit
    File Validity: Thu, 30 Jan 2014 12:22:05 +0000
    Company : http ://[victimdomain]
    File Format: Office - Excel
    Internal Name: Remit File
    Legal Copyright: Microsoft Corporation. All rights reserved.
    Original Filename: Last month remit file.xls ...


Going to the bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realise that the attached ZIP file with an EXE in it was probably bad news. In this case, the attachment is called Remit_[victimdomain].zip which in turn contains a malicious executable called Remit.exe which has an icon that makes it look like a PDF file.
> https://lh3.ggpht.co...1600/remit2.png
This file has a VirusTotal detection rate of 10/49*. Automated analysis tools... show an attempted connection to poragdas .com on 182.18.143.140 (Pioneer Elabs, India) which is a server that has been seen before, and excelbizsolutions .com on 103.13.99.167 (CtrlS Private, India).
Recommended blocklist:
103.13.99.167
182.18.143.140
poragdas .com
excelbizsolutions .com
"
* https://www.virustot...sis/1391089282/
 

:ph34r:  <_<


Edited by AplusWebMaster, 30 January 2014 - 08:56 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1123 AplusWebMaster

Posted 31 January 2014 - 07:04 AM

FYI...

Fake Fax2Email SPAM
- http://blog.dynamoo....email-spam.html
31 Jan 2014 - "... another -fake- Fax spam with a malicious payload:
    Date:      Fri, 31 Jan 2014 10:00:23 +0000 [05:00:23 EST]
    From:      Windsor Telecom Fax2Email [no-reply@ windsor-telecom .co .uk]
    Subject:      Fax Message on 08983092722 from FAX MESSAGE
    You have received a fax on your fax number: 08983092722 from.
    The fax is attached to this email.
    PLEASE DO NOT REPLY BACK TO THIS MESSAGE.


Attached is an archive file FAX MESSAGE.ZIP which in turn contains a malicious executable FAX MESSAGE.EXE with a VirusTotal detection rate of 4/50*. Well, I say malicious but both Malwr and Anubis report that the payload does not execute properly, however that might just be an issue with those particular sandboxes and it does -not- mean that it will fail to run on all systems."
* https://www.virustot...sis/1391163988/
___

Something evil on 192.95.10.208/28
- http://blog.dynamoo....2951020828.html
31 Jan 2014 - "192.95.10.208/28 (OVH, Canada) is being used to deliver -exploit- kits utilising .pw domains, for an example see this URLquery report*. The following domains are being used in these attacks (although there may be more):
(Long list at the dynamoo URL above.)
The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276 ... **
Country:        RU
RegDate:        2014-01-24
I believe that these IPs are connected with a black hat host -r5x .org- and IPs with these WHOIS details are very often used in exploit kit attacks. I would -strongly- recommend that you -block- 192.95.10.208/28 in addition to the domains listed above."
* http://urlquery.net/....php?id=9140970

Diagnostic page for AS16276 (OVH)
** http://google.com/sa...c?site=AS:16276
"... over the past 90 days, 5074 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-01-31, and the last time suspicious content was found was on 2014-01-31... we found 776 site(s) on this network... that appeared to function as intermediaries for the infection of 2156 other site(s)... We found 1092 site(s)... that infected 7551 other site(s)..."

- http://centralops.ne...ainDossier.aspx
canonical name     r5x .org ...
addresses 176.124.111.130 ...
- https://www.virustot...30/information/
___

Lloyds Banking Group 'Online Access Suspended' Phish
- http://www.hoax-slay...hing-scam.shtml
Jan 31, 2014 - "Email that pretends to come from Lloyds Banking Group -claims- that the recipient's online account access has been suspended because login details are incorrectly entered several times... The email is -not- from Lloyds. It is a -phishing- scam designed to trick users into giving their account login details and other personal information to Internet criminals. Example:
> http://www.hoax-slay...scam-2014.1.jpg
... According to this email, which purports to be from the UK's Lloyds Bank, the recipient's bank account has been suspended. Supposedly, account login details were entered several times, so the bank suspended access in order to protect the customer from online fraud attempts... the email itself is the online fraud attempt. The message is a typical phishing scam. Customers who are taken in by the false claims and click the link as instructed will be taken to a fake website where they will be asked to login to their Lloyds online account. After logging in on what they believe is the genuine Lloyds website, victims may then be asked to provide further personal data such as their credit card details and ID information. At the end of the sequence, victims may be automatically redirected to the genuine Lloyds website. Meanwhile, the criminals can hijack their bank accounts, transfer funds, conduct fraudulent transactions and perhaps even steal their identities..."
- http://www.lloydsban...ty/phishing.asp
 

:ph34r: <_<


Edited by AplusWebMaster, 31 January 2014 - 05:46 PM.



#1124 AplusWebMaster

Posted 01 February 2014 - 09:45 AM

FYI...

Fake Human Rights SCAM/SPAM ...
- http://blog.dynamoo....d-refugees.html
1 Feb 2014 - "This spam email is actually part of an advanced fee fraud setup:
    From:     fernando derossi fernandderossi59@ gmail .com
    To:     fernandderossi59@ gmail .com
    Date:     1 February 2014 13:22
    Subject:     URGENT FOOD STUFF SUPPLY NEED FOR REFUGEES
    Signed by:     gmail .com
    Dear Sir:
    My company has been mandated to look for a company capable of
    supplying food stuffs product listed bellow by the  AFRICAN HUMAN
    RIGHT AND REFUGEES PROTECTION COUNCIL (AHRRPC) for  assisting of the
    refugee within the war affected countries IN middle east and Africa
    like MALI,SYRIA, SOMALIA, CENTRAL AFRICA, and SOUTH SUDAN, which after
    going through your company's profile, have decided to know if your company is interested.

    Below are the list of food Stuffs and the targeted value needed by (AHRRPC) ...
    We will be happy to work with you company only as representing agent
to secure an allocation for your company while in return your company
will give us comission as soon as your receive your contract value. We
will give you more details about the contract when we recieve your reply.
Regards,
Mr.Fernando Derossi
AHRRPC AGENT ...


The email links to a website at www .ahrrpc .8k .com which set off all sorts of -alarms- on my virus scanner, but I think it is just an ad-laden free web hosting site, and purports to be from the African Human Right and Refugees Protection Council (AHRRPC)...
> https://lh3.ggpht.co...1600/ahrrpc.png
Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear... Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource."
 

:ph34r: :ph34r:  <_<




#1125 AplusWebMaster

Posted 03 February 2014 - 06:52 AM

FYI...

Something evil on 192.95.7.224/28
- http://blog.dynamoo....9295722428.html
3 Feb 2014 - "Another OVH Canada range hosting criminal activity, 192.95.7.224/28 is being used for several malicious .pw domains being used to distribute malware (as used in this attack*). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to block analysis of their payload. This block is carrying out the same malicious activity that I wrote about a few days ago**. OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x .org.
CustName:       Private Customer
Address:        Private Residence
City:           Penziatki ...
Country:        RU
RegDate:        2014-01-24 ...
These IPs are particularly active:
192.95.7.232
192.95.7.233
192.95.7.234

There is nothing of value in this /28 block and I recommend that you -block- the entire IP range plus the following domains (which are all already flagged as being malicious by Google)
Recommended blocklist:
192.95.7.224/28
archerbocce .pw
athleticsmove .pw
.."
(Long list of .pw domains at the dynamoo URL above.)
* http://urlquery.net/....php?id=9205587

** http://blog.dynamoo....2951020828.html

- https://www.virustot...32/information/
___

Something evil on 64.120.137.32/27
- http://blog.dynamoo....1201373227.html
3 Feb 2014 - "64.120.137.32/27 is a range of IP addresses belonging to Network Operations Center Inc in the US and suballocated to a customer which is currently being used in malware attacks as an intermediate step in sending victims to this malicious OVH range*. You can see an example of some of the badness in action here**. The range was formerly used by a company called TixDepot but may have been hijacked or reassigned. NOC report the following contact details for the block:
network:ID:NET-64.120.137.32/27
network:Auth-Area:64.120.128.0/17
network:network:NET-64.120.137.32/27
network:block:64.120.137.32/27 ...
network:country: US ...
About -half- the domains in this /27 have been flagged as -malicious- by Google, concentrated on the three IP addresses:
64.120.137.53
64.120.137.55
64.120.137.56

I would recommend -blocking- the entire /27, but this is the breakdown by IP address with domains tagged by Google highlighted (there's a plain list here***)"
* http://blog.dynamoo....9295722428.html

** http://urlquery.net/....php?id=9196650

*** http://pastebin.com/hHGvXkJa

- https://www.virustot...53/information/

- https://www.virustot...55/information/

- https://www.virustot...56/information/

___

Something evil on 192.95.43.160/28
- http://blog.dynamoo....2954316028.html
3 Feb 2014 - "More badness hosted by OVH Canada, this time 192.95.43.160/28 which contains pretty much the same set of evil described here*. Here is a typical IP flagged by VirusTotal** and a failed resolution by URLquery*** which frankly gives enough information to make it suspicious. However, the key thing is the registrant details which have been used in -many- malware attacks before****.
CustName:       Private Customer
Address:        Private Residence
Country:        RU
RegDate:        2014-01-24...
I can see the following .pw domains active in this range:
basecoach .pw
crewcloud .pw
boomerangfair .pw
kickballmonsoon .pw
martialartsclub .pw
runningracer .pw

All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28."
* http://blog.dynamoo....9295722428.html

** https://www.virustot...60/information/

*** http://urlquery.net/....php?id=9209750

**** http://blog.dynamoo....rch?q=Penziatki
___

Fake inTuit/TurboTax/IRS Refund Notice
- http://security.intu.../alert.php?a=97
2/3/14 - "People are receiving -fake- emails with the title "IRS Refund Notice":
Screenshot: http://security.intu...7_tt_refund.jpg
This is the end of the -fake- email.
Steps to Take Now:
 Do -not- open the attachment in the email.
 -Delete- the email..."
___

ANZ 'Upgrade to New System' Phish ...
- http://www.hoax-slay...hing-scam.shtml
Feb 3, 2014 - "Email pretending to be from large Australian and New Zealand bank ANZ claims that customers must click a link to upgrade to a new system technology designed to give users maximum protection... The email is a phishing scam that tries to trick users into divulging their personal information to criminals. The "Log on" button opens a -bogus- website designed to steal the user's ANZ account login details...
> http://www.hoax-slay...hing-2014-1.jpg
According to this email, which purports to be from the ANZ bank, customers are required to upgrade to a new system by logging into their accounts. The message claims that the new system will offer maximum protection and invites users to click a "Log on" button. The email is formatted with ANZ's logo and colour scheme to make it appear more genuine... the message is -not- from ANZ and the claim that users must login due to a system upgrade is untrue. The email is a simple phishing scam designed to grab account login credentials from unsuspecting ANZ customers... If users enter their customer number and password on the fake page and click the "Log on" button, they will be automatically redirected to the genuine ANZ site. They may believe that they have successfully "upgraded" to the new system and may remain unaware that they have been scammed until the next time they try to login... ANZ has published information about phishing scams on its website*..."
* http://www.anz.com/a...internet-fraud/
___

Fake Evernote - Malware Email
- http://www.hoax-slay...are-email.shtml
Feb 2, 2014 - "Email purporting to be from note taking application Evernote claims that an image has been sent and invites users to click a link to view the image... Evernote did not send the email and has no connection to it. The message is a criminal ruse designed to trick people into downloading and installing malware...
> http://www.hoax-slay...e-malware-1.jpg
According to this email, which purports to be from popular note taking application Evernote, an image addressed to the recipient has been sent. The message includes a clickable "Go to Evernote" button. The name of the supposed image is also clickable. However, Evernote did not send the email. Nor did it send an image as claimed. Clicking the links in the message will not open an image stored in Evernote as suggested in the message. Both links lead to a compromised website that harbours -malware-..."
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 03 February 2014 - 01:28 PM.

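A defender-side check for the "Recommended blocklist" entries quoted in the dynamoo posts above (the /28 OVH ranges, the Remit spam hosts and the .pw domains), as an added example that is not code from dynamoo or from this forum: it parses indicators in the posts' defanged notation (a space before the dot), then flags proxy log destinations that fall inside a listed CIDR or under a listed domain, so the fast-rotating subdomains the posts mention still match. The proxy log lines are constructed.

```python
import ipaddress
import re

# Blocklist exactly as quoted in the posts: domains defanged with a space
# before each dot ("poragdas .com"); IPs given bare or as CIDR ranges.
BLOCKLIST_TEXT = """
103.13.99.167
182.18.143.140
poragdas .com
excelbizsolutions .com
192.95.10.208/28
192.95.7.224/28
192.95.43.160/28
basecoach .pw
crewcloud .pw
"""

def refang(indicator):
    """Turn 'poragdas .com' (or 'poragdas[.]com') back into 'poragdas.com'."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", indicator.strip()).lower()

def parse_blocklist(text):
    """Split indicators into IP networks (bare IPs become /32) and domains."""
    networks, domains = [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            networks.append(ipaddress.ip_network(refang(line), strict=False))
        except ValueError:          # not an IP or CIDR, so treat as a domain
            domains.add(refang(line))
    return networks, domains

def is_blocked(host, networks, domains):
    """True if host is an IP inside a listed range, or a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in networks)
    except ValueError:
        pass                        # a hostname, fall through to domain matching
    labels = host.split(".")
    # Walk up the label chain so "xk3f.basecoach.pw" matches the listed "basecoach.pw".
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

NETWORKS, DOMAINS = parse_blocklist(BLOCKLIST_TEXT)

# Constructed proxy log lines: "<timestamp> <client> <destination host>"
SAMPLE_LOG = """2014-02-03T09:12:01Z 10.0.0.5 www.example.com
2014-02-03T09:12:07Z 10.0.0.5 192.95.7.233
2014-02-03T09:12:09Z 10.0.0.7 xk3f.basecoach.pw
2014-02-03T09:12:12Z 10.0.0.7 192.95.8.1"""

def flag_log(log=SAMPLE_LOG):
    """Return the destination hosts in the log that hit the blocklist."""
    return [ln.split()[-1] for ln in log.splitlines()
            if is_blocked(ln.split()[-1], NETWORKS, DOMAINS)]
```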
