2072 replies to this topic

[AplusWebMaster]

FYI...

Fake PayPal email - wants card details ...
- http://blog.malwareb...s-card-details/
Feb 24, 2014 - "Be wary of emails bearing gifts – in this case, claiming to reward those who would fill in a so-called Paypal survey to obtain a “£25 reward”. This one is flagged as -spam- in Gmail, but depending on your mail provider it may creep into the Inbox instead of the Spam folder:
> http://cdn.blog.malw...surveyspam1.jpg
... The zipfile, online_form.zip, contains a .htm page which looks like this:
> http://cdn.blog.malw...surveyspam2.jpg
Underneath the entirely pointless “survey questions”, the form asks for name, address, city, postcode, birthday, the “£25 bonus code” and full debit card information which all sits above a handy “Submit” button (top tip: -don’t- hit the submit button). While the people sending this mail have presumably tried to panic recipient into replying quickly (that is one seriously tight deadline), they may find this backfires as would-be victims see “23 February 2014” and send it straight to the trash. Take note of the following advice from the PayPal Security Center*:
* https://www.paypal.c...hishing-outside
"“To help you better identify fake emails, we follow strict rules. We will -never- ask for the following personal information in email:
Credit and debit card numbers
Bank account numbers
Driver’s license numbers
Email addresses
Passwords
Your full name”
If it sounds too good to be true…"
___

Pony botnet steals bitcoins, digital currencies
- http://blog.spiderla...your-coins.html
Feb 24, 2014 - "... discovered yet another instance of a Pony botnet controller. Not only did this Pony botnet steal credentials for approximately 700,000 accounts, it’s also more advanced and collected approximately $220,000 (all values in this post will be in U.S. dollars) worth, at time of writing, of virtual currencies such as BitCoin (BTC), LiteCoin (LTC), FeatherCoin (FTC) and 27 others. According to our data, the cyber gang that was operating this Pony botnet was active between September 2013 and mid-January 2014.  In this ~4 month period, the botnet managed to steal over 700,000 credentials, distributed as follows:
~600,000 website login credentials stolen
~100,000 email account credentials stolen
~16,000 FTP account credentials stolen
~900 Secure Shell account credentials stolen
~800 Remote Desktop credentials stolen
... the one thing you need to know is that BitCoins are stored in virtual wallets, which are essentially pairs of private and public keys. Whoever holds the private key to a wallet is the owner of that wallet and no name, ID or history is associated with the wallet. Again, possession of the private key indicates ownership. This holds true for all the other digital currencies that grew from BTC and now live alongside it—the most popular alternative right now being LiteCoin. BTC started out as an underground currency... The value of a BitCoin fluctuates. As of February 24; a BitCoin is valued at approximately $600. Unfortunately, even though some people may have had more money in their virtual wallet than they did in their bank account, very few had the understanding of how to properly secure their wallets... cybercriminals began developing ways to steal BitCoins, each within their own field of expertise. The most obvious choice for an attacker is to go after websites that offer various trading services. Many of these websites store virtual wallets for their users. A number of attacks on trading websites have popped-up over time. One of the most famous attacks on a trading website was the Sheep Marketplace scam** because of the large amount of BTC stolen... the bots interacted directly with the command-and-control server, which provided us with a little more insight into the geographical distribution of the victims:
Stolen passwords geo location destribution
> http://a7.typepad.co...3d793ddf970d-pi
... most popular websites for which credentials were stolen...
Stolen passwords by domains
> http://a5.typepad.co...116de6e5970c-pi
If you’d like to check your credentials, we’ve created a web tool that will allow you to enter your e-mail address to see whether it was included in the data cache. The tool will only send an e-mail to the address you input... You can find the tool here*..."
* https://www3.trustwa...mised-email.asp

** http://thehackernews...-Silk-Road.html
 

Edited by AplusWebMaster, 24 February 2014 - 04:08 PM.

[AplusWebMaster]

FYI...

Fake Westpac Bill Payment - Phish
- http://www.hoax-slay...hing-scam.shtml
Feb 25, 2014 - "Message supposedly sent by Australian bank Westpac, notifies recipients that a payment to a biller has been successfully processed and invites them to click a link to view transaction details. Westpac did -not- send the email. The message is a phishing scam that attempts to lure Westpac customers into visiting a fraudulent website and providing their account login details. Criminals will use the stolen information to hijack Westpac bank accounts belonging to their victims.
Example:
> http://www.hoax-slay...hing-2014-1.jpg
This email, which was supposedly sent by large Australian bank Westpac, informs recipients that a payment to a biller has been successfully processed. The email includes details of the bill payment and invites recipients to follow a link to view more information about the transaction. The message includes the Westpac logo... It is a -phishing- scam that was created with the goal of tricking recipients into giving their Westpac account login details to cybercriminals. Some Westpac customers who receive the bogus notification may be panicked into clicking the link in the mistaken belief that their accounts have been compromised and used to conduct fraudulent transactions in their names... the criminals responsible for the phishing campaign will collect the submitted login credentials. The criminals can use the stolen credentials to access their victims' bank accounts, transfer funds and commit further fraudulent transactions. If you receive one of these emails, do -not- click any links -or- open any attachments that it contains. Westpac has published information about phishing scams and how to report them on its website*..."
* http://www.westpac.c...s/online-fraud/
___

Fake British Airways e-ticket email - malware ...
- http://www.welivesec...ched-via-email/
Feb 25, 2014 - "If you have received an unexpected email, claiming to come from British Airways, about an upcoming flight that you haven’t booked – please be on your guard. Online criminals are attempting to infect innocent users’ computers with a variant of the malicious Win32/Spy.Zbot.AAU trojan, by disguising their attack as an e-ticket from the airline. To maximise the potential number of victims, the attackers have spammed out messages widely from compromised computers.
> http://www.welivesec...ware-email.jpeg
... Of course, although the email claims to come from British Airways – it is nothing of the sort. In a classic example of social engineering, criminals are hoping that email recipients will worry that their credit card has been fraudulently used to purchase an air ticket, and click on links inside the email to find out more. However, if user download the supposed e-ticket, and launch its contents they will be infecting themselves with a trojan horse that can spy on their computer activity and give malicious hackers third-party access to their data... the malware has been spread via malicious links after cybercriminals forged email headers to make their messages look like they really came from British Airways’s customer service department. But it’s equally possible for attackers to spread their malware via email attachments, or for other disguises to be deployed if those behind the spam blitz believe that they have a greater chance of success. Remember to always be suspicious of clicking on links in unsolicited emails, and the social engineering tricks that are frequently used to lure computer users into making unwise decisions..."
___

WhatsApp desktop client doesn’t exist, used in Spam Attack anyway
- http://blog.trendmic...-attack-anyway/
Feb 25, 2014 - "The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook... Cybercriminals didn’t waste much time to capitalize on this bit of news: barely a week after the official announcement, we saw a spam attack that claims that a desktop version of the popular mobile app is now being tested.
Screenshot of spammed message:
> http://about-threats...acebookspam.jpg
... The message also provides a download link to this version, which is detected as TROJ_BANLOAD.YZV, which is commonly used to download banking malware. (This behavior is the same, whether on PCs or mobile devices). That is the case here; TSPY_BANKER.YZV is downloaded onto the system. This BANKER variant retrieves user names and passwords stored in the system, which poses a security risk for online accounts accessed on the affected system. The use of BANKER malware, coupled with a Portuguese message, indicates that the intended targets are users in Brazil. Feedback from the Smart Protection Network indicates that more than 80 percent of users who have accessed the malicious site do come from Brazil. Although the volume of this spam run is relatively low, it is currently increasing. One of our spam sources reported that samples of this run accounted for up to 3% of all mail seen by that particular source, which indicates a potential spam outbreak. We strongly advise users to be careful of this or similar messages; WhatsApp does -not- currently have a Windows or Mac client, so all messages that claim one exists can be considered -scams- ..."
___

Bitcoin exchange Mt. Gox disappears...
- http://www.reuters.c...EA1O07920140225
Feb 25, 2014 - "Mt. Gox, once the world's biggest bitcoin exchange, looked to have essentially disappeared on Tuesday, with its website down, its founder unaccounted for and a Tokyo office empty bar a handful of protesters saying they had lost money investing in the virtual currency. The digital marketplace operator, which began as a venue for trading cards, had surged to the top of the bitcoin world, but critics - from rival exchanges to burned investors - said Mt. Gox had long been lax over its security. It was not clear what has become of the exchange, which this month halted withdrawals indefinitely after detecting "unusual activity." A global bitcoin organization referred to the exchange's "exit," while angry investors questioned whether it was still solvent..."
- http://www.wired.com...t-gox-implodes/
___

Developers attack code bypasses MS EMET tool
- http://arstechnica.c...protection-app/
Feb 24, 2014 - "Researchers have developed attack code that completely bypasses Microsoft's zero-day prevention software, an impressive feat that suggests criminal hackers are able to do the same thing when exploiting vulnerabilities that allow them to surreptitiously install malware. The exploit code, which was developed by researchers from security firm Bromium Labs, bypasses each of the many protections included in the freely available EMET, which is short for Enhanced Mitigation Experience Toolkit... The Bromium exploit included an example of a real-world attack that was able to circumvent techniques designed to mitigate the damage malicious code can do when targeting security bugs included in third-party applications... The researchers privately informed security personnel at Microsoft before going public with their findings; the software giant plans to credit the research when releasing the upcoming version 5 of EMET..."
 

 

Edited by AplusWebMaster, 25 February 2014 - 01:06 PM.

[AplusWebMaster]

FYI...

Fake AMEX email - phish ...
- http://www.hoax-slay...hing-scam.shtml
Feb 26, 2014 - "Email claiming to be from American Express instructs recipients to visit a website and create a Personal Security Key (PSK) as an account authentication measure. The email is -not- from American Express. Links in the email open a fraudulent website designed to emulate a genuine American Express webpage. The fake website asks users to provide credit card details and other information. The criminals behind the scam will use the stolen data to commit credit card fraud and hijack online accounts. If this message comes your way, do -not- click on any links -or- open any attachments that it contains.
> http://www.hoax-slay...-phishing-1.jpg
According to this email, which purports to be from American Express, users can increase their account security by having a Personal Security Key (PSK). The message invites recipients to click a link to create their PSK. The email is professionally presented and includes seemingly legitimate subscription and copyright information. At first glance, the message may seem like a genuine American Express notification, especially since it supposedly provides information to help customers protect themselves from fraud. American Express does offer customers a PSK system as one of several authentication measures. However, this email is not from American Express. Ironically, considering its content, the email is itself a scam designed to defraud customers. Clicking any of the links in the fake message will take users to a bogus website that asks for their credit card information. Like the email itself, the bogus website looks professional and has been built so that it closely emulates a genuine American Express page. The information provided on the fake website can be collected by scammers and used to commit credit card fraud and identity theft... scammers are likely to create new scam sites and send out more of the scam emails. Phishing scammers continually target American Express and other credit card providers. As such scams go, this is a quite sophisticated attempt. Because of the way it is presented, the scam may catch out even more experienced users. American Express will -never- send customers unsolicited emails that request them to provide their card details or other sensitive personal information by clicking a link. The American Express website* includes information about phishing and how to report scam emails."
* https://www.american...tity-theft.html
___

Android - 98% of all mobile malware targeted this platform...
- https://www.secureli...olution_2013#05
24 Feb 2014 - "... Android remains a prime target for -malicious- attacks. 98.05% of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture..."
Charted: https://www.secureli...ats_2013_02.png

- http://www.theinquir...-mobile-malware
Feb 26 2014 - "... the number of new malicious programs in 2013 -doubled- to over 100,000... The bulk of attacks, 40 percent, target people in Russia. The UK ranks fifth, with three percent of victims. Germany, which lurks just below the UK, is apparently rather susceptible to a premium charge SMS takeover attack... that is unlikely to last for long: given cybercriminals' keen interest in consumer bank accounts, the activity of mobile banking Trojans is expected to grow in other countries in 2014..."
___

Eviction Notice Spam
- http://threattrack.t...ion-notice-spam
Feb 26, 2014 - "Subjects Seen:
    Eviction Notice
Typical e-mail details:
    Urgent notice of eviction,
    We have to inform you about the eviction proceedings against
    you and the decision of the bank to foreclose on your property.
    As a trespasser you need to move out until 20 March 2014
    and leave the property empty of your belongings and any trash.
    Please contact our office without delay to make arrangements for a move out.
    If you do not do this, you could be simply locked out of your home.
    Detailed bank statement as well as our contact information
    can be found in the attachment to this notice.
    Real estate agency,
    Helen Tailor

Malicious File Name and MD5:
    Notice_of_eviction_id65697RE.zip (26660A4FEB6D13BA67BFDBEF486A36FD)
    Urgent_notice_of_eviction.exe (1B7E61B48866A523BF5618F266AC5600)

Screenshot: https://gs1.wac.edge...2f2Y1r6pupn.png

Tagged: Eviction Notice, Kuluoz
___

Tax Season Phishing Scams and Malware Campaigns
- https://www.us-cert....lware-Campaigns
Feb 26, 2014 - "...received reports of an increased number of phishing scams and malware campaigns that seek to take advantage of the United States tax season. The Internal Revenue Service has issued an advisory* on its website warning consumers about potential scams..."
* http://www.irs.gov/u...Scams-Lead-List
 

Edited by AplusWebMaster, 26 February 2014 - 04:39 PM.

[AplusWebMaster]

FYI...

Fake Amazon SPAM / 213.152.26.150
- http://blog.dynamoo....our-online.html
27 Feb 2014 - "This fake Amazon spam leads to something bad.
    Date:      Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
    From:      "Amazon.com" [t1na@ msn .com]
    Subject:      Important For Your Online Account Access .
    Your Account Has Been Held
    Dear Customer ,
    We take you to note that your account has been suspended for protection , Where the password was entered more than once .
    In order to protect ,account has been suspended .Please update your Account Information To verify the account...
    Thanks for Update at Amazon .com...

Screenshot: https://lh3.ggpht.co...600/amazon2.png

In the samples that I have seen the link in the email goes to either [donotclick]exivenca .com/support.php or [donotclick]vicorpseguridad .com/support.php both of which are currently -down- but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care.."
___

Fake Royal Mail SPAM
- http://blog.dynamoo....isory-spam.html
27 Feb 2014 - "This -fake- Royal Mail spam has a malicious payload:
    From:     Royal Mail noreply@ royalmail .com
    Date:     27 February 2014 14:50
    Subject:     Royal Mail Shipping Advisory, Thu, 27 Feb 2014
    Royal Mail Group Shipment Advisory
    The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE ...

Screenshot: https://lh3.ggpht.co...0/royalmail.png

This is a ThreeScripts attack, the link in the email goes to:
[donotclick]wagesforinterns .com/concern/index.html
and it then runs one or more of the following scripts:
[donotclick]billigast-el .nu/margarita/garlicky.js
[donotclick]ftp.arearealestate .com/telecasted/earners.js
[donotclick]tattitude .co .uk/combines/cartooning.js
in this case the payload site is at
[donotclick]northwesternfoods .com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites... The payload appears to be an Angler Exploit Kit (see this example*).
Recommended blocklist:
23.239.12.68
billigast-el .nu
ftp.arearealestate .com
tattitude .co .uk
n2ocompanies .com
northerningredients .com
northwesternfoods .com
oziama .com
oziama .net "
* http://urlquery.net/....php?id=9660606
 

Edited by AplusWebMaster, 27 February 2014 - 09:40 AM.

[AplusWebMaster]

FYI...

IE10 0-day exploited in widespread Drive-by Downloads
- http://www.symantec....drive-downloads
Updated: 27 Feb 2014 - "... We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes. Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world. Our telemetry shows -both- targeted attacks and drive-by downloads in the mix.
Attacks targeting CVE-2014-0322 around the world
> http://www.symantec.... zero day 1.png
... websites either were modified to host the exploit code for the Internet Explorer zero-day vulnerability or were updated with the insertion of an iframe that redirects the browser to another compromised site hosting the exploit code. If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks... Microsoft has yet to provide a security update to patch the affected vulnerability. However, the company has offered the following solutions to help users protect their computers from exploits that take advantage of this vulnerability:
- Upgrade to Internet Explorer 11
- Install the Microsoft Fix it workaround solution:
> http://support.micro...4088#FixItForMe "
___

Fake Netflix Phish leads to Fake MS Tech Support
- http://blog.malwareb...t-tech-support/
Feb 28, 2014 - "... came across what I first thought was a typical phishing scam targeting Netflix:
> http://cdn.blog.malw...4/02/signin.png
Until I realized it wasn’t, or at least that there was something more to it. Of course it stole my credentials:
> http://cdn.blog.malw...14/02/phish.png
But it also displayed a message saying my account had been suspended:
> http://cdn.blog.malw...2/suspended.png
In order to fix this issue, you are urged to call “Netflix” at a 1-800 number. If you do a bit of a search you will find out this is -not- the official hotline, so this warranted a deeper investigation. Once I called the number, the rogue support representative had me download a “NetFlix Support Software”:
> http://cdn.blog.malw...02/software.png
This is nothing else but the popular remote login program TeamViewer:
> http://cdn.blog.malw...2/downloads.png
After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity. This was supposedly due to hackers who had infiltrated my computer as he went on to show me the scan results from their own ‘Foreign IP Tracer’, a -fraudulent- custom-made Windows batch script... According to him, there was only one thing to do: To let a Microsoft Certified Technician fix my computer. He drafted a quick invoice and was kind enough to give me a $50 Netflix coupon (fake of course) before transferring me to another technician... During our conversation, the scammers were not idle. They were going through my personal files and uploading those that looked interesting to them, such as ‘banking 2013.doc‘... Another peculiar thing is when they asked me for a picture ID and a photo of my credit card since the Internet is not secure and they needed proof of my identity. I could not produce one, therefore they activated my webcam so that I could show said cards to them onto their screen... This is where it ended as my camera was disabled by default. The scammers were located in India, information gathered from the TeamViewer logfile... -never- let anyone take remote control of your computer unless you absolutely trust them. This scam took place in a controlled environment that had been set up specifically for that purpose..."
___

Upcoming Verizon DBR report ...
- http://www.darkreadi...endly=this-page
Feb 28, 2014 RSA CONFERENCE 2014 San Francisco - "... data breach data gathered by Verizon for its Data Breach Investigations Report shows that the bad guys are winning when it comes to the efficiency of hacking into their victims' systems... Wade Baker, managing principal of RISK Intelligence for Verizon... says... "Less than 25 percent of good guys discovered these incidents in a days or less... The bad guys are winning at a faster rate than the good guys are winning"... Bryan Sartin, director of Verizon's RISK Team, said... "Victims don't even find out on their own. They are finding out from someone else"... U.S. Secret Service special agent Edward Lowery, who heads up the agency's criminal investigative division, said... "They are in it for the profit, and their business model requires that they be surreptitious. It's all about the money"... Verizon's Baker says the bad news from this year's report is that the cyber criminals and other attackers are getting better at what they do, while the security community is not improving its game quickly enough to keep pace..."
 

 

Edited by AplusWebMaster, 28 February 2014 - 03:42 PM.

[AplusWebMaster]

FYI...

The ThreatCon is currently at Level 2: Elevated
- http://www.symantec....eatconlearn.jsp
Mar 2, 2014 - "On February 19, 2014, Microsoft released a security advisory confirming a limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 9 and 10. The exploit is now being used in mass attacks. Customers are advised to update to Internet Explorer 11 or apply the Microsoft Fix it* solution described in the Microsoft Security Advisory. A security patch has yet to be released.
Microsoft Security Advisory (2934088) Vulnerability in Internet Explorer Could Allow Remote Code Execution"
* http://support.micro...4088#FixItForMe

> http://www.netmarket...d=0&qpcustomd=0
Feb 2014 - IE: 58%
___

Fake Companies House SPAM
- http://blog.dynamoo....69670-spam.html
28 Feb 2014 - "This -fake- Companies House spam leads to malware:
    From:     Companieshouse.gov.uk [web-filing@companies-house .gov .uk]
    Date:     28 February 2014 12:55
    Subject:     Spam FW: Case - 6569670
    A company complaint was submitted to Companies House website.
    The submission number is 6569670
    For more details please click : https ://companieshouse .gov .uk/Case?=6569670
    Please quote this number in any communications with Companies House.
    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.
    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other organisations that handle public funds.
    If you have any queries please contact the Companies House Contact Centre ...

Screenshot: https://lh3.ggpht.co...ies-house-4.png

The link in the email goes to:
[donotclick]economysquareshoppingcenter .com/izmir/index.html
in turn this runs one or more of the following scripts:
[donotclick]homedecorgifts .biz/outfitted/mascara.js
[donotclick]www.coffeemachinestorent .co.uk/disusing/boas.js
[donotclick]citystant .com/trails/pulitzer.js
[donotclick]rccol.pytalhost .de/turban/cupped.js
which in turn leads to a payload site at:
[donotclick]digitec-brasil .com.br/javachecker.php?create=3019&void-cat=4467&first-desk=9002
According to this URLquery report*, the payload site has some sort of Java exploit.
Recommended blocklist:
digitec-brasil .com.br
homedecorgifts .biz
coffeemachinestorent .co.uk
citystant .com
rccol.pytalhost .de "
* http://urlquery.net/....php?id=9706278
___

Fake Urgent eviction notification - Asprox...
- http://stopmalvertis...-ecosystem.html
Feb 28, 2014 - "The latest Asprox / Kuluoz spam template consists of an unsolicited email appearing to be from ppmrental .com. Prospectors Property Management is a Real Estate Agency located in Morgan Hill, California. The emails arrive with the subject line "Urgent eviction notification". The spammed out message notifies the recipient that as a trespasser they need to move out from their property before the 21 March 2014 and leave the property empty of their belongings and trash. The addressee must contact the Real Estate without delay in order to make arrangements to move out. Failure to do so could result in being locked out of the house. A detailed bank statement as well as the Real Estate's contact information can be found in the attachment. The executable file inside the ZIP archive poses as a Microsoft Word Document. This is one of the main reasons why you should never trust a file by its icon. Make sure that Windows Explorer is set to show file extensions and always pay attention to the file extension instead. The payload, Urgent_notice_of_eviction.exe will start up an instance of svchost.exe before accessing the internet. A copy of the executable will be copied under a random name to the %User Profile%\Local Settings\Application Data folder. A small downloader - bqoqusgj.exe in our analysis - will be fetched from the C&C together with 3 other files:
    vbxghrke - 66.5 KB (68,161 bytes)
    kqrbfxel - 12.0 KB (12,326 bytes)
    ihxqgwcu.exe - 140 KB (143,360 bytes)
A new start up entry will be created for ihxqgwcu.exe so that the program starts each time Windows starts but the executable isn’t launched yet. In meanwhile bqoqusgj.exe will download two files posing as Updates for the Flash Player: updateflashplayer_9e26d2b2.exe (libs5.8/jquery directory) and UpdateFlashPlayer_266a0199.exe (libs5.8/ajax directory).
> http://stopmalvertis...x-infogram1.jpg
... Updateflashplayer_9e26d2b2.exe will instantly shutdown and reboot the computer. A series of error messages will appear upon reboot as the malicous binary has deleted several critical registry keys belonging to Antivirus / Firewall / HIPS applications...The Asprox ad fraud binary also makes sure that the computer can’t boot in Safe Mode by deleting the corresponding registry entries. As seen below, booting the computer in safe mode results in a blue screen.
> http://stopmalvertis...x-infogram2.jpg
... For an in-depth analysis of Asprox / Kuluoz please refer to: Analysis of Asprox and its New Encryption Scheme*... Email:
> http://stopmalvertis...-infogram10.jpg
... IP Details
        46.161.41.154
        37.221.168.50
        109.163.239.243 ...
    14.54.223.133
     37.193.48.182 (504)
     37.115.155.128
     72.227.178.35
     90.154.249.71
     91.225.93.237
     100.2.223.97
     109.226.203.101
     176.212.145.163
     188.129.241.164
     213.231.48.242 ..."
(More detail at the stopmalvertising URL above.)
* http://stopmalvertis...ion-scheme.html

- http://tools.cisco.c...x?alertId=33147
2014 Mar 03
 

Edited by AplusWebMaster, 04 March 2014 - 08:55 AM.

[AplusWebMaster]

FYI...

Malware sites to block ...
- http://blog.dynamoo....block-2314.html
2 Mar 2014 - "These domains and IPs are all connected with this gang*, some of it appears to be involved in -malware- distribution, -fraud- or other illegal activities. I recommend that you -block- these IPs and domains. Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting..."
(Long list at the URL above.)
* http://blog.dynamoo....-job-offer.html
2 Mar 2014
___

Rising use of Malicious Java Code ...
- https://www.trusteer...-infiltration-0
Mar 3, 2014 - "... exploit kits such as the Blackhole and Cool exploit kit were found to be using unpatched Java vulnerabilities... to install malware..."
Extract from the 2014 IBM X-Force Threat Intelligence Quarterly report
Exploited apps - Dec 2013
> https://www.trusteer...reenShot609.png
Java vulnerabilities - 2010-2013
> https://www.trusteer...reenShot610.png
 

Edited by AplusWebMaster, 03 March 2014 - 11:21 AM.

[AplusWebMaster]

FYI...

Phone Phishing, Data Breaches, and Banking Scams
- http://blog.trendmic...-banking-scams/
Mar 4, 2014 - "... I received a rather unusual call that claimed to be from National Australia Bank (NAB), one of the four largest banks in Australia. The caller had my complete name and my address. They claimed that they had flagged a suspicious transaction from my account to an Alex Smith in New Zealand to the tune of 700 Australian dollars. They needed my NAB number to confirm if the transaction was legitimate. There was just one problem with this seemingly plausible call: I wasn’t an NAB customer. I offered to call them back – and when I did so, they simply hung up on me. These sorts of calls are not the only threats that arrive via phone – for example, fake “support” calls that are supposedly from Microsoft* that offer to remove malware from user PCs are sadly commonplace. To most users who simply go about their daily lives, these calls can sound quite convincing and can cause a lot of problems... How did they get that all that information? We don’t know. However, it’s very possible that somebody somewhere had a data breach. They may not have known about it, or they may have decided that since the information “wasn’t critical” – say, they didn’t have my credit card or banking credentials – that it was harmless. However, now you can see how seemingly “harmless” information can be used to carry out real fraud. Since last year, we’ve been pointing out the huge gains in banking malware**. Just as support scams can be thought of as a “real-world” equivalent to ransomware and fake antivirus, so can these sort of phishing calls be the equivalent of these banking malware threats..."
* http://www.microsoft...acy/msname.aspx

** http://blog.trendmic...curity-roundup/
___

Twitter sends password reset emails by mistake, admits it wasn't hacked
- http://www.theinquir...snt-been-hacked
Mar 04 2014 - "... Twitter sent a number of password reset emails on Monday evening due to a system error. The firm contacted users with the sort of messages usually seen when attackers are taking over accounts. Twitter's email has been shared on the microblogging website, of course, and picked up by the Recode website. The missive presented itself as one of those 'you've been hacked' emails, and informed users about their scorched logins. "Twitter believes that your account may have been compromised by a website or service not associated with Twitter," it said. "We've reset your password to prevent accessing your account." Users took to Twitter to fret about the email, and a search on "Twitter hack" turns up a range of panicked missives and messages of thanks to Twitter for its speedy intervention. Later though, in a statement to Recode, the firm admitted that it had been the victim of nothing more than a system error. "We unintentionally sent some password reset notices tonight due to a system error," it said. "We apologise to the affected users for the inconvenience." Users could not be blamed to worrying about the phantom attack, as we have already seen a large number of security breaches this year already..."
___

Orange MMS Message Spam
- http://threattrack.t...ms-message-spam
Mar 4, 2014 - "Subjects Seen:
    MMS message from: +447974******
Typical e-mail details:
     You have received MMS message from: +447974778589
    You can find the contents of the message in the attachment
    If you have any questions regarding this automated message please contact Orange Customer Support

Malicious File Name and MD5:
    MMS_C0BFB6C0B8.zip (3A123E39BDCAC7ED1127206502C1598C)
    MMS_87436598.exe (10F21C0F2C3C587A509590FA467F8775)

Screenshot: https://gs1.wac.edge...fhjQ1r6pupn.png

Tagged: Orange, Androm
___

Bitcoin bank Flexcoin shuts down after theft
- http://www.reuters.c...EA2329B20140304
Mar 4, 2014 - "Bitcoin bank Flexcoin said on Tuesday it was closing down after it lost bitcoins worth about $600,000 to a hacker attack. Flexcoin said in a message posted on its website that all 896 bitcoins stored online were stolen on Sunday. "As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately," the company said. [ http://www.flexcoin.com/ ] Alberta, Canada-based Flexcoin, which is working with law enforcement agencies to trace the source of the hack, said it would return bitcoins stored offline, or in "cold storage", to users. Cold storage coins are held in computers not connected to the Internet and therefore cannot be hacked... Bitcoin is a digital currency that, unlike conventional money, is bought and sold on a peer-to-peer network independent of central control. Its value soared last year, and the total worth of bitcoins minted is now about $7 billion..."
 

 

Edited by AplusWebMaster, 05 March 2014 - 03:38 AM.

[AplusWebMaster]

FYI...

Fake PayPal 'Cancel Payment' Phishing Scam
- http://www.hoax-slay...hing-scam.shtml
Mar 5, 2014 - "Email purporting to be from PayPal claims that the recipient has sent a payment to a specified merchant and offers instructions for cancelling the payment if required... The email is a phishing scam designed to trick recipients into divulging their PayPal account login details and a large amount of personal and financial information. All of the information supplied will be sent to online criminals and used to commit financial fraud and identity theft. The merchant or seller specified in the messages may vary in different incarnations of the scam. If you receive one of these bogus emails, do not click on any links or open any attachments that it contains...
> http://www.hoax-slay...hing-2014-1.jpg
.
> http://www.hoax-slay...hing-2014-2.jpg
... Those who do click will be taken to a -bogus- website and asked to supply their PayPal email address and password on a fake login box. After logging in, they will be presented with the following web form, which asks for a large amount of personal and financial information:
> http://www.hoax-slay...hing-2014-3.jpg
... All of the information supplied can be harvested by criminals and used to hijack the compromised PayPal accounts, commit credit card fraud and steal the identities of victims... If a PayPal phishing scam email hits your inbox, you can submit it to the company for analysis via the email address listed on the company's phishing information page*. A quick rule of thumb. PayPal emails will ALWAYS address you by your first and last names or business name. They will never use generic greetings such as 'Dear customer'. Nor will they omit the greeting..."
* https://www.paypal.c...D=FAQ2331&m=SRE
 

 

[AplusWebMaster]

FYI...

Deceptive ads expose users to PUA ...
- http://www.webroot.c...ed-application/
Mar 6, 2014 - "Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victims to these privacy-violating applications, largely due to the fact that they instantaneously agree to the terms in the End User’s Agreement presented to them. We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUA’s), tricking users into installing a bogus PC performance boosting application... actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post...
Sample screenshot of the landing page:
> https://www.webroot....C_Performer.png
... Sample detection rate for PurpleTech Software Inc’s PC Performer:
MD5: f85a9d94027c2d44f33c153b22a86473* ... Once executed, the sample phones back to:
hxxp:// inststats-1582571262.us-east-1.elb.amazonaws .com – 23.21.180.138
hxxp:// api.ibario .com – 50.22.175.81
hxxp:// 107.20.142.228 /service/stats.php?sv=1
hxxp:// 174.36.241.169 /events
Domain name reconnaissance:
api.ibario .com – 50.22.175.81; 96.45.82.133; 96.45.82.197; 96.45.82.69; 96.45.82.5
thepcperformer .com – 96.45.82.5; 96.45.82.69; 96.45.82.133; 96.45.82.197 ...
... responded to the same C&C server (23.21.180.138) ...
... phoned back to the same IP (50.22.175.81)..."
* https://www.virustot...sis/1394030288/
 

 

[AplusWebMaster]

FYI...

Fake TurboTax: E-file successful email
- http://security.intu...alert.php?a=101
3/7/14 - " People are receiving fake emails with the title "TurboTax: E-file Successful." Below is a copy of the email people are receiving:
> http://security.intu...tsuccessful.jpg
___
This is the end of the -fake- email.
Steps to Take Now
 Do not open any attachment or click any links in the email...
 Delete the email."
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Transaction Statement Email Messages - 2014 Mar 07
Email Messages with Malicious Attachments - 2014 Mar 07
Fake Product Invoice Notification Email Messages - 2014 Mar 07
Fake Account Payment Information Email Messages - 2014 Mar 07
Fake Product Order Notification Email Messages - 2014 Mar 07
Fake Failed Delivery Notification Email Messages - 2014 Mar 07
Fake Fax Message Delivery Email Messages - 2014 Mar 07
Fake Fax Delivery Email Messages - 2014 Mar 07
Fake Payment Transaction Notification Email Messages - 2014 Mar 06...
(Links / more info at the cisco URL above.)
___

Friday (Spam) Roundup
- http://blog.malwareb...y-spam-roundup/
Mar 7, 2014 - "... spam for the weekend?
1) Bitcoin spam: http://cdn.blog.malw...03/bitspam1.jpg
    “Buy and sell Bitcoins!
    Find the best places online to buy / sell Bitcoin currency”
The link just takes clickers to what appears to be a parked domain with sponsored links. In other words, delete / avoid.
2) Skype Team Direct Messages: http://cdn.blog.malw...03/bitspam2.jpg
    “Direct message from Skype Team
    Skype
    Direct Message
    View Message
    Respectfully,
    Skype Service”
3) Pharmacy msgs: http://cdn.blog.malw...03/bitspam3.jpg
4) TV spamblog spam [-not- email based]: ... when scammers try to take advantage of a service like Google Docs they’re going phishing. I saw this and thought it was at least a little unusual – Google Docs being used to spam a cookie-cutter spamblog promising free TV shows. I’m sure you’ve seen those spam posts across the net...
> http://cdn.blog.malw...03/bitspam5.jpg "
 

Edited by AplusWebMaster, 07 March 2014 - 04:08 PM.

[AplusWebMaster]

FYI...

Q4-2013 McAfee Threat Report
- https://net-security...ews.php?id=2727
Mar 10, 2014 - "... By the end of 2013, McAfee Labs saw the number of malicious signed binaries in our database -triple- to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee Labs found more than 2.3 million new malicious signed applications, a 52 percent increase from the previous quarter. The practice of code signing software validates the identity of the developer who produced the code and ensures the code has not been tampered with since the issue of its digital certificate...
> http://www.net-secur...cafee032014.jpg
... Additional findings:
- Mobile malware. McAfee Labs collected 2.47 million new mobile samples in 2013, with 744,000 in the fourth quarter alone. Our mobile malware zoo of unique samples grew by an astounding 197 percent from the end of 2012.
- Ransomware. The volume of new ransomware samples rose by 1 million new samples for the year, doubling in number from Q4 2012 to Q4 2013.
- Suspicious URLs. McAfee Labs recorded a 70 percent increase in the number of suspect URLs in 2013.
- Malware proliferation. In 2013, McAfee Labs found 200 new malware samples every minute, or more than three new threats every second.
- Master boot record-related. McAfee Labs found 2.2 million new MBR-attacks in 2013.
The complete report is available here*."
* http://www.mcafee.co...eat-q4-2013.pdf
___

Facebook scam: naked videos of friends - delivers Trojans instead
- https://net-security...ews.php?id=2728
Mar 10, 2014 - "Bitdefender has discovered that more than 1,000 people have already been tricked into installing Trojan malware after clicking on a new Facebook scam that promises naked videos of their friends. The UK was the second most affected country by number of users and infections were also detected in France, Germany, Italy and Romania.
> http://www.net-secur...ender032014.jpg
The scam, now spreading on the social network, can multiply itself by tagging users’ friends extremely quickly. To avoid detection, cybercriminals vary the scam messages by incorporating the names of Facebook friends alongside “private video,” “naked video” or “XXX private video”... To increase the infection rate, the malware has multiple installation possibilities. Besides the automated and quick drop on the computer or mobile device, it also multiplies itself when users -click- the -fake- Adobe Flash Player update. To make the scam more credible, cybercriminals faked the number of views of the adult video to show that over 2 million users have allegedly clicked on the infected YouTube link..."
___

Malware peddler tryouts: different exploit kits
- https://net-security...ews.php?id=2729
Mar 10, 2014 - "Websense researchers* have been following several recent -email-spam- campaigns targeting users of popular services such as Skype and Evernote, and believe them to be initiated by the infamous ru:8080 gang, which a history of similar spam runs impersonating legitimate Internet services such as Pinterest, Dropbox, etc. These latest campaigns start with -spoofed- emails purportedly alerting the recipients to a message/image they have received on Skype and Evernote, offering an embedded link that leads to compromised sites hosting an exploit kit. In the past, the aforementioned gang's preferred exploit kit was Blackhole, but with the arrest and prosecution of its creator... they have switched first to using the Magnitude, then the Angler and, finally, the Goon exploit kit. This group is currently focusing more on UK users, but targets US and German users as well... This gang typically pushes information-stealing trojans such as Cridex, Zeus GameOver, and click-fraud trojans like ZeroAccess onto the users, but they have also been known to deliver ransomware and worms. In this last few cases, the delivered malware is a Zeus variant that was initially detected by just a handful of commercial AV solutions..."
* http://community.web...ploit-kits.aspx
___

Fake gateway .gov .uk SPAM
- http://blog.dynamoo....govuk-spam.html
10 Mar 2014 - "This -fake- spam from the UK Government Gateway comes with a malicious payload:
    Date:      Mon, 10 Mar 2014 12:04:21 +0100 [07:04:21 EDT]
    From:      gateway.confirmation@ gateway .gov .uk
    Subject:      Your Online Submission for Reference 485/GB3283519 Could not process
    Priority:      High
    The submission for reference 485/GB3283519 was successfully received and was not
    processed.
    Check attached copy for more information.
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.

Attached is a file GB3283519.zip which in turn contains a malicious executable GB10032014.pdf.scr which has an icon that makes it look like a PDF file. This has a VirusTotal detection rate of 7/50*. Automated analysis tools... show attempted downloads from i-softinc .com on 192.206.6.82 (MegaVelocity, Canada) and icamschat .com on 69.64.39.215 (Hosting Solutions International, US). I would recommend that you -block- traffic to the following IPs and domains:
192.206.6.82
i-softinc .com
icamschat .com "
* https://www.virustot...sis/1394462821/
___

MS Account 'Outlook Web Access' Phish ...
- http://www.hoax-slay...hing-scam.shtml
Mar 10, 2014 - "Email purporting to be from the Microsoft Account Team claims that recipients must click a link to upgrade their email account and set up Outlook Web Access. The email is -not- from Microsoft and the claim that users must click a link to upgrade their email accounts is a lie. The message is a phishing scam designed to trick users into sending their Microsoft account login details to criminals.
Example:
> http://www.hoax-slay...scam-2014-1.jpg
... the email is -not- from Microsoft and the claim that users must follow a link to upgrade their email account is untrue. Instead, the email is a criminal ruse designed to trick people into giving their Microsoft account details to cybercriminals. Those who fall for the trick and click one of the links as instructed will be taken to a -bogus- 'Microsoft' website that displays the following login form:
> http://www.hoax-slay...scam-2014-2.jpg
Once they have added their email address and password, victims will then be presented with a message claiming that their 'Outlook account was updated successfully'. Within a few seconds, they will be redirected to a genuine Microsoft website. Meanwhile, the criminals responsible for the phishing campaign can use the stolen credentials to hijack the real Microsoft accounts belonging to their victims. A 'Microsoft account' is the new name for what was previously known as a 'Windows Live ID.' The one set of login details can be used to access a number of Microsoft services, and are thus a valuable target for scammers..."
 

 

Edited by AplusWebMaster, 10 March 2014 - 11:33 AM.

[AplusWebMaster]

FYI...

DDoS attack - WordPress pingback abuse...
- http://blog.sucuri.n...ice-attack.html
Mar 10, 2014 -  "Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner... Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use..."
* http://it-beta.slash...-into-spotlight
Mar 12, 2014

- http://arstechnica.c...ul-ddos-attack/
Mar 11 2014
___

Malware found in Google Play Store
- http://blog.malwareb...gle-play-store/
Mar 12, 2014 - "Most experts agree the best way to stay safe from Android malware is to stick to trusted sources–specifically the Play Store. Unfortunately, those sources can sometimes be compromised. In the last week there have been -two- malware families found in Google’s Play Store... The first one, found by Lookout Security*, is a remote administration tool called Dendroid.
> http://cdn.blog.malw.../dendriod02.jpg
This particular malware is a variant of the publicly available remote tool AndroRAT. Dendroid was advertised as “Parental Control” in the Play Store... This Play Store version of Dendroid was discovered only a couple of days after Dendroid was uncovered from the underworld by Symantec**, which means Google was -unaware- of the malicious code at the time... The second app was uncovered by Avast*** and is a SMS -Trojan- disguised as a night vision app.
> http://cdn.blog.malw...3/fakecam01.jpg
The Trojan is capable of looking up contact numbers in a social messaging apps like WhatsApp, Telegram, and ChatON. Once the number is collected it’s sent to a remote server and the numbers are used to register for a premium service costing up to $50... Both of these apps have been removed from the Play Store... Android malware continues to increase and at times they’re able to sneak into places we trust..."

* https://blog.lookout...03/06/dendroid/
 

** http://www.symantec....ch-out-dendroid

*** http://blog.avast.co...android-market/
___

Twitter crashes... again
- http://www.reuters.c...EA2A1NY20140311
Mar 11, 2014 -  "Twitter Inc crashed on Tuesday for the second time in nine days when a software glitch stalled the popular messaging service for about one hour. The company apologized to its 250 million users in a status blog, saying it had encountered "unexpected complications" during "a planned deploy in one of our core services." The outage began around 11 a.m. Pacific time and service had "fully recovered" by 11:47 a.m., the San Francisco-based company said..."
___

Beware Bitcoin: U.S. brokerage regulator
- http://www.reuters.c...EA2A1OJ20140311
Mar 11, 2014 - "Bitcoin can expose people to significant losses, fraud and theft, and the lure of a potential quick profit should not blind investors to the virtual currency's significant risks, a brokerage industry watchdog warned on Tuesday. In an investor alert* titled "Bitcoin: More than a Bit Risky,"* the Financial Industry Regulatory Authority (FINRA) said recent events such as the bankruptcy of Bitcoin exchange operator Mt. Gox have spotlighted some of the currency's risks..."
* http://www.finra.org...es/2014/P457519
 

 

Edited by AplusWebMaster, 12 March 2014 - 08:59 PM.

[AplusWebMaster]

FYI...

Exploit Kits - OVH Canada / r5x .org / Penziatki
- http://blog.dynamoo....-penziatki.html
13 Mar 2014 - "Hat tip to Frank Denis (@jedisct1)* for this report** on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x .org***. The blocks have been identified as belonging to that customer and I would recommend that you block them:
198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30
OVH Canada have repeatedly hosted exploit kits for this customer... If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:
198.27.0.0/16
198.50.0.0/16
Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:
198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24 ..."
(More detail at the dynamoo URL above.)

* https://twitter.com/jedisct1

** https://gist.github....edisct1/9509527 - Nuclear Exploit Kit Mar 12

*** http://blog.dynamoo....h/label/R5X.org

> http://google.com/sa...c?site=AS:16276
___

Malware sites to block 13/3/14
- http://blog.dynamoo....lock-13313.html
13 Mar 2014 - "These IPs and domains seem to be involved in injection attacks today. I recommend you block them.
64.120.242.178
188.226.132.70
93.189.46.90 ...
The domains being abused are as follows.. many of them appear to be hijacked legitimate domains..."
(Many others listed at the dynamoo URL above.)
___

Fake Blood count result - fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Mar 2014 - "This email saying IMPORTANT Complete blood count result pretending to come from NICE (National Institute for Health and Care Excellence) has to be the most vicious and evil attempt by any malware purveyor to try to infect a victim. Sending an email saying that you probably have cancer will alarm & distress so many people and is just the most offensive and disgusting attempt to trick a user into opening a malware attachment... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Other subjects in this evil email attempt to infect you are:
- IMPORTANT:Blood analysis result
- IMPORTANT:Blood analysis
- IMPORTANT:Complete blood count (CBC)result ...
> http://myonlinesecur...t-CBCresult.png
... 13 March 2014: CBC_Result_9B4824B65E.zip  (55kb)  Extracts to CBC_scaned_584444449.pdf.exe
Current Virus total detections: 2/50*... careful when unzipping them and make sure you have “show known file extensions enabled"**, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustot...sis/1394703905/
 
** http://myonlinesecur...own-file-types/
___

Key Secured Message -fake- PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 March 2014 - "Key Secured Message pretending to come from Payroll Reports <payroll @quickbooks .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecur...red-Message.png
... Extracts to NIKON-2013564-JPEG.scr ... Current Virus total detections: 2/50*
This Key Secured Message is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustot...855c2/analysis/
___

Fake  Sky .com "Statement of account" SPAM
- http://blog.dynamoo....count-spam.html
13 Mar 2014 - "This -fake- Sky .com email comes with a malicious attachment:
    Date:      Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
    From:      "Sky .com" [statement@ sky .com]
    Subject:      Statement of account
    Afternoon,
    Please find attached the statement of account.
    We look forward to receiving payment for the December invoice as this is now due for
    payment.
    Regards, Carmela ...
Wilson McKendrick LLP Solicitors ...

Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50*. Automated analysis tools... show attempted connections to the following domains and IPs:
188.247.130.190 (Prime Telecom SRL, Romania)
gobemall .com
gobehost .info
184.154.11.228 (Singlehop, US)
terenceteo .com
184.154.11.233 (Singlehop, US)
quarkspark .org
The two Singlehop IPs appear to belong to Host The Name (hostthename .com) which perhaps indicates a problem at that reseller.
Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall .com
gobehost .info
terenceteo .com
quarkspark .org "
* https://www.virustot...sis/1394715270/
___

HM Revenue & Customs Spam
- http://threattrack.t...ue-customs-spam
Mar 12, 2014 - "Subjects Seen:
    HMRC Tax Notice
Typical e-mail details:
    Dear <email address>
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Document Reference: 6807706.

Malicious File Name and MD5:
    PDF_Scanned_HMRCBBD45F6647.zip (09BA8CF32FDDE3F73EA8F2E6F75BDF1E)
    scaned_7246582_pdf_4364534533.exe (3F347C85BEA303904975FF0A8DE49E7E)

Screenshot: https://gs1.wac.edge...lGe41r6pupn.png

Tagged: HMRC, weelsof
 

 

Edited by AplusWebMaster, 13 March 2014 - 12:27 PM.

[AplusWebMaster]

FYI...

Google Docs users Targeted - Phishing Scam
- http://www.symantec....d-phishing-scam
13 Mar 2014 - "We see -millions- of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link. Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:
Google Docs phishing login page:
> http://www.symantec...._site_image.png
The -fake- page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.) It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought. After pressing "Sign in", the user’s credentials are sent to a PHP script on a -compromised- web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content..."
___

ABSA Global business - certificate update – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
Mar 14, 2014 - "ABSA Global business customers 'certificate update' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. ABSA Global is a South African Bank so I wouldn’t expect a high number of US or UK citizens to have accounts with them, so this should be a quite obvious scam, phishing, malware attack to the majority of users. After examination of the malware, although many Antiviruses detect it as a Zbot, It looks more like an Androm version, possibly dropped by Asprox botnet. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
    Attention!
    On March 14, 2014 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
    The changes will concern security, reliability and performance of mail service and the system as a whole.
    For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
    This procedure is quite simple. All you have to do is just to install new server certificate attached to the letter.
    Thank you in advance for your attention to this matter and sorry for possible inconveniences.
    System Administrator ABSA Global

cert p12 install instruction.zip (58kb) - Extracts to ABSA cert p12 install instruction.exe
Current Virus total detections: 11/50* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...65843/analysis/
___

Fake Facebook messages
- http://myonlinesecur...ebook-messages/
Mar 14, 2014 - "... plagued by Fake Facebook messages saying ” somebody commented on your status” (1) or “You requested a new Facebook password” (2) ...
1) http://myonlinesecur...your-status.png
2) http://myonlinesecur...ok-password.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Facebook.  Do not click on the links, just delete the emails as soon as they arrive. Thee is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines that could kill you."
___

Banks to be hit with MS costs for running outdated ATMs
- http://www.reuters.c...N0M345C20140314
LONDON/NEW YORK, March 14, 2014 - "Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure. The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world's 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7 by the April deadline, according to NCR, one of the biggest ATM makers. To ensure the machines are protected against viruses and hackers many banks have agreed deals with Microsoft to continue supporting their ATMs until they are upgraded, extra costs and negotiations that were avoidable but are now likely to be a distraction for bank executives... Britain's five biggest banks - Lloyds Banking Group , Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft. The cost of extending support and upgrading to a new platform for each of Britain's main banks would be in the region of 50 to 60 million pounds ($100 million), according to Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting, an estimate corroborated by a source at one of the banks. Athreya said banks have left it late to upgrade systems after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis... Windows XP currently supports around 95 percent of the world's ATMs... many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline..."
___

Bogus online casino themed campaigns intercepted in the wild
- http://www.webroot.c...lead-w32casino/
Mar 14, 2014 - "... proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants...
Sample screenshots of the landing pages for the rogue casinos:
1) https://www.webroot....cationc_PUA.png
2) https://www.webroot....ionc_PUA_01.png
3) https://www.webroot....ionc_PUA_02.png
4) https://www.webroot....ionc_PUA_03.png
5) https://www.webroot....ionc_PUA_04.png
6) https://www.webroot....05-1024x576.png
Spamvertised URLs:
hxxp ://bit. ly/1brCoxg
hxxp ://bit .ly/1bQRudq
hxxp ://bit .ly/1mLQr5I
hxxp ://bit .ly/MCOyaL
hxxp ://bit .ly/1ec3UMN
hxxp ://bit .ly/1hN6Vbd
hxxp ://bit .ly/1mQ3XFu
hxxp ://bit .ly/17DJ4pZ
hxxp ://bit .ly/1ec2JNa
hxxp ://bit .ly/1fBY6d5
W32.Casino PUA domains reconnaisance:
hxxp ://rubyfortune .com – 78.24.211.177
hxxp ://grandparkerpromo .com – 95.215.61.160
hxxp ://kingneptunescasino1 .com – 67.211.111.169
hxxp ://riverbelle1 .com – 193.169.206.233
hxxp ://europacasino .com – 87.252.217.13
hxxp ://vegaspartnerlounge .com – 66.212.242.136

Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c * ... W32/Casino.P.gen!Eldorado
MD5: a2a545adf4498e409f7971f326333333 ** ... Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 *** ... W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 **** ... W32/Casino.P.gen!Eldorado
... (More) Known to have been downloaded from the same IP (87.248.203.254) ..."
* https://www.virustot...sis/1394642298/
** https://www.virustot...sis/1394642439/
*** https://www.virustot...sis/1394643637/
**** https://www.virustot...sis/1394643413/
 

 

Edited by AplusWebMaster, 14 March 2014 - 03:59 PM.