SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1171 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 April 2014 - 07:04 AM

FYI...

Instagram Scam: Lottery Winners impersonated to offer Money for Followers
- http://www.symantec....money-followers
9 Apr 2014 - "... Instagram scammers have been posting images offering -fake- lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers...
> http://www.symantec..../figure1_20.png
... In this -scam- a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address... It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts... if it sounds too good to be true, it is."
___

Something evil on 66.96.223.192/27
- http://blog.dynamoo....9622319227.html
9 Apr 2014 - "There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already -flagged- as malicious by Google, and I've reported on bad IPs in this range before. A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here* [csv]. I would recommend applying the following blocklist:
66.96.223.192/27
capcomcom .com
chebuesx .com
..."
(Long list at the dynamoo URL above.)
* http://www.dynamoo.c....223.192-27.csv
___

Fake eBay emails – Pharma SPAM
- http://myonlinesecur...ay-pharma-spam/
9 Apr 2014 - "... we are now seeing fake < Your name >, You have delayed mails from eBay. In exactly the same way as The Fake Facebook Messages, these fake Ebay messages appear to come from eBayNotifier but are being sent by one of the botnets and -not- by Ebay at all. These only have 1 link in them unlike the previous which normally have 2 links in them, that if you are unwise enough to click on them will either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs. Today's offerings are to a Canadian Pharma spam site. Always hover over the links in these emails and you will see that they do -not- lead to Ebay. Do not click on the links, just -delete- the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected... Email text will say something like:
Your name,
    You have delayed mail
    View mails
    Yours truly
    eBayNotifier


Screenshot: http://myonlinesecur...s-from-eBay.png ..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 09 April 2014 - 10:57 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1172 AplusWebMaster

Posted 10 April 2014 - 07:02 AM

FYI...

Fake CDS Invoice – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 April 2014 - "Following on from today’s and other recent DHL* and -other- delivery service failure notices, the malware gangs have changed track and are sending out local courier company invoices. CDS Invoice pretending to come from accounts@ cdsgroup .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses...
Dear client
Please find attached your invoice number 168027
If you have any queries with this invoice, please email us... or call us...
For and on behalf of The CDS Group of Companies
Crawfords of London | Crawfords Delivery Services | Media Express | CDS International
Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International...
This message and any attachment are confidential and may be privileged...
This email has been scanned...


Screenshot: http://myonlinesecur...cds-invoice.png

9 April 2014: CDS_INVOICE_168027.zip (464 kb): Extracts to CDS_INVOICE_168027.exe
Current Virus total detections: 6/51**. This CDS Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
10 April 2014

Fake DHL email Screenshot: http://myonlinesecur...very-report.png

** https://www.virustot...sis/1397115564/
___

SCAM: Climate Change And Health Conference ...
- http://blog.dynamoo....and-health.html
10 April 2014 - "This -spam- is a form of an advanced fee fraud scam:
    From:     CCAHC ccahc@ live .com
    Reply-To:     ccahc@ e-mile .co .uk
    Date:     10 April 2014 16:04
    Subject:     Call for Poster
    CCAHC: Climate Change And Health Conference 2014
    Dear Colleague,
    On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014.
    The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues...
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom


The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using -free- email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap... the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will -vanish- taking their mythical conference with them."
___

Fake UPS SPAM - Exception Notification – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 April 2014 - "... UPS Exception Notification pretending to be from UPS Quantum View [auto-notify@ ups .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This one has links in the email to download the malware laden zip, rather than an attachment...
UPS
Discover more about UPS:
Visit ups .com
At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
Important Delivery Information
Tracking Number:1Z522A9A6892487822 [ clickable URL ]
Rescheduled Delivery Date:14-April-2014
Exception Reason:THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
Exception Resolution:PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
Shipment Detail ...


Screenshot: http://myonlinesecur...otification.png

... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is..."
 

:ph34r:  :angry:


Edited by AplusWebMaster, 10 April 2014 - 03:07 PM.

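The CCAHC "conference" mail above shows the header tells Dynamoo points out: a free-mail From address, a Reply-To on a different domain, and an originating IP that the Received chain reveals. The following is an added example (not code from this forum post or from the Dynamoo blog) that pulls those three signals out of a raw message with Python's standard email module. The two messages it parses are constructed for the example: the first mirrors the CCAHC headers but uses documentation-range IPs and example.net/example.org hostnames rather than the real relays; the second reproduces the other spoofing pattern seen in this thread, a display name that is itself an e-mail address but not the real sender. The free-mail provider list is an assumed, deliberately small set.

```python
"""Header triage for advance-fee style scam mail.

Added example, not code from the forum or the quoted blogs. All headers,
hostnames and IPs below are constructed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, minimal set of free-mail providers; extend for real use.
FREE_MAIL_DOMAINS = {"live.com", "gmail.com", "yahoo.com", "hotmail.com", "aol.com"}

# Constructed sample modelled on the CCAHC mail: two hops, free-mail From,
# Reply-To on another domain. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not the IPs from the report.
SAMPLE_RAW = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby spamtrap.example.org with ESMTP; Thu, 10 Apr 2014 16:05:01 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example.net with SMTP; Thu, 10 Apr 2014 16:04:30 +0000
From: CCAHC <ccahc@live.com>
Reply-To: ccahc@e-mile.co.uk
Date: Thu, 10 Apr 2014 16:04:00 +0000
Subject: Call for Poster

Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited...
"""

# Constructed sample of the display-name trick: the quoted display name
# looks like an address, but the real sender address differs.
SAMPLE_DISPLAY_NAME = """\
From: "ipguk52@paintballbookingoffice.com" <ipguk@paintballbookingoffice.com>
Subject: Paintball Booking Confirmation

Dear client,
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def originating_ip(msg):
    """IP recorded in the earliest Received header.

    Every relay prepends its own Received line, so the last one in the list
    is the hop closest to the sender. Note that the sender can forge that
    line; only the lines added by relays you trust are reliable.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(received[-1])
    return match.group(1) if match else None


def triage(raw):
    """Return sender details plus a list of human-readable findings."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []
    if from_dom in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free-mail domain {from_dom}")
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if "@" in name and name.lower() != from_addr.lower():
        findings.append(f"display name {name!r} looks like an address but differs from {from_addr}")
    ip = originating_ip(msg)
    if ip:
        findings.append(f"earliest Received hop {ip}")
    return {"from": from_addr, "reply_to": reply_addr, "origin_ip": ip, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_RAW, SAMPLE_DISPLAY_NAME):
        for finding in triage(sample)["findings"]:
            print("-", finding)
        print()
```

The Reply-To mismatch is the strongest of the three signals for this kind of fraud: the scammer needs replies to land somewhere they control, while the From can be anything that gets past the recipient's filters. The originating IP is only as trustworthy as the relay that recorded it, which is why the function reads the earliest hop rather than trusting any IP the sender put in the body.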


#1173 AplusWebMaster

Posted 11 April 2014 - 05:16 AM

FYI...

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254
- http://blog.dynamoo....6275140237.html
11 April 2014 - "This set of IPs is being used to push the Angler EK [1*] [2**]:
Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.
Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range..."
(Long list of domains at the dynamoo URL above.)
* http://wepawet.isecl...7206144&type=js

** http://urlquery.net/...d=1397206442682
___

Fake UKMail - Proof of Delivery Report – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 April 2014 - "Continuing from yesterday’s theme of parcel & courier email messages, the malware bad guys are continuing with the same theme today. Proof of Delivery Report: 09/04/14-11/04/14, pretending to come from UKMail Customer Services [list_reportservices@ ukmail .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
    Dear Customer,
    Please find attached your requested Proof of Delivery (POD) Download Report
    ………………………………………………………………………………………………………………………
    iMail Logo
    “For creating, printing and posting your next day mail”
    click here to realise the savings that you could make
    Please consider the environment before printing this e-mail or any attachments.
    This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.
    If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of UK Mail Group Plc or any of its subsidiaries.
    UK Mail Group Plc is registered and incorporated in England.
    Registered Office: Express House, 120 Buckingham Avenue, Slough, SL1 4LZ, United Kingdom.
    Registered Company No.: 02800218.


11 April 2014: poddel-pdf-2014041103004500.zip (59 kb). Extracts to poddel-pdf-2014041103004500.exe
Current Virus total detections: 2/51*. This Proof of Delivery Report: 09/04/14-11/04/14 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...a8f0d/analysis/
 

:ph34r:  <_<


Edited by AplusWebMaster, 11 April 2014 - 06:17 AM.



#1174 AplusWebMaster

Posted 16 April 2014 - 02:24 PM

FYI...

Something still evil on 66.96.223.192/27
- http://blog.dynamoo....9622319227.html
16 April 2014 - "Last week I wrote about a rogue netblock hosted by Network Operation Center* in the US. Well, it's still spreading malware but now there are -more- domains active on this range. A full list of the subdomains I can find is listed here [pastebin**]. I would recommend that you apply the following blocklist:
66.96.223.192/27
andracia .net
..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo....9622319227.html

** http://pastebin.com/RQfE69hn
___

Netflix-themed tech support SCAM ...
- http://blog.malwareb...-more-copycats/
April 16, 2014 - "A few weeks ago we blogged about this Netflix phishing scam -combined- with fake tech support that was extorting private information and money from people. The scam worked by asking unsuspecting users to log into their Netflix account and enter their username and password into a -fraudulent- website. After collecting the personal details, the perpetrators used a fake warning to state the particular account had been suspended. All this effort was really about leading potential victims into a trap, by making them call a 1-800 number operated by -fake- tech support agents ready to social engineer their mark and collect their credit card details. A slightly new variant is once again making the rounds with the same goal of funnelling traffic to -bogus- ‘customer support’ hotlines:
> http://cdn.blog.malw...red_netflix.png
... this time around the scammers behind it are expanding the phishing pages to other online services as well to target a wider audience. Crooks are buying online ads for each brand such as this one on Bing for “netflix tech support number”:
> http://cdn.blog.malw.../04/bingad1.png
... The quality of leads you get from targeted advertising is much higher than that from random cold calls. If you can attract people already looking for help and offer them your service, chances are conversion rates will be higher..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 16 April 2014 - 02:40 PM.



#1175 AplusWebMaster

Posted 18 April 2014 - 05:32 AM

FYI...

Fake Facebook Chat Verification used for SPAM
- http://blog.trendmic...-used-for-spam/
Apr 17, 2014 - "Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”. The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.
> http://blog.trendmic...-chat-spam1.jpg
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differ depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer). Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided Javascript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users... From the get-go, users should know that there is -no- product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced* that Android and iOS users will be required to use this stand-alone app by eliminating the chat features of the traditional app versions of the site. Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning** notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things”..."
* http://mashable.com/...ring-messenger/

** https://www.facebook.com/selfxss
___

Zeus with your coffee ...
- https://www.secureli...ith_your_coffee
Apr 16, 2014 - "Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on -fake- messages supposedly from coffee chain Starbucks combined the two.
> https://www.secureli...s_starbucks.jpg
The detected distribution claimed... a recipient's friend made an order for him to celebrate a special occasion in a Starbucks coffee shop. That mysterious friend wished to remain anonymous, enjoying the intrigue he was creating, but was sending out invitations with details of a special menu, which is available in the attachment. In the end they wished the recipient an awesome evening. All the messages were sent out with high importance. Besides, the addresses, created on the Gmail and Yahoo! free mail services, changed from letter to letter and seemed to be randomly generated combinations like incubationg46@, mendaciousker0@ and so on. The attachment was a .exe file and the cybercriminals made no effort to mask it with an archive or double filename extension. They seemed to be sure a happy recipient would open the attachment without any suspicion. Kaspersky Lab detects the attached file as Rootkit.Win32.Zbot.sapu - a modification of one of the most notorious spyware families, Zbot (ZeuS). These applications are used by cybercriminals to steal confidential information. This version of Zbot is able to install a rootkit, Rootkit.Win32.Necurs or Rootkit.Win64.Necurs, which disrupts the functioning of antiviruses or other security solutions."
___

Google patches Android icon Hijacking vuln
- http://www.securityw...g-vulnerability
Apr 15, 2014 - "Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites. According to FireEye*, the issue allows a malicious app with 'normal' protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user. The issue has been acknowledged by Google, which has released a patch to its OEM partners..."
* http://www.fireeye.c...on_android.html
Apr 14, 2014

- https://atlas.arbor....ndex#-561580891
Elevated Severity
17 Apr 2014
 

:ph34r: <_<


Edited by AplusWebMaster, 18 April 2014 - 11:05 AM.



#1176 AplusWebMaster

Posted 22 April 2014 - 03:57 AM

FYI...

Fake Santander Bank SPAM – word doc malware
- http://myonlinesecur...rd-doc-malware/
Apr 22, 2014 - "March Invoice pretending to be from Santander bank with a sender address of Sarah Gandolfo [sgand0395@ aol.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Please find attached your March invoice, we now have the facility to email invoices, but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 271201 Account No 56024641.
    Thanks very much
    Sarah


22 April 2014: March invoice 5291.zip (10 kb) Extracts to March invoice 8912.exe
Current Virus total detections: 1/51*. This March Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...75fbe/analysis/
___

Visa Card phish ...
- http://www.hoax-slay...hing-scam.shtml
Apr 22, 2014 - "... email purporting to be from Visa claims that the recipient's card access has been limited because 'unusual activity' has been detected... The email is -not- from Visa. It is a -scam- designed to steal the recipient's credit card data. A link in the email opens a -fake- website that asks for the user's credit card number, and other information pertaining to the recipient's Visa account...
Example:
Subject: Access to your Visa card has been blocked
Visa Card Status Notification
We are contacting you to Inform you that our Visa Card security department identified some unusual activity in your card. In accordance with Visa Card User Agreement and to ensure that your Visa Card has not been accessed from fraudulent locations, access to your Visa Card has been limited. Your Visa Card access will remain limited until this issue has been resolved please Click My Visa Card Activity to continue.
My Visa Card Activity
We take your online safety seriously, which is why we use state of the art notification systems to identify unusual activity and a challenge process to validate your details.
Thanks for banking with Visa.
Customer Finance Department
© Visa & Co, 2014.


Screenshot: http://www.hoax-slay...hing-scam-1.jpg

The message invites users to -click- a link to resolve the issue and restore access... the message is -not- from Visa and the claim that the account has been limited is a lie... the email is a typical phishing scam designed to extract financial information from users. The email's links open a -bogus- website created to closely mirror the look and feel of a genuine Visa webpage. The fake page will include a 'verification form' that requests users to supply their credit card number and other account details. After supplying the requested information, users will be taken to a second fake page that informs them that the problem has been resolved and restrictions have been removed... of course, there was no problem with the card to begin with..."

___

Fake 'Paintball Booking' SPAM ...
- http://blog.mxlab.eu...er-with-trojan/
Apr 22, 2014 - "... new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”. This email is sent from the spoofed address “ipguk52@ paintballbookingoffice .com” <ipguk@ paintballbookingoffice .com> and has the following body:
    Dear client,
    Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.
    Please view the attached booking confirmation, map and important game day documents prior to attending.
    Kind regards,
    Leigh Anderson
    Event Co-ordinator...


The attached ZIP file has the name Booking Confirmation 2826-66935.zip, once extracted a folder Booking Confirmation 0414-28921 is created which contains the 14 kB large file Booking Confirmation 0414-28921.exe. The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen. At the time of writing, 4/51 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe "
* https://www.virustot...75fbe/analysis/

** https://malwr.com/an...WU1ODMyMmMyZGQ/
 

:ph34r:  <_<


Edited by AplusWebMaster, 22 April 2014 - 07:56 AM.

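Several posts in this thread (the CDS invoice, the UPS notification, the UKMail report, the Santander invoice and the Paintball booking) describe the same lure: a ZIP whose only member is an .exe carrying a PDF icon, which Windows shows without its extension unless "show known file extensions" is enabled. The following is an added example (not code from the forum or from the myonlinesecurity or MX Lab posts) of the check a mail gateway or analyst can apply before a user ever sees the icon: open the archive, look at the real extension, spot a double extension such as .pdf.exe, confirm the PE "MZ" signature, and hash each member for lookup against published indicators such as the MD5 and SHA256 values quoted in this thread. The archive it examines is built in memory from constructed bytes, so the member files are harmless stubs named like the samples, not real malware; the extension lists are assumptions to tune for your own environment.

```python
"""Triage of a zipped mail attachment for disguised executables.

Added example, not code from the forum or the quoted blogs. The ZIP is
constructed in memory; its members are stubs, not real samples.
"""
import hashlib
import io
import zipfile

# Assumed lists; extend to match your own gateway policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def build_sample_zip():
    """Constructed archive: two fake executables (a bare .exe named like the
    CDS sample and a .pdf.exe double extension) plus one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CDS_INVOICE_168027.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE")
        zf.writestr("Invoice.pdf.exe", b"MZ" + b"\x00" * 30)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


def classify_member(name, head):
    """Reasons a member is suspicious, judged by name and first bytes."""
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        # This is what Explorer shows when known extensions are hidden.
        reasons.append("double extension hiding as " + exts[-2])
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ)")
    return reasons


def triage_zip(data):
    """Inspect every file in a ZIP and return a per-member report."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            report.append({
                "name": info.filename,
                "size": info.file_size,
                # Hashes for comparison against published indicators.
                "sha256": hashlib.sha256(content).hexdigest(),
                "md5": hashlib.md5(content).hexdigest(),
                "reasons": classify_member(info.filename, content[:2]),
            })
    return report


def is_suspicious(report):
    """True if any member has at least one reason to quarantine it."""
    return any(entry["reasons"] for entry in report)


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        flag = "QUARANTINE" if entry["reasons"] else "ok"
        print(f"{flag:10} {entry['name']:28} {entry['size']:5d} B  {entry['sha256'][:16]}...")
        for reason in entry["reasons"]:
            print(" " * 11, "-", reason)
```

The name and the magic bytes are checked separately on purpose: a renamed executable fails the MZ test even when its extension looks harmless, and a genuine .exe is flagged by extension even if the first bytes were tampered with. Hashing inside the loop keeps the lookup against the VirusTotal or ThreatTrack values in the thread a one-line addition.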


#1177 AplusWebMaster

Posted 28 April 2014 - 02:01 PM

FYI...

Massive cyber wire fraud attacks on US Companies
- https://www.trusteds...s-us-companies/
April 25, 2014 - "... a number of US companies have been impacted, and unfortunately, a number of companies that are still unaware they were victim of this attack. A major offensive is currently happening on a number of United States based companies, mostly involving those that have international components. TrustedSec notified law enforcement that multiple companies are affected, and these attacks are aimed at extracting money from the companies. An ongoing and active case is in progress working with the companies affected and investigating the incidents... high success rate. They appear to have different escalation models and ways to force organizations to perform the transfer without triggering suspicion. They use a combination of social-engineering (both email and phone), compromising trusted partners/third parties, and spoofing email addresses in order to accomplish their goals...
What you can do:
1. Notify your financial and accounts payable departments of these attacks and the techniques.
2. Verify all transactions with your third party partners and vendors, especially when refunding money (phone calls directly to a known phone number).
3. Provide enhanced education and awareness of these types of attacks.
4. If you have fallen victim to this attack, notify your local FBI office immediately...
Measures should be taken right -now- in order to educate your finance and accounts payable departments, as well as an emphasis on controls in place for your third party partners and vendors."
(More detail at the trustedsec URL above.)
 

:ph34r: :ph34r:  <_<




#1178 AplusWebMaster

Posted 01 May 2014 - 02:22 PM

FYI...

Something evil on 146.185.213.69 ...
- http://blog.dynamoo....521369-and.html
1 May 2014 - "146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious... you can probably assume that all those domains are malicious (even without the ads. prefix)... The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past*, and I tend to lean towards blocking them... frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it..." [146.185.213.*]
* http://blog.dynamoo....s-to-block.html
(More detail at the dynamoo URL above.)
___

Fake Malwarebytes 2.0 ...
- http://blog.malwareb...are-2-0-abound/
May 1, 2014 - "... we already started seeing fake executable files purporting to be free versions of our product being hosted on unfamiliar sites.
A small sample of rogue files we found in the wild:
> http://blog.malwareb.../04/samples.png
One of the many sites that host MBAM PUPs:
> http://blog.malwareb...4/fake-site.png
... we found that these files have common behaviours: they all enable themselves to run whenever Windows is restarted or the system is turned on and they’re capable of accessing private information that browsers store whenever we go online, such as data pertaining to cookies, browsing history, and list of restricted sites... Several of these samples also create entries to IE’s restricted sites zone, consequently blocking users from accessing specific domains...
Sample of MBAM Installation GUI (taken from malwr.com):
> http://blog.malwareb.../MWB-sample.png
For anyone interested in trying out MBAM 2.0, the wisest thing to do is still to go to our official download site*..."
* https://www.malwareb....org/downloads/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 01 May 2014 - 08:35 PM.

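Four of the Dynamoo items in this thread end the same way: a recommendation to block a CIDR range (66.96.223.192/27, the two /24s hosting Angler EK, 146.185.213.0/24) plus a list of domains written with a space before the TLD so they do not render as live links. The following is an added example (not code from the forum or from Dynamoo) of a small Python matcher that reads entries in exactly that form, normalises the de-fanged spelling, and answers whether a given IP or hostname is covered, treating a listed domain as covering all of its subdomains, since the posts note that hijacked subdomains of legitimate domains sit on these ranges. The blocklist in the code is constructed from entries quoted in the thread; the hosts it tests are made-up sample values, and the "a.b.c.*" shorthand is interpreted as a /24, which is an assumption.

```python
"""Matcher for blocklists written the way the Dynamoo posts write them.

Added example, not the forum's or the blog's code. BLOCKLIST below is a
constructed list built from entries quoted in the thread; hosts tested
in __main__ are sample values.
"""
import ipaddress

BLOCKLIST = """
66.96.223.192/27
capcomcom .com
chebuesx .com
62.75.140.0/24
146.185.213.*
...
""".splitlines()


def normalise(entry):
    """Undo the de-fanged 'example .com' spelling and lower-case the entry."""
    return entry.strip().replace(" .", ".").replace(". ", ".").lower()


def load_blocklist(lines):
    """Split entries into IP networks and domain names.

    '146.185.213.*' is treated as 146.185.213.0/24 (assumption); blank lines,
    comments and the trailing '...' of a truncated list are skipped.
    """
    nets, domains = [], set()
    for raw in lines:
        entry = normalise(raw)
        if not entry or entry.startswith("#") or entry == "...":
            continue
        if entry.endswith(".*"):
            entry = entry[:-2] + ".0/24"
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lstrip("."))
    return nets, domains


def is_blocked(target, nets, domains):
    """True if target (an IP or a hostname) falls under the blocklist."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        labels = host.split(".")
        # Check the host and every parent domain, so ads.example.com
        # matches a listed example.com (but example.com.evil.org does not).
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(ip in net for net in nets)


if __name__ == "__main__":
    nets, domains = load_blocklist(BLOCKLIST)
    print("networks:", [str(n) for n in nets])
    print("domains: ", sorted(domains))
    for probe in ("66.96.223.200", "66.96.223.224", "146.185.213.69",
                  "ads.capcomcom.com", "capcomcom.com.example.org", "example.com"):
        print(f"{probe:28} {'BLOCKED' if is_blocked(probe, nets, domains) else 'allowed'}")
```

The parent-domain walk is what makes the list useful against the "ads." subdomains and hijacked hosts the posts describe; a plain set lookup on the full hostname would miss them. Note that 66.96.223.224 falls outside the /27 (which covers .192 through .223), which the sample run makes visible.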


#1179 AplusWebMaster

Posted 05 May 2014 - 11:54 AM

FYI...

Android "Police Locker" ransomware ...
- http://net-security....ews.php?id=2759
5.05.2014 - "Android users might soon become victims of "Police Locker" ransomware, if they haven't already, warns the researcher behind the Malware don't need Coffee blog*. "The 'Reveton team' has diversified its locking activity," he informs us. "The advert is old (2014-02-18) but I decided to write about it today as I found a Traffic Distribution System (TDS) using almost all features proposed by this affiliate including the Android locker." Other options for malware delivery include system lockers, fake AV, fake codecs, and Browlock ransomware. The researcher discovered a threat actor that uses a TDS that employs almost all features: if you land on a malicious site using Internet Explorer, a variant of the Winlock ransomware is served. If you land with another browser on Windows, Linux or Mac, you'll get Browlock. Finally, if you land on it with Android, you will be redirected to a fake adult website that will automatically push the download of a malicious APK file masquerading as a video downloader app (and using the icon of the legitimate BaDoink Video Downloader). The good news is that the user must approve the installation... The 'fine' US users are asked to pay in order to get their phones unlocked is $300, payable via Money Pak... The malware is detected... as Trojan Koler**, and the researcher has already spotted another threat actor delivering it. In this case, the malicious APK masquerades as the popular BSPlayer video player for Android."
* http://malware.dontn...e-for-your.html

** https://www.virustot...sis/1399286001/
Detection ratio: 4/52
___

Bank of America CashPro Spam
- http://threattrack.t...ca-cashpro-spam
May 5, 2014 - "Subjects Seen:
    FW: Important account documents
Typical e-mail details:
    Please scan attached document and fax it to +1 (888) 589-1001.
    Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
    Yours faithfully
    Vince Blue


Malicious File Name and MD5:
    Account_Documents.zip (40E7BB684935A7B86E5D8E480974F691)
    Account Documents.scr (6E40CD3BB6F1F531CDCE113A8C684B08)


Screenshot: https://gs1.wac.edge...Egvd1r6pupn.png

Tagged: Bank of America, Upatre
___

Encrypting Ransomware ...
- http://www.webroot.c...ing-ransomware/
May 5, 2014 - "... big change in the encrypting ransomware family... For those that aren’t aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key which makes decryption without the key impossible. Paying the ransom will net you the key which in turn leads to getting your data back.
Cryptolocker:
> https://www.webroot....yptolocker5.png
(Other samples at the first webroot URL above.)
In its first evolution of what we know as “Cryptolocker” the encryption key was actually stored on the computer and the victim, with enough effort, could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom. In future improvements malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. However, more often than not the malicious dropper didn’t delete the VSS (Volume Shadow Service) and victims still had the option to manually restore files from a previous date using programs like Shadow Explorer (OS drive only). For those that don’t know what the VSS is, it’s a restorative feature that is included in XP SP2 and later versions of Windows. Essentially it is a technology that allows taking manual or automatic backup copies of data and is related to System Restore. In newer variants of Cryptolocker the VSS is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files if they waited past the deadline, but the price usually doubles or triples.
CryptoDefense:
> https://www.webroot....yptolocker7.png
(Other samples at the first webroot URL above.)
In one of the more recent variants of encryption ransomware dubbed “CryptoDefense” it no longer has a graphical user interface (GUI). Instead the malware will just open a webpage after encryption and leave a text file at every directory that was encrypted. The instructions to get the key to decrypt your files have you install anonymous Tor or other layered encryption browsers so you can pay them directly and securely. This enables malware authors to circumvent a portion of the Zeus fraud, avoid the need for money mules (middle men) and increase the percentage of profit.
DirCrypt:
> https://www.webroot....05/dircrypt.png
In this most recent change in encrypting ransomware, instead of going after various file extensions, all files are encrypted into RTF documents with a *.enc.rtf extension. This one really blindsides the victim as you’ll get no pop-up GUI or webpage once encryption completes; you have to open one of your documents to find that it was encrypted. All documents will have the same content similar to what is shown. One big improvement that is quite nasty for victims is the encryption is no longer a static one time deal. This variant will actively seek out and encrypt any new or modified files written to drives. We noticed while testing a collected sample that when we attempted to save screenshots, it immediately encrypted them. We expect future encrypting ransomware variants to include these tactics as the evolution continues..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 05 May 2014 - 01:24 PM.



#1180 AplusWebMaster


Posted 06 May 2014 - 01:32 PM

FYI...

Hacked WordPress site - ccccooa .org
- http://blog.dynamoo....press-site.html
6 May 2014 - "ccccooa .org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got -82- of these all at the same time..
From:     Linkedln Email Confirmation [emailing@ compumundo .info]
Reply-To:     emailing@ compumundo .info
To:     topsailes@ gmail .com
Date:     6 May 2014 13:41
Subject:     Please confirm your email address
Linkedln
Click here to confirm your email address.
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using Linkedln!
--The Linkedln Team
This email was intended for [redacted]. Learn why we included this...


One example landing URL is [donotclick]www.ccccooa .org/buyphentermine/ which leads to a sort of intermediary landing page..
> https://3.bp.blogspo...0/fake-rx-1.png
This in turn goes to a -redirect- at [donotclick]stylespanel .com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online .com/search.html?q=phentermine which is a -fake- pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) which is registered to a probably fake address in Argentina. Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date."
___

BT Digital File - SPAM
- http://blog.dynamoo....-file-spam.html
6 May 2014 - "This -fake- BT spam comes with a malicious attachment:
    Date:      Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
    From:      Santiago Biggs [Santiago.Biggs@ bt .com]
    Subject:      Important - BT Digital File
    BT Digital Vault     BT
    Dear Customer,
    This email contains your BT Digital File. Please scan attached file and reply to this email.
    If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt .com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.
    Thank you for choosing BT Digital Vault.
    Kind regards,
    BT Digital Vault Team ...
    Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address...


Screenshot: https://2.bp.blogspo...-Q/s1600/bt.png

Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52*. Automated analysis tools...  show that this malware downloads additional components from the following locations:
[donotclick]realtech-international .com/css/0605UKdp.rar
[donotclick]biz-ventures .net/scripts/0605UKdp.rar
Blocking those URLs or monitoring for them may help to prevent further infection."
* https://www.virustot...sis/1399371324/
___

Fake MMS message – jpg malware
- http://myonlinesecur...ke-jpg-malware/
6 May 2014 - "... message pretending to come from 01552521415@ mmsreply.t-mobile .co .uk [NBdnO_0K0Cb8VYiYEpV8ozYauXw7swqpIiIs6nK3@ mmsreply.t-mobile .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
our message:
    Guess what I forgot *handoverface*, see attached pic
    Sending a reply:
    You can reply by email to this mobile number within the next 7 days.
    The total message size should not exceed 300kb.
    You can only reply once, and it must be within 7 days of receiving this message...


Today's Date: PIC000444182547.zip (53 kb)  Extracts to PIC000983339211.jpeg.exe
Current Virus total detections: 6/52*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .exe file it really is...  look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustot...c47fd/analysis/
___

Fake Payment error SPAM – malware
- http://myonlinesecur...592410-malware/
6 May 2014 - "Payment error #25393592410  pretending to come from Orville Creasy [payment@ rachelwarne .co .uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like :
    This e-mail has been sent to you to inform you that we were unable to process your most recent payment #570475658997219860277606
    Please check attached file for more detailed information on this transaction.
    Pay To Account Number: 8843867223806343
    Date: 2014-05-05 15:19:19 UTC.
    Transaction ID: 25393592410
    Amount Due: £ 1060.45
    Orville Creasy,
    +07957419543


The number on the email subject is different in every email as are the transaction numbers, the pay to account number, the amount due and alleged sender and his/her phone number. The email senders are all different and the only thing in common is that they all pretend to be sent from payment @ some random named but real company. The companies have not been hacked. They just use the name of a company from a long list...  unless you have “show known file extensions enabled“, will look like a file with an icon of a £ sign pretending to be a specialised invoice  instead of the .exe file it really is..."
 

:ph34r:  <_<  :ph34r:




#1181 AplusWebMaster


Posted 07 May 2014 - 03:28 AM

FYI...

Fake invoice file attachment SPAM
- http://blog.dynamoo....voice-file.html
7 May 2014 - "Another case of a very terse spam with a malicious email attachment:
    Date:      Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
    From:      Accounts Dept [menopausaln54@ jaygee .co .uk]
    Subject:      Email invoice: 1888443
    This email contains an invoice file attachment


... The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52*. Automated analysis tools of this binary... show that it downloads a further component... This "111.exe" binary has an even lower VirusTotal detection rate of 3/51**. Automated analysis of this... shows the malware installs itself deeply into the target system. There is a further download of a malicious binary from files.karamellasa .gr/tvcs_russia/2.exe which has a detection rate of 5/50*** and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1399448792/

** https://www.virustot...sis/1399450008/

*** https://www.virustot...sis/1399450683/
___

Fake Lloyds Banking BACs – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 May 2014 - "Lloyds Commercial Banking Important BACs pretending to be from Lloyds Commercial Banking [Ora.Hutchison@ lloydsbank .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
Important account documents
Reference: C96 Case number: 0746481
Please review attached BACs documents and fax it to +44 (0) 845 600 9454.
Please note that the Terms and Conditions available below are the Bank’s most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.
Yours faithfully
Adrienne Mcdermott Senior Manager, Lloyds Commercial Banking ...


Screenshot: http://myonlinesecur...ortant-BACs.png

7 May 2014: LloydsCase-8948231.zip (11 kb)  Extracts to LloydsCase-07052014.scr
Current Virus total detections: 3/51*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is... make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustot...156c3/analysis/
___

Fake "TNT UK Limited" SPAM
- http://blog.dynamoo....mited-spam.html
7 May 2014 - "This -fake- TNT spam has a malicious attachment:
    Date:      Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
    From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
    Subject:      TNT UK Limited - Package tracking 236406937389
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: GB5766211
    Your package have been picked up and is ready for dispatch. Please print attached form
    and pick up at the nearest office.
    Connote #        :        236406937389
    Service Type     :        Export Non Documents - Intl
    Shipped on       :        07 Apr 13 00:00
    Order No         :        5766211
    Status           :       Driver's Return Description      :       Wrong Postcode ...


The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52*. Automated analysis tools... show a UDP connection to wavetmc .com and a further binary download from demo.providenthousing .com/wp-content/uploads/2014/05/b01.exe . This second executable has a VirusTotal detection rate of 20/51**. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).
Recommended blocklist:
83.172.8.59
wavetmc .com
demo.providenthousing .com
"
* https://www.virustot...sis/1399452001/

** https://www.virustot...sis/1399452578/
___

More PUPs - using Instagram as Lure
- http://blog.malwareb...tagram-as-lure/
May 7, 2014 - "... In the case of Instagram, what we’ve seen out there could pose greater risk than, say, your average phishing site. Doing a Google search surely yields sites where one can download several programs involving Instagram. Some of which can either be classed as “image viewers” or “image and video downloaders” publicly-accessible accounts. Most of the files I sampled below belong to the latter:
> http://blog.malwareb...5/instagram.png
Since Instagram can be visited via Web browsers, we can easily say that these downloads target any Windows computer user who just wants to keep copies of photos and videos that are likely not their own. We ran these potentially unwanted programs (PUPs) on VirusTotal and got the following...
1) https://www.virustot...sis/1398865443/
2) https://www.virustot...sis/1398865443/
3) https://www.virustot...sis/1398864970/
(More listed at the malwarebytes URL at the top.)
... Internet slowdown, unwanted redirection to sites and possible installation of other programs without the user’s consent are just some of the obvious signs users may experience once these programs are installed. Like what we always advise our blog readers, please avoid downloading such programs onto your system as doing so will increase its security risks..."
___

Fake Google+ Survey - Phish ...
- http://www.hoax-slay...hing-scam.shtml
May 7, 2014 - "Email purporting to be from the 'All Domain Mail Team' at Google+ asks recipients to participate in a 'spam and fraudulent verification survey'. The email is -not- from Google+ or anybody else at Google. It is a phishing scam designed to trick users into giving their Google account login details to criminals...

Screenshot: http://www.hoax-slay...hing-scam-1.jpg

... claims to be from the 'All Domain Mail Team' at Google's social network Google+. It claims that the team is running a 'spam and fraudulent verification survey' and asks users to click a link to participate. It warns that if the verification survey is 'not gotten' within 24 hours, the team will assume that the recipient is a 'fraulent user' and his or her email account will be shut down... These login details will be collected by criminals and used to hijack the Google accounts belonging to the victims. The one set of login credentials can be used to access many different Google services. Thus, the criminals may be able to steal private information stored in various Google applications as well as use Gmail and Google+ accounts to launch further spam and scam campaigns..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 07 May 2014 - 01:02 PM.



#1182 AplusWebMaster


Posted 08 May 2014 - 05:09 AM

FYI...

Infected malformed PDF attachments to emails
- http://myonlinesecur...chments-emails/
8 May 2014 - "We are now seeing lots of infected -malformed- PDF attachments to emails. The bad guys are changing the method of malware delivery with these emails and attaching a genuine PDF file to the email instead of a zip. These PDFs are -malformed- and contain a script virus that will infect you if you open the PDF and very likely when you preview it in your browser. They are using several well known and hopefully fully fixed exploits in older versions of Adobe reader. They attach what appears to be a genuine PDF file, that is malformed and has a script virus embedded. It depends on which version of Adobe reader you use, but older ones are definitely vulnerable to this exploit... It is vital that you make sure Adobe PDF reader is updated to the latest version 11.0.6* and if you use any alternative PDF reader then make sure that is fully updated. The majority of PDF exploits will affect ALL PDF readers, not just Adobe... these malformed PDFs do -not- preview and appear as plain blank pages in Windows 7 and Windows 8. The other thing that will help to avoid being unwittingly infected by these is to Set Adobe reader or any other PDF reader to open PDFs in the program and NOT in your browser... it is much safer to view them in the application itself which should be sand-boxed to prevent exploits slipping out..."
* https://helpx.adobe..../apsb14-01.html
___

Koler Trojan or other ransomware on Android
- http://blog.malwareb...are-on-android/
May 7, 2014 - "A new Android ransomware dubbed Koler has been spreading as a fake adult themed streaming service ‘BaDoink’ app. Uncovered by security researcher Kafeine*, Koler uses familiar “Police Locker” tactics to get victims to pay a ransom for unlocking their PC or device. Traced back to the team that brought us the Reveton ransomware, Koler uses FBI and other police agency symbols to look legitimate, as well as carefully crafted text.
> http://cdn.blog.malw...5/akoler04b.jpg
While your files and other data are not encrypted by Koler.a, the annoying browser page takes over as the active window. Koler is delivered with site redirection, once installed and running the device is taken over by the ransom browser page, pressing the Home button or attempting to dismiss the page works for a very short time. The page will reappear when you attempt to open another app or within a few seconds. This causes removal problems because you don’t have enough time to uninstall through normal methods. Removal: The good news is you don’t have to pay the ransom to remove. First off, Malwarebytes Anti-Malware Mobile** detects as Android/Trojan.Koler.a and will prevent and remove this Trojan on your Android device. However, at times there are race conditions where Koler’s page is up and has control of the screen or you might not have a security tool installed... Safe Mode: The quickest manual solution would be to use Android’s Safe Mode, similar to Windows, Safe Mode is a diagnostic environment where third-party apps won’t load and you can remove..."
(See the Complete procedure at the malwarebytes URL above.)
* http://malware.dontn...e-for-your.html

** https://www.malwarebytes.org/mobile/

Related: http://www.webroot.c...sed-ransomware/
May 7, 2014
- http://blog.kaspersk...re-for-android/
May 8, 2014
 

:ph34r:  <_<


Edited by AplusWebMaster, 09 May 2014 - 11:23 AM.



#1183 AplusWebMaster


Posted 09 May 2014 - 06:46 AM

FYI...

Fake HMRC SPAM / VAT0781569.zip
- http://blog.dynamoo....0781569zip.html
9 May 2014 - "This -fake- HMRC spam comes with a malicious attachment:
    Date:      Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
    From:      "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
    Subject:      Successful Receipt of Online Submission for Reference 0781569
    Thank you for sending your VAT Return online. The submission for reference 0781569 was
    successfully received on Fri, 9 May 2014 12:47:49 +0530  and is being processed. Make VAT
    Returns is just one of the many online services we offer that can save you time and
    paperwork.
    For the latest information on your VAT Return please open attached report.
    The original of this email was scanned for viruses by the Government Secure Intranet
    virus scanning service supplied by Cable&Wireless Worldwide in partnership with
    MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
    certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for
    legal purposes.


It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52*. This is part one of the infection chain. Automated analysis... shows that components are then downloaded from the following locations:
[donotclick]bmclines .com/0905UKdp.rar
[donotclick]gamesofwar .net/img/icons/0905UKdp.rar
[donotclick]entslc .com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas .com/css/b01.exe
The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52**. Automated analysis...  shows that this makes a connection to a server at 94.23.32.170 (OVH, France). The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52***. Analysis of this shows... that it attempts to connect to several different email services, presumably to send out spam."
* https://www.virustot...sis/1399629443/

** https://www.virustot...sis/1399629644/

*** https://www.virustot...sis/1399629683/
___

Fake Trusteer Security Update – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 May 2014 - "... pretending to be from Trusteer Support  is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
Customer Number: 4086477
Important Security Update
Online Banking Protection Software Update from Trusteer
— THIS IS AN AUTOMATED RESPONSE. NO REPLY IS NECESSARY —
Please be sure to restart your computer after installing the new update
Sincerely, Trusteer Technical Support
Your internet banking account is valuable to fraudsters. That’s why criminals are always looking for new ways to get your online banking details and penetrate your account. Anti-virus and firewalls can’t detect the latest attacks, leaving you vulnerable.
To protect you against online fraud, please take a moment to Update Rapport – dedicated online banking security software from the experts at Trusteer. It only takes a few minutes to download and install, and there’s no need to restart your computer...


Screenshot: http://myonlinesecur...rity-Update.png

9 May 2014: derek_RaportUpdate.zip  (24 kb)  Extracts to  Trusteer Update Now.scr
Current Virus total detections:  8/52* ...
This Important Security Update is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...32aff/analysis/

- http://threattrack.t...8/trusteer-spam
May 9, 2014
Tagged: Trusteer, Upatre
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 09 May 2014 - 10:53 AM.



#1184 AplusWebMaster


Posted 12 May 2014 - 01:13 PM

FYI...

Fake PayPal SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 May 2014 - "PayPal Notification of payment received is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. These emails are absolutely identical to the genuine emails that you receive from PayPal when someone sends you money, especially after selling something on eBay. The difference is the link to the transaction goes to a fake site that tries to download a malware file to your computer, that appears to be a PDF...

Screenshot: http://myonlinesecur...l_new_funds.png

12 May 2014:  PP_detalis_726716942049.pdf.exe (485 kb)
Current Virus total detections: 0/51*
This PayPal Notification of payment received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...e265f/analysis/
___

BBB SPAM - Washington Metro Area ...
- http://threattrack.t...metro-area-spam
12 May 2014 - "Subjects Seen:
    RE:Case #2475314
Typical e-mail details:
    Owner/Manager
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you.  The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
    We look forward to your prompt attention to this matter.
    Sincerely, BBB of Metropolitan Washington DC and Eastern Pennsylvania


Malicious File Name and MD5:
    Complaint.zip (F72C05A0A0C4C188B07ECE7806CC0F44)
    ComplaintToManager.scr (F89D06A787094FE2DC1AF6B2C0914C17)


Screenshot: https://gs1.wac.edge...HQFX1r6pupn.png

Tagged: bbb, Upatre

- http://myonlinesecur...ke-pdf-malware/
12 May 2014 - "Better Business Bureau Complaint with subject of RE:Case #8396880 pretending to come from Refugio Ratliff [Refugio_Ratliff@ bbb .org] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
    May 12, 2014
    Owner/Manager
    The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you.  The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position. FILE ATTACHED (Adobe Photoshop format)
    As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct...
    We look forward to your prompt attention to this matter.
    Sincerely,
    BBB of Metropolitan Washington DC and Eastern Pennsylvania


12 May 2014: Complaint.zip (7 kb)  Extracts to ComplaintToManager.scr
Current Virus total detections: 2/52*
...  another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...12998/analysis/
___

“Your Photos Are being Used” Phish
- http://blog.malwareb...-phishing-lure/
May 12, 2014 - "We’re seeing some reports that an old favourite of scammers everywhere is currently in circulation on social media sites such as Tumblr. If you receive a message from a friend which says:
    OMG YOUR PHOTOS ARE BEING USED ON THIS SITE
then be very careful should you happen to click the link, because you may well be sent to a fake login page. In this case, the scammers use some Javascript to bounce the victim from a Tumblr spam blog to a fake Facebook login which they’ll need to use to see the supposed photos. Anybody filling in their details and hitting enter will of course have their username and password sent to the attacker.
> http://cdn.blog.malw...4/05/tumblr.png
...
> http://cdn.blog.malw...05/phish-fb.png
This sort of scam is often seen on Twitter, and regularly puts in a guest appearance or twelve on other sites. Any urgent-sounding messages sent your way which suggest imminent personal embarrassment of some description should be treated with healthy skepticism until you’ve confirmed that a) the message is genuine and b ) it really was worth saving up for a one way ticket to the Sahara desert all those years ago. It’s very likely you’re going to be fine – however, you won’t be able to say the same for accounts being handed over to a scammer using a little shock and awe (but mostly shock) as a bait to spirit away some logins."
___

- http://blog.trendmic...ultiple-emails/
May 12, 2014 - "... Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 13 May 2014 - 06:52 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1185 AplusWebMaster

Posted 14 May 2014 - 04:48 AM

FYI...

Paypal Phish Flood
- http://blog.malwareb...phishing-flood/
May 13, 2014 - "... noticed a trend in phishing scams over the last week, namely that a specific style of PayPal phish e-mail has been flooding potential victims. The text of the phishing e-mail includes:
Dear Member,
Recently, there's been activity in your PayPal account that seems unusual compared to your normal account activities. Please log in to PayPal to confirm your identity and update your password and security questions.
To help protect your account, no one can send money or withdraw money. In addition, no one can close your account, send refunds, remove any bank accounts, or remove credit cards.
Click here to login <- Phishing Page
What's going on?
We're concerned that someone is using your PayPal account without your knowledge. Recent activity on your account seems to have occurred from a suspicious location or under circumstances that may be different than usual.
What to do
Log in to your PayPal account as soon as possible. We may ask you to confirm information you provided when you created your account to make sure you're the account holder. We'll then ask you to change your password and security questions...


They then advise to wait until PayPal responds within 72 hours after all tasks are complete, however we know that by that time, any credit or accounts associated with your PayPal login are likely to be compromised. We have seen a massive amount of domains being employed to host the actual phishing page, which looks like this:
> http://cdn.blog.malw...ayPal_Phish.png
In addition to the many locations this -scam- is being hosted, the amount of observed IP addresses sending the phishing attack is so far over 500. So keep an eye out for any such scam.  In addition, there seems something oddly ‘phishy’ about the pattern of these attacks and as we uncover more we will update this post..."
___

Fake Computer Support Services invoice – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 May 2014 - "Computer Support Services fake invoice with subject of Computer Support Services JJBCL0104291 pretending to come from Computer Support Services [Bishop.j@ blackjj .co .uk] < random names @ blacjj .co .uk > is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... email looks like
    Dear Carole We have created a new invoice for you. To view your statement including a pdf of this invoice please download the attachment.
    Invoice Details
    Invoice Number:
    Description:     1/4/14 – 30/4/14
    Amount:     £67.80
     Payment Details
    Account Number:     01706454
    Sort Code:     400822
    Account Name:     Computer Support Services
    Kind Regards, Jennifer Eden Computer Support Services T: 0161 8505080 F: 0161 929 0049 W: www. blackjj .co .uk


13 May 2014  Report_ID30D74D9365D2AC998DC.zip (63 kb) : Extracts to invoice_65476859394857_pdf.exe
Current Virus total detections: 0/52*
This Computer Support Services fake invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...b56e7/analysis/
___

Citibank Commercial Banking Form Spam
- http://threattrack.t...nking-form-spam
May 14, 2014 - "Subjects Seen:
    Important - Commercial Form
Typical e-mail details:
    Please scan attached document and fax it to +1 800-285-6016 .
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-0106 or email enquiries@citibank.com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
    Yours faithfully
    Lilly Mccann
    Commercial Banking
    Citibank N.A
    Lilly.Mccann@ citibank .com


Malicious File Name and MD5:
    CommercialForm.zip (5881899D33E80B0B33139BBDED43D9BB)
    CommercialForm.scr (F7F5269B1031FF35B8F4DF1000CBCBBB)


Screenshot: https://gs1.wac.edge...xVdL1r6pupn.png

Tagged: Citibank, Upatre
___

Microsoft Exchange Voice mail Spam
- http://threattrack.t...voice-mail-spam
May 14, 2014 - "Subjects Seen:
    You have received a voice mail
Typical e-mail details:
    You received a voice mail : VOICE933-947-8474.wav (24 KB)
    Caller-Id: 933-947-8474
    Message-Id: XA6TL3
    Email-Id: <email address>
    This e-mail contains a voice message.  
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


Malicious File Name and MD5:
    VoiceMail.zip (B41AF487FC1D362DF736EAC5E14CF5FF)
    VoiceMail.scr (DDBA4AD13DE7D5AE604729405C180D65)


Screenshot: https://gs1.wac.edge...2QEg1r6pupn.png

Tagged: Voicemail, Upatre
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 14 May 2014 - 03:55 PM.

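As an added example (not from the thread or the quoted blogs), a Python check for the disguised-executable attachments described in both posts above: a zip whose member hides an executable extension behind a document-like name, or whose content starts with a PE "MZ" header whatever the name claims. The sample zip and its bytes are constructed stand-ins, and the extension and hint lists are assumptions.

```python
import io
import zipfile

# Extensions Windows will run even when the file carries a PDF/document icon;
# the icon and "hide known extensions" do not change how Explorer launches it.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Name fragments the quoted runs use to make the payload look like a document.
DOC_HINTS = ("pdf", "doc", "invoice", "complaint", "voicemail", "form")


def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons])] for every zip entry that looks like a
    disguised executable. Checks the name and the first two bytes of content,
    so a renamed .exe is still caught by its MZ header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension %s" % ext)
                if any(hint in lower for hint in DOC_HINTS):
                    reasons.append("document-like name on executable")
            if head == b"MZ":
                reasons.append("PE header (MZ) inside attachment")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed attachment modelled on the names quoted above; the bytes are
# placeholders, not the real samples.
SAMPLE = build_sample_zip({
    "ComplaintToManager.scr": b"MZ" + b"\x00" * 62,
    "invoice_65476859394857_pdf.exe": b"MZ" + b"\x00" * 62,
    "statement.pdf": b"%PDF-1.4 constructed benign placeholder",
})
```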
