
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1186 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 May 2014 - 10:18 AM

FYI...

Fake NatWest SPAM ...
- http://myonlinesecur...west-statement/
15 May 2014 - "NatWest Statement is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
    View Your April 2014 Online Financial Activity Statement
     Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It’s available for you to view at this secure site. Just click to select how you would like to view your statement:
    View/Download as a PDF
    View all EStatements
    So check out your statement right away, or at your earliest convenience...


Screenshot: http://myonlinesecur...t-statement.png

15 May 2014: Statement-pdf.zip (14 KB) : Extracts to Statement-pdf.scr
Current Virus total detections: 7/53*
This NatWest Statement is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...71030/analysis/

- http://blog.dynamoo....ains-bitly.html
15 May 2014 - "This -fake- NatWest spam sends victims to a malicious download via a bit.ly link... The link in the email goes to [donotclick]bit .ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53*...
* https://www.virustot...sis/1400164292/
___

Fake 401K Fund Spam
- http://threattrack.t...erformance-spam
May 15, 2014 - "Subjects Seen:
    401k April 2014 Fund Performance and Participant Communication
Typical e-mail details:
    Co-op 401k Plan Participants
    Attached you will find the April 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
    If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
    Please contact me if you have any questions.
    Elsie Mosley
    Employee Benefits/Plan Administrator...


Malicious File Name and MD5:
    April-2014-401k-Fund.zip (B5B2231F7110B15F70DB7968134A5A98)
    April-2014-401k-Fund.scr (81928270710BAD7443BDBCAA253E4094)


Screenshot: https://31.media.tum...Pc4p1r6pupn.png

Tagged: 401K, Upatre
___

Fake justice .co.uk - REMINDER NOTICE ...
- http://myonlinesecur...-notice-ignore/
15 May 2014 - "Fake justice .co.uk REMINDER NOTICE DO NOT IGNORE is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...  a spurious parking ticket, hoping to extort a large sum of money from you...

UK central Police svc notice: http://www.actionfra...ne-emails-mar14

Email looks like:
   REMINDER NOTICE DO NOT IGNORE
    To: submit@ thespykiller .co .uk Case: C5067787
    Please print attached form and fax it to +44 020 4869 0219 Your vehicle was recorded parked on our Clients Private Property driveways on the 15.05.2014 and remained on site for 2 hour 28 min. A notice was sent to you on 10.04.2014 which gave 28 days to pay full PARKING CHARGE or challenge the issue. The amount of £78.00 is now due...


Screenshot: http://myonlinesecur...-NOT-IGNORE.png

15 May 2014: Form-STD-Vehicle-150514.zip (11 KB) Extracts to Form-STD-Vehicle-150514.scr
Current Virus total detections: 5/53*
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...05ce4/analysis/
 

:ph34r:  <_<


Edited by AplusWebMaster, 15 May 2014 - 10:54 AM.


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1187 AplusWebMaster


Posted 19 May 2014 - 08:56 AM

FYI...

Fake TT PAYMENT COPY - SPAM ...
- http://blog.dynamoo....-copy-spam.html
19 May 2014 - "This spam has a malicious attachment:
    Date:      Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
    Subject:      Re TT PAYMENT COPY
    please confirm the attachment payment Copy and get back to me?


Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53*. Automated analysis tools... don't reveal what is happening, but you can guarantee it is nothing good."
* https://www.virustot...sis/1400507439/
___

High Fashion to High Risk ...
- http://blog.malwareb...n-to-high-risk/
May 19, 2014 - "... Suffice to say that several Fashion Weeks have come and gone since 2014 started... more runway events have been announced and are already scheduled to happen within the next two to three weeks...  it’s highly likely that you may encounter the sites we’ve found these past few days. We have also noted that such sites have increased in number, with most of them carrying the brands Louis Vuitton, Chanel, Gucci, Hermes, and Oakley.
> http://cdn.blog.malw...ouisvuitton.png
...
> http://cdn.blog.malw...guccioutlet.png
... What fantasylouisvuitton, guccioutlet, and fashionshop-usa have in common goes beyond not having an easy way for anyone to verify the products they say for authenticity. All these sites redirect to random JS (JavaScript) scripts hosted on js(dot)users(dot)51(dot)la, a site that has been associated with many -malicious- activities in the past*. Google Safe Browsing flags it as “suspicious”... Meanwhile, Tumblr users have been inundated with spam posts from users claiming to be students who have put up their own personal fashion site and wishing others to visit it. This is an old Tumblr scam designed to encourage the clicking of adverts, which is often against the Terms of Service (ToS) of many advertising networks and can be seen as a form of click fraud. In this case, scammers specifically looked for those interested in fashion... When it comes to dealing with scams and potentially risky websites, users are always at the losing end. Thus, avoiding such sites, in general, and sticking to visiting legitimate and/or official selling sites of popular brands are best practices to keep in mind."
* https://www.virustot...la/information/
___

Targeted Attack Trends - 2H 2013
- http://blog.trendmic...ook-at-2h-2013/
May 19, 2014 - "Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates are in mitigating the risks posed by these threats.
Most commonly exploited vulnerabilities related to targeted attacks
> http://blog.trendmic...5/tareport2.jpg
... Spear phishing* is still the most seen entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening it and the file attachments therein that serve as malware carriers.  In our 2014 prediction, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks... Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology that can detect, analyze, and respond to attacks that traditional antivirus signature-based solutions and blacklisting are not capable of. Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions..."
> http://about-threats...sify-in-2h-2013
... The latter half of 2013 also bore witness to a series of threat landscape updates that show the aggressive stance of present-day attackers... While bad actors prefer using tried-and-tested attack vectors, such as spear-phishing emails, vulnerabilities, and malware, research shows that they are on the move in terms of diversifying their victims all over the world..."
* http://searchsecurit.../spear-phishing

- http://www.securewor...-cve-2014-1761/
May 16, 2014

- http://www.reuters.c...EA4I09420140519
May 19, 2014 - "The United States on Monday charged five Chinese military officers and accused them of hacking into American nuclear, metal and solar companies to steal trade secrets, ratcheting up tensions between the two world powers over cyber espionage. China immediately denied the charges, saying in a strongly worded Foreign Ministry statement the U.S. grand jury indictment was "made up" and would damage trust between the two nations... Federal prosecutors said the suspects targeted companies including Alcoa Inc, Allegheny Technologies Inc, United States Steel Corp, Toshiba Corp unit Westinghouse Electric Co, the U.S. subsidiaries of SolarWorld AG, and a steel workers' union.  Officials declined to estimate the size of the losses to the companies, but said they were "significant." The victims had all filed unfair trade claims against their Chinese rivals, helping Washington draw a link between the alleged hacking activity and its impact on international business. According to the indictment, Chinese state-owned companies "hired" Unit 61398 of the People's Liberation Army "to provide information technology services" including assembling a database of corporate intelligence..."
___

E-On Energy Bill Spam
- http://threattrack.t...nergy-bill-spam
May 19, 2014 - "Subjects Seen:
    Unable to process your most recent bill payment
Typical e-mail details:
    Dear customer,
    This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
    Please check attached file for more detailed information on this transaction.
    IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
    If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
    We apologize for any inconvenience this may cause.


Malicious File Name and MD5:
    Eonenergy-Bill-29052014.zip (73C46BEB4997D121D88E4DA220EB8E75)
    Eonenergy-Bill-29052014.scr (FE272CDACF8BB7C3A8B264BFDF3772FD)


Screenshot: https://gs1.wac.edge...wRJh1r6pupn.png

Tagged: eon, Upatre

- http://myonlinesecur...t-bill-payment/
19 May 2014
> http://myonlinesecur...ill-payment.png

* https://www.virustot...c6675/analysis/
 

:ph34r:  <_<


Edited by AplusWebMaster, 20 May 2014 - 09:27 AM.



#1188 AplusWebMaster


Posted 20 May 2014 - 05:50 AM

FYI...

Fake Sage Invoice SPAM leads to malware
- http://blog.dynamoo....to-malware.html
20 May 2014 - "This -fake- Sage spam leads to malware:
    Date:      Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
    From:      Sage [Wilbur.Contreras@ sage-mail .com]
    Subject:      FW: Invoice_6895366
    Please see attached copy of the original invoice (Invoice_6895366).


Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52*. The Malwr analysis** shows that it then goes on to download further components from [donotclick]protecca .com/fonts/2005UKdp.zip ... [108.163.165.122]"
* https://www.virustot...sis/1400575304/

** https://malwr.com/an...ThjZDFlNzRkMDI/

- https://www.virustot...22/information/

- http://myonlinesecur...-notice-ignore/
Updated 20 May 2014 - "... Another big run of these this morning. See the notice on Justice .co.uk* and Action Fraud** where they are asking you to report these to them..."
* https://www.justice.gov.uk/help/fraud
 
** http://www.actionfra...ne-emails-mar14

Screenshot: http://myonlinesecur...-NOT-IGNORE.png

- http://threattrack.t...of-justice-spam
May 20, 2014
Tagged: UK Ministry of Justice, Upatre
___

Fake LexisNexis Invoice – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 May 2014 - "LexisNexis Invoice Notification for May 2014 pretending to come from LexisNexis [einvoice.notification@ lexisnexis .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Email looks like:
    There was an invoice issued to your company: thespykiller .co.uk Please  double click the PDF attachment to open or print your invoice.
    To view  full invoice details or for any Online Account Management options, download PDF attachment.
    Account Number                        278QCB
    Invoice Number                        195709944451
    Invoice Date                        May 20, 2014
    Invoice Amount                        $3.809.00
    Account Balance                        $0.00
    You can PAY YOUR BALANCE  through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement...


Screenshot: http://myonlinesecur...or-May-2014.png

20 May 2014  LexisNexis_Invoice_05202014.zip  (12 KB)  Extracts to
LexisNexis_Invoice_05202014.scr - Current Virus total detections: 0/52*
This LexisNexis Invoice Notification for May 2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1400601699/
___

SCAM: FIFA World Cup Tickets
- http://blog.trendmic...ld-cup-tickets/
March 20, 2014 - "As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted -fake- FIFA websites selling game tickets... For the site meant for visitors from Brazil, would-be fans can buy a ticket for the final Game for 8,630.20 reais (or just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website. At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site, but hadn’t received any tickets yet. The victim also claims that this scam site left no phone number to be contacted. Another complaint on the same site says the only way for the scammers to be contacted is via chat or email... This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe... remember that -only- FIFA is authorized to sell tickets for the World Cup games..."
___

iBanking: Exploiting the Full Potential of Android Malware
- http://www.symantec....android-malware
20 May 2014 - "Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model... iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile -botnets- and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection... One of the most active iBanking users is the Neverquest* crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula**. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe... Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. 
Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection. Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data..."

* http://malware.dontn...sed-by-the.html

** http://www.symantec....-112803-2524-99
 

:ph34r:  <_<


Edited by AplusWebMaster, 20 May 2014 - 08:00 PM.

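The NatWest, 401K, E-On, Sage and LexisNexis lures in the posts above all share one mechanic: a small .zip whose only member is a .scr executable named and iconed to pass for a PDF, which works whenever "show known file extensions" is off. The following Python script is an added example, not code from this thread or from the blogs it quotes. It triages a zip attachment offline by checking each member's extension, its PE ("MZ") header, a document-like name on executable content, and its MD5 against the hashes ThreatTrack published above. The sample archive it builds is constructed for the demonstration (an inert MZ header plus padding, not a real sample), and the DOC_HINTS word list is an assumption drawn from the lure names on this page.

```python
import hashlib
import io
import zipfile

# Constructed IoC table: only the MD5s quoted in the ThreatTrack posts above
# (401k and E-On samples), lower-cased for comparison. Nothing else is real.
KNOWN_BAD_MD5 = {
    "b5b2231f7110b15f70db7968134a5a98": "April-2014-401k-Fund.zip",
    "81928270710bad7443bdbcaa253e4094": "April-2014-401k-Fund.scr",
    "73c46beb4997d121d88e4da220eb8e75": "Eonenergy-Bill-29052014.zip",
    "fe272cdacf8bb7c3a8b264bfdf3772fd": "Eonenergy-Bill-29052014.scr",
}

# Extensions Windows will run on double-click, whatever icon the file carries.
EXEC_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Assumed word list: terms the lures above put in file names to suggest a document.
DOC_HINTS = ("pdf", "invoice", "statement", "bill", "form", "fund")


def is_pe_image(data: bytes) -> bool:
    """Windows PE executables (.exe/.scr) start with the 'MZ' DOS stub header."""
    return data[:2] == b"MZ"


def file_extension(name: str) -> str:
    """Lower-cased extension of the last path component, '' if there is none."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per suspicious archive member (empty list = nothing flagged)."""
    findings = []
    if hashlib.md5(zip_bytes).hexdigest() in KNOWN_BAD_MD5:
        findings.append({"member": "<archive>", "reasons": ["known-bad archive hash"]})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = file_extension(info.filename)
            reasons = []
            if hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5:
                reasons.append("known-bad member hash")
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if is_pe_image(data) and ext not in EXEC_EXTENSIONS:
                reasons.append("PE header under non-executable extension")
            if is_pe_image(data) and any(h in info.filename.lower() for h in DOC_HINTS):
                reasons.append("executable named like a document (spoofed-icon lure)")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive mimicking the lure layout: a .scr named like a PDF.
    The payload is an inert 'MZ' header plus padding, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement-pdf.scr", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200)
        zf.writestr("readme.txt", b"Thanks for your business.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip_attachment(build_sample_zip()):
        print(f["member"], "->", "; ".join(f["reasons"]))
```

The hash check is the weakest signal here (the posts themselves show detection rates of 0/52 for fresh builds), so the script reports it alongside the structural checks rather than relying on it; a mail gateway would quarantine on any executable extension or PE header inside an archive attachment and keep the hash list for retrospective hunting.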


#1189 AplusWebMaster


Posted 21 May 2014 - 03:21 AM

FYI...

Something evil on 93.171.173.173 ...
- http://blog.dynamoo....3173-sweet.html
21 May 2014 - "93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of -hijacked- GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites. For example [donotclick]www.f1fanatic .co.uk is a compromised website that tries to redirect visitors to two different exploit kits:
[donotclick]adv.atlanticcity .house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp .biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4
The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way)... The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves... The EK page itself has a VirusTotal detection rate of 0/53*, although hopefully some of the components it installs will trigger a warning."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1400664015/

93.171.173.173: https://www.virustot...73/information/

- http://centralops.ne...ainDossier.aspx
93.171.173.173
inetnum: 93.171.172.0 - 93.171.175.255
country: RU ...
origin:  AS29182

Diagnostic page for AS29182 (ISPSYSTEM-AS)
- https://www.google.c...c?site=AS:29182
"Of the 16625 site(s) we tested on this network over the past 90 days, 264 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-05-22, and the last time suspicious content was found was on 2014-05-22... Over the past 90 days, we found 87 site(s) on this network... appeared to function as intermediaries for the infection of 393 other site(s)...  this network has hosted sites that have distributed malicious software in the past 90 days. We found 260 site(s)... that infected 3562 other site(s)..."
___

FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity
- http://www.fireeye.c...n-activity.html
May 20, 2014 - "Yesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit 61398. This is the -same- unit that Mandiant publicly unmasked last year in the APT1 report*. At the time it was originally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s indictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated the evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s messaging; if the evidence is real, it overwhelmingly demonstrates China’s unilateral attempts to leapfrog years of industrial development — by using cyber intrusions to access and steal intellectual property... Although one could attempt to explain every piece of evidence away, at some point the evidence starts to become overwhelming when it is all pointing in one direction. Our timestamp data, derived from active RDP logins over a two year period, matches the DOJ’s timestamp data, derived from a different source — active Dynamic DNS re-pointing over a five year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are... "
(More detail at the fireeye URL above.)
* http://intelreport.mandiant.com/
___

“Amazoon” Phishing
- http://blog.malwareb...azoon-phishing/
May 21, 2014 - "Be warned that there are some typo happy phishers looking out for login credentials... take a trip down the Amazoon:
> http://cdn.blog.malw...05/amazoon1.jpg
It reads:
Verify your Amazoon account
    Dear Amazon user,
    We need to confirm your account information,
    you must confirm your amazon account before we close it.
    Click the link below to confirm your account information using our secure server.


Clicking the “Manage” link will take victims to a page asking for username and password information:
> http://cdn.blog.malw...05/amazoon2.jpg
After this, they’re faced with a page asking for personal information (name, address, phone number and so on):
> http://cdn.blog.malw...05/amazoon3.jpg
The page after this one is broken – looks like the host has taken it down mid-blog so hopefully nobody else will be scammed by this one. Typically the pattern for this kind of thing would be login details, personal information then card data. While we can’t say for sure what lay in wait at step 3, we can say to be on your guard for any more emails from “Amazoon” and -never- hand over personal data such as card details in response to emails you’ve been sent."

>> http://www.dilbert.com/2014-05-19/
___

Fake Contrat Commercant SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 May 2014 - "Contrat Commercant N: 9579514  pretending to come from Rick Goddard [Rick.Goddard@ credit-agricole .fr] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. This is written entirely in French...
Email looks like :
    Hello,
    Pleased to have made your acquaintance. I confirm that I have received the documents..
    Can you tell me whether you wish to keep merchant contract no. 9579514? Indeed, without action on our part, it will be automatically terminated on 22 May 2014.
    To avoid automatic termination, give 2 minutes to the Credit Agricole service by filling in the attached form.
    Rick Goddard ...


21 May 2014: Contrat_9579514.zip (8 KB) Extracts to Contrat_210514.scr
Current Virus total detections: 0/52* ...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...4bc09/analysis/
___

PrimeAspire (primeaspire .com) spam
- http://blog.dynamoo....recom-spam.html
21 May 2014 - "Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..
    From:     Team@ primeaspire .com
    To:     donotemail@ wearespammers .com
    Date:     20 May 2014 13:32
    Subject:     PrimeAspire - The Freelance Platform
    Hello,
    Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.
    The platform is completely free and used by talented people looking for freelance projects.
    Learn more
    Thanks,
    The PrimeAspire team ...


Screenshot: http://4.bp.blogspot...primeaspire.png

.. CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service... Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239... promoting your startup through spam is always a very bad move..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 26 May 2014 - 01:45 PM.

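FireEye's argument above rests on a simple analytic: take the attacker's login timestamps, convert them into each candidate local time zone, and see which zone puts the activity inside ordinary weekday working hours. The Python block below is an added example, not FireEye's or Mandiant's code, and its login timestamps are constructed to mimic a weekday 09:00 to 17:00 pattern at UTC+8; it scores every whole-hour offset from UTC-12 to UTC+14 and returns the best fit. The 09:00 to 18:00 working-day window is an assumption.

```python
from datetime import datetime, timedelta, timezone


def make_sample_logins():
    """Constructed UTC login timestamps (e.g. from RDP logs) for one account.
    They cluster at 01:00-09:00 UTC on weekdays plus one off-hours outlier;
    invented for the demo, not data from any report."""
    start = datetime(2014, 5, 5, tzinfo=timezone.utc)  # a Monday
    logins = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:  # skip Saturday/Sunday
            continue
        for hour in (1, 2, 3, 5, 6, 9):
            logins.append(d.replace(hour=hour, minute=17))
    logins.append(start.replace(hour=20))  # one login outside the pattern
    return logins


def business_hours_fraction(logins_utc, offset_hours, start_hour=9, end_hour=18):
    """Share of logins that fall on a weekday between start_hour and end_hour
    once shifted into the zone UTC+offset_hours (window is an assumption)."""
    tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for ts in logins_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            inside += 1
    return inside / len(logins_utc)


def rank_offsets(logins_utc, offsets=range(-12, 15)):
    """Every candidate offset scored by business-hours fit, best first.
    Ties break toward the smaller offset, so read the whole list, not just [0]."""
    scored = [(business_hours_fraction(logins_utc, o), o) for o in offsets]
    scored.sort(key=lambda s: (-s[0], s[1]))
    return scored


def best_offset(logins_utc):
    """UTC offset (hours) under which the most logins look like a working day."""
    return rank_offsets(logins_utc)[0][1]


if __name__ == "__main__":
    logins = make_sample_logins()
    for score, offset in rank_offsets(logins)[:5]:
        print(f"UTC{offset:+d}: {score:.2%} of logins inside 09:00-18:00 weekdays")
    print("best fit: UTC%+d" % best_offset(logins))
```

Two caveats the post itself raises: adjacent offsets often score almost identically, so this narrows the actor to a band rather than a country, and an actor can deliberately work odd hours to defeat it, which is why FireEye pairs the RDP data with an independent source (Dynamic DNS re-pointing) over a longer period.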


#1190 AplusWebMaster


Posted 22 May 2014 - 09:17 AM

FYI...

Browlock -redirects- via Google Image Search
- http://blog.malwareb...e-image-search/
May 22, 2014 - "We saw a website offering up a downloadable version of what they claim is Telltale’s Back to the Future game. The site had apparently been -hacked- allowing those who compromised it to add redirect code onto the website. As a side effect of this, clicking on their image via the initial returned results from a Google image search while using Chrome will mean your browser is redirected to a Browlock scam page, complete with dire warnings placed on top of the preview image which is now adrift in a sea of fakery:
> http://cdn.blog.malw...locksearch1.png
... we’re looking at a typical “Your PC has been encrypted, pay us money to return your files” message – the translation of which can be seen over on the F-Secure website* – and depending on your browser set up, you may have a few problems getting rid of the page. For example:
> http://cdn.blog.malw...locksearch2.jpg
Once the box is on the screen, there is no way to open another tab or indeed navigate to one that is already open. For similar reasons, you won’t be able to close the browser either. The browser is trapped in a loop of confirmation pop-up boxes and our old friend CTRL+ALT+DEL will be required to kill the browser in Task Manager. The end-user isn’t under too much risk here – the scam page is simply -pretending- that the PC has had all files encrypted, and wants them to pay up to get their hands back on valuable personal data. There have been instances in the past where Fake AV has taken advantage of image search and caused problems for Mac users, and here’s a Youtube video** of the Windows equivalent. In this case, if you’re ever able to get the popup out of the way AND close the image AND open up the vanilla website AND read the Russian text…you should close the browser via the wonder of Task Manager and go do something else anyway. Your data is safe, no need to hand over cash to scammers!"
* http://www.f-secure....s/00002698.html

**
___

Malvertising ads on popular site leads to Silverlight exploit, Zeus Trojan
- http://blog.malwareb...it-zeus-trojan/
May 22, 2014 - "Malicious ads displayed on legitimate websites (malvertising) are something we see a lot of these days... third-party content is always a bit iffy because you just can’t control it. Case in point, a popular website recently suffered a malvertising attack. Our honeypots detected the malicious redirection from a compromised ad in the wee hours of last Friday morning. We contacted both the site owners and the advertising agency and the malicious traffic stopped shortly after. Over the course of the weekend and the beginning of the week, we exchanged some further emails to get a better understanding about the attack, which turned out to be an Ad server compromise... the advertising agency had suffered a server compromise themselves. I managed to talk to them and they were willing to share information about the attack that affected them and in turn their customers. After browsing their log files they noticed a peculiar IP address that had logged in through SSH and had connected to their email server. But interestingly the attacker waited patiently before doing anything nefarious. It appears the attacker was reading their emails and simply waiting for something valuable to come up. Finally, a new ad campaign with a high volume website was started and details were shared via email. Almost immediately after, the attacker redirected the tracking for the ad server to his own malicious site (rotator)... The goal of this malvertising attack is to -redirect- unsuspecting users to an exploit kit landing page in order to infect their computers... Drive-by download through Angler exploit kit: The exploit kit landing page is heavily obfuscated to make detection harder... Following successful exploitation of the machine, a payload is dropped. This one is none other than the infamous Zeus/Zbot banking Trojan... The best defence is a layered one and it starts with browser protection. 
To stop the Silverlight exploit you need to be running the latest version of the software*... also another notable external connection to an IP (37.57.26.167) based in the Ukraine... good Anti-Malware protection running in the background can also protect you against the threat, either by blocking the malicious site or the dropped payload... Thanks to the advertising agency for sharing some of the details on their compromise. Hopefully this will be helpful to other website owners."
(More detail at the malwarebytes URL above.)
* http://www.microsoft...ll/Default.aspx

- http://atlas.arbor.net/briefs/
Elevated Severity
May 23, 2014
Microsoft Silverlight vulnerabilities were recently targeted in a malvertising campaign redirecting victims to exploit kits.
Analysis: Malicious ads in the AppNexus network redirected victims to malicious sites hosting the Angler Exploit Kit containing Silverlight exploits. Angler EK has shown a significant increase in attacks against Silverlight since late April... Like many other exploit kits, Angler EK makes use of disclosed, patched vulnerabilities rather than zero-days. The two Silverlight vulnerabilities exploited in this campaign, CVE-2013-0074 and CVE-2013-3896, both have available patches and published exploit code... Angler EK also contains exploits for other applications including Java and Flash, whose security issues are frequently discussed. Given the widespread and growing usage of Silverlight, including by popular video streaming site Netflix, it is likely that Silverlight will continue to be targeted. Users who have Silverlight installed should ensure that it is up-to-date.
 

:ph34r:  <_<


Edited by AplusWebMaster, 24 May 2014 - 03:07 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1191 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 23 May 2014 - 08:27 AM

FYI...

Targeted attacks against Taiwan gov't agencies
- http://blog.trendmic...ent-agencies-2/
May 23, 2014 - "... We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We are naming this specific campaign PLEAD because of the letters of the backdoor commands issued by the related malware. The point of entry for this campaign is through email. In the PLEAD campaign, threat actors use the RTLO (right to left override) technique in order to fool the target recipient into thinking that the file extension of the unpacked file is not suspicious, i.e., not an executable. In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as seen in a case targeting a particular ministry in Taiwan, purporting to be reference materials for a technical consultant conference... We also observed the use of an exploit using the CVE-2012-0158 vulnerability, which had long been patched by MS12-027 in 2012. The vulnerability exists in Windows common controls, could allow an attacker to execute malicious code, and is a common vulnerability found in targeted attacks... We are still conducting research about the related C&Cs and malware tools in the PLEAD campaign and will be providing technical details about the breadth of this campaign. It appears that the attacks related to this campaign have been around since 2012."
(More detail at the trendmicro URL above.)
___

Fake NatWest email downloads malware via Dropbox
- http://blog.dynamoo....ds-malware.html
May 23, 2014 - "This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.
    From:     NatWest .co.uk [noreply@ natwest .co.uk]
    Date:     23 May 2014 11:36
    Subject:     NatWest Statement
     View Your May 2014 Online Financial Activity Statement
    Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
    View/Download as a PDF
    View all EStatements
    So check out your statement right away, or at your earliest convenience.
    Thank you for managing your account online.
    Sincerely,
    NatWest Bank ...


The link in the email goes to [donotclick]dl.dropboxusercontent .com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52*. Automated analysis tools... show that it downloads a component from [donotclick]accessdi .com/wp-content/uploads/2014/04/2305UKmw.zip ... The Malwr analysis shows that it then downloads some additional EXE files:
    ibep.exe (VT 2/52, Malwr report)
    kuten.exe (VT 3/52, Malwr report)
    sohal.exe (VT 2/52. Malwr report)
 As is typical with the attack, the payload appears to be P2P/Gameover Zeus/Zbot."
(More detail and links at the dynamoo URL above.)
* https://www.virustot...sis/1400846756/
___

Fake eBay Customer List is Bitcoin Bait
- http://krebsonsecuri...s-bitcoin-bait/
May 22, 2014 - "... an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds... There is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow one user or customer account per email address, and eBay is no exception here. I took a random sampling of five email addresses from the 12,663 users in that file, and tried registering new accounts with them. The outcome? Success on all five... the main target of these fake leak scammers are probably security companies eager enough to verify the data that they might just buy it to find out. Interestingly, I did have one security company approach me today about the feasibility of purchasing the data, although I managed to talk them out of it..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 23 May 2014 - 08:41 AM.



#1192 AplusWebMaster


Posted 26 May 2014 - 10:22 AM

FYI...

Fake Voice Msg – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 May 2014 - "Voice Message from < random number> pretending to come from message @ <random email address> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...
Today we are seeing a mass run of the common voice message malware theme. 2 different versions of these so far today. Loads of slightly different subjects
    Voice Message from +07720-160332
    Voice message transmission report: 2014.05.26_4B10694078
    Incoming voice message [2014_05_26_9E57221633]
    Incoming Voice Message [+07457706455]
They all come via one of the bots and have an alleged  sender of message@any name you can think of .com/co.uk/net etc. Emails look like:
    You have a new Voice Message!
    Sender: +07457706455
    Date: 2014-05-24 13:19:26 UTC
    ID: 2014-05-26_0D87942690


26 May 2014: voice_message_2014-05-26_75555857A9.zip Extracts to  voice_message_2014-05-26_3C51847781.exe
Current Virus total detections: 2/53* . This Voice Message from is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1401119086/

- https://www.virustot...b1e96/analysis/
 

:ph34r:  <_<




#1193 AplusWebMaster


Posted 27 May 2014 - 05:35 AM

FYI...

eBay phish ...
- http://myonlinesecur.../ebay-phishing/
27 May 2014 - "... Today we started to receive eBay phishing emails that aren’t connected with the password reset that eBay are requesting all users to do, but a more typical -phish- with a message saying an eBay member has left you a message regarding item no #2389452906... always -ignore- the links in these emails and log in to your eBay account manually and check the My Messages link inside eBay. That is the -only- way to be guaranteed that it is the correct site. This one is quite well crafted and until you look very closely at the web address, you could quite easily believe that you are on the genuine eBay site.... Email looks like:
    Question about Item #2389452906- Respond Now
    eBay sent this message on behalf of an eBay member through My Messages.
    Dear member,
    eBay member timeautoparts has left you a message regarding item #2389452906
    Click here to view the message
    Regards,
    eBay


Screenshot: http://myonlinesecur...phish-email.png
If you follow the links in the email, you end up on a page looking like this:
Screenshot: http://myonlinesecur..._phish_site.png
... after giving your details you are sent to a confirmation page that looks like this, asking you to confirm your email address and email password. The phishers want 2 bites at the cherry and not only want your eBay account log in details but also your email account log in details so they can use that to spread their spam and malware:
> http://myonlinesecur...nfirm_email.png
... That then bounces you to the genuine eBay site where you don’t realise that you have given your details to a phishing site..."

- http://www.hoax-slay...fications.shtml
May 27, 2014 - "... the genuine eBay notification does -not- ask you to click a link. Instead, it asks that you go to eBay in your usual way and login to change your password..."
___

Aussie Apple devices, including the iPhone, are being hijacked
- http://www.theage.co...0527-zrpbj.html
May 27, 2014 - "Owners of Apple devices across Australia are having them digitally held for ransom by hackers demanding payment before they will relinquish control. iPad, iPhone and Mac owners in Queensland, NSW, Western Australia, South Australia and Victoria have reported having their devices held hostage. One iPhone user, a Fairfax Media employee in Sydney, said she was awoken at 4am on Tuesday to a loud "lost phone" message that said "Oleg Pliss" had hacked her phone. She was instructed to send $50 to a PayPal account to have it unlocked... It is likely hackers are using the unusual name as a front to get money from people. A real Oleg Pliss is a software engineer at tech company Oracle. A similar name is listed on LinkedIN as a banking professional in Ukraine, while there are others in Russia. Affected users in Australia have been discussing the issue on Twitter and Apple's own support forum*."
* https://discussions....tart=0&tstart=0

How to defend against... iCloud attack
> http://blogs.compute...s-icloud-attack
May 27, 2014 - "... If you have a passcode for your device, then you don't have a problem -- just use the passcode to get into your device again, and change your iCloud password. Find My iPhone can only set its own code if you have not created your own passcode for the device... Some reports claim the following steps may help locked out users regain control of their device..."
(More detail at the computerworld URL above.)

- http://www.f-secure....s/00002707.html
May 27, 2014

- http://www.databreac...r-their-phones/
May 27, 2014
___

Ransomware Moves to Mobile
- http://blog.trendmic...oves-to-mobile/
May 26, 2014 - "Ransomware continues to make waves... it is now targeting mobile devices... cybercrime groups have decided to include mobile users in their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware. This is detected as ANDROIDOS_LOCKER.A ... The malware will monitor the screen activity when a device is active or running. Based on the analysis of its code, it tries to put its UI on top of the screen when the device is unlocked. People will not be able to uninstall the malicious app by traditional uninstall means as one would normally do because the system or even the AV UI is always “covered” by the malware’s UI. It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible. However, one URL was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers albeit a limited function because it only has few permissions... To -avoid- these threats, we strongly suggest that you -disable- your device’s ability to install apps from sources outside of Google Play and double check the developer of the app you want to download and be very meticulous of the app reviews to verify apps’ legitimacy. This setting can be found under Security in the system settings of Android devices..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 28 May 2014 - 06:32 PM.

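Does a link really go where it claims? The eBay phish above works because the address is not checked closely, and the Energy Australia phish quoted further down in this thread uses a plausible but wrong domain (energymar .com). The following is an added example, not code from any of the quoted posts: it extracts the host a URL actually lands on and compares its registrable domain with the domains the brand is known to use, catching the user@ prefix trick and brand-as-subdomain look-alikes. LEGIT_DOMAINS is a short demo table (eBay's real list of country sites is longer), MULTI_LABEL_SUFFIXES is a toy stand-in for the Public Suffix List, and every *.example host is constructed.

```python
"""Phishing-link hostname check (added example; not from the quoted posts).

Only a 'legit' verdict means the link belongs to the brand. 'lookalike'
means the brand name appears somewhere in the address while the browser
would land on a different registrable domain; 'not_brand' means the brand
does not appear at all (as with energymar.com posing as Energy Australia).
"""
from urllib.parse import urlsplit

# Assumption: short demo table of legitimate registrable domains per brand.
LEGIT_DOMAINS = {
    "ebay": {"ebay.com", "ebay.co.uk"},
    "energyaustralia": {"energyaustralia.com.au"},
}

# Assumption: toy list of second-level suffixes that need three labels for a
# registrable domain. Use the Public Suffix List (e.g. the publicsuffix2
# package) in real deployments.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.kr"}


def registrable_domain(host):
    """'signin.ebay.com' -> 'ebay.com'; 'www.ebay.co.uk' -> 'ebay.co.uk'."""
    if not host:
        return ""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(brand, url):
    """Return (verdict, detail) for a link that claims to belong to brand."""
    parts = urlsplit(url)
    # .hostname already drops any 'user@' prefix and the port.
    host = (parts.hostname or "").lower()
    detail = {"host": host, "registrable": registrable_domain(host)}
    if "@" in parts.netloc:
        # 'https://www.ebay.com@evil.example/' lands on evil.example; the text
        # before '@' is userinfo and exists only to fool the reader.
        detail["userinfo"] = parts.netloc.rsplit("@", 1)[0]
    if detail["registrable"] in LEGIT_DOMAINS[brand]:
        return "legit", detail
    if brand in parts.netloc.lower():
        return "lookalike", detail
    return "not_brand", detail


if __name__ == "__main__":
    samples = [
        ("ebay", "https://signin.ebay.com/"),
        ("ebay", "http://ebay.com.secure-login.example/login"),      # constructed
        ("ebay", "https://www.ebay.com@evil.example/"),              # constructed
        ("energyaustralia", "http://energymar.com/data/electricity/view/get/energy.php?eid=1"),
    ]
    for brand, url in samples:
        print(check_link(brand, url)[0], url)
```

The verdict is driven by the registrable domain of the host the browser will actually contact, never by what appears in the link text; anything other than "legit" is a reason to ignore the link and log in by typing the address yourself, as the post advises.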


#1194 AplusWebMaster


Posted 28 May 2014 - 09:20 AM

FYI...

Fake AMEX SPAM - Activity Report – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 May 2014 - "Recent Activity Report – Incident #TCC6CVXM02FYBAE  pretending to come from American Express [Whitney.Clinton@ americanexpress .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like:
    As part of our security measures, we deliver appropriate monitoring of transactions and customers to identify potentially unusual or suspicious activity and transactions in the American Express online system.
    Please review the “Suspicious Activity Report” document attached to this email.
    Your Cardmember information is included in the upper-right corner of this document to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at http ://www.americanexpress .com/phishing
    Thank you for your Cardmembership.
    Sincerely,
    Whitney.Clinton
    Tier III Support
    American Express Account Security
    Fraud Prevention and Detection Network
    Copyright 2014 American Express Company. All rights reserved.


28 May 2014: Incident_TCC6CVXM02FYBAE.zip (10 kb): Extracts to Incident_1BBWHVO9AR3E263.scr (25kb)
Current Virus total detections: 4/52*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...09d51/analysis/
___

Fake eFax message SPAM - downloads malware from Dropbox
- http://blog.dynamoo....known-spam.html
28 May 2014 - "This -fake- eFax message downloads malicious content from a Dropbox link.
    From:     eFax [message@ inbound .efax .com]
    Date:     28 May 2014 13:12
    Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643
    Fax Message [Caller-ID: 1-949-698-5643
    You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.
    * The reference number for this fax is atl_did1-1400166434-95058563842-154.
    Click here to view this fax using your PDF reader...


The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent .com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr. This binary has a VirusTotal detection rate of 6/53*. Automated reporting tools... show a download from landscaping-myrtle-beach .com/wp-content/uploads/2014/05/2805UKdw.dkt ... This last one makes a connection to innogate .co .kr for unknown reasons.
Recommended blocklist:
landscaping-myrtle-beach .com
innogate .co.kr
"
* https://www.virustot...sis/1401279784/

- http://myonlinesecur...ke-pdf-malware/
28 May 2014 - "... links to Dropbox in the spoofed Corporate eFax message email rather than the more usual attachment..."
- https://www.virustot...9c29b/analysis/
Screenshot: http://myonlinesecur...13/12/efax2.png
___

"TPPCO" PPI SMS spam
- http://blog.dynamoo....i-sms-spam.html
28 May 2014 - "Despite some high-profile recent cases* where SMS spammers have been busted by the ICO, the wave of spam seems to be continuing. This one came less than an hour ago from +447729938098.

Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO

I have no idea who "TPPCO" are, but they are a common sender of these spam messages. In this case, the spam was sent to a number that is TPS registered, and I believe that the approach is fraudulent in any case - in most cases the spammers will get paid for a lead even if it turns out that the claimant wasn't eligible. If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Carriers and the ICO are cracking down on these scumbags, but they need reports from victims to gather enough evidence.
You can also report persistent spam like this via the ICO's page on the subject, which might well end up in the spammers getting a massive fine."
* http://ico.org.uk/ne...ssages-22052014
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Invoice Notice Email Messages - 2014 May 28
Fake Product Purchase Order Request Email Messages - 2014 May 28
Fake Invoice Notice Email Messages - 2014 May 28
Fake Court Appearance Request Email Messages - 2014 May 28
Fake Product Purchase Order Request Email Messages - 2014 May 28
Fake Shipping Documents Attachment Email Messages - 2014 May 28
Fake Product Purchase Order Request Email Messages - 2014 May 28
Fake Financial Transaction Notification Email Messages - 2014 May 28
Fake Scanned Image Notification Email Messages - 2014 May 28
Fake Financial Documents Email Messages - 2014 May 28
Fake Product Sample Order Email Messages - 2014 May 28
Fake Product Invoice Notification Email Messages - 2014 May 28
Fake Fax Delivery Email Messages - 2014 May 28
Fake Bank Account Statement Email Messages - 2014 May 28
Fake Shipping Order Information Email Messages - 2014 May 28
Fake Bank Payment Transfer Notification Email Messages - 2014 May 28
Fake Unpaid Debt Invoice Email Messages - 2014 May 28
Fake Product Order Email Messages - 2014 May 28
(More detail and links at the cisco URL above.)
 

:ph34r:  <_<


Edited by AplusWebMaster, 28 May 2014 - 05:40 PM.



#1195 AplusWebMaster


Posted 29 May 2014 - 06:19 AM

FYI...

More eFax / Dropbox malware SPAM
- http://blog.dynamoo....lware-spam.html
29 May 2014 - "This -fake- eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:
    From:     Incoming Fax [no-reply@ efax .co.uk]
    Date:     29 May 2014 10:26
    Subject:     INCOMING FAX REPORT : Remote ID: 499-364-9797 ...
    Date/Time: Thu, 29 May 2014 18:26:56 +0900
    Speed: 4360bps
    Connection time: 07:09
    Pages: 9
    Resolution: Normal
    Remote ID: 915-162-0353
    Line number: 0
    DTMF/DID:
    Description: Internal report
    We have uploaded fax report on dropbox, please use the following link to download your file:
    https ://www.dropbox .com/meta_dl/[redacted]


The malicious download is from [donotclick]www.dropbox .com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr . This binary has a VirusTotal detection rate of 6/53* and the Malwr report shows that it downloads a file from soleilberbere .com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51**. Automated reports... are pretty inconclusive as to what this does."
* https://www.virustot...sis/1401357330/

** https://www.virustot...sis/1401357905/

- http://myonlinesecur...re-via-dropbox/
29 May 2014 - "... Instead of the usual malware attachment to an email or a link to an infected file on a compromised or hacked server and website, the bad guys have started to deliver malware via Dropbox... 'bad guys appear to be doing this, because of the way many mail servers now block attachments or scan and disinfect them to stop users being infected... 'bad guys often create one malicious file & use 4, 5 or even 10 different email subjects and contents to entice a user to read the mail, open any attachment or follow the link & get infected. We try to post as many of the current emails here as we can, to alert you to what is a fake, but some just slip past."
___

Iranian hackers use fake Facebook accounts to spy on U.S., others
- http://www.reuters.c...N0E90A220140529
May 29, 2014 - "In an unprecedented, three-year cyber espionage campaign, Iranian hackers created false social networking accounts and a fake news website to spy on military and political leaders in the United States, Israel and other countries, a cyber intelligence firm said on Thursday. ISight Partners*, which uncovered the operation, said the hackers' targets include a four-star U.S. Navy admiral, U.S. lawmakers and ambassadors, members of the U.S.-Israeli lobby, and personnel from Britain, Saudi Arabia, Syria, Iraq and Afghanistan. The firm declined to identify the victims and said it could not say what data had been stolen by the hackers, who were seeking credentials to access government and corporate networks, as well as infect machines with malicious software..."
* https://www.isightpa...e-social-media/
May 28, 2014 - "... Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign.  At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas. This campaign, working undetected since 2011, targets senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, defense contractors in the U.S. and Israel, as well as others..."
___

Fake COPY OF PMNT/ORDER CONFIRMATION - PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 May 2014 - "COPY OF PAYMENT REMITTANCE and ORDER CONFIRMATION is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email looks like this:
Good evening,
Attached is the 30% remittance copy for our first Order and our specifications approval documents. Please confirm payment as soon as received at your end and also confirm order processing time according to your invoice. Awaiting your kind response.
Kind regards,
Eddie Martinez CTM International Giftware Inc/ CTM International Hardware Inc. Phone: (614) 384-0636 Fax: (614) 883-1748 ...


29 May 2014: PAYMENT SWIFT CONFIRMATION.zip : Extracts to  PAYMENT SWIFT CONFIRMATION.zip.scr
Current Virus total detections: 2/53*... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...de46a/analysis/
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
(MANY -new- with today's date - there were -21- new entries as of date/time of this post. More info and links at the cisco URL above.)
___

Chromebook touchpads borked by update
- http://www.theinquir...hrome-os-update
May 29 2014 - "... reports that large numbers of Chromebooks have been borked by the latest version of Chrome OS*. The problem stems from the touchpad and its "Touch to Click" feature, which seems to have stopped registering clicks after the upgrade. This is particularly crucial as some models of Chromebook have done away with the mechanical touchpad buttons altogether. The problem is a huge embarrassment for Google in its efforts to get Chrome OS recognised as a viable alternative to Windows. Posters to the Chromium community forums are fuming**... Google rolled out Chrome OS version 35 last week, including organisation options for the app launcher, universal activation of the "OK Google" voice control command and better control for logging in to public WiFi hotspots. Google's Chrome OS community manager Andrea Mesterhazy has acknowledged the problem in the forums***..."
* http://googlechromer...-chrome-os.html
May 20, 2014

** https://code.google....etail?id=377165

*** https://productforum...[101-125-false]
May 28, 2014
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 29 May 2014 - 05:59 PM.

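Three delivery tricks recur in the posts above: the RTLO (right-to-left override, U+202E) file-name trick used by the PLEAD campaign, ".scr" executables that carry a PDF icon and a document-like name (Statement-pdf.scr, Credit_card_Report.zip.scr) so that hidden extensions make them look like documents, and malware pulled from a Dropbox link with "?dl=1" instead of an attachment. The following mail-attachment and link triage is an added example, not code from any of the quoted posts. EXEC_EXT and DOC_EXT are starter lists, not exhaustive; SHARE_HOSTS covers Dropbox only; SAMPLE_EMAIL is constructed for the demo and reuses only the file name quoted in the eFax post above, with placeholder share path and token.

```python
"""Attachment and download-link triage (added example; not from the quoted posts).

classify_name() flags Unicode format controls (RTLO and friends), executable
extensions, and document words in the stem of an executable;
suspicious_links() finds file-sharing download links in message text and
triages the file name carried in the URL path.
"""
import re
import unicodedata
from urllib.parse import urlsplit, unquote

# Assumption: starter lists, not exhaustive.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
            "wsf", "hta", "cpl", "msi", "jar", "lnk"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}
SHARE_HOSTS = {"dl.dropboxusercontent.com", "www.dropbox.com", "dropbox.com"}
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def displayed_name(name):
    """Approximate how Explorer renders a name containing U+202E: the text
    after the control is drawn right-to-left, so 'Report\u202efdp.scr' shows
    as 'Reportrcs.pdf' while the real extension stays .scr."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + tail[::-1]


def classify_name(name):
    """Return the reasons a file name is suspicious; an empty list is clean."""
    reasons = []
    # Unicode format controls (category Cf) include the bidi overrides; none
    # of them belong in a legitimate file name.
    if any(unicodedata.category(ch) == "Cf" for ch in name):
        reasons.append("format/bidi control in name; displays as %r"
                       % displayed_name(name))
    clean = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    stem, _, ext = clean.lower().rpartition(".")
    if ext in EXEC_EXT:
        reasons.append("executable extension .%s" % ext)
        # 'Statement-pdf.scr' and 'Report.zip.scr' both name a document type in
        # the stem; with known extensions hidden that is all the user sees.
        doc_words = set(re.split(r"[-_.\s]+", stem)) & DOC_EXT
        if doc_words:
            reasons.append("document type %s in the name of an executable"
                           % ", ".join(sorted(doc_words)))
    return reasons


def suspicious_links(text):
    """Find file-sharing download links and triage the file they deliver."""
    hits = []
    for url in LINK_RE.findall(text):
        p = urlsplit(url)
        host = (p.hostname or "").lower()
        forced_download = "dl=1" in p.query.split("&")
        if host not in SHARE_HOSTS and not forced_download:
            continue
        filename = unquote(p.path.rsplit("/", 1)[-1])
        reasons = classify_name(filename)
        if filename.lower().endswith(".zip"):
            reasons.append("archive delivered via file-sharing link")
        hits.append({"url": url, "host": host, "file": filename,
                     "forced_download": forced_download, "reasons": reasons})
    return hits


# Constructed message body modelled on the eFax spam quoted above; the share
# path and token are placeholders, the file name is the one quoted there.
SAMPLE_EMAIL = """You have received a 1 page fax.
Click here to view this fax using your PDF reader:
https://dl.dropboxusercontent.com/s/EXAMPLETOKEN/Fax_938_391102933_1245561.zip?dl=1&token_hash=EXAMPLE
Our terms are at https://example.org/terms
"""

if __name__ == "__main__":
    for n in ["April_statement.pdf", "Statement-pdf.scr",
              "Credit_card_Report.zip.scr", "Report\u202efdp.scr"]:
        print(repr(n), "->", classify_name(n) or ["clean"])
    for hit in suspicious_links(SAMPLE_EMAIL):
        print(hit["file"], hit["forced_download"], hit["reasons"])
```

Run it on the names from a mail-gateway quarantine or on the contents of an archive attachment before anyone opens it. The check strips the control characters before looking at the extension, so a name that displays as ".pdf" is still judged by the ".scr" the OS will execute, which is exactly the gap the "show known file extensions" advice in the posts is trying to close.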



#1196 AplusWebMaster


Posted 30 May 2014 - 05:42 AM

FYI...

Fake HMRC Application – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 May 2014 - "HMRC Application – < your domain or company name > pretending to come from HMRC .gov.uk [application@ hmrc .gov.uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... The reference numbers and amounts change in each email. Email reads:
    Please print this information, sign and send to application@ hmrc .gov.uk.
    Date Created:     30 May 2014
    Business name:   thespykiller .co.uk
    Acknowledgement reference:  0220014
    VAT Registration Number is 0220014.
    Repayment of Input Tax
    Before the business starts to make taxable supplies they may provisionally claim repayment of VAT they are charged as input tax. The general rules about VAT, including Input Tax, Partial Exemption, are explained in VAT Notices 700 and 706, available on the HMRC website...
    Change of Circumstances
    If your client no longer intends to make taxable supplies, or there is any other change of circumstances affecting their VAT registration (including any delay in starting to make taxable supplies), they must notify HMRC within 30 days of the change...
    By law, your client must send their VAT returns to HMRC online and make any payments due electronically.
    Before they can submit VAT returns to HMRC online they’ll have to enrol for the VAT online service. Further information on how to do this can be found on the HMRC website
    If you will be completing and submitting the online VAT returns on your client’s behalf, you will have to enrol for the VAT for Agents online service and be authorised to act as their agent before you can do this...
    If you will be completing and submitting the online VAT returns on your client’s behalf, you will have to enrol for the VAT for Agents online service and be authorised to act as their agent before you can do this.
    To download a copy of the form, follow the link below...


30 May 2014: Application_0220014.zip ( 8KB)  Extracts to Application_05302014.scr
Current Virus total detections: 2/53* . This HMRC Application is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...725f7/analysis/
___

Fake Credit Card report - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 May 2014 - "Credit Card- Suspicious Recent Transactions is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear credit card holder,
A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused.
Please carefully review electronic report for your card. For more details please see the attached transaction report.
Chauncey.Burton Data Protection Officer CREDIT AMERICA LIMITED 1 Sheldon Square New York W2 6WH (858)433-5208...


30 May 2014: Credit_card_Report.zip (42kb) Extracts to Credit_card_Report.zip.scr
Current Virus total detections: 0/53* . Analysis: This Credit Card- Suspicious Recent Transactions  is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...f7f27/analysis/
___

Fake Electric Bill - Phish leads to Cryptolocker
- https://isc.sans.edu...l?storyid=18185
Last Updated: 2014-05-30 13:44:46 UTC - Phishing e-mail... claims to come from "Energy Australia", an actual Australian utility company, and the link leads to: hxxp ://energymar .com/ data/ electricity/ view/get/ energy.php ?eid=[long number] . Note the somewhat plausible domain name (energymar .com). The actual domain name for Energy Australia is "www .energyaustralia .com.au". The first screen presented to the user asks the user to solve a very simple CAPTCHA. This is likely put in place to hinder automatic analysis of the URL:
> https://isc.sans.edu... 7_21_55 AM.png
The layout of the page matches the original very well. Users are confronted with CAPTCHAs regularly in similar sites, so I doubt this will raise suspicion. Next, we are asked to download the file, again using a similar layout.
> https://isc.sans.edu... 7_21_45 AM.png
The "bill" itself is a ZIP file that includes a simple ZIP file that expands to an EXE. Virustotal shows spotty detection 15/53*:
*   https://www.virustot...8f875/analysis/
... Once downloaded and unzipped, the malware presents itself as a PDF... as soon as the malware is launched, it does reveal its true nature:
> https://isc.sans.edu... 8_49_22 AM.png
After launching the malware, the system connected via https to 151.248.118.193 (vps.regruhosting .ru)...."
151.248.118.193
- http://centralops.ne...ainDossier.aspx
role:           Reg.Ru Network Operations
address:        Russia, Moscow, Vassily Petushkova st., house 3, Office 326
remarks:        NOC e-mail: noc@ reg .ru
remarks: User support: support@ reg .ru ...
Information related to '151.248.118.0/24AS197695'...
Diagnostic page for AS197695 (REGRU)
- https://www.google.c...?site=AS:197695
"... over the past 90 days, 47 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... The last time Google tested a site on this network was on 2014-05-30, and the last time suspicious content was found was on 2014-05-30..."
___

New Trojan compiled from Zeus and Carberp ...
- http://atlas.arbor.n...index#424058024
29 May 2014
Source: http://securityintel...us-zbot-carberp
Analysis: It is not uncommon for attackers to take pieces of code from various malware, creating new variants of known threats. In particular, when source code of popular Trojans like Zeus and Carberp leaks, new variants quickly begin to appear, contributing to the rapidly evolving threat landscape. As antivirus solutions may -lag- behind newer forms of malware, additional security measures are needed to help detect such threats.


Edited by AplusWebMaster, 30 May 2014 - 01:33 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1197 AplusWebMaster


Posted 02 June 2014 - 03:59 AM

FYI...

Fake British Airways SPAM ...
- http://www.hoax-slay...d-malware.shtml
June 2, 2014 - "Email purporting to be from British Airways claims that your flight ticket has not been activated and asks you to open an attached file and fill in a form to complete the ticket activation... The email is -not- from British Airways. The attached .zip file hides a .exe file that, if opened, could install information-stealing malware on your computer...
> http://www.hoax-slay...d-malware-1.jpg
... The emails claim that your British Airways flight ticket has not yet been activated and advise you to open an attached file to complete a ticket activation form. The emails also claim that you can cancel your flight and request a refund via the attached form... The emails have no connection to British Airways. If you open the attached .zip file, you will find a .exe file hidden inside. Opening this .exe file can install malware on your computer. Once installed, the malware may collect your passwords and other sensitive personal data and send it to online criminals. It may also download and install further malware and allow criminals to control your computer... In recent years, similar malware campaigns have used the names of several airlines, including Delta Airlines, American Airlines, and Qantas... do not open any attachments that it contains. Do not click any links in the email..."
___

Molerats, here for Spring
- http://www.fireeye.c...for-spring.html
June 2, 2014 - "Between 29 April and 27 May, FireEye Labs identified several new Molerats attacks targeting at least one major U.S. financial institution and -multiple- European government organizations... Molerats activity has been tracked and expanded to a growing target list, which includes:
    Palestinian and Israeli surveillance targets
    Government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the U.S., and the UK
    The Office of the Quartet Representative
    The British Broadcasting Corporation (BBC)
    A major U.S. financial institution
    Multiple European government organizations
Previous Molerats campaigns have used several garden-variety, freely available backdoors such as CyberGate and Bifrost, but, most recently, we have observed them making use of the PIVY and Xtreme RATs. Previous campaigns made use of at least one of three observed -forged- Microsoft certificates, allowing security researchers to accurately tie together separate attacks even if the attacks used different backdoors. There also appears to be a habitual use of lures or decoy documents – in either English or Arabic-language – with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats’ flavor of the week..."
___

Ransomware now uses Windows PowerShell
- http://blog.trendmic...ows-powershell/
Jun 1, 2014 - "... We recently encountered another variant that used the Windows PowerShell feature in order to encrypt files. This variant is detected as TROJ_POSHCODER.A. Typically, cybercriminals and threat actors have used Windows Powershell to go undetected on an affected system, making detection and analysis harder... in this case, using PowerShell made it easier to detect as this malware is also hardcoded... Since it uses Powershell, TROJ_POSHCODER.A is script-based, which is not common for ransomware. It uses AES to encrypt the files, and RSA4096 public key cryptography to exchange the AES key. When executed, it adds registry entries, encrypts files, and renames them to (unknown).POSHCODER. It also drops UNLOCKYOURFILES.html into -every- folder. Once all files on the infected system are encrypted, it displays the following image:
Instructions on how users can -supposedly- retrieve their files
> http://blog.trendmic.../poshcoder1.png
Once users follow the instructions stated in the ‘ransom note,’ they will see the image below informing them to install the Multibit application that will allow them to have their own Bitcoin-wallet account for 1 Bitcoin. When they purchase the application, they are instructed to submit the form that contains information like email address, and BTC address and ID. Users will supposedly get the decryptor that will help encrypt the files.
Users need to fill this form...
> http://blog.trendmic.../poshcoder2.png
... POSHCODER uses English for its ransom notes and primarily affects users in the United States..."
___

USPS Spam delivering Asprox variant
- http://research.zsca...ik-variant.html
May 29, 2014 - "UPDATE: The botnet which is described here is called 'Asprox'. I've compared research with that seen from StopMalvertising*... Recent email spam has begun taking advantage of users' need to snail mail something. The attacker will forward a message supposedly from USPS in order to get victims to click on a link purported to be a shipping receipt, which actually leads to a malicious file. If the user is unfortunate enough to click the link in the spam mail, a zip file containing a variant of Asprox is downloaded.
> https://2.bp.blogspo...tp_download.png
Once the file makes its way onto the desktop, it feigns a document icon in order to trick the user into thinking it is safe to view. This is actually the malicious executable... VirusTotal scans**... Attackers are leveraging nonstandard HTTP ports in order to bypass some security solutions."
* http://stopmalvertis...ion-scheme.html

** https://www.virustot...b0416/analysis/


Edited by AplusWebMaster, 02 June 2014 - 05:00 AM.



#1198 AplusWebMaster


Posted 03 June 2014 - 04:00 AM

FYI...

Fake email with “Balance sheet” contains malicious .scr file
- http://blog.mxlab.eu..._sheet_pdf-zip/
June 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Balance sheet”. This email is sent from the spoofed address and has the following short body:

    Please save the attached file to your hard drive before deleting this message. Thank you.

The attached ZIP file has the name Balance_sheet_pdf.zip and contains the XXX kB large file Balance_sheet_pdf.scr. The trojan is known as Trojan.Ranapama.AU, W32/Trojan.APUP-2842, W32/Trojan3.INJ, HEUR/Malware.QVM20.Gen or Trojan.Cryptodefense. At the time of writing, 12 of the 51 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information..."
* https://www.virustot...617d3/analysis/

** https://malwr.com/an...GI1Y2Q1MTFiZGQ/

78.110.175.80: https://www.virustot...80/information/

85.214.32.141: https://www.virustot...41/information/


Edited by AplusWebMaster, 03 June 2014 - 05:15 AM.



#1199 AplusWebMaster


Posted 04 June 2014 - 06:39 AM

FYI...

Fake Amazon SPAM / order.zip
- http://blog.dynamoo....m-orderzip.html
4 June 2014 - "This fake Amazon spam has a malicious attachment:

Screenshot: https://4.bp.blogspo...600/amazon3.png

Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51*. Automated analysis tools... shows the malware altering system files and creating a -fake- csrss.exe and svhost.exe to run at startup. The malware also attempts to phone home to two IP addresses at 91.226.212.32 and 193.203.48.37 hosted in Russia but controlled by a Ukrainian person or entity PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following:
91.226.212.0/23
193.203.48.0/22
"
* https://www.virustot...sis/1401876273/

Diagnostic page for AS48031 (XSERVER-IP-NETWORK-AS)
- https://www.google.c...c?site=AS:48031
"Of the 1782 site(s) we tested on this network over the past 90 days, 26 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-06-03, and the last time suspicious content was found was on 2014-06-03... Over the past 90 days, we found 6 site(s)... that appeared to function as intermediaries for the infection of 15 other site(s)..."
___

Targeted Attack exploits - Japan ...
- http://blog.trendmic...-vulnerability/
June 4, 2014 - "... We recently uncovered a targeted attack campaign we dubbed as “ANTIFULAI” that targets both government agencies and private industries in Japan... Like many targeted attacks, ANTIFULAI uses several emails as entry vectors to get the attention of its would-be targets. In this particular case, the detected email posed as a job application inquiry with which a JTD file (Ichitaro RTF format) is attached. However, this file exploits an Ichitaro vulnerability (CVE-2013-5990*) detected as TROJ_TARODROP.FU. When exploited, this vulnerability allows arbitrary code to run on the infected system that is used to drop malicious files. The final payload is a backdoor detected as BKDR_FULAIRO.SM. Once run, this backdoor gathers the list of running processes, steals information, and downloads and executes files. The presence of the following files indicates the presence of this malware:
    %Startup%\AntiVir_Update.URL
    %Temp%\~Proc75c.DAT
Unusually, this malware “hides” its targets in the URL it uses to contact its command-and-control (C&C) servers. Threat actors can easily see if the targeted organization has been breached by checking the said URL... Network traffic is one of the ways IT administrators can check if their network has been hit by targeted attacks. This is why it is crucial for enterprises and large organizations to build threat intelligence capabilities. With these tools available to them, IT administrators can break a targeted attack cycle before it reaches the data exfiltration stage. In addition, enterprises are advised to regularly update their systems and applications as a security step in mitigating targeted attacks because old vulnerabilities are typically used in order to infiltrate a network..."
* https://web.nvd.nist...d=CVE-2013-5990 - 9.3 (HIGH)
___

FTC charges - selling Bogus Debt Relief Services ...
- http://www.ftc.gov/n...relief-services
June 3, 2014 - "The Federal Trade Commission charged an Irvine, California-based scheme with billing consumers as much as $10,000 after making deceptive claims that it would provide legal advice, settle consumers’ debts, and repair their credit in three years or less. Instead, the scheme often left consumers in financial ruin, the agency charged. The FTC alleged that the DebtPro 123 LLC defendants told consumers to stop paying and communicating with their creditors. As a result, although consumers hired the defendants in hopes of improving their financial situation, their debt often increased, causing them to lose their homes, have their wages garnished, lose their retirement savings, or file for bankruptcy, according to the complaint. Although the defendants promised to refund unsatisfied customers, they rarely did... Ringleader Bryan Taylor and three other individuals, along with DebtPro 123 and five other companies marketed their -bogus- debt relief services through telemarketing calls, website ads, promotional videos and marketing companies that acted as lead generators, according to the complaint. Promising that in as little as 18 months consumers could “become debt free and enjoy financial independence,” the defendants claimed their “Legal Department” would “leverage their existing relationships with all of the major creditors to negotiate the best possible resolution.” The defendants claimed that consumers could reduce the amount they owed by 30 to 70 percent. The complaint alleges that the defendants violated the Federal Trade Commission Act, the Telemarketing Sales Rule, and the Credit Repair Organizations Act, not only through their -false- promises, but also by providing their affiliate marketing companies with -deceptive- materials to deceive consumers and by collecting an advance fee for their bogus debt relief services. For more information about how to handle robocalls and debt relief offers, see Robocalls*, and Avoiding Debt Relief Scams**..."
* http://www.consumer....-0025-robocalls

** http://www.consumer....bt-relief-scams

FTC Summary - 2013 Financial Acts Enforcement and Related Research ...
- http://www.ftc.gov/n...rcement-related
June 3, 2014
___

Fake Facebook - Big W pages - "Prizes for Sharing"
- http://www.hoax-slay...laxy-scam.shtml
June 3, 2014 - "Facebook pages claiming to be associated with Australian department store chain Big W, advise users that they can win Dell computers, Samsung Galaxy phones, or other expensive prizes just by liking and sharing page posts... are -scams- and are -not- associated with Big W in any way. The -fake- pages are designed to gather large numbers of page likes and to trick users into participating in -bogus- online surveys. There are -no- prizes... do not like, share or comment on it... do -not- click any links that it contains. Example:
> http://www.hoax-slay...laxy-scam-2.jpg
... Some versions also ask users to click a link to claim their prize... You can help by reporting scam pages to Facebook..."
___

China escalating attack on Google
- http://www.nytimes.c...e-heats-up.html
June 2, 2014 - "The authorities in China have made Google’s services largely inaccessible in recent days, a move most likely related to the government’s broad efforts to stifle discussion of the 25th anniversary of the crackdown on pro-democracy demonstrators in Tiananmen Square on June 3 and 4, 1989. In addition to Google’s search engines being blocked, the company’s products, including Gmail, Calendar and Translate, have been affected..."
- http://www.reuters.c...N0EF0CA20140604
Jun 4, 2014
- http://www.reuters.c...deoId=313180863
Video 1:20


Edited by AplusWebMaster, 04 June 2014 - 02:04 PM.



#1200 AplusWebMaster


Posted 05 June 2014 - 06:59 AM

FYI...

Fake Netflix Cancellation - phish
- http://www.hoax-slay...hing-scam.shtml
June 5, 2014 - "Message purporting to be from video streaming service Netflix claims that, due to a payment issue, your account will be cancelled unless you click a link and update credit card details. The message is a phishing scam and Netflix did -not- send it. Clicking the link will take you to a fake Netflix website that asks for login credentials, credit card details, and other personal information. This information will be collected by criminals and used for credit card fraud and identity theft. Example:
> http://www.hoax-slay...hing-scam-1.jpg
Like many other users, you may have recently received an account cancellation message claiming to be from online video streaming service Netflix. The message claims that, because of a problem processing your credit card, you must click a link to update card details to keep your account active. However, the message is -not- from Netflix and you do -not- need to update credit card details as claimed. The message is a typical phishing scam..."
___

Fake email Fax msg - leads to malicious file on Dropbox
- http://blog.mxlab.eu...ile-on-dropbox/
June 5, 2014 - "... new trojan distribution campaign by email with the subject “Fax Message at 2014-05-06 08:55:55 EST”. This email is sent from the spoofed address “Fax Message <message@ inbound .efax .com>” and has the following body:

Screenshot: http://img.blog.mxla...xmessage_j2.gif

The embedded URL leads to hxxps ://www .dropbox .com/meta_dl/**SHORTENED**
The downloaded ZIP file has the name Fax-932971.zip and contains the 146 kB large file Fax-932971.scr. The trojan is known as PE:Malware.XPACK-HIE/Heur!1.9C48. At the time of writing, only 1 of the 51* AV engines did detect the trojan at Virus Total so this is a potential risk. Use the Virus Total permalink* and Malwr permalink** for more detailed information..."
* https://www.virustot...sis/1401979986/

** https://malwr.com/an...jQzNmY4NzkyOTc/

192.64.115.91: https://www.virustot...91/information/
5/52 2014-06-09 01:05:06 http ://newsbrontima .com/hcgaryuo4nuf
4/52 2014-06-08 09:42:07 http ://newsbrontima .com/
6/52 2014-06-07 11:18:52 http ://newsbrontima .com/9j3yr9i7zw477
6/52 2014-06-07 11:18:45 http ://newsbrontima .com/a98n76ah7609y
6/52 2014-06-07 11:18:44 http ://newsbrontima .com/z7ekevxgm20zdz

- http://centralops.ne...ainDossier.aspx
192.64.115.91
Registrar URL: http://www.godaddy.com
Registrar Abuse Contact Email: abuse@godaddy.com
Registrant Name: Registration Private - ?
Registrant Organization: Domains By Proxy, LLC
Registrant City: Scottsdale
Registrant State/Province: Arizona ..

efax Spam Containing Malware
- https://isc.sans.edu...l?storyid=18225
2014-06-08
> https://isc.sans.edu...Fax Message.PNG

- http://www.efax.com/...?tab=reportSpam
___

Hacking Apple ID?
- http://blog.trendmic...cking-apple-id/
June 5, 2014 - "... Apple’s 2014 Worldwide Developers Conference (WWDC) this week was welcome news to the throngs of Apple developers and enthusiasts. It was also welcome news for another group of people with less than clean motives: cybercriminals... How could users recover from this attack? One way would be to restore a backup from iTunes. Unfortunately, many – perhaps even most – iPhone users are not particularly fastidious about backing up. One could try restoring from iCloud as well, but that would involve logging in with the user’s Apple ID account – which has been compromised by this very attack. As in any case where a user’s account has been compromised, recovery can be very difficult. We will likely see more attacks trying to steal Apple ID moving forward. For example, we can see routers** with malicious DNS settings being used in man-in-the-middle attacks to try and steal credentials. Phishing attacks may increase as well. The value of a stolen Apple ID can only go up as more and more information is placed in it by users... Our advice is similar to those for any other credential that needs to be protected:
- Don’t reuse your password.
- Use a secure password/passphrase.
- Enable security features like two-factor authentication, if possible.
To be fair, some of these steps are harder to perform on a mobile device than a desktop or laptop. Entering a long password may be hard without a password manager (like DirectPass*), for example. Despite this increased difficulty, it has to be done: it is now clear that mobile device credentials – like Apple ID – are a valuable target for cybercriminals..."
* https://itunes.apple...d598904988?mt=8

** http://blog.trendmic...s-turn-hostile/

iCloud: https://www.apple.co.../setup/ios.html
___

dedicatedpool .com.. spam or Joe Job?
- http://blog.dynamoo....or-joe-job.html
5 June 2014 - "... received a number of spam emails mentioning a Bitcoin mining website dedicatedpool .com, subjects spotted are:
    Subject: Bitcoins are around you - don't miss the train!
    Subject: Dedicatedpool .com business proposal (Save up on taxes)
    Subject: Make money with darkcoin and bitcoin now! ...
... the pattern of the spam looks like a Joe Job* rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
1. The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
2. The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
3. Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.
In my opinion, the balance of probabilities is that this is not sent out by dedicatedpool .com themselves, but is sent out by someone wanting to disrupt their business.
Note 1: I have seen the following IPs as originating the spam..
188.54.89.107
92.83.156.130
31.192.3.89
37.99.127.11
87.109.78.213
"
* https://en.wikipedia.org/wiki/Joe_job
___

Scammers bait users with FIFA Coins
- http://blog.malwareb...ith-fifa-coins/
June 4, 2014 - "To all gamers and enthusiasts of FIFA 14: Please be wary of sites claiming to generate coins for you for nothing. As the saying goes — If it sounds too good to be true, it probably is. Recently, we found one such site: fifa14cheats(dot)cheathacktool(dot)com.
> http://cdn.blog.malw...aksforemail.png
Once visited, it asks for an email address, and then, if provided, lets users decide on how many coins they want handed to them.
> http://cdn.blog.malw...6/03-finito.png
After users press “Finish Hack”, they are then presented with a survey -scam- that, as we may already know, will eventually lead to zero coins. There are -still- users who do not know this and had to find out the hard way unfortunately..."


Edited by AplusWebMaster, 09 June 2014 - 04:25 AM.

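Several of the items above (the NatWest, HMRC and Credit Card zbot runs, the "Balance sheet" and Fax .scr files, the Amazon order.zip) rely on the same trick: an .scr or .exe whose name carries a document hint or an order-style number, shown by Explorer without its real extension. The triage logic below, an added example that is not code from any of the quoted blogs, flags those name patterns and PE binaries renamed to a document extension inside a ZIP attachment; all archive contents are constructed placeholders, not real samples.

```python
"""Flag mail attachments using the disguised-executable trick: a .scr/.exe whose
name ends in a document hint (Statement-pdf.scr, Credit_card_Report.zip.scr) or
an invoice/order-style number (order_id_26348273894729847239.exe).
Added triage example; archive contents below are constructed placeholders."""
import io
import re
import zipfile

# Windows runs these directly; Explorer hides the real extension by default,
# so "Statement-pdf.scr" is displayed as "Statement-pdf" with the embedded icon.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Extensions users expect to be harmless data files.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
# A document hint glued to the stem: "-pdf", "_pdf", ".zip" before the real extension.
FAKE_DOC_HINT = re.compile(r"[-_.](pdf|docx?|xlsx?|txt|zip|rtf)$")


def classify_name(filename):
    """Return a reason string when the name looks like a disguised executable, else None."""
    base = filename.rsplit("/", 1)[-1].lower()
    if "." not in base:
        return None
    stem, ext = base.rsplit(".", 1)
    ext = "." + ext
    if ext not in EXECUTABLE_EXTS:
        return None
    if FAKE_DOC_HINT.search(stem):
        return "executable %s posing as a document" % ext
    if re.search(r"\d{8,}", stem):  # order_id_26348273894729847239.exe style
        return "executable %s with invoice/order-style numeric name" % ext
    return "executable attachment %s" % ext


def content_mismatch(filename, data):
    """True when a document-named member actually begins with the PE 'MZ' header."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return ext in DOCUMENT_EXTS and data[:2] == b"MZ"


def scan_zip(zip_bytes, max_members=50, max_inner=10_000_000):
    """Inspect each ZIP member (one nested ZIP level at a time); return [(path, reason)]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            name = info.filename
            reason = classify_name(name)
            if reason:
                findings.append((name, reason))
                continue
            data = zf.read(name) if info.file_size <= max_inner else b""
            if content_mismatch(name, data):
                findings.append((name, "PE binary renamed to a document extension"))
            elif name.lower().endswith(".zip") and data:
                # The ISC "bill" was a ZIP wrapping a second ZIP that held the EXE.
                inner = scan_zip(data, max_members, max_inner)
                findings.extend((name + "/" + n, r) for n, r in inner)
    return findings


def build_zip(members):
    """Construct an in-memory ZIP from {name: bytes} (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the attachment names quoted in the posts above.
SAMPLES = {
    "Statement-pdf.zip": {"Statement-pdf.scr": b"MZ placeholder"},
    "Credit_card_Report.zip": {"Credit_card_Report.zip.scr": b"MZ placeholder"},
    "Balance_sheet_pdf.zip": {"Balance_sheet_pdf.scr": b"MZ placeholder"},
    "order.zip": {"order_id_26348273894729847239.exe": b"MZ placeholder"},
    "bill.zip": {"bill.zip": build_zip({"bill.exe": b"MZ placeholder"})},
    "renamed.zip": {"report.pdf": b"MZ placeholder"},
    "invoice.zip": {"invoice.pdf": b"%PDF-1.4 placeholder"},  # benign control
}


def triage(samples=SAMPLES):
    """Return {attachment: findings} for each constructed sample attachment."""
    return {name: scan_zip(build_zip(members)) for name, members in samples.items()}
```

A gateway would feed the real attachment bytes to scan_zip and quarantine anything with a non-empty result; the name checks alone catch every disguised sample above, and the MZ check catches a renamed binary even when the name looks clean.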
