SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1201 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 June 2014 - 03:58 AM

FYI...

Fake Invoice - xls malware
- http://myonlinesecur...ke-xls-malware/
6 June 2014 - "June Invoice with a subject line of inovice <random number> June is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Note the spelling mistake in the subject line of the email inovice 9667444 June rather than invoice. Email simply says:

    This email contains an invoice file attachment

6 June 2014: invoice_9667444.zip ( 49kb) : Extracts to June_invoice_7846935978.xls.exe
Current Virus total detections: 1/51*
This June Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper xls ( Microsoft excel spread sheet)  file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...b58a7/analysis/
___

Malicious major website ads lead to ransomware
Cisco said the attacks can be traced to advertisements on Disney, Facebook and The Guardian newspaper
- http://www.computerw...d_to_ransomware
June 6, 2014 - "Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found*... Cisco's investigation unraveled a technically complex and highly effective way for infecting large number of computers with ransomware, which it described in detail on its blog*... The company noticed that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers... many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as "apps.facebook .com," "awkwardfamilyphotos .com," "theguardian .co.uk" and "go .com," a Disney property, among many others. Certain advertisements that appeared on those domains, however, had been tampered with. If clicked, they redirected victims to one of the 90 domains. The style of attack, known as "malvertising," has long been a problem. Advertising networks have taken steps to try and detect malicious advertisements placed on their network, but the security checks aren't foolproof... The 90 domains the malicious advertisements pushed traffic to had also been hacked..."
* https://blogs.cisco....kit-strikes-oil
June 5, 2014 - "... we have seen RIG using malvertising to perform a drive-by attack on visitors to high profile, legitimate websites. This accounts for the high amount of traffic we have seen in the last month... Requests for RIG landing pages April 24 - May 22:
> http://blogs.cisco.c...art-550x314.png
___

Fake Pirate Bay uses tricks to push PUS
- http://www.f-secure....s/00002711.html
June 6, 2014 - "This is piratebay.com
> http://www.f-secure....ratebay_com.png
It's a cheap knockoff imitation of The Pirate Bay*. If you "search" for something — you'll be offered a custom named executable to download. Buried at the bottom of the page is this disclaimer:
> http://www.f-secure...._disclaimer.png
"Additional software may be offered to you"? Yeah… indeed it will. And the "decline" button is white text on gray on more gray. Very duplicitous.
> http://www.f-secure....p_discovery.png
In all, several applications are installed. Given the target audience, this probably takes advantage of kids. Lame. To be avoided..."
* http://en.wikipedia..../The_Pirate_Bay
___

Preying on Insecurity: Placebo Applications ...
- http://www.fireeye.c...amazon-com.html
June 4, 2014 - "FireEye mobile security researchers recently uncovered, and notified Google and Amazon to take down, a series of anti-virus and security configuration apps that were nothing more than scams. Written easily by a thieving developer with just a few hundred lines of code then covered with a facade of images and progress bars, the seemingly useful apps for Android’s operating environment charge for installation and upgrade but do nothing. In other words, placebo applications. Fortunately all the applications have been removed from the Google Play store due to our discovery. Up to 50,000 downloads in some cases, these -fake- apps highlight how cybercriminals are exploiting the security concerns consumers have about the Android platform. In this case, we found five (!) fake antivirus apps that do nothing other than take a security-conscious user’s money, leaves them unprotected from mobile threats, and earns a criminal thousands of dollars for little work... the paid versions of the apps were available for Google Play customers outside the US and UK, while users in the UK and US could choose the free versions with in-app upgrade options. Also available in third party markets such as appbrain.com[1] and amazon.com[2], the fraudulent apps ranged in price from free to $3.99. The applications included:
    Anti-Hacker PLUS (com.minaadib.antihackerplus) Price $3.99
    JU AntiVirus Pro (com.minaadib.juantiviruspro) Price $2.99
    Anti-Hacker (com.minaadib.antihacker) Free
    Me Web Secure (com.minaadib.mewebsecurefree) Free
    Me Web Secure Pro (com.minaadib.mewebsecure) Price $1.99
Taking full advantage of the legacy, signature-based approach mobile antivirus apps have adopted, that makes it hard for a user to tell if it really is working, total charges for these “security” apps ran into the thousands of US dollars in the Google Play store alone. This old security model puts users relying on such applications at risk, either because it incites them to download apps that simply don’t have functionality – as we see in this case – or they don’t provide adequate protection against today’s threats. Ultimately, users simply cannot tell when they are protected..."
___

Six governments tap Vodafone calls
- http://www.reuters.c...N0EH0UK20140606
Jun 6, 2014 - "The world's second-biggest mobile phone company Vodafone revealed government agencies in six unidentified countries use its network to listen to and record customers' calls, showing the scale of telecom eavesdropping around the world... While most governments needed legal notices to tap into customers' communications, there were six countries where that was not the case, it said... Vodafone did not name the six for legal reasons... The Vodafone report, which is incomplete because many governments will not allow it to disclose requests, also linked to already-published national data which showed Britain and Australia making hundreds of thousands of requests. It showed that of the countries in which it operates, EU member Italy made the most requests for communication data. Germany, which expressed outrage when it was revealed last year that U.S. intelligence services had listened into the calls of Angela Merkel, also made requests to listen in to conversations and collect the data around them, such as where the calls were made and how long they lasted. Vodafone received no requests from the government of the United States because it does not have an operating licence there. It exited a joint mobile venture with Verizon last year..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 07 June 2014 - 05:31 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1202 AplusWebMaster


Posted 08 June 2014 - 06:23 PM

FYI...

Fake Shell Oil Promo - Scam
- http://blog.malwareb...promo-419-scam/
June 8, 2014 - "From the spam traps, currently being sent out from a Gmail address:

HEAD OFFICE ADDRESS: PLOT 33, ABUBAKAR TAFAWA BALEWA WAY.
CENTRAL BUSINESS DISTRICT, CADASTRAL ZONE,
ABUJA, FEDERAL CAPITAL TERRITORY,
NIGERIA.
EMAIL: [snip]@ gmail .com
Cell Phone No: +[snip]
DEAR CUSTOMER,
How are you today? I am Dr. Emeka Emuwa, Director/Chief Executive Of
Union Bank PLC, I am delighted to inform you that this panel which
just concluded it’s seating today in Abuja just released your name
among the beneficiaries that has not received their payment, and this
time it has been approved to pay you via Diplomatic cash delivery or
through newly introduced ATM Master Card method, therefore indicate
your choice of receiving.
we have been mandated to pay you the sum of $10.5million from
international gaming board, which is your won prize money from Shell
oil promo that you won in the past 3years but fail to redeem it (your
prize money).
Warning: This will be the last time we will contact you in regards to
this transaction and you are hereby given 7 working days to claim your
won prize failure to claim your prize within the stipulated time will
amount to cancellation of your prize...


This is, of course, a 419 scam* and should be ignored (along with some of the slightly modified variants doing the rounds over the weekend). Note that the name they’re using to sign off with is a real person, in an attempt to bump up the authenticity quota. Despite this, there’s nothing genuine about the offer of large sums of cash and can safely be discarded. Here’s some tips for avoiding 419 scams, along with information on what to look out for. “If it sounds too good to be true…” "
* https://en.wikipedia.../wiki/419_scams
 

:ph34r: :ph34r:




#1203 AplusWebMaster


Posted 09 June 2014 - 09:21 AM

FYI...

Fake ACH report – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 June 2014 - "ACH transaction failure report is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers...     

ACH PAYMENT REJECTED
    The ACH Transaction (ID: 78751236216395), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
    Rejection Reason:  See details in the acttached report.
    Transaction Report:  report_78751236216395.pdf (Adobe Reader PDF)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


9 June 2014;  report_78751236216395.zip(310kb) : Extracts to report_46240876034052.scr
Current Virus total detections:  10/52* . This ACH transaction failure report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...5cd2d/analysis/
___

Fake inovice 2110254 SPAM
- http://blog.dynamoo....-june-spam.html
9 June 2014 - "This terse but badly-spelled spam has a malicious attachment:
    Date:      Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
    From:      Ladonna Gray [wtgipagw@ airtelbroadband .in]
    Subject:      inovice 2110254 June
    This email contains an invoice file attachment


Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52*. Automated analysis tools are not able to determine exactly what the malware does."
* https://www.virustot...sis/1402318500/
___

Barclays Phish - “For Security Purposes, Your Account has been Locked”
- http://blog.malwareb...barclays-phish/
June 9, 2014 - "... simple phishing email currently in circulation which claims to be from Barclays:
> http://cdn.blog.malw...claysphish0.jpg
It reads:
    For security purposes, your online account has been locked.
    To restore your account, please click : Sign into My Barclays Account and proceed with the verification process.


Clicking the link will take the victim to a page most likely hosted on a compromised website.
> http://cdn.blog.malw...laysphish11.jpg
It asks for name, 5 digit passcode, DOB, telephone passcode, account number, sort code and debit card number. After filling in the relevant information and sending it to the phisher, the victim is redirected to a (legitimate) Barclays page about mortgages. If you or someone you know falls for this one, be sure to contact your bank as soon as possible so they can take the appropriate action. Phishing emails tend to have a little more effort put into them than this one, but the -fake- Barclays page is about as good as any other in terms of looking like the real thing. As always, avoid."
____

- http://msmvps.com/bl...on-android.aspx
Jun 8, 2014 - "... The best patching tool is still the human brain. Did you expect that email? Is it wise to open that attachment?
The bad guys know we have a hard time patching the human."
S. Bradley
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 09 June 2014 - 03:07 PM.



#1204 AplusWebMaster


Posted 10 June 2014 - 04:01 AM

FYI...

Fake Company Tax Return – PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 June 2014 - "Company Tax Return – CT600_4938297 June is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:

    This email contains an Company Tax Return form file attachment

10 June 2014: invoice_4938297.zip (55kb)  Extracts to CT600_june_4323432432.pdf.exe
Current Virus total detections: 1/52* . This Company Tax Return – CT600_4938297 June is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...ce389/analysis/
___

Fake Voice mail SPAM - downloads malware from Dropbox
- http://blog.dynamoo....-mail-spam.html
10 June 2014 - "Another -fake- voice message spam, and another malware attack downloading from Dropbox.
    From:     Microsoft Outlook [no-reply@ victimdomain]
    Date:     10 June 2014 15:05
    Subject:     You have received a voice mail
    You received a voice mail : VOICE437-349-3989.wav (29 KB)
    Caller-Id: 437-349-3989
    Message-Id: U7C7CI
    Email-Id: [redacted]
    Download and extract the attachment to listen the message.
    We have uploaded fax report on dropbox, please use the following link to download your file:
    https ://www.dropbox .com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
    Sent by Microsoft Exchange Server


The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52*. Automated analysis... indicates that it downloads files from the following domains..."
* https://www.virustot...sis/1402407401/

Dropbox phishing: Cryptowall, Bitcoins, and You
- http://phishme.com/i...itcoins/#update
Updated June 10 - "... the attackers have changed their tactics... the email is disguised as a voicemail notification..."
- http://phishme.com/b...-dropbox-links/
June 2, 2014
___

News Headlines for KULUOZ SPAM ...
- http://blog.trendmic...spam-campaigns/
June 10, 2014 - "Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy... a malware that is distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system, as well as have the potential to turn that system into a part of the Asprox botnet itself... Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets...How they leverage the headlines themselves is relatively simple, and typical of a spam attack: they copy the headline and part of the news article from the news website and implement it into the mail itself, in order to make itself look legitimate to the user as well as bypass spam filters. It seems that this malware also used CNN and BBC News as sources of news clip snippets, incorporated in their spam runs.
KULUOZ spam sample with “Knife attack at South China Station”
> http://blog.trendmic...09comment01.jpg
... we found that the spam email itself retains the previous template of shipping notifications, including that of Fedex and United States Postal Service.
KULUOZ spam sample with “Thai Coup news item”
> http://blog.trendmic...09comment02.jpg
... this may seem like a typical spam run that takes news headlines in order to bypass spam filters (as well as trick users into reading them), it’s to note that the malware being used can compromise the security of unsecured systems should it be allowed to take root. The continued use of news headlines is also something to bear in mind, in that it is proof that as long as there is news to talk about, there will be threats that take advantage of them..."
___

Corporate cyber-espionage ...
Internet postings link a Chinese hacking group to a military unit
- https://www.computer...cyber_espionage
June 9, 2014

- http://resources.cro...om/putterpanda/
June 9, 2014 - "Putter Panda is a cyber espionage actor that conducts operations from Shanghai, China, likely on behalf of the Chinese People’s Liberation Army (PLA) 3rd Department 12th Bureau Unit 61486. The PLA’s General Staff Division (GSD) Third Department appears to be China’s primary SIGINT collection and analysis agency. The 12th Bureau, Unit 61486, headquartered in Shanghai’s Chabei District, supports China’s space surveillance network. They are a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications. The group has been operating since at least 2007 and has been observed heavily targeting the US Defense and European satellite and aerospace industries. They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks. CrowdStrike identified Chen Ping, aka cpyy, a suspected member of the PLA responsible for procurement of the domains associated with operations conducted by Putter Panda."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 11 June 2014 - 03:37 AM.



#1205 AplusWebMaster


Posted 11 June 2014 - 03:55 AM

FYI...

Fake Invoice/Billing SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 June 2014 - "Focus Accounts Electronic Invoice and Billing Information for FC4800 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:

Please find attached your May Invoice and, if you have requested them, additional reports relating to the call and line charges on this bill.
Don’t Forget – We provide a host of other products and services including:
Telephone Systems & Maintenance (both traditional and VoIP)
Office Cabling (Cat5)
IT Support & Maintenance, IT Equipment & Installation
Cloud Computing, Hosted Solutions, Data Backup & Antivirus
Broadband, FTTC, EFM, MPLS & Leased Lines
Mobile Phones & Mobile Broadband
Non-Geographic Numbers (0800, 0845, 0844, 0871)
Inbound and Call Centre Solutions
Web Design & Hosting, Search Engine Optimisation (SEO)
Gas & Electricity Procurement
If you have any problems opening the file(s), or would like to discuss your bill, please call us or reply to this email.
Kind Regards,
Focus Billing.


11 June 2014 : 211852.zip ( 57kb) : Extracts to report_92da3ec16736842.pdf.exe:
Current Virus total detections: 2/53* . This Focus Accounts is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...20110/analysis/
___

Fake RBS SPAM spreads malware via Cubby .com
- http://blog.dynamoo....alware-via.html
11 June 2014 - "This -fake- bank spam downloads malware from file sharing site cubby .com:
    From:     Sammie Aaron [Sammie@ rbs .com]
    Date:     11 June 2014 12:20
    Subject:     Important Docs
    Please review attached documents regarding your account.
    To view/download your documents please click here
    Tel:  01322 215660
    Fax: 01322 796957
    email: Sammie@ rbs .com
    This information is classified as Confidential unless otherwise stated. 



The download location is [donotclick]www .cubby .com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54*. Automated analysis... shows that it creates a file with the disincentive name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)
"
* https://www.virustot...sis/1402490061/
___

Fake Booking .com email - attached ZIP file contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 11, 2014 - "... new trojan distribution campaign by email with the subject 'Reservation for Thursday, June 12, 2014 BN_4914940'...

Screenshot: http://img.blog.mxla...g_com_virus.gif

The attached ZIP file has the name BN_4914940.zip and contains the 95 kB large file report_92da3ec16736842.pdf.exe. Please note that the numbers in the subject, message or attachment may vary with each email. The trojan is known as PWSZbot-FXE!3B53E958ECF1  or TrojanSpy.Zbot.herw. At the time of writing, 2 of the 51* AV engines did detect the trojan at Virus Total... Remove the email immediately from your computer. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustot...sis/1402480105/

** https://malwr.com/an...jQ4MmVlOWMzOWY/
 

:ph34r:  <_<


Edited by AplusWebMaster, 11 June 2014 - 11:54 AM.

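Several of the posts above (the fake invoice, ACH report, Company Tax Return, Focus Billing and Booking .com mails) rely on the same trick: an .exe or .scr inside a ZIP whose name ends in .xls or .pdf, so that Windows with "hide extensions for known file types" on shows it as a document. The Python below, added here as an example and not code from the forum or the quoted blogs, screens the members of a ZIP attachment for that pattern using the attachment names quoted in the posts; the extension sets and the sample archive are constructed for this example.

```python
"""Screen e-mail ZIP attachments for icon-spoofing / double-extension executables."""
import io
import re
import zipfile

# Extensions Windows runs directly on double-click (constructed list for this
# example; extend it for your own environment).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jse", "wsf"}
# Document types whose icons the spoofed droppers in the posts above imitate.
DOCUMENT_EXTENSIONS = {"xls", "xlsx", "doc", "docx", "pdf", "wav", "txt"}

# A document "hint" glued onto the executable's stem, e.g. "invoice_..._pdf.exe".
_HINT_RE = re.compile(r"[_-](pdf|xls|doc|txt)$")


def displayed_name(filename: str) -> str:
    """Name as Windows Explorer shows it with 'Hide extensions for known file
    types' enabled: the final extension is dropped when it is a known type, so
    'CT600_june_4323432432.pdf.exe' is displayed as 'CT600_june_4323432432.pdf'."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS:
        return stem
    return filename


def classify_attachment(filename: str):
    """Return (verdict, reason) for one member name; verdict is
    'allow', 'block' or 'review'."""
    name = filename.rsplit("/", 1)[-1].lower()  # ignore any folder inside the ZIP
    parts = name.split(".")
    if len(parts) < 2:
        return ("review", "no extension")
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return ("allow", f".{ext} is not directly executable")
    inner = parts[-2]
    if len(parts) > 2 and inner in DOCUMENT_EXTENSIONS:
        return ("block", f"executable disguised as .{inner} (double extension)")
    hint = _HINT_RE.search(inner)
    if hint:
        return ("block", f"executable with '{hint.group(1)}' hint in its name")
    return ("block", f"executable attachment (.{ext})")


def screen_zip(zip_bytes: bytes):
    """Screen every file in an in-memory ZIP attachment.
    Returns a list of (member_name, displayed_name, verdict, reason)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = classify_attachment(info.filename)
            results.append((info.filename, displayed_name(info.filename), verdict, reason))
    return results


def attachment_is_safe(zip_bytes: bytes) -> bool:
    """True only when no member of the archive was blocked."""
    return all(verdict != "block" for _, _, verdict, _ in screen_zip(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed sample archive reusing the attachment names quoted in the
    posts above; member contents are placeholder text, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("June_invoice_7846935978.xls.exe", "placeholder")
        zf.writestr("report_46240876034052.scr", "placeholder")
        zf.writestr("invoice_98372342598730_pdf.exe", "placeholder")
        zf.writestr("genuine_statement.pdf", "placeholder")  # benign control
    return buf.getvalue()


if __name__ == "__main__":
    for member, shown, verdict, reason in screen_zip(build_sample_zip()):
        print(f"{verdict:6} {member:36} shown as {shown!r}: {reason}")
```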


#1206 AplusWebMaster


Posted 12 June 2014 - 04:08 AM

FYI...

pcwelt .de hacked - serving Angler EK on 91.121.51.237
- http://blog.dynamoo....9112151237.html
12 June 2014 - "The forum of popular German IT news site pcwelt .de has been -hacked- and is sending visitors to the Angler exploit kit. Visitors to the forum are loading up a compromised script hxxp ://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js which contains some Base64 obfuscated malicious code... which uses a date-based DGA (domain generation algorithm) to direct visitors to a URL with the following format:
[7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]
The .pw domain contains Base64 encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting .net:2980/meuu5z7b3w.php ... which is hosted on 91.121.51.237 (OVH, France). This appears to be the Angler EK...
Recommended blocklist:

(and if you can block all .pw domains then it is probably worth doing that too)...
(More detail and lists at the dynamoo URL above.)
Thanks to the #MalwareMustDie crew* and Steven Burn for help with this analysis."
* https://twitter.com/...ustDie?src=hash
___

Fake World Cup 2014 apps ...
- http://blog.trendmic...-cup-2014-apps/
June 12, 2014 - "... Besides recently flooding the internet with phishing scams and the taking down of two Brazilian government sites by hacktivists (the Sao Paulo Military Police website and the official World Cup 2014 Brazil website), cybercriminals are also targeting the mobile scene with scads of World Cup-themed mobile malware - more than 375 of them already at last count. We found these malicious apps lurking in unauthorized/third party app download stores, just waiting for users to install them on their mobile devices. Upon analysis, we found that the bulk of the malware in question are variants of prevalent mobile malware families... the remote server the apps connect to has 66 different domains, with each domain -spoofing- famous websites like MtGox .com...
Fake World Cup game apps:
> http://blog.trendmic...6/football4.jpg
.
> http://blog.trendmic...6/football5.jpg
... We also found that the C&C servers in question were also used to host third-party app download websites, where most apps are repacked with advertisements and information theft routines... Some football betting apps have also been found leaking information without user notification, as well as blatant security risks in their micropayment process. We advise users to be very careful with their financial and personal information when using these apps (or not to use them at all). Besides these malware, we also found quite a few high-risk apps also themed after the World Cup. Most, if not all, sport some sort of information theft routine, as well as pushing ad notifications/unwanted app advertisements. While it may be a fact of life that big sporting events like these will inevitably have some sort of cybercriminal attack or campaign following close behind, being a victim of them isn’t..."
___

Malwarebytes anti-exploits service protects Windows XP users from attacks
Covers popular targets including Microsoft Office, Java and Adobe
- http://www.theinquir...rs-from-attacks
Jun 12 2014 - "... Malwarebytes has launched anti-exploit services* to protect Windows users from hacking attacks on vulnerabilities in popular targets including Microsoft Office, Adobe software products and Java, a service which even offers protection for Windows XP users. Consumer, Premium and Corporate versions of the service are available, and are designed to pre-emptively stop hackers from infecting Windows machines with malware... The Consumer version of the anti-exploit service is free and offers basic browser and Java protection..."
* http://blog.malwareb...s-anti-exploit/

- http://www.malwareby...rg/antiexploit/
"... Malwarebytes Anti-Exploit wraps three layers of security around popular browsers and applications, preventing exploits from compromising vulnerable code. Not an antivirus, but compatible with most antivirus, Malwarebytes Anti-Exploit is a small, specialized shield designed to protect you against one of the most dangerous forms of malware attacks. And it’s free."

Download: http://downloads.mal...s.org/file/mbae
___

Fake emails using false Intuit email address
- https://security.int...alert.php?a=106
6/11/2014 - "People are receiving fake emails claiming to be from Intuit - that are advertisement emails for services, such as auto and air conditioning repair. These emails are using a fake email address indicating they are coming from Intuit. These emails are -not- from Intuit and the email address "info @ intuit .com" is -not- an Intuit email address.
Steps to Take Now:
> Do not open the attachment in the email...
> Delete the email.

On the Internet, "phishing" refers to criminal activity that attempts to fraudulently obtain sensitive information...
 

:ph34r: :ph34r: :ph34r:


Edited by AplusWebMaster, 12 June 2014 - 12:40 PM.



#1207 AplusWebMaster


Posted 13 June 2014 - 05:00 AM

FYI...

Something evil on 64.202.123.43 and 64.202.123.44
- http://blog.dynamoo....212343-and.html
13 June 2014 - "This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it. The source of the infection seems to be a -malvertisement- on one of those sites with an immensely complicated set of scripts running on all sort of different sites, including those low-grade ad networks that have a reputation for not giving a dayam about what their advertisers are doing. In this case, the visitor gets directed to a page at 12ljeot1.wdelab .com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving. What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services. A bit of investigation shows that this malware is hosted on a pair of servers at 64.202.123.43 and 64.202.123.44 (HostForWeb, US), and despite that bad guys efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report* shows indications of the Fiesta EK. The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot six domains being abused:
theholdens .org
denytech .com
jonmills .org
wdelab .com
dimatur .pt
hebel .ch
A full list of the subdomains that I have found so far can be found here [pastebin]**.
A look at the 64.202.123.0/24 block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this whole range. Else, I would recommend the following minimum blocklist:
64.202.123.43
64.202.123.44
theholdens .org
denytech .com
jonmills .org
wdelab .com
dimatur .pt
hebel .ch
"
1] https://www.virustot...43/information/

2] https://www.virustot...44/information/

3] http://urlquery.net/...14-06-13&max=50

* http://urlquery.net/...d=1402529850112

** http://pastebin.com/S4Ek7tcb
___

Something suspect on 38.84.134.0/24
- http://blog.dynamoo....3884134024.html
13 June 2014 - "This attack (assuming it is an attack) revolves around a bunch of domains hosted in 38.84.134.0/24 (HostZealot, UK). It starts when a visitor visits the website click-and-trip .com hosted on 38.84.134.46 which purports to be some sort of hotel reservation system.
> https://4.bp.blogspo...ck-and-trip.jpg
However, this URLquery report* also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In the case of the report, the landing page is [donotclick]asasas .eu/yo416f8/counter.php?id=5 on 38.84.134.171 but this is one of those cases where the landing page seems to change quickly... We can also check the IP's reputation at VirusTotal** and it doesn't look great. However, if we extend a look to neighbouring servers, we can see a similar pattern of domains all the way from 38.84.134.162 to 38.84.134.171... A look at all the hosts I can find in this range... show nothing of value, and a load of cybersquatting and spam sites. On balance, I think that blocking the entire 38.84.134.0/24 range may be prudent, even if it is hard to tell exactly what is going on here."
(More detail at the dynamoo URL above.)
* http://urlquery.net/...d=1402655467225

** https://www.virustot...71/information/
___

"Equity Investment Limited" lottery scam - still around after more than a decade
- http://blog.dynamoo....ttery-scam.html
13 June 2014 - "... a non-existent UK National Lottery / FIFA Brazil 2014 World Cup scam..
> https://1.bp.blogspo...FICATIONJPG.JPG
The scam is purportedly from a "Mrs Hilda Adams" and references a -fake- company:
Equity Investment Limited
132 Blackburn Road
Bolton
BL7 9RP
England
UK
Tel: 00447924556231
Email: uklclaims@ mail .com
Some key parts of the email are:
Reference: EKS255125600304
Ticket number: 034-1416-4612750
But search for "Equity Investment Limited" on just about any search engine and the first hit you will get is an article I wrote way back in 2003* about a lottery scam using a company of exactly the same name. The email address is a throwaway free email account, the telephone number looks like it is British but in fact it is a forwarding number provided by Cloud9** which could potentially forward calls to anywhere in the world. This type of "follow me anywhere" number is often abused by scammers. As for the address.. well, it's unlikely that whoever lives at that address is anything to do with this at all. Luckily, most people who run lottery scams have the intelligence of a box of rocks. And it seems that quite a few of their victims have heard of a thing called a search engine.."
* http://www.dynamoo.c...ment_org_uk.htm

** https://en.wikipedia.org/wiki/Cloud9

Labels: 419, Advanced Fee Fraud, Lottery Scam, Spam
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 13 June 2014 - 10:03 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
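The dynamoo blocklist quoted in the post above (two host IPs, six hijacked domains, and optionally the whole 64.202.123.0/24) is only useful once it is actually matched against traffic. The following is an added example, not code from the forum post or from dynamoo: a small Python matcher that runs the blocklist over proxy-style log lines. The log lines and their field layout (timestamp, client, method, URL, destination IP) are constructed for illustration; the blocklist entries are the ones from the post, written without the defanging spaces. Because the post notes that the attackers rotate throwaway subdomains under the hijacked domains, the domain check matches any subdomain as well as the bare domain.

```python
"""Match proxy log lines against the blocklist from the dynamoo post.

Added example; the SAMPLE_LOG lines and their format are constructed.
"""
import ipaddress
import re

# Entries from the post (minimum blocklist). STRICT_RANGE is the optional
# "high-security" /24 the post mentions; it is only applied when strict=True.
BLOCKLIST_IPS = {"64.202.123.43", "64.202.123.44"}
BLOCKLIST_DOMAINS = ["theholdens.org", "denytech.com", "jonmills.org",
                     "wdelab.com", "dimatur.pt", "hebel.ch"]
STRICT_RANGE = ipaddress.ip_network("64.202.123.0/24")

# Constructed sample log: "<epoch> <client> <method> <url> <dest_ip>".
# Line 1 mirrors the path quoted in the post; line 3 is in the /24 but not
# on the minimum list; line 2 is benign traffic.
SAMPLE_LOG = """\
1402650001.123 10.0.0.5 GET http://12ljeot1.wdelab.com/ijvdg2k/2 64.202.123.43
1402650002.456 10.0.0.7 GET http://www.example.com/index.html 93.184.216.34
1402650003.789 10.0.0.9 GET http://cdn.example.net/a.js 64.202.123.100
1402650004.012 10.0.0.5 GET http://hebel.ch/ 64.202.123.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dest>\S+)$"
)


def parse_line(line):
    """Split one constructed log line into its fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_from_url(url):
    """Extract the lowercase host name from a URL (scheme and port stripped)."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def domain_blocked(host):
    """True if host is a listed domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST_DOMAINS)


def ip_blocked(dest, strict=False):
    """True if dest is a listed IP, or (strict only) anywhere in the /24."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False
    if str(addr) in BLOCKLIST_IPS:
        return True
    return strict and addr in STRICT_RANGE


def scan_log(text, strict=False):
    """Return one hit per log line that touches the blocklist, with reasons."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_from_url(rec["url"])
        reasons = []
        if domain_blocked(host):
            reasons.append("domain:" + host)
        if ip_blocked(rec["dest"], strict):
            reasons.append("ip:" + rec["dest"])
        if reasons:
            hits.append({"client": rec["client"], "host": host,
                         "dest": rec["dest"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, strict=True):
        print(hit["client"], hit["host"], hit["dest"], hit["reasons"])
```

With the default (minimum) list the sample produces two hits, both on the listed hosts; with `strict=True` the third line is also caught because its destination falls inside 64.202.123.0/24, which is the trade-off the post describes between the minimum list and blocking the whole range.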


#1208 AplusWebMaster


Posted 16 June 2014 - 12:11 PM

FYI...

Fake Simply Business SPAM – malware
- http://myonlinesecur...2715xb-malware/
16 June 2014 - "'Please fill in your Employer Reference Number, policy – MQBI352715XB' pretending to come from Simply Business insurance company is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This set of emails with the subject of 'Please fill in your Employer Reference Number, policy – MQBI352715XB < numbers vary>' is targeted at employers and small business rather than consumers. I cannot get any payload or malware. The links all lead to -compromised- websites or servers and all go to pages called hxxp ://<  name of website >/err_log/sub/activate.html where a simple script -bounces- you on to hxxp :// 62.76.44.211 :8080/inbound.php which at this time is not responding. We believe this is likely to be one of the -exploit- kits that will attempt to install cryptowall on your computer, if you have a -vulnerable- version of Java, Flash, Adobe PDF reader or Microsoft Silverlight... The email looks like:
    You’re receiving this important service message as a Simply Business customer with Employers’ Liability insurance
    View it in your browser ...

[See image at the myonlinesecurity URL above.]

... look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."

- http://centralops.ne...ainDossier.aspx
62.76.40.0 - 62.76.47.255
descr:          IT House, Ltd
country:        RU ...
address:        195427, St. Petersburg, Russia
route:          62.76.40.0/21
descr:          IT House, Ltd
origin:         AS48172 ...

- https://www.google.c...c?site=AS:48172
"... over the past 90 days, 163 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-06-16, and the last time suspicious content was found was on 2014-06-16... Over the past 90 days, we found 35 site(s).. that appeared to function as intermediaries for the infection of 171 other site(s)... We found 26 site(s)... that infected 310 other site(s)..."
___

Hacks steal Dominos Pizza customer data in Europe, ransom sought
- http://www.reuters.c...N0ER1TF20140616
Jun 16, 2014 - "Hackers have stolen data on more than 600,000 Dominos Pizza Inc customers in Belgium and France, the pizza delivery company said, and an anonymous Twitter user threatened to publish the data unless the company pays a cash ransom. Customer names, delivery addresses, phone numbers, email addresses and passwords were taken from a server used in an online ordering system that the company is in the process of replacing, Dominos spokesman Chris Brandon said on Monday. He said he did not know if the stolen passwords had been encrypted. A Tweet directed at Domino's customers through an account of somebody listed as "Rex Mundi" said hackers would publish the customer data on the Internet unless the company pays 30,000 euros ($40,800), according to an article in The Telegraph. The Rex Mundi account was later suspended. Brandon said he was not familiar with the ransom demands, but that the company would not be making any such payment..."
Edited by AplusWebMaster, 16 June 2014 - 12:29 PM.



#1209 AplusWebMaster


Posted 17 June 2014 - 03:58 AM

FYI...

New banker trojan - Dyreza / delivered by SPAM
- https://www.csis.dk/en/csis/news/4262/
2014-06-16 - "We have been analyzing a new piece of banking malware, which is targeting some major online banking services. Among many, we have verified the following to be on the target list:
Bank of America
Natwest
Citibank
RBS
Ulsterbank

The code is designed to work similar to ZeuS and as most online banking threats it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data at any point an infected user connects to the targets specified in the malware. The malware is being delivered through -spam- campaigns. We have seen various subjects such as: "Your FED TAX payment ID [random number]" and "RE: Invoice #[random number]". The primary target appears to be the UK. We have seen RBS to be a specific target with the content:
"Please review attached documents regarding your account
To view/download your documents please click here
Tel: 01322 247616
Fax: 01322 202705
email: Leonel@ rbs .com
This information is classified as Confidential unless otherwise stated."


The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA * ... Our intel shows that the group behind these attacks is likely to push/distribute a new campaign as a "Flash Player update". Still it's unclear if this is provided as a "Crime as a Service" or if it's a full circle criminal outfit. We believe this is a new banker trojan family and not yet another offspring from the ZeuS source code. CSIS would like to credit the following blog/analysis:
- http://phishme.com/p...s-bypasses-ssl/ "
"... block the IPs 85.25.148.6, 217.12.207.151, and 192.99.6.61 ..."

* https://en.wikipedia..._authentication

- https://www.computer...malware_emerges
June 17, 2014
___

Fake Voicemail recived - malware exploit
- http://myonlinesecur...alware-exploit/
17 June 2014 - "... from Yesterday's Simply Business attack we have the same attack with a subject New voicemail recived pretending to come from YouMail which is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... we are unable to get any malware payload from it... Email looks like:

Screenshot: https://encrypted-tb...X9hcV0N81l7ftlL
... You have received a Voicemail. Follow the link below to listen to it

... these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day... make sure you have “show known file extensions enabled“... look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
___

Spamvertised ‘June invoice” themed emails lead to malware
- http://www.webroot.c...s-lead-malware/
June 17, 2014 - "Cybercriminals continue spamvertising tens of thousands of malicious emails on their way to socially engineer gullible end users, ultimately increasing their botnet’s infected population... recently intercepted a currently circulating malicious campaign enticing users into executing the fake attachment. Detection rate for a sampled malware: MD5: 8b54dedf5acc19a4e9060f0be384c74d – detected by 43 out of 54 antivirus scanners* as Backdoor.Win32.Androm.elwa... Once executed MD5: 8b54dedf5acc19a4e9060f0be384c74d** ...
It then phones back to the following C&C servers:
hxxp ://62.76.189.58 :8080/dron/ge.php
hxxp ://62.76.41.73 :8080/tst/b_cr.exe
62.76.41.73
62.76.185.30
95.101.0.115

... Detection rate for the dropped sample: MD5: 596ba17393b18b8432cd14a127d7c6e2 – detected by 36 out of 54 antivirus scanners as Trojan-Spy.Win32.Zbot.tfdc ... Related malicious MD5s known to have phoned back to the same C&C server (62.76.41.73) ... Related malicious MD5s known to have phoned back to the same C&C server (95.101.0.115) ..."
* https://www.virustot...sis/1403011569/
"... invoice_pdf.exe ..."

** https://www.virustot...1908d/analysis/

*** https://www.virustot...f68a2/analysis/

62.76.189.58: https://www.virustot...58/information/
62.76.41.73: https://www.virustot...73/information/
62.76.185.30: https://www.virustot...30/information/
95.101.0.115: https://www.virustot...15/information/
___

Fake Virgin Media SPAM - malware exploit
- http://myonlinesecur...alware-exploit/
17 June 2014 - "... Virgin Media Automated Billing Reminder pretending to come from Virgin Media Online Services [billing@ virginmedia .com] is another one from the current bot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Once again we are unable to get any malware payload from it because the sites insist on some vulnerable software which we don’t have installed. There is an alternative version spreading with a subject of British Gas bill payment. pretending to come from British Gas [services@ britishgas .co.uk] but with exactly the same virgin media email. Email looks like:

Virgin Media Automated Billing Reminder
> https://t2.gstatic.c...n Media Web.jpg
Date 17th June 2014
This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:
    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address.
Login  to e-Billing
Once logged in you will need to fill in the required fields, please ensure all address and contact details are up to date, once submitted your account details will automatically be updated within 24 Hours.
Kind Regards,
Virgin Media
Customer Services Team
Ellis Willis


All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... make sure you have “show known file extensions enabled“... If it says .EXE then it is a problem and should -not- be run or opened."
Edited by AplusWebMaster, 17 June 2014 - 01:58 PM.



#1210 AplusWebMaster


Posted 18 June 2014 - 04:37 AM

FYI...

Fake Customer Daily Statement - XLS malware
- http://myonlinesecur...ke-xls-malware/
18 June 2014 - "Customer Daily Statement pretending to come from Berkeley Futures Limited [trade@bfl.co.uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... This email has a zip attachment that requires you to use the password in the body of the email to open the zip file ( hopefully this will slow down & make you think and help protect you). The zip contains 2 files: what appears to be a genuine PDF statement and a file suggesting it is a Microsoft XLS ( Excel) file which is in fact a renamed .exe malware. Email reads:

    Attached is your daily statement and payment request form for May 2014.
    Please fulfill payment request form and send it back. The attached zip archive is secured with personal password.
    Password: XL6Fs#
    Berkeley On-line and Berkeley Equities are trading names of Berkeley Futures Limited. Berkeley Futures Limited is authorised and regulated by the Financial Conduct Authority (Registered no. 114159) © 2012 Berkeley Futures Limited


18 June 2014: XCU01.zip : Extracts to   request_form_8943540512.xls.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1403073130/
___

Pinterest and Tumblr Accounts Compromised to Spread Diet Pill Spam
- http://www.symantec....-diet-pill-spam
Updated: 18 Jun 2014 - "Over the weekend, a large number of Pinterest accounts were compromised and used to pin links to a miracle diet pill spam called Garcinia Cambogia Extract. Since most of the compromised accounts were linked to Twitter, these spam “pins” on Pinterest were also cross-posted to Twitter... The main reason spammers go through all of these hoops is to evade spam filters on social networks. On Pinterest, plenty of users pin posts from Tumblr blogs. On Tumblr, a redirect script called 'tumblr-redirect.js' hosted on Dropbox is inserted into each Tumblr page.
Are Twitter accounts compromised?
It does not appear so. Most of the tweets we have seen show they were shared through Pinterest and not Twitter. Symantec Security Response recommends the following tips for Pinterest, Tumblr, and Twitter users:
- Make sure your passwords on all these services are strong and unique*
- Tumblr users should enable two-factor authentication**
- Twitter users should revoke and reauthorize access to the Pinterest application "
* https://identitysafe...sword-generator

** http://www.tumblr.co...ccount_security
___

Fake Wells Fargo SPAM - malicious PDF file
- http://blog.dynamoo....s-spam-has.html
17 June 2014 - "This -fake- Wells Fargo spam comes with a malicious PDF attachment:
    From:     Raul.Kelly@ wellsfargo .com
    Date:     17 June 2014 18:50
    Subject:     Important docs
    We have received this documents from your bank, please review attached documents.
    Raul Kelly
    Wells Fargo Accounting
    817-713-1029 office
    817-306-0627 cell Raul.Kelly@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


The attachment is account_doc~9345845757.pdf which has a VirusTotal detection rate of 5/51*. The Malwr report doesn't say much but can be found here**."
* https://www.virustot...sis/1403031721/

** https://malwr.com/an...zdmMDA5YzZkN2I/
___

Fake Payment Overdue SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 June 2014 - "Payment Overdue - Please respond pretending to come from Payroll Invoice [payroll@intuit.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    We have uploaded previous month reports on dropbox, please use the
    following link to download your file:
    https ://www.cubby .com/pl/Document_772-998.zip/_666f6271a7a8418a9881644fdcae6e1f
    Sincerely,
    Gabriel Preston
    This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY...


18 June 2014: Document_772-998.zip (8kb) : Extracts to Document_772-998.scr
Current Virus total detections: 2/54* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."    
* https://www.virustot...79ab7/analysis/  
___

Fake Lloyds Bank SPAM
- http://blog.dynamoo....e-customer.html
18 June 2014 - "Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:
     From:     Lloyds Bank Commercial Finance [customermail@ lloydsbankcf .co.uk]
    Date:     18 June 2014 12:48
    Subject:     Customer Account Correspondence
    This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.
    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please contact the individual or customer care team whose details appear on the statement.
    This email message and its attachment has been swept for the presence of computer viruses.
    Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance .co.uk


Ensuring that your PDF reader is up-to-date may help to mitigate against this attack."
___

Fake Xerox WorkCentre Spam...
- http://blog.dynamoo....workcentre.html
18 June 2014 - "The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.
    From:     Xerox WorkCentre
    Date:     18 June 2014 13:41
    Subject:     Scanned Image from a Xerox WorkCentre
    It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: [redacted]
    Number of Images: 0
    Attachment File Type: PDF
    WorkCentre Pro Location: Machine location not set
    Device Name: [redacted]
    Attached file is scanned image in PDF format...


The payload is a malicious PDF that is identical to the HSBC and Lloyds spams."
___

Fake Electro Care SPAM - XLS malware
- http://myonlinesecur...ake-xlsmalware/
18 June 2014 - "Invoice from Electro Care Electrical Services Ltd is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like :
    This invoice is the oldest and we did receive a cheque if £4900.00 On the 16/04/14
    Please not that they have deducted CIS at 20% on the above payment so the total amount applied to this invoice is £5400.00.
    Any question then please call me.
    This message contains Invoice #03974 from Electro Care Electrical Services Ltd.  If you have questions about the contents of this message or Invoice, please contact Electro Care Electrical Services Ltd.
    Electro Care Electrical Services Ltd
    Unit 18
    Lenton Business Centre
    Lenton Boulevard
    Nottingham
    NG7 2BY
    T: 01159699638 F: 01159787862 ...


18 June 2014: ECE03974.zip (57kb) : Extracts to Electro Care Electrical Services Ltd invoice.scr
Current Virus total detections: 3/54* . Invoice from Electro Care Electrical Services Ltd is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper XLS  file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...b51f8/analysis/
___

Fake HSBC SPAM...
- http://blog.dynamoo....ost-recent.html
18 June 2014 - "This convincing looking bank spam comes with a malicious PDF attachment:
From:     HSBC.co.uk [service@ hsbc .co.uk]
Date:     18 June 2014 12:33
Subject:     Unable to process your most recent Payment
HSBC Logo
You have a new e-Message from HSBC .co.uk
This e-mail has been sent to you to inform you that we were unable to process your most recent payment.
Please check attached file for more detailed information on this transaction.
Pay To Account Number:   **********91
Due Date: 18/06/2014
Amount Due: £ 876.69 ...


Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53*. The Malwr report does not add much but can be found here**."
* https://www.virustot...sis/1403092029/

** https://malwr.com/an...GY3OGI5MzdiOWM/
___

Android ransomware uses TOR
- http://blog.trendmic...mware-uses-tor/
June 17, 2014 - "... samples we now detect as AndroidOS_Locker.HBT, we found that this malware shows a user interface that notifies the user that their device has been locked down, and that they need to pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay would result in the destruction of all data in the mobile device. Examples of apps we’ve seen display this routine are found in third-party app stores, bearing names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores... The user will be asked to pay to account 79660624806/79151611239/79295382310 by QIWI or 380982049193 by Monexy within 48 hours. This UI will also keep popping up, thus preventing the user from being able to use their device properly... we found that it communicates to its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store in their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware... How to Remove this Ransomware: For users whose devices are infected with this ransomware, the malicious app can be manually removed through the Android Debug Bridge. The adb is part of the Android SDK*, which can be freely downloaded from the Android website..."
* http://developer.and...s/help/adb.html
Edited by AplusWebMaster, 18 June 2014 - 01:28 PM.



#1211 AplusWebMaster


Posted 19 June 2014 - 03:15 AM

FYI...

Netflix – Phish...
- http://myonlinesecur...tflix-phishing/
19 June 2014 - "An email received with a subject saying Your Netflix Account Requires Validation that is -spoofed- to appear to come from NETFLIX [secure@ netflix .co.uk]. This is a new one on us. It is the first time I have seen a phish trying to get your Netflix log in details. The site in the link looks at first glance to be genuine. But if you look carefully, you will see the genuine Netflix site is - https://www.netflix....in?locale=en-GB
This -fake- phishing site is http ://netflix-user .com/<lots of random characters>/Login.htm

The urls are very similar and show how careful you must be to make sure that you are on a genuine site and why you should -never- respond to emails asking for log in details...
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your account Failure to complete the validation process will result in a suspension of your netflix membership. We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team


If you follow the link you see a webpage looking like:
> http://myonlinesecur...ishing-site.png ..."


#1212 AplusWebMaster


Posted 20 June 2014 - 05:28 AM

FYI...

Password Protected Malware
- http://blogs.apprive...otected-Malware
Jun 18, 2014 - "... a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (real company, but messages are spoofed). The payload was an attached .zip file that was password protected. The password was displayed right in the original message body for the recipient though, which should be a red flag to users. A file will normally be encrypted when a password is used, making scanning inside an archive for malware not possible unless a user inputs the password on their computer to extract it. This can make filtering files like this tricky, but not impossible.
> http://blogs.apprive...resized-600.PNG
The attached file contains 2 actual files inside. One is a .scr file and the other is a pdf file of a fake invoice. The first interesting thing was that the file had a .zip extension, but it was actually a Rar file (First few bytes are RAR! instead of PK for zip). This could have been on purpose as some attempt to avoid some scanner, or an accident when they created the archive. Rar malware is much less common than zip malware since zip files work natively on most systems... The -fake- Spreadsheet in the archive is the scr executable. The file shows a compile date of 5/25/2014 and has a VirusTotal score of 3/52 AV engines. Upon opening the file, it turns out it is a Trojan downloader and it reaches out to the internet (62.76.43.110; Russian IP) and downloads a 220kb “1.exe” file that had an Amazon logo for an icon. This file has the same compile date as above and a capture rate of 5/52 on VirusTotal. The AV engines classify it as a Zbot. When running this exe, it tries to reach out to another Russian IP but no connection could be established... The zbot is a common piece of malware we see due to its main purpose of being built to steal money, meaning it can be very profitable for the people behind malware campaigns. A good bit of advice with password protected zips is that if the password is in the email, that sort of defeats the whole reason of being secure and having a password. I would suggest people be cautious of any files from unknown senders but especially wary of password protected zips with the password in the body. Using a protected zip is a common way for malware authors to try and sneak through any malware filtering a company may be using. Currently we are blocking this malware with over 40,000 hits so far this morning."
(More detail and screenshots at the appriver URL above.)

62.76.43.110: https://www.virustot...10/information/
___

Spamvertised ‘Customer Daily Statement’ emails lead to malware
- http://www.webroot.c...s-lead-malware/
June 20, 2014 - "... persistent spamvertising of tens of thousands of fake emails, for the purpose of socially engineering gullible end users into executing the malicious attachments found in the rogue emails. We’ve recently intercepted a currently circulating malicious campaign, impersonating Berkeley Futures Limited, tricking users into thinking that they’ve received a legitimate “Customer Daily Statement”.
More details: Sample screenshot of the spamvertised email:
> https://www.webroot....ley_Futures.png
Detection rate for a sampled malware: MD5: b05ae71f23148009c36c6ce0ed9b82a7 – detected by 29 out of 54 antivirus scanners* as Trojan-Ransom.Win32.Foreign.kxka
* https://www.virustot...542ee/analysis/
Once executed, the sample drops the following malicious MD5 on the affected hosts: MD5: ed54fca0b17b768b6a2086a50ac4cc90 **
** https://www.virustot...f44c8/analysis/
It then phones back to the following C&C servers:
62.76.43.110
62.76.185.94

Related malicious MD5s known to have phoned back to the following C&C server (62.76.43.110):
MD5: c02e137963bea07656ab0786e7cc54de . Once executed, the dropped MD5: ed54fca0b17b768b6a2086a50ac4cc90 starts listening on port 35073.
also phones back to the following C&C servers:
62.76.185.94
23.62.99.40

Related malicious MD5s known to have phoned back to the following C&C server (23.62.99.40)..."

23.62.99.40: https://www.virustot...40/information/
___

Fake ACH/Bank form – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 June 2014 - "ACH – Bank account information form pretending to come from Bettye Cohen [Bettye.Cohen@ jpmchase .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
    Please find attached the business account forms 9814285.
    If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
    Bettye_Cohen
    Chase Private Banking Level III Officer
    3 Times Square
    New York, NY 10036
    T. 212.804.3166
    F. 212.991.5185


20 June 2014: Important Chase Private Banking Forms.zip (93 kb)  Extracts to: Important Chase Private Banking Forms.scr
Current Virus total detections: 3/54* . This ACH – Bank account information form is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...85a24/analysis/
___

Fake Cloud Storage Mails lead to Pharmacy Sites
- http://blog.malwareb...pharmacy-sites/
June 20, 2014 - "We’re seeing a number of emails claiming that image files have been uploaded to the web, or have simply been damaged somehow. Here’s one claiming to be from “Box”, which as you may already know is a Cloud content management service:
> http://cdn.blog.malw...06/boxspam1.jpg
The large “View Images” button leads clickers to a Canadian pharmacy spam page:
> http://cdn.blog.malw...adianpharma.jpg
We’ve seen a few others like the above but in those cases the final destination was already offline, so it’s hard to say exactly what they were trying to send people to. Here’s one stating that your files have been uploaded, this time from “Drive”. SkyDrive / OneDrive? Google Drive? I have no idea, but here it is anyway:
> http://cdn.blog.malw...6/drivespam.jpg
Don’t panic if confronted with mysterious messages about damaged files or uploads you know nothing about. It’s just a slice of spammy -clickbait- which can be safely ignored."
___

Lloyds/TSB – Phish...
- http://myonlinesecur...ation-phishing/
20 June 2014 - "We all get frequent phishing emails pretending to come from a bank or other financial institution. Today's offering shouldn’t really fool anybody, but it will as usual, when you don’t check carefully the address the link sends you to in your browser address bar. Subject says:
Important Update Notification and pretends to come from LloydsTSB

Any customer of the bank knows that Lloyds and TSB have now split up and you either have Lloyds Bank or TSB bank. Most of us still have a credit/debit card and cheque book that says LloydsTSB, but all communications from these banks have been Lloyds or TSB specific for some considerable time now. Email looks like:

Dear Valued Customer,
The update to our mobile banking app for iPhone and Android users is coming this summer.
We’ve made some big improvements, so it’s easier and quicker to use with enhanced security. You’ll need an up-to-date phone number so you can complete
device registration the first time you use it.
Please ensure your phone numbers are up to date today by checking your details now.
CHECK MY DETAILS NOW
Sincerely,
Lloyds Bank plc ...


If you follow the link you see a webpage looking -identical- to the genuine Lloyds bank log in site..."
 



Edited by AplusWebMaster, 20 June 2014 - 01:43 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
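The appriver and myonlinesecurity write-ups above make two points a mail filter can check mechanically: the archive's extension did not match its magic bytes (".zip" but "Rar!" at offset 0), and the inner file spoofs a document with a double extension or a .scr suffix. The following is an added example, not code from the forum post or from either vendor; the sample file names come from the posts, the byte strings are constructed, and the extension lists are my own assumptions about what to treat as risky.

```python
"""Attachment triage: flag archives whose extension disagrees with their magic
bytes, and file names that spoof a document via a double extension (.xls.exe)
or a screensaver (.scr).  Added example; sample inputs are constructed."""
import os

# Magic bytes at offset 0 -> container kind.  RAR4 and RAR5 both begin
# with "Rar!\x1a\x07" (the post writes it as "RAR!").
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "pe",                  # Windows executable (.exe/.scr/.dll)
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office container (.doc/.xls)
}

# Assumed lists for this example, not a vendor-maintained policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".xls", ".doc", ".pdf", ".ppt", ".txt", ".docx", ".xlsx"}
EXPECTED_KIND = {".zip": "zip", ".rar": "rar", ".pdf": "pdf", ".xls": "ole", ".doc": "ole"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def split_all_exts(name: str) -> list:
    """'June_invoice_7846935978.xls.exe' -> ['.xls', '.exe']"""
    exts = []
    base = name
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def triage_name(name: str) -> list:
    """Findings based on the file name alone."""
    findings = []
    exts = split_all_exts(name)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension {last}")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension spoofing {exts[-2]}")
    return findings


def triage_attachment(name: str, data: bytes) -> list:
    """Findings from the name plus the extension/magic comparison."""
    findings = triage_name(name)
    exts = split_all_exts(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    expected = EXPECTED_KIND.get(last)
    if expected and kind != expected:
        findings.append(f"extension {last} but content looks like {kind}")
    if kind == "pe" and last not in EXECUTABLE_EXTS:
        findings.append("PE header under a non-executable extension")
    return findings


if __name__ == "__main__":
    # Constructed stand-ins for the attachments described in the posts.
    fake_zip = b"Rar!\x1a\x07\x00" + b"\x00" * 16
    print(triage_attachment("invoice_9667444.zip", fake_zip))
    print(triage_name("June_invoice_7846935978.xls.exe"))
    print(triage_attachment("Important Chase Private Banking Forms.scr", b"MZ\x90\x00"))
```

The magic-byte check is the one that survives renaming: a .scr renamed to .pdf still starts with "MZ", and a RAR that claims to be a zip still starts with "Rar!". Password-protected archives cannot be sniffed past the container header, which is why the appriver post's advice about passwords in the mail body matters for the gateway as well as the user.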


#1213 AplusWebMaster


Posted 23 June 2014 - 07:41 AM

FYI...

Fake Order|Mobile Inc. – malformed Word doc malware
- http://myonlinesecur...rd-doc-malware/
23 June 2014 - "Your Order No 7085967 | Mobile Inc. is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... word .doc attachment. The word .doc is malformed and will infect you if you have a vulnerable version of word or some other out of date software on the computer. Luckily Microsoft security essentials detects and blocks it on my computer. It is detected as W97M/Adobdocro.A  Just -previewing- the attachment in your email client or browser might be enough to infect you. MSE jumped in and blocked it as soon as I selected preview, so beware and immediately delete the entire email without attempting to open, save or preview the attachment. We have had this malware running on a test system and it downloads a file from http ://barniefilm1996 .ru/info.exe which is detected on Virus total by 11/54 AV's*...
Thank you for ordering from Mobile Inc.
This message is to inform you that your order has been received and is currently being processed.
Your order reference is 4863028.  You will need this in all correspondence.
This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card.
Your card will be charged for the amount of 5.38 USD and “Mobile Inc.” will appear next to the charge on your statement.
Your purchase information appears below in the file...

 
23 June 2014: Order_230614.Doc (47 kb) Current Virus total detections: 2/51**
MALWR Auto Analysis***
This Your Order No 7085967  | Mobile Inc. is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...d0a49/analysis/

** https://www.virustot...291e5/analysis/

*** https://malwr.com/an...2ExZmEzNGFmNWU/
___

Fake Amazon email delivers Malware
- http://blog.malwareb...eliver-malware/
June 23, 2014 - "Beware of an email in circulation claiming to be from 'Amazon Local', which mentions invoices for an order you -never- actually made. If you buy a lot of goods from Amazon there’s always the possibility you might fall for this one in the general deluge of legitimate payment confirmation emails.

Screenshot: http://cdn.blog.malw...mazonlocal1.jpg

... Note that the email mentions the order was placed on the 15th, which adds to the illusion of “Wait…did I actually order this but forget about it?” The attachment is called order_id.zip, though it had already been scrubbed from the service it was sent to up above so we can’t give more information on it at this time. You can see more examples of what appear to be related campaign mails over on this CISCO alert*. As with all fake order mails, be very cautious around attachments and if there’s an order you’re not sure about then login to Amazon or [merchant x] and see if you actually are missing a delivery. Chances are, the only thing waiting in your mailbox is some Malware..."
* http://tools.cisco.c...x?alertId=33857
___

Fake "Domain Listing Expired" scam/spam (ibulkmailer .com / 192.99.148.65)
- http://blog.dynamoo....-scam-spam.html
23 June 2013 - " I've received this spam to the contact details for several domains I own in the past few weeks:

Screenshot: http://1.bp.blogspot...ain-renewal.png

It looks like a domain renewal notice.. but it isn't. It's a renewal notice for SEO services. "But wait," I hear you cry, "I haven't signed up for any SEO services!" to which my answer is "Exactly!" This is where the spam moves from being annoying to being a more of a -scam- ... The use of the word "Renew" implies that you already have a relationship with these people but you do not. There is nothing to renew, but stating that this is something you already use is not only incorrect but in my personal opinion it is a -fraudulent- misrepresentation. The link in the email goes to 192.99.148.65 (OVH Canada, not surprisingly) and then onto a landing page at ibulkmailer .incom on 192.185.170.196 (Websitewelcome, US)... If you get these spam messages (and the link still leads to ibulkmailer .com) then one effective way of dealing with it would be to forward the message to the webhost abuse department at abuse -at- websitewelcome .com. Doing business with spammers is never a good idea, and doing business with spammers who misrepresent your relationship with them is likely to be a very bad idea indeed. Avoid..."
(More detail at the dynamoo URL above.)

192.99.148.65: https://www.virustot...65/information/

192.185.170.196: https://www.virustot...96/information/
___

Dropbox Phish ...
- http://blog.malwareb...-dropbox-creds/
June 23 2014 - "It’s after your email usernames and passwords. All of them if possible, actually.
Screenshot: http://cdn.blog.malw...014/06/db01.png
We suggest that you forget about the image you wanted to see that resulted in this page loading up and -close- the browser tab immediately. As those who are familiar with phishing know, the only end result for anyone who willingly (albeit unknowingly) hands over their digital keys to the wrong hands is more trouble. From the interface, we can infer that this -phishing- campaign placed priority into getting credentials from Yahoo!, Gmail, Hotmail, and Aol email users. Clicking each logo on the page displays a little window where one can provide their login details.
> http://blog.malwareb...gmail.png?w=484
Clicking the green “Sign In” button leads users to the default login pages of these email services. If one happens to use the same user name and password combination across his/her online accounts, from cloud storage sites like Dropbox to digital libraries, emails and social networks (clearly a bad practice we should stop doing), it’s highly likely that more than one account would get compromised with just a single phishing campaign. Several security vendors flag this page as malicious as well since they detect a script in it as equally malicious. Furthermore, we found that the domain where this page is hosted [an official website of a company that is into the trading and wholesale of alloy wheels and accessories] was -hacked- and defaced in January this year. We can only assume that either the security issues surrounding the website has not been fully addressed or the issues were never mitigated..."
___

ZBOT-UPATRE far from Game Over - uses Random Headers
- http://blog.trendmic...random-headers/
June 23, 2014 - "TROJ_UPATRE, the most common malware threat distributed via spam, is known for downloading encrypted Gameover ZeuS onto affected systems. This ZeuS variant, in turn, is known for its use of peer-to-peer connections to its command-and-control (C&C) servers. This behavior has been known about since October 2013. We have observed that these specific ZeuS variants are now employing non-binary files. The UPATRE downloader is also responsible for decrypting these malicious files. This is done to bypass security features and avoid detection and removal from the infected systems. Previously, ZBOT malware can be detected via its header with ZZP0 even though it is initially encrypted by UPATRE. However, in our recent findings, it is found that ZeuS dropped this header and now uses -random- headers and changed its file extension, thus making it arduous to be detected in the network... UPATRE is continuously developing not only in terms of effective social engineering lures such as the abuse of Dropbox links to lead to ZBOT, NECURS, and just recently, Cryptolocker. This 'improvement' can also be seen in the use of XOR key to decrypt the downloaded file. We can say that the cybercriminals behind UPATRE are aware that their tactic of encrypted downloaded file is already detected by security solutions. As such, they continually modify their algorithm to circumvent efforts to detect and mitigate the risk posed by UPATRE... As a downloader, the main function of UPATRE is to deliver the main payload: Gameover ZeuS. In the past, the Pony loader and Cutwail spam botnet was used to download GoZ malware..."
 



Edited by AplusWebMaster, 23 June 2014 - 10:40 AM.

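The Trend Micro item above says the network signature (a fixed "ZZP0" header on the encrypted download) stopped working once the header went random and the payload was XORed. When a sandbox or proxy captures such a download, one content-based check that does not depend on a fixed header is to look for a single-byte-XOR-encoded PE inside the blob: wherever "MZ" appears under some key, the "PE\0\0" signature must appear under the same key at the offset stored in e_lfanew. The code below is an added example of that triage heuristic, not code from the forum post or from Trend Micro; it does not reproduce the UPATRE container format (which the post does not describe), and the sample blob it builds is a constructed PE-shaped header, not a real executable.

```python
"""Locate a single-byte-XOR-encoded Windows executable inside a captured blob
whose leading bytes look like junk.  Added example; the sample data is
constructed and the offset/key search is a generic heuristic."""
import struct

DOS_HEADER_LEN = 0x40   # e_lfanew is the last uint32 of the 64-byte DOS header


def find_xor_pe(blob: bytes, max_offset: int = 4096):
    """Return (offset, key) of the first XORed PE image found, else None."""
    if len(blob) < DOS_HEADER_LEN + 4:
        return None
    limit = min(max_offset, len(blob) - DOS_HEADER_LEN)
    for off in range(0, limit + 1):
        # If blob[off] is an XORed 'M', this is the only key that fits.
        key = blob[off] ^ ord("M")
        if blob[off + 1] ^ key != ord("Z"):
            continue
        raw = bytes(b ^ key for b in blob[off + 0x3C:off + DOS_HEADER_LEN])
        e_lfanew = struct.unpack("<I", raw)[0]
        sig_at = off + e_lfanew
        if e_lfanew < DOS_HEADER_LEN or sig_at + 4 > len(blob):
            continue
        sig = bytes(b ^ key for b in blob[sig_at:sig_at + 4])
        if sig == b"PE\x00\x00":
            return off, key
    return None


def xor_decode(blob: bytes, key: int, offset: int = 0) -> bytes:
    """Strip the leading `offset` bytes and undo the single-byte XOR."""
    return bytes(b ^ key for b in blob[offset:])


def build_sample(key: int, header_len: int) -> bytes:
    """Constructed test blob: a deterministic junk header followed by a
    minimal PE-shaped DOS stub, all XORed with `key`.  Not a real executable."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    dos += b"PE\x00\x00" + b"\x4c\x01"        # Machine = IMAGE_FILE_MACHINE_I386
    body = bytes(b ^ key for b in bytes(dos))
    junk = bytes((i * 37 + 11) & 0xFF for i in range(header_len))
    return junk + body


if __name__ == "__main__":
    sample = build_sample(0x5A, 16)
    hit = find_xor_pe(sample)
    print("found at offset %d with key 0x%02x" % hit)
    print(xor_decode(sample, hit[1], hit[0])[:2])   # b'MZ'
```

The check is cheap enough to run on every archive or download a sandbox sees, and it is independent of whatever header or extension the downloader chooses next; a multi-byte or rolling key would need a different approach, which is a caveat the Trend Micro post's "they continually modify their algorithm" line should make you expect.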


#1214 AplusWebMaster


Posted 24 June 2014 - 03:20 PM

FYI...

Seasonal Scam returns ...
- http://blog.malwareb...l-scam-returns/
June 24, 2014 - "... For those who are still in the middle of planning on a trip with family or friends, preparing for That Day is an essential step not to miss. And for most of us, part of that preparation is getting healthy, looking fit (thus, good) before hitting the beach... there are sites out there ready to pounce on unwary internet users browsing the Web in search of the latest diet craze, fitness regimens of their favourite celebrities, or healthy recipes that are easy to whip up. Depending on how you combine certain keywords like “summer” and “diet” in your search, you may find yourselves ending up with results that lead to sites such as the below:
> http://cdn.blog.malw...2014/06/TMZ.png
.
> http://cdn.blog.malw...06/gracinia.png
... Malware Intelligence Analyst Chris Boyd has written extensively about this campaign last year. You may check out the scam timeline he put together here* if you’re curious to find out more. Links to Garcinia scams can be shared via email through compromised accounts and social networks like Twitter, Tumblr, and Instagram. That said, we should remain cautious about clicking links from others wherever we are online."
* http://www.threattra...-new-outbreaks/
 





#1215 AplusWebMaster


Posted 25 June 2014 - 09:49 AM

FYI...

Fake RBS SPAM - leads to malicious ZIP file
- http://blog.dynamoo....m-leads-to.html
25 June 2014 - "This -fake- RBS spam leads to malware:
    From:     Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    Date:     25 June 2014 15:25
    Subject:     Outstanding invoice
    Dear [redacted],
    Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
    http ://figarofinefood .com/share/document-128_712.zip
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Many thanks
    Max Francis
    Credit Control ...


The link isn't a Dropbox link at all, but it downloads an archive file from [donotclick]figarofinefood.com/share/document-128_712.zip which contains the malicious executable document-128_712.scr which has a VirusTotal detection rate of 4/54*. Automated analysis tools... show that it attempts to phone home to babyslutsnil .com on 199.127.225.232 (Tocici LLC, US). That domain was registered a few days ago..."
* https://www.virustot...sis/1403708638/

199.127.225.232: https://www.virustot...32/information/
___

Fake Payment Advice / CHAPS credits – PDF malware ...
- http://myonlinesecur...ke-pdf-malware/
25 June 2014 - "Payment Advice – Advice Ref:[GB960814205896] / CHAPS credits... pretending to come from HSBC Advising Service... mail.hsbcnet.hsbc .com... is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Sir/Madam,
    Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link:
    http ://salamatiancar .ir/css/document-128_712.zip
     Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


An alternative version of this malware email is Outstanding invoice pretending to come from Bankline.Administrator@ rbs .co .uk
    Dear scans,
    Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
    http ://figarofinefood .com/share/document-128_712.zip
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Many thanks
    Jack Duncan
    Credit Control ...


Today's Date: document-128_712.zip (95kb)  Extracted file name:  document-128_712.scr
Current Virus total detections: 5/54* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...581f5/analysis/
___

Fake Amazon order/email contains trojan
- http://blog.mxlab.eu...ontains-trojan/
June 25, 2014 - "... new trojan distribution campaign by email with the subject “Order Details”.
This email is sent from the spoofed address “delivers@ amazon .com”...

Screenshot: http://img.blog.mxla...0625_amazon.gif

The attached ZIP file has the name order_id_78362477.zip and contains the 118 kB large file order_id_7836247823678423678462387.exe. The trojan is known as Win32:Malware-gen, Trojan.Win32.Krap.2!O, Spyware.Zbot.VXGen, PE:Malware.XPACK-HIE/Heur!1.9C48 or TROJ_GEN.F0D1H0ZFP14. At the time of writing, 7 of the 54 AV engines did detect the trojan at Virus Total*. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: d12526fc430fa213d77f8523a89c92c5f4e0d11deacbaf5c160a16f87ed5adc3."
* https://www.virustot...sis/1403726988/

** https://malwr.com/an...WU2NmJjOTg2N2Q/
___

China hacking threatens national security ...
- http://www.reuters.c...N0P60KC20140625
Jun 25, 2014 - "Cyber theft of trade secrets by China is a threat to U.S. national security, U.S. Ambassador to China Max Baucus said on Wednesday in the first major public address of his tenure, warning that Washington would continue to pressure Beijing. Baucus' remarks come as commercial ties between the world's two largest economies have been strained over cyber espionage charges... In May, Washington indicted five Chinese military officers for hacking U.S. companies, prompting Beijing to suspend a Sino-U.S. working group on cyber issues. It adamantly denies the charges. Such behaviour is criminal and runs counter to China's World Trade Organization commitments, Baucus told business leaders at an American Chamber of Commerce in China luncheon two weeks ahead of annual high-level bilateral talks in Beijing... China heavily restricts dozens of industries and U.S. firms have long complained they are forced to meet unfair burdens such as ownership caps and are pressured to transfer technology in exchange for market access."
___

PlugX RAT with “Time Bomb” abuses Dropbox for C&C settings
- http://blog.trendmic...ntrol-settings/
June 25, 2014 - "Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among others, are well-known and can be detected, threat actors still effectively use these tools in targeted attacks. Last May we encountered a targeted attack that hit a government agency in Taiwan. In the said attack, threat actors used PlugX RAT that abused Dropbox to download its C&C settings. The Dropbox abuse is no longer new since an attack before employed this platform to host the malware. However, this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings... Although there are differences in the features of types I and II PlugX, the similarities in certain techniques and indicators of compromise can aid in mitigating the risks posed to confidential data. Targeted attack campaigns that used PlugX can be detected via threat intelligence. The publicly available information on indicators of compromise can determine if an enterprise is being hit by targeted attacks... we didn’t find any vulnerability in Dropbox during our investigation and other similar cloud applications could be used in this manner. Dropbox was already informed of this incident as of posting."
___

Havex hunts for ICS/SCADA systems
- http://www.f-secure....s/00002718.html
June 23, 2014 - "... we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector. The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name "Havex" is clearly visible in the server source code... Havex took a specific interest in Industrial Control Systems (ICS)... The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to. We gathered and analyzed -88- variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of -146- command and control (C&C) servers contacted by the variants, which in turn involved tracing around -1500- IP addresses in an attempt to identify victims. The attackers use compromised websites, mainly blogs, as C&C servers... We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us... The Havex RAT is distributed at least through following channels:
- Spam email
- Exploit kits
- Trojanized installers planted on compromised vendor sites
... Of more interest is the third channel, which could be considered a form of "watering-hole attack", as the attackers chose to compromise an intermediary target - the ICS vendor site - in order to gain access to the actual targets. It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers. Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were -trojanized- to include the Havex RAT. We suspect more similar cases exist but have not been identified yet... All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering... Summary: The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure. The method of using -compromised- servers as C&C's is typical for this group... We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors. The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today..."
___

Interactive exploit kit redirection technique
- http://www.welivesec...tion-technique/
20 June 2014 - "The usual pattern we see when dealing with exploit kits starts with a legitimate website that gets compromised and used to automatically redirect its visitors to the actual malicious content. Techniques such as iFrame injection and HTTP -redirections- are frequently observed. This week though, we found an interesting variation while doing research on some exploit kit traffic. We noticed that the compromised website contained code that actually interacts with the user by presenting a -fake- message about some script slowing down the browser:
> http://www.welivesec...ie_warning2.png
The code responsible for this interaction is an injected HTML form that is shown only when the visiting browser is Internet Explorer... Of course, clicking on either Cancel or OK triggers the same POST request to an intermediate page, which in turn -redirects- the visitor to the Angler exploit kit by returning a small snippet of HTML and Javascript code... Typically the visitors are automatically redirected to the exploit kit when they visit a compromised website, so why bother with displaying a message first? It might be to prevent automated systems (malware analysis sandboxes, search-engine bots etc.) from reaching the exploit kit, making it harder for researchers to track and investigate such a threat. The malware that was being distributed at the time we performed our research was Win32/PSW.Papras.CX*  (SHA1: 7484063282050af9117605a49770ea761eb4549d)."
* http://www.virusrada....CX/description
 



Edited by AplusWebMaster, 25 June 2014 - 03:56 PM.

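Both the dynamoo and myonlinesecurity items in this post hinge on one observation: the mail says "download from dropbox" but the link points at an unrelated site serving a .zip. That mismatch between the service the body names and the host the URL actually resolves to is easy to check at the gateway. The following is an added example of such a check, not code from the forum post or from either blog; the sample body is constructed from the RBS lure quoted above (kept in the thread's defanged spelling, which the code refangs first), and the list of hosts per service is my assumption for the example rather than a vendor-maintained list.

```python
"""Email link triage: flag URLs whose host does not belong to the service the
message body claims, and links that fetch archives or executables directly.
Added example; the sample body is constructed from the quoted lure."""
import re
from urllib.parse import urlparse

# Service names a lure may drop -> hosts the real service uses (assumed list).
CLAIMED_SERVICES = {
    "dropbox": ("dropbox.com", "dropboxusercontent.com"),
    "onedrive": ("onedrive.live.com", "1drv.ms"),
    "google drive": ("drive.google.com",),
}
RISKY_EXTS = (".zip", ".rar", ".exe", ".scr", ".js", ".jar")


def refang(text: str) -> str:
    """Undo the 'http ://example .com' and 'hxxp' / '[.]' defanging conventions
    so the URL parser sees a normal link."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = text.replace("[.]", ".")
    text = re.sub(r"(https?)\s*:\s*//", r"\1://", text, flags=re.I)
    # ' .com' -> '.com', but only when a label follows the dot, so a
    # sentence-ending ' .' before a newline is left alone.
    return re.sub(r"\s+\.(?=[A-Za-z0-9])", ".", text)


def host_matches(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_links(body: str) -> list:
    """Return (url, reason) findings for every URL in the message body."""
    clean = refang(body)
    lowered = clean.lower()
    claimed = [svc for svc in CLAIMED_SERVICES if svc in lowered]
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", clean):
        url = url.rstrip(".,;)")
        parsed = urlparse(url)
        host = parsed.hostname or ""
        path = parsed.path.lower()
        for svc in claimed:
            if not host_matches(host, CLAIMED_SERVICES[svc]):
                findings.append((url, f"body claims {svc} but link host is {host}"))
        if path.endswith(RISKY_EXTS):
            findings.append((url, f"direct download of {path.rsplit('.', 1)[-1]} file"))
    return findings


# Constructed sample built from the RBS lure quoted in the post, defanged as there.
SAMPLE_BODY = """Dear customer,
Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
http ://figarofinefood .com/share/document-128_712.zip
I would be grateful if you could look into this matter and advise on an expected payment date .
Many thanks
"""

if __name__ == "__main__":
    for url, reason in triage_links(SAMPLE_BODY):
        print(f"{reason}: {url}")
```

A genuine share link ("Shared via dropbox: https://www.dropbox.com/s/…/report.pdf") produces no findings, while the lure above produces two: the claimed service does not match the host, and the link fetches a .zip directly. The host list is the part to maintain; the logic does not change when the lure switches from Dropbox to another brand.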
