SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1216 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 June 2014 - 03:07 PM

FYI...

Fake USPS SPAM ...
- http://blog.dynamoo....voice-spam.html
26 June 2014 - "This -fake- USPS spam is pretty Old School in its approach:

Screenshot: https://1.bp.blogspo.../s1600/usps.png

The link in the email I had was broken, but was attempting to redirect to:
[donotclick]kadoi .gr/shopfine/redir.php
and from there to:
[donotclick]cascadebulldogrescue .org/xmlrpc/invoice.zip
This .zip file contains a malicious executable invoice.com (a .com file.. that really is old school) which has a VirusTotal detection rate of 29/54*. The Malwr report** shows an attempted connection to klempfrost.zapto .org on 199.21.79.114 (Internap, US). Other automated analysis tools are less conclusive...
Recommended blocklist:
199.21.79.114
kadoi .gr
cascadebulldogrescue .org
klempfrost.zapto .org
"
* https://www.virustot...sis/1403811760/

** https://malwr.com/an...TQ2ODI0MmY0ZTU/
___

 

MITM steals half million euros in a week ...
- http://www.theregist...k_smash_n_grab/
26 Jun 2014 - "Attackers have pulled off a lucrative lightning raid on a single beleaguered bank stealing half a million euros in a week, Kaspersky researchers say. The crims stole between €17,000 and €39,000 from each of -190- Italian and Turkish bank accounts, with a single continuous attack. Man-in-the-middle attackers used stolen bank login details to transfer money to mule accounts before cashing out at ATMs around 20 January this year. Kaspersky researchers found evidence of the manic raid, dubbed "Luuuk"* in a command and control server and suggested one of a series of established and sophisticated trojans such as Zeus, Citadel or SpyEye were used... The attackers wiped the compromised command and control server as part of what Kaspersky suggested was careful track-covering. The researchers said the attackers were very active and would be unlikely to have terminated their profitable fraud scheme because of the Kaspersky discovery. The mules who funnelled the stolen cash were entrusted with differing transfer limits from €1750 to €50,000 depending on the trust afforded to each by the fraud masterminds... The raid was notable in the short time taken to steal account details and retrieve cash from ATMs..."
* https://www.secureli...the_force_Luuuk
June 25, 2014
___

China cybercrime cooperation stalls after U.S. hacking charges
- http://www.reuters.c...N0F12OJ20140626
June 26, 2014 - "Fledgling cooperation between the United States and China on fighting cyber crime has ground to a halt since the recent U.S. indictment of Chinese military officials on hacking charges, a senior U.S. security official said on Thursday. At the same time, there has been no decline in Chinese hackers' efforts to break into U.S. networks, the official said. In May, the Justice Department charged five Chinese military members with hacking the systems of U.S. companies to steal trade secrets, prompting Beijing to suspend a Sino-U.S. working group on cyber issues. China denies the charges and has in turn accused Washington of massive cyber spying. U.S. and Chinese officials had started working together to combat certain types of online crime, including money laundering, child pornography and drug trafficking, the U.S. official said. But that cooperation has stopped... The new chill underscores the fragility of the efforts to ease tensions and mutual accusations of hacking and Internet theft between China and the United States, at the expense of the security areas where the nations had reached some understanding. The indictments, the first criminal hacking charge the United States has filed against specific foreign officials, put more strain on a complex commercial relationship between the two economic powers and created new troubles for some U.S. technology companies doing business in China. Beijing has responded with a promise to investigate all U.S. providers of important IT products and services, though it has not specified the move was a direct retaliation. Chinese state media has also lashed out, without indicating a connection, at U.S. firms including Google, Apple, Yahoo, Cisco Systems, Microsoft and Facebook with allegations of spying and stealing secrets..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 27 June 2014 - 03:14 AM.

  • jorgeub4 likes this

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1217 AplusWebMaster

Posted 27 June 2014 - 02:08 PM

FYI...

Banking malware uses Network Sniffing for Data
- http://blog.trendmic...for-data-theft/
June 27, 2014 - "With online banking becoming routine for most users, it comes as no surprise that we are seeing more banking malware enter the threat landscape. In fact, 2013 saw almost a million new banking malware variants — double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques. Just weeks after we came across banking malware that abuses a Windows security feature, we have also spotted yet another banking malware. What makes this malware, detected as EMOTET, highly notable is that it “sniffs” network activity to steal information. EMOTET variants arrive via spammed messages. These messages often deal with bank transfers and shipping invoices. Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.
Sample spammed messages:
> http://blog.trendmic...06/EMOTET-1.png
...
> http://blog.trendmic...06/EMOTET-2.png
The provided links ultimately lead to the downloading of EMOTET variants into the system. Once in the system, the malware downloads its component files, including a configuration file that contains information about banks targeted by the malware. Variants analyzed by engineers show that certain banks from Germany were included in the list of monitored websites... EMOTET infections are largely centered in the EMEA region, with Germany as the top affected country... However, other regions like APAC and North America have also seen EMOTET infections, implying that this infection is not exclusive to a specific region or country. As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to -call- the financial or banking institution involved to -confirm- the message before proceeding..."
___

Scams hook users with "free" Facebook hacks
- http://blog.malwareb...cebook-hacking/
June 27, 2014 - "Ah, Facebook hacking. It’s one of those things security folks generally warn people against due to its questionable legality regardless of one’s reasons for doing so, yet many continue to go out of their way to look for hacking tools and services online... Whether one genuinely lost their Facebook account password or not, it’s never a good (nor safe) idea to entrust matters to hacking, cracking, or sniffing. There’s almost always a catch. It’s still best to contact Facebook support directly for password retrieval... bogus site(s) serve as a reason for users considering trying hacking not to do it. Delving into the business of shady fellows who’re only waiting for users to fall into their lures will cost more to the service or tool user than it does for those who developed or are offering the illegal service..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 28 June 2014 - 08:27 AM.



#1218 AplusWebMaster

Posted 30 June 2014 - 02:46 PM

FYI...

Several no-ip .com domains apparently seized by MS
- http://blog.dynamoo....apparently.html
30 June 2014 - "It appears that the nameservers for the following dynamic DNS domains belonging to no-ip .com may have been seized by Microsoft as the nameservers are pointing to NS7.MICROSOFTINTERNETSAFETY .NET and NS8.MICROSOFTINTERNETSAFETY .NET
This seems to have had the effect of taking down any sites using these dynamic DNS services. Usually this happens when Microsoft gets a court order prior to legal proceedings. Now, although these domains are widely abused it is not no-ip .com themselves doing the abusing. I do recommend that businesses block access to dynamic DNS sites because of the high level of abuse, but I do feel that it is something that network administrators should choose for themselves."
___

MS disrupts cybercrime rings with roots in Kuwait, Algeria
- http://www.reuters.c...N0F52A920140630
Jun 30, 2014 - "Microsoft Corp launched what it hopes will be the most successful private effort to date to crack down on cyber crime by moving to disrupt communications channels between hackers and infected PCs. The operation, which began on Monday under an order issued by a federal court in Nevada, targeted traffic involving malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways* and were written and distributed by developers in Kuwait and Algeria. It is the first high-profile case involving malware written by developers outside of Eastern Europe, according to Richard Domingues Boscovich, assistant general counsel of Microsoft's cybercrime-fighting Digital Crimes Unit**... it would take several days to determine how many machines were infected, but noted that the number could be very large because Microsoft's anti-virus software alone has detected some 7.4 million infections over the past year and is installed on less than 30 percent of the world's PCs. The malware has slick dashboards with point-and-click menus to execute functions such as viewing a computer screen in real time, recording keystrokes, stealing passwords and listening to conversations, according to documents filed in U.S. District Court in Nevada on June 19 and unsealed Monday... the developers blatantly marketed their malware over social media, including videos on Google's YouTube and a Facebook page. They posted instructional videos with techniques for infecting PCs... The court order allowed Microsoft to disrupt communications between infected machines and a Reno, Nevada, firm known as Vitalwerks Internet Solutions... about 94 percent of all machines infected with the two viruses communicate with hackers through Vitalwerks servers. Criminals use Vitalwerks as an intermediary to make it more difficult for law enforcement to track them down... 
Microsoft will filter out communications from PCs infected with another 194 types of malware that are also being filtered through Vitalwerks..."

* http://blogs.technet...e-families.aspx
30 Jun 2014
> http://www.microsoft...ages/a/dcu6.png

** http://blogs.technet...disruption.aspx

30 Jun 2014

> http://blogs.technet...14_5F00_v5e.png

Collateral damage...
- http://arstechnica.c...-no-ip-domains/
June 30 2014
___

'Amazon Local' Spam
- http://threattrack.t...azon-local-spam
June 30, 2014 - "Subjects Seen:
    FW: Order Details
Typical e-mail details:
    Good morning,
    Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
    Order Details...


Screenshot: https://gs1.wac.edge...kEjG1r6pupn.png

Malicious File Name and MD5:
    order_id.zip (80583D63E52AD48A14D91DC7CAE14115)
    order_id_783624782367842367846238751111.exe (C31F54BB78D5B1469B9B1AEE691FF8E3)


Tagged: amazon local, Dofoil
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 01 July 2014 - 04:41 AM.



#1219 AplusWebMaster

Posted 01 July 2014 - 09:02 AM

FYI...

Something evil on 37.187.140.57 (OVH, France)
- http://blog.dynamoo....ovh-france.html
1 July 2014 - "A group of Cushion Redirect sites appear to be hosted on 37.187.140.57 (OVH, France). Although I cannot determine the exact payload of these sites, you can be assured that it is Nothing Good and you may well want to block the IP. Here is a sample URLquery report* for this IP. VirusTotal** also reports a low number of detections for this address.
Domains being abused in this attack include:
charlie-lola .co.uk
clashofclanshackdownload .com
check-email .org
cialis25 .pl
adultvideoz .net
In all cases the attack is carried out by using a malicious subdomain..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/...d=1404216440815

** https://www.virustot...57/information/
___

MS No-IP Takedown ...
- https://isc.sans.edu...l?storyid=18329
2014-07-01 - "... No-IP is crying foul, stating that Microsoft never contacted them to have the malicious domains blocked. Further, Microsoft is apparently not able to properly filter and support all queries for these seized domains, causing widespread disruption among legit no-ip customers. According to the court order, Microsoft is able to take over DNS for the affected domains, but because the legit domains far outnumber the malicious domains, Microsoft is only allowed to block requests for malicious domains. Microsoft apparently overestimated the abilities of its Azure cloud service to deal with these requests. In the past, various networks blocked dynamic IP providers, and dynamic IP services have been abused by criminals for about as long as they have existed. However, No-IP had an abuse handling system in place and took down malicious domains in the past. The real question is if No-IP's abuse handling worked "as advertised" or if No-IP ignored take down requests... a similar justification may be used to filter services like Amazon's (or Microsoft's?) cloud services which are often used to serve malware [4][5]. It should make users relying on these services think twice about the business continuity implications of legal actions against other customers of the same cloud service. There is also no clear established SLA for abuse handling, or what level of criminal activity constitutes abuse..."
4] http://blog.malwareb...soft-azure-too/

5] http://www.washingto...est-of-malware/
___

Malware Spam Source in Q2-2014
- http://blog.trendmic...rce-in-q2-2014/
July 1, 2014 - "DOWNAD, also known as Conficker, remains one of the top 3 malware that affect enterprises and small and medium businesses. This is attributed to the fact that a number of companies are still using Windows XP, which is susceptible to this threat. It can infect an entire network via a malicious URL, spam email, and removable drives. It is known to exploit the MS08-067 Server service vulnerability in order to execute arbitrary code. In addition, DOWNAD has its own domain generation algorithm that allows it to create randomly-generated URLs. It then connects to these created URLs to download files on the system. During our monitoring of the spam landscape, we observed that in Q2, more than 40% of malware related spam mails are delivered by machines infected by the DOWNAD worm. Spam campaigns delivering FAREIT, MYTOB, and LOVGATE payloads in email attachments are attributed to DOWNAD infected machines. FAREIT is a malware family of information stealers which download ZBOT. On the other hand, MYTOB is an old family of worms known for sending a copy of itself in spam attachments.
Spam sending malware
> http://blog.trendmic...e-Family-01.jpg
Based on this data, the CUTWAIL (Pushdo) botnet together with Gameover ZeuS (GoZ) are the other top sources of spam with malware... CUTWAIL was previously used to download GoZ malware. However, now UPATRE employs GoZ malware or variants of ZBOT which have peer-to-peer functionality. In the last few weeks we have reported various spam runs that abused Dropbox links* to host malware like NECURS and UPATRE. We also spotted a spammed message in the guise of voice mail that contains a Cryptolocker variant. The latest we have seen is a spam campaign with links that leveraged CUBBY, a file storage service, this time carrying a banking malware detected as TSPY_BANKER.WSTA. Cybercriminals and threat actors are probably abusing file storage platforms so as to mask their malicious activities and go undetected in the system and network. As spam with malware attachments continues to proliferate, so does spam with links carrying malicious files. The continuous abuse of file hosting services to spread malware appears to have become a favored infection vector of cybercriminals, most likely because this makes it more effective given that the URLs are legitimate, thereby increasing the chance of bypassing antispam filters. Although the majority of the above campaigns are delivered by the popular GoZ, it is important to note that around -175- IPs are found to be related to the DOWNAD worm. These IPs use various ports and are randomly generated via the DGA capability of DOWNAD. A number of machines are still infected by this threat and leveraged to send the spammed messages to further increase the number of infected systems..."
* http://blog.trendmic...-dropbox-links/
___

2 -Fake- inTuit emails ...
1] https://security.int...alert.php?a=107
June 30, 2014 - "People are receiving -fake- emails with the title "validate". These mails are coming from tax.turbo@ mail .com, which is -not- a legitimate email address. Below is a copy of the email people are receiving.
Kindly validate your login
myturbotax .intuit .com


This is the end of the -fake- email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."

2] https://security.int...alert.php?a=108
June 30, 2014 - " People are receiving -fake- emails with the title "Alert from Intuit: Action Required!" Below is a copy of the email people are receiving:
Screenshot: https://security.int...entityPhish.jpg

This is the end of the -fake- email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."
 

:ph34r: :ph34r:  :blink:


Edited by AplusWebMaster, 02 July 2014 - 04:52 AM.



#1220 AplusWebMaster

Posted 02 July 2014 - 06:43 AM

FYI...

 

Fake Amazon Local SPAM / order_id.zip
- http://blog.dynamoo....tails-spam.html
2 July 2014 - "This fake Amazon spam has a malicious attachment:

Screenshot: http://3.bp.blogspot...mazon-local.png

Attached is a file order_id.zip which in turn contains the malicious executable order_id_467832647826378462387462837.exe which is detected as malicious by 5/54 engines of VirusTotal*. Automated analysis tools are inconclusive about what this malware does..."
* https://www.virustot...sis/1404306154/
___

Fake email “Failed delivery for package #0231764″ from Canada Post - contains URLs to malicious file
- http://blog.mxlab.eu...malicious-file/
July 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Failed delivery for package #0231764″ from Canada Post regarding a failed attempt to deliver an item. This email is sent from the spoofed address “Canada Post <tracking@ canadapost .com>” and has the following body:
Dear customer,
We attempted to deliver your item on Jul 2nd, 2014 , 05:44 AM.
The delivery attempt failed because no person was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the nearest Canada Post office with the printed shipping inboice mentioned below.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
TRACKING Number: RT000961269SG
Expected Delivery Date: JUL 2nd, 2014
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
The shipping invoice can be viewed online, by visiting ...


The first embedded URL hxxp ://documents-signature .com/pdf_canpost_RT000961269SG.pdf leads to a website that shows a PDF file... The second embedded URL hxxp ://documents-signature .com/pdf_canpost_RT000961269SG.zip leads to a malicious file pdf_canpost_RT000961269SG.zip that contains the file pdf_canpost_RT000961269SG.pif. The trojan is known as Backdoor.Bot or HEUR/Malware.QVM07.Gen. At the time of writing, 2 of the 54 AV engines detected the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustot...sis/1404326965/

** https://malwr.com/an...zgxYjA1MjlhMjE/

23.62.98.234: https://www.virustot...34/information/

87.121.52.82: https://www.virustot...82/information/
___

WordPress plugin puts sites at risk...
- http://arstechnica.c...sk-of-takeover/
July 1 2014 - "Websites that run WordPress and MailPoet, a plugin with more than 1.7 million downloads, are susceptible to hacks that give attackers almost complete control, researchers have warned. "If you have this plugin activated on your website, the odds are not in your favor," Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Tuesday*. "An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable." The bug allows attackers to remotely upload any file of their choice to vulnerable servers. Cid declined to provide specifics about the flaw other than to say it's the result of the mistaken assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. In fact, "any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated." The behavior makes it possible for anyone to upload files on vulnerable sites. The only safe version is the just released 2.6.7**, which should be installed immediately on all vulnerable websites. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses..."
* http://blog.sucuri.n...ewsletters.html

** http://downloads.wor...tters.2.6.7.zip
___

New Cridex Version Combines Data Stealer and Email Worm
- http://www.seculert....email-worm.html
July 1, 2014 - "... Cridex is a data stealer also referred to as Feodo and Bugat. The new Cridex version we are seeing now, aka Geodo, combines a self-spreading infection method – effectively turning each bot in the botnet into a vehicle for infecting new targets... Through further analysis of this attack, we were able to determine that the second piece of malware (the worm) is provided with approximately 50,000 stolen SMTP account credentials including the related SMTP servers to connect to. The bot then uses these credentials to target mostly German accounts by impersonating legitimate email.
Stolen SMTPs Country of Origin:
> http://www.seculert....ted-numbers.png
The C&C provides the malware with a batch of 20 targeted email addresses. The malware is also given a from address, subject line, and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails. And with each new batch of emails the C&C also sends a new from address, subject line, and body... The emails we have seen, written in German, contain a link prompting the recipient to download a zip file which contains an executable disguised as a PDF document... There is no definitive information on where the 50,000 stolen credentials came from, but Cridex is the suspected culprit. And as a data stealer, Geodo can compromise the intellectual property of a corporation, putting its business and reputation at risk..."
___

Fake “Google Service Framework” Android malware ...
- http://www.fireeye.c...-hijackrat.html
July 1, 2014 - "... a malicious Android class running in the background and controlled by a remote access tool (RAT). Recently, FireEye mobile security researchers have discovered such a malware that pretends to be a “Google Service Framework” and -kills- an anti-virus application as well as takes other malicious actions. In the past, we’ve seen Android malware that executes privacy leakage, banking credential theft, or remote access separately, but this sample takes Android malware to a new level by combining all of those activities into one app. In addition, we found the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal. We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognized by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work...
The structure of the HijackRAT malware:
> http://www.fireeye.c...6/structure.png
... Virus Total detection of the malware sample:
> http://www.fireeye.c...2014/06/VT5.png
... fake “Google Service Framework” icon on the home screen:
> http://www.fireeye.c.../removeicon.png
A few seconds after the malicious app is installed, the “Google Services” icon appears on the home screen. When the icon is clicked, the app asks for administrative privilege. Once activated, the uninstallation option is disabled and a new service named “GS” is started as shown below. The icon will show “App isn’t installed.” when the user tries to click it again and removes itself from the home screen... The malware has plenty of malicious actions, which the RAT can command... The server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL is named after the device ID and the UUID generated by the CNC server...  the malware app parses the banking apps that the user has installed on the Android device and stores them in the database under /data/data/com.ll/database/simple_pref... the hacker has designed and prepared for the framework of a more malicious command from the CNC server once the hijack methods are finished. Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon."

 

- http://atlas.arbor.n...index#322328699
July 3, 2014
___

Win8 usage declined in June - XP usage increased
- http://www.infoworld...ncreased-245339
July 1, 2014
> http://www.netmarket...=10&qpcustomd=0
 

:ph34r:  <_<


Edited by AplusWebMaster, 04 July 2014 - 08:48 AM.

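The MailPoet item in the post above turns on one WordPress detail: admin_init runs for any request to /wp-admin/admin-post.php, logged in or not. As an added example (not MailPoet's code, which Sucuri did not publish), here is that mistaken pattern beside a hardened handler written against the WordPress plugin API; the function names, the example_archive form field and the nonce action are invented.

```php
<?php
/**
 * Added example, not MailPoet's code. Illustrates the assumption described
 * in the Ars Technica / Sucuri item: "admin_init fired, so an administrator
 * must be here". On admin-post.php that hook also fires for anonymous
 * visitors, so a handler on it must enforce its own authorization.
 * All names below (example_*) are hypothetical.
 */

// Shared helper: hand the upload to WordPress, which applies its own
// upload_mimes filter and moves the file into the uploads directory.
function example_store_uploaded_archive( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // test_form => false: this is not a standard media-library form post.
    return wp_handle_upload( $file, array( 'test_form' => false ) );
}

// WEAK PATTERN, deliberately left unregistered and shown only for contrast.
// Nothing here proves who sent the request: an unauthenticated POST to
// admin-post.php reaches this code just like an administrator's would.
function example_weak_import_handler() {
    if ( isset( $_FILES['example_archive'] ) ) {
        example_store_uploaded_archive( $_FILES['example_archive'] );
    }
}

// HARDENED PATTERN: authorize the caller, verify the request, restrict the input.
function example_hardened_import_handler() {
    if ( ! isset( $_FILES['example_archive'] ) ) {
        return;
    }

    // 1. Authorization: the hook name proves nothing; check the user explicitly.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to import archives.', '', array( 'response' => 403 ) );
    }

    // 2. Request validation: a nonce bound to this action stops a logged-in
    //    administrator from being tricked into submitting the form (CSRF).
    //    check_admin_referer() calls wp_die() itself when the nonce is bad.
    check_admin_referer( 'example_archive_import' );

    // 3. Input restriction: accept only what the feature needs, decided by
    //    WordPress's file-type check, never by the client-supplied MIME type.
    $upload  = $_FILES['example_archive'];
    $allowed = array( 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext( $upload['tmp_name'], $upload['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only .zip archives are accepted.', '', array( 'response' => 400 ) );
    }

    $result = example_store_uploaded_archive( $upload );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 500 ) );
    }
}
add_action( 'admin_init', 'example_hardened_import_handler' );
```

A further structural fix from the same API is to hook such a handler to admin_post_{action} rather than admin_init, because admin-post.php dispatches that hook only for logged-in users (anonymous requests go to admin_post_nopriv_{action}); the capability and nonce checks stay necessary either way.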


#1221 AplusWebMaster

Posted 03 July 2014 - 08:03 AM

FYI...

Javascript Extortion advertised via Bing ...
- https://isc.sans.edu...l?storyid=18337
Last Updated: 2014-07-02 20:49:25 UTC - "... a search for "Katie Matusik" on Bing will include the following result. The rank has been slowly rising during the day, and as of right now, it is the first link after the link to "Videos"...
Screenshot: https://isc.sans.edu... 2_13_48 PM.png
... Once a user clicks on the link, the user is redirected to http ://system-check-yueedfms .in/js which loads a page claiming that the user's browser is locked, and the user is asked to pay a fine via "Moneypak", a Western-Union like payment system. Overall, the page is done pretty badly and I find it actually a bit difficult to figure out how much money they are asking for ($300??).
> https://isc.sans.edu...s/2_14_44_x.png
The user is not able to close the browser or change to a different site. However, just rebooting the system will clear things up again, or you have to be persistent enough in clicking "Leave this Page" as there are a large number of -iframes- that each insert a message if closed. The link was reported to Bing this morning but the result has been rising in Bing's search since then. Respective hosting providers for the likely -compromised- WordPress blog have been notified.
> Quick update: For "katie matysik" (replace 'u' with 'y', the correct spelling of the ), Bing now returns the malicious site as #1 link. Both spellings are valid last names, so either may be the original target of the SEO operation."

46.4.127.172: https://www.virustot...72/information/
___

Chain Letter migrates from mail to Social Networking
- http://blog.malwareb...ial-networking/
July 3, 2014 - "...  guaranteed to see a chain letter of one form or another bouncing around on a social network or in a mailbox, and here’s one such missive currently in circulation. It claims Microsoft and AOL are running a form of email beta test with big cash rewards for anybody forwarding on the email – $245 every time you send it on, $243 every time a contact resends it and $241 for every third person that receives it. The catch here is that the text – which is clearly supposed to be sent to email addresses – has been posted to a social network comment box on a profile page instead.
> http://cdn.blog.malw.../microspam1.jpg
... nonsense then, and it’s nonsense now. Amazingly, the mail from 2005 even sports the same phone numbers as the social network post from a few days ago... it’s extremely likely that they’re long since abandoned. Even so, you can’t keep a good scam down and so -eight- years after it rolled into town the -fake- Microsoft / AOL beta payout bonanza continues to find new life, as it moves from mailboxes to social network comment boxes in a desperate attempt to live on for a few more years. Think twice before forwarding chain letters..."
___

Accidental leak reveals identity numbers of 900,000 Danes
- http://www.reuters.c...N0F822Y20140703
Jul 3, 2014 - "The identity numbers of around 900,000 Danes, widely used as a means of identification in telephone transactions with banks or medical services, were mistakenly made available on the internet for almost an hour on Wednesday, the Danish government said. The numbers were mistakenly included by an outside contractor in a database of people who have asked -not- to receive marketing mail or calls that is made available to Danish firms, according to the daily Borsen. It is common for Danish financial institutions, hospitals and government agencies to ask for the civil registration number as a proof of identity in telephone inquiries, raising the possibility of widespread abuse. The government said the list had been downloaded 18 times in the 51 minutes that it was accessible..."
___

Brazil Boleto Fraud Ring ...
- https://blogs.rsa.co...ud-ring-brazil/
July 2, 2014 - "... Through a coordinated investigation spanning three continents, RSA Research has uncovered details of a substantial malware-based fraud ring that is operating with significant effectiveness to infiltrate one of Brazil’s most popular payment methods – the Boleto. Based on evidence gleaned from this fraud investigation, RSA Research discovered a Boleto malware or “Bolware” fraud ring that may have compromised 495,753 Boleto transactions over a two-year period. While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to $3.75 Billion USD (R$ 8.57 Billion). Boleto Bancário, or simply Boleto, is a financial instrument that enables a customer (“sacado”) to pay an exact amount to a merchant (“cedente”). Any merchant with a bank account can issue a Boleto associated with their bank; that Boleto is then sent to the consumer to pay anything from their mortgage, energy bills, taxes or doctor’s bills via electronic transfer... Their popularity has risen because of the convenience for consumers who don’t require a personal bank account to make payments using Boletos. The Boleto system is regulated by Banco Central do Brasil (Brazilian Central Bank) and has become the second most popular payment method (behind credit cards) in Brazil. E-bit, an e-commerce market research firm in Latin America, estimates that 18% of all purchases in Brazil during 2012 were transacted via Boletos...
Boleto malware – how it works:
> https://blogs.rsa.co...letoMalware.png
... While the fraudsters behind this operation may have had the potential to cash out these modified Boletos, it is not known exactly how many of these Boletos were actually paid by the victims and whether all the funds were successfully redirected to fraudster-controlled bank accounts... RSA has turned over its research along with a significant number of fraudulent Boleto ID numbers and IOCs (indicators of compromise) to both U.S. (FBI) and Brazilian law enforcement (Federal Police) and has been in direct contact with a number of Brazilian banks. RSA is working together with these entities in the investigation... to help with shutting down infection points in the wild and blacklisting fraudulent Boleto IDs... RSA urges consumers to be vigilant when handling Boleto payments and to verify that all the details, specifically the Boleto ID, are genuine prior to confirming payments. Because the Bolware gang has been spreading their malware mainly through phishing and spam, consumers in Brazil are also urged to take care when clicking on links or opening attachments in emails or social media messages from -unknown- senders and to use updated anti-virus software to help protect their PCs from infection..."

- http://www.reuters.c...N0PB0UQ20140702
Jul 2, 2014
 

:ph34r: <_< :ph34r:


Edited by AplusWebMaster, 03 July 2014 - 01:58 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1222 AplusWebMaster


Posted 04 July 2014 - 11:37 AM

FYI...

Fake: RAS Cargo (rascargointernational .com)
- http://blog.dynamoo....ationalcom.html
4 July 2014 - "There is -no- company in the UK with the name RAS Cargo according to Companies House*. So why are they spamming me?

Screenshot: https://4.bp.blogspo...0/ras-cargo.png

The site is professional-looking enough, quoting... contact details... there is no multinational freight business going on here. Also, the telephone numbers quoted appear in no trade directories or other web sites, indicating that they are -fake-"
* http://wck2.companieshouse.gov.uk/
___

advocatesforyouths.org, Eem Moura, Tee Bello and other FAKE sites
- http://blog.dynamoo....-moura-tee.html
4 July 2014 - "Advocates for Youth is a -legitimate- campaign organisation that says that it "champions efforts to help young people make informed and responsible decisions about their reproductive and sexual health." It has a website at www.advocatesforyouth.org which was registered in 1996. However, the domain advocatesforyouths .org is a completely -fake- rip-off of the legitimate advocatesforyouth.org site (note the extra "s") which is advertising itself through spam:
    From:     Advocates for Youth [inboxteam6@ gmail .com]
    Reply-To:     Advocates for Youth [ljdavidson@ advocatesforyouths .org]
    Date:     2 July 2014 21:52
    Subject:     Say No to FORCED MARRIAGE and HIV/AIDS
    Mailing list:     xkukllsbhgeel of 668
    Signed by:     gmail.com
    Invitation Ref No: OB-22-52-30-J ...


In this case the email originates from 217.120.44.73 (Ziggo / Groningen, Netherlands) and was sent to a spam trap. The -fake- site is almost a bit-for-bit copy... but things like the Contact Details page are slightly different:
> https://2.bp.blogspo...00/fake-afy.png
... The fax number is in California, but the "202" telephone number appears to be Washington, but on closer examination it looks like a VOIP (internet phone) number which could possibly be anywhere in the world.
> https://3.bp.blogspo...0/fake-afy2.png
... the fake site looks utterly convincing. Mostly because it is cloned directly from the legitimate site (See screenshot above). The domain advocatesforyouths .org was registered on 24th May 2014 with anonymous details, and the mail handler is mailhostbox.com who are a legitimate commercial provider. But what most visitors to advocatesforyouths.org will not spot is that the domain just does a framed forward to another site googleones .in/advocates4youth/ which is where things get more complicated. googleones .in is hosted on 74.122.193.45  a Continuum Data Centers IP -reallocated- ...
Al-zaida Emirates: "alz" is a site called "Al-zaida Emirates" which is a -ripoff- of the legitimate Zamil Group Holding Company. Probably the most obvious difference is that the "Al-zaida" site has an "Apply For Loan" button which marks it out as some sort of finance scam.
> https://3.bp.blogspo...00/al-zaida.png
 EEM Moura and TEE Bello (part 1): The next -fake- site is under "eem" which advertises itself as "EEM MOURA & TEE BELLO Group of Companies". This site is a slightly-altered copy of the legitimate Alpha Group.
> https://2.bp.blogspo...a-tee-bello.png
...  perhaps a clue here under "Shipping" which could be advertising for a Parcel Mule job (i.e. laundering stolen goods).
 EEM MOURA & TEE BELLO (part 2) [eemthollandbv .nl] There is another -fake- "EEM MOURA & TEE BELLO" site in the folder "eemtholland" (and using the forwarder domain eemthollandbv .nl). This is different from the other site being a fake shopping site, a poor copy of the legitimate HollandForYou .com site.
> https://4.bp.blogspo...-tee-bello2.png
This -fake- site is also likely to be recruiting people for a parcel reshipping scam.
 Hotel T. Bello: The final -fake- site is filed under "tbello" (sounds familiar?) and is supposedly the "Hotel T. Bello" in Den Haag (The Hague). It is a poor copy of the InterContinental Amstel Amsterdam.
> https://3.bp.blogspo...tel-t-bello.png
Perhaps the "Hotel T Bello" is a -fake- hotel for the delegates to the -fake- "Advocates for Youth" conference that was advertised in the original spam.. that is certainly one way that these conference scams work.
There is not a single legitimate site on this server. Avoid."
 

:ph34r: :ph34r:  :angry:




#1223 AplusWebMaster


Posted 06 July 2014 - 07:53 AM

FYI...

Fake 'Exceeded Storage Limit' Phish ...
- http://www.hoax-slay...imit-scam.shtml
Last updated: July 5, 2014 - "Email claims that the user's email account has exceeded its storage limit and instructs him or her to reply with the account username and password in order to restore full functionality. Some versions ask users to click a link in the message... The message is -not- from any system administrator or support team nor is it from Outlook, Hotmail, or any other email service provider. The email is a phishing scam designed to trick users into divulging their email account login details to Internet criminals...

Screenshot: http://www.hoax-slay...it-scam-pin.jpg

This message, which purports to be from the "System Administrator", claims that the recipient's email account has exceeded its storage limit and the sending and receiving of email may therefore be disrupted. The message instructs the recipient to reply to the email with his or her username and password so that the "System Administrator" can reset the account and increase the size of the database storage limit. A later version of the scam asks users to reply with account details to "confirm" the mailbox. In some variants, users are asked to click a link to supply their username and password. However, the message is not from the "System Administrator" or anyone else at the account holder's email service provider. Instead, the message is a phishing scam designed to trick recipients into handing over their web mail login details to Internet criminals. Those who reply to the message with their login details as instructed will in fact be handing over access to their webmail account to scammers who can then use it as they see fit. Once in their victim's email account, these criminals can then use the account to send spam messages, or in many cases, send other kinds of scam emails... Be wary of -any- unsolicited message that asks you to supply your webmail login details by replying to an email. All such requests are likely to be scams."
___

Attack on Dailymotion - redirected visitors to exploits
- https://www.computer...ors_to_exploits
July 4, 2014 - "Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post*. The iframe redirected browsers to a different website hosting an installation of the Sweet Orange Exploit Kit, an attack tool that uses exploits for Java, Internet Explorer and Flash Player. The flaws that Sweet Orange attempted to exploit are: CVE-2013-2551, patched by Microsoft in Internet Explorer in May 2013; CVE-2013-2460, patched by Oracle in Java in June 2013; and CVE-2014-0515, patched by Adobe in Flash Player in April..."
* http://www.symantec....ers-exploit-kit
3 Jul 2014 - "On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the vulnerabilities were successfully exploited during the campaign, pay-per-click malware was then downloaded on the victim’s computer. This week, Dailymotion is no longer compromised, as users are currently not being redirected to the exploit kit..."
___

4th of July SPAM...
- http://www.symantec....ndependence-day
4 July 2014 - "... like every other year, spammers are sending people a barrage of cleverly crafted spam aimed at exploiting this mood of celebration. This year, Symantec has observed a variety of spam, ranging from fake Internet offers to pharmacy deals, which take advantage of the US Independence Day.
Travel promotion spam - Subject: 4th of July Private Jets
> http://www.symantec....pam_figure1.png
Online casino spam
> http://www.symantec....pam_figure2.png
Fake pharmacy website exploiting July 4
> http://www.symantec....pam_figure3.png
Clearance sale product spam exploiting July 4
> http://www.symantec....pam_figure4.png
... Keep your antispam product updated frequently to get the best protection against these threats..."

- http://www.bbb.org/b...with-gift-card/
July 4, 2014
 

:ph34r:  <_<


Edited by AplusWebMaster, 07 July 2014 - 02:18 PM.



#1224 AplusWebMaster


Posted 07 July 2014 - 07:00 AM

FYI...

Fake USPS SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
July 7, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Ship Notification”. This email is sent from the spoofed address “USPS.com” and has the following body:
Notification
Our courier couldnt make the delivery of parcel to you at June 17 2014.
Print label and show it in the nearest post office.
Download attach . Print a Shipping Label NOW ...


Screenshot: http://img.blog.mxla...140707_USPS.gif

The attached ZIP file has the name notification.zip and contains the 67 kB large file Notification_72384792387498237989237498237498.exe. The trojan is known as Win32:Malware-gen, HW32.CDB.C647, W32/Trojan.BIFV-0857, W32/Trojan3.JCT or Trojan-Spy.Agent. At the time of writing, 5 of the 54 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustot...38977/analysis/

** https://malwr.com/an...DhkZGFlYWRmNGM/

- http://threattrack.t...usps-label-spam
July 7, 2014 - "Subjects Seen:
    Ship Notification
Typical e-mail details:
    Notification
    Our courier couldnt make the delivery of parcel to you at June 17 2014.
    Print label and show it in the nearest post office.
    Download attach . Print a Shipping Label NOW

Malicious File Name and MD5:
    Notification.zip (C44F58432832C2CA9C568939F7730C83)
    Notification_72384792387498237989237498237498.exe (2C286A551D3ED1CAFFB0F679F9473E65)


Screenshot: https://gs1.wac.edge...8cfu1r6pupn.png

Tagged: USPS, Dofoil
___

All Seized Domains Returned to No-IP
- http://threatpost.co...to-no-ip/107028
July 7, 2014 - "Less than a week after Microsoft seized nearly two dozen domains owned by a small hosting provider as part of a takedown of a malware operation, all of those domains are back in the control of the provider, No-IP... This latest takedown operation, however, raised many eyebrows among security researchers, some of whom questioned why Microsoft is being permitted to take control of other companies’ property... all of the seized domains have been returned to the control of Vitalwerks... Microsoft officials said they were still working with Vitalwerks on identifying specific malicious subdomains..."
- http://www.noip.com/...osoft-takedown/
___

Infected travel websites
- http://www.proofpoin...el-websites.php
July 5, 2014 - "... a large number of travel destination websites had been compromised and were being used to deliver the Nuclear exploit kit...  users received promotional emails from these sites containing -links- to infected pages... shares many of the attributes usually associated with watering hole attacks, since these were legitimate emails that users had typically opted-in to receive... the attackers timed their activities to coincide with the summer travel season and the marketing activities that usually happen... Initially about a dozen travel destination websites were identified as being compromised, but additional sites are still continuing to be discovered... these are popular sites that see a lot of organic web traffic, so anyone searching for information relating to tourism in a large number of US cities could have been exposed to the infected sites... When a user browsed to any of these websites they were exposed to the Nuclear exploit kit that integrates multiple different exploits including exploits for Java and Adobe Acrobat. In this case, if the exploit is successful, it attempts to install at least three pieces of malware:
Zemot – A downloader that downloads and installs additional pieces of malware.
Rovnix – A sophisticated bootloader/rootkit that launches the installed malware when the PC boots and then hides itself and other malware from detection.
Fareit – Also a downloader that also attempts to steal user credentials and can be used in DDOS attacks.
... In this case they used what appears to be a travel related site, ecom[.]virtualtravelevent[.]org, helping make the exploit link blend in and look like legitimate content.
> http://www.proofpoin...ite07052014.jpg
So far, all the IPs used in the attack appear to be based in the Ukraine.
Current list of infected websites:
www[.]visitsaltlake[.]com
www[.]visitcumberlandvalley[.]com
www[.]visitmyrtlebeach[.]com
www[.]visithoustontexas[.]com
www[.]seemonterey[.]com
www[.]visitannapolis[.]org
www[.]bostonusa[.]com
www[.]visitokc[.]com/
www[.]tourismvictoria[.]com
www[.]trenton-downtown[.]com
UtahValley[.]com
www.visittucson[.]org
www[.]visitrochester[.]com
www[.]visitannapolis[.]org
www[.]southshorecva[.]com
The hosting companies for these sites have been contacted, so some sites shown above might have been fixed."
 

:ph34r:  <_<


Edited by AplusWebMaster, 07 July 2014 - 01:21 PM.

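The posts in this thread quote indicators in several defanged spellings: "www[.]visitsaltlake[.]com" in the travel-site list above, "kadoi .gr" and "klempfrost.zapto .org" in the Dynamoo write-ups, "inboxteam6@ gmail .com" in the spam headers, and IPs followed by hosting commentary. Before any of that can feed a firewall, proxy or DNS sinkhole it has to be refanged, validated and deduplicated. The following is an added example written for this page, not code from any of the quoted sources; the sample lines are constructed from the indicators quoted in the posts, and the split into ip / domain / url / email / unparsed buckets is this example's own design.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines (not a real feed) imitating the defanged notation
# used throughout this thread: "[.]" and " ." for dots, "@ " for the at-sign,
# and free-text commentary trailing the indicator.
SAMPLE_LINES = [
    "www[.]visitsaltlake[.]com",
    "www.visittucson[.]org",
    "www[.]visitokc[.]com/",
    "www[.]visitannapolis[.]org",
    "www[.]visitannapolis[.]org",   # listed twice in the source post
    "kadoi .gr",
    "klempfrost.zapto .org",
    "krsk .info/components/api/aHZ/WVeiJ0vWJCZzh9O0pXzmah/NtSjknz1hSYIcsqQ=/toll",
    "217.120.44.73 (Ziggo / Groningen, Netherlands)",
    "74.122.193.45  a Continuum Data Centers IP",
    "inboxteam6@ gmail .com",
    "Tagged: E-Z Pass, Kuluoz",     # not an indicator; must land in "unparsed"
]

_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
_EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@(.+)$")


def refang(text: str) -> str:
    """Undo the usual defanging conventions so the indicator is machine-readable."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    text = re.sub(r"\s+\.", ".", text)      # "kadoi .gr"  -> "kadoi.gr"
    text = re.sub(r"@\s+", "@", text)       # "x@ gmail.com" -> "x@gmail.com"
    text = re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[:]", ":")


def classify(token: str):
    """Return (kind, normalised value); kind is ip, domain, url, email or None."""
    token = token.strip().rstrip("/")
    if not token:
        return None, token
    try:
        return "ip", str(ipaddress.ip_address(token))
    except ValueError:
        pass
    lowered = token.lower()
    m = _EMAIL_RE.match(lowered)
    if m and _DOMAIN_RE.match(m.group(1)):
        return "email", lowered
    if "/" in token:
        parts = urlsplit(token if "://" in token else "//" + token)
        host = parts.hostname or ""
        if _DOMAIN_RE.match(host):
            # Normalise only the host; URL paths are case-sensitive.
            prefix = parts.scheme + "://" if parts.scheme else ""
            query = "?" + parts.query if parts.query else ""
            return "url", prefix + host + parts.path + query
        return None, token
    if _DOMAIN_RE.match(lowered):
        return "domain", lowered
    return None, token


def build_blocklist(lines):
    """Turn free-form defanged lines into deduplicated, sorted indicator sets."""
    out = {"ip": set(), "domain": set(), "url": set(), "email": set(), "unparsed": set()}
    for raw in lines:
        words = refang(raw.strip()).split()
        kind, value = classify(words[0] if words else "")
        if kind is None:
            out["unparsed"].add(raw.strip())   # keep for a human to look at
            continue
        out[kind].add(value)
        if kind == "url":
            # A malicious path also justifies blocking the host that serves it.
            parts = urlsplit(value if "://" in value else "//" + value)
            out["domain"].add(parts.hostname)
    # Sender addresses are kept separate on purpose: blocking "gmail.com"
    # because a scammer used a Gmail account would be wrong.
    return {k: sorted(v) for k, v in out.items()}


def to_hosts_file(blocklist) -> str:
    """Render the domain bucket as sinkhole entries for a hosts file or RPZ feed."""
    return "\n".join(f"0.0.0.0 {d}" for d in blocklist["domain"])


if __name__ == "__main__":
    result = build_blocklist(SAMPLE_LINES)
    for kind, values in result.items():
        print(kind, values)
    print(to_hosts_file(result))
```

The "unparsed" bucket matters as much as the others: a line that silently fails to classify ("Tagged: ..." here) would otherwise vanish from the feed. Note also that the lists quoted in this thread are dated and the post itself says some sites "might have been fixed", so anything produced from them belongs behind an expiry date rather than in a permanent block rule.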


#1225 AplusWebMaster


Posted 08 July 2014 - 06:18 AM

FYI...

Fake BTinternet email - Phish ...
- http://www.hoax-slay...-phishing.shtml
Last updated: July 8, 2014 - "Message purporting to be from BTInternet claims that you must update all of your 'informations' via an attached form or risk the 'expiration' of your BTInternet email. The message is -not- from BT. It is a phishing scam designed to steal personal and financial information from BT customers.
Screenshot: http://www.hoax-slay...hishing-pin.jpg
According to this email, which claims to be from BTInternet, you are required to update all of your account information by filling in a form contained in an attached file. The message warns that your account will be disabled if you do not update your details as instructed... the email is -not- from BT and the claim that you must update details or risk account 'expiration' is a lie.
In fact, the email is a typical phishing scam and is designed to steal your personal and financial data. The attached file contains a form that asks for a large amount of information, including your account login details, your name and contact data, and your credit card and bank account numbers. Opening the attachment loads the form in your web browser. Clicking the 'Submit' button on the -bogus- form sends all of the information to criminals who can then use it to commit financial fraud and identity theft... Any email that asks you to open an attached file or click a link to supply personal and financial information should be treated as suspicious..."

- https://en.wikipedia.org/wiki/BT_Group
___

Chinese hacks turned focus to U.S. experts on Iraq
- http://www.reuters.c...N0FC2E620140708
Jul 8, 2014 - "A sophisticated group of hackers believed to be associated with the Chinese government, who for years targeted U.S experts on Asian geopolitical matters, suddenly began breaching computers belonging to experts on Iraq as the rebellion there escalated, a security firm said on Monday. CrowdStrike Inc said* that the group is one of the most sophisticated of the 30 it tracks in China and that its operations are better hidden than many attributed to military and other government units... China's Foreign Ministry repeated that the government opposed hacking and dismissed the report... Over the past three years, CrowdStrike said it has seen the group it calls "Deep Panda" target defense, financial and other industries in the United States. It has also gone after workers at think tanks who specialize in Southeast Asian affairs, including former government experts..."
* http://www.crowdstri...anks/index.html
Jul 7, 2014

- http://atlas.arbor.n...ndex#-308984771
July 10, 2014
A Chinese nation-state threat group called "Deep Panda" has been targeting national security think tanks, particularly individuals with ties to Iraq/Middle East policy issues.
Analysis: The focus on these individuals began the same day as an ISIS-led attack on an oil refinery in Iraq, which provides a large amount of oil to China. [ http://www.crowdstri...anks/index.html ] Advanced threat actors frequently target individuals who may have access to sensitive information, demonstrated recently again when hackers believed to be Chinese accessed some databases of the Office of Personnel Maintenance, which conducts background reviews for security clearances. [ http://www.nytimes.c...us-workers.html ] Many individuals are also targeted using information available via public sources such as social media. This information could then be used to conduct social engineering attacks to deliver malware, steal credentials, etc.
___

SCAM: "All Company Formation" (allcompanyformation .com / businessformation247 .com)
- http://blog.dynamoo....-formation.html
8 July 2014 - "Sometimes it isn't easy to see what a -scam- is, but this email hit my -spamtrap- advertising an outfit that can allegedly create offshore companies and acquire all sorts of trading licences and things like SSL certificates.
    From:     All Company Formation [info@ allcompanyformation .com]
    Date:     7 July 2014 12:58
    Subject:     [Info] Worldwide Company Formation Services - EV SSL Approval Services
    We have a team of agents in different countries we are providing Company Registration services...
    For order and need more informations kindly contact us : www .allcompanyformation .com
    Email: info@ allcompanyformation .com
    skype : companiesformations


The spam originates from 209.208.109.225 which belongs to Internet Connect Company in Orlando, Florida, Orlando being a hotbed of fraud which would make it ideal for twinning with Lagos. The spam then bounces through a WebSiteWelcome IP of 192.185.82.77. None of those IPs give a clue as to the real ownership of the site. The -spamvertised- site of allcompanyformation .com (also mirrored at businessformation247 .com) looks generic but professional:
> https://3.bp.blogspo...yfoundation.png
It is plastered with logos from legitimate organisations, presumably to give it an air of respectability:
> https://2.bp.blogspo...yformation3.png
You can pay for these "services" using any one of a number of obscure payment methods:
> https://2.bp.blogspo...yformation4.png
... The contact information seems deliberately vague and there are no physical contact addresses or company registration details anywhere on the website:
> https://3.bp.blogspo...yformation5.png
The telephone number looks like a US one, but on closer examination appears to be a Bandwidth.com VOIP forwarder to another number (which could be anywhere in the world). These 315-944 numbers seem to be often abused by scammers. The WHOIS details are anonymous, and the website has been carefully excised of any identifying information. Most of the text (and indeed the whole concept) has been copy-and-pasted from Slogold.net who seem to be a real company with real contact details. They even go so far as to warn people of various scams using the Slogold name. The following factors indicate that this is a scam, and sending them money would be a hugely bad idea:
- The site is promoted through spam (this sample was sent to a spamtrap)
- The domain allcompanyformation .com has anonymous registration details and was created only in December 2013.
- There are no real contact details anywhere on the site.
- The text is copy and pasted (i.e. stolen) from other sites, primarily Slogold .net.
-Avoid- "
___

AVG Safeguard and Secure Search ActiveX control provides insecure methods
- http://www.kb.cert.org/vuls/id/960193
Last revised: 07 Jul 2014 - "... By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to download and execute arbitrary code with the privileges of the logged-on user.
Solution: Apply an update: This issue is addressed in AVG Secure Search -toolbar- version 18.1.7.598 and AVG Safeguard 18.1.7.644. While these versions are still marked as Safe for Scripting, this version of the control has restrictions in place that prevent its use by web pages hosted by domains other than .avg .com or .avg.nation .com. Please also consider the following workaround:
Disable the AVG ScriptHelper ActiveX control in Internet Explorer:
The vulnerable AVG ScriptHelper ActiveX control can be -disabled- in Internet Explorer by setting the kill bit..."
(More detail at the cert URL above.)
- https://web.nvd.nist...d=CVE-2014-2956 - 9.3 (HIGH)

> http://www.avg.com/us-en/secure-search
"... connection times out
> http://inst.avg.com/...ab0:productpage
"... connection times out
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 11 July 2014 - 04:48 AM.




#1226 AplusWebMaster


Posted 09 July 2014 - 10:29 AM

FYI...

Fake Incoming Fax – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 July 2014 - "New Incoming Fax pretending to come from Incoming Fax <noreply@ fax-reports .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Dear Customer,
You have received a new fax.
Date/Time: 2014:08:09 12:28:09
Number of pages:2
Received from: 08447 53 54 56
Regards,
FAX


9 July 2014: fax9999999999.zip(168 kb)  Extracts to fax0010029826052014.scr          
Current Virus total detections: 7/54*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1404915722/
___

E-Z Pass Spam
- http://threattrack.t...3/e-z-pass-spam
July 9, 2014
Screenshot: https://gs1.wac.edge...8QOy1r6pupn.png
Subjects Seen:
    Indebted for driving on toll road
Typical e-mail details:
    Dear customer,
    You have not paid for driving on a toll road. This invoice is sent repeatedly,
    please service your debt in the shortest possible time.
    The invoice can be downloaded here.


Malicious URLs:
    krsk .info/components/api/aHZ/WVeiJ0vWJCZzh9O0pXzmah/NtSjknz1hSYIcsqQ=/toll

91.193.224.60
: https://www.virustot...60/information/

Tagged: E-Z Pass, Kuluoz
 

  :ph34r:  <_<


Edited by AplusWebMaster, 09 July 2014 - 04:04 PM.

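The fax post above describes the trick behind most of the attachments in this thread: a ZIP whose member is a .scr or .exe carrying a PDF icon (or a name such as invoice.pdf.exe), which Windows Explorer shows without its real extension unless "show known file extensions" is turned on. A mail gateway should not depend on that setting; it can open the archive and judge each member by both its extension and its leading bytes. The following is an added example written for this page, not code from any quoted source; the archive it inspects is constructed in memory with harmless placeholder bytes that merely start with the PE ("MZ") or PDF signatures, and the verdict names and extension lists are this example's own choices.

```python
import io
import zipfile

# Extensions Windows will execute directly on double-click (subset, example's choice).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".ps1", ".lnk"}
# Extensions scammers put in front of the real one to suggest a harmless document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def sniff(head: bytes) -> str:
    """Identify content by leading bytes, ignoring whatever the name claims."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def exts_of(name: str):
    """All extensions of a member name, e.g. 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess_member(name: str, head: bytes):
    """Return (verdict, reason) for one archive member: block, review or allow."""
    exts = exts_of(name)
    last = exts[-1] if exts else ""
    kind = sniff(head)
    if kind == "pe":
        if last in EXECUTABLE_EXTS and len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return "block", "executable with document-style double extension"
        if last in EXECUTABLE_EXTS:
            return "block", f"executable attachment ({last})"
        return "block", f"PE header behind non-executable name ({last or 'no extension'})"
    if last in EXECUTABLE_EXTS:
        return "block", f"executable extension ({last})"
    if kind == "zip":
        return "review", "nested archive"
    return "allow", f"{kind} content with extension {last or 'none'}"


def inspect_zip(data: bytes):
    """Walk a ZIP held in memory and assess every file member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # enough for the signatures above
            verdict, reason = assess_member(info.filename, head)
            findings.append((info.filename, verdict, reason))
    return findings


def archive_verdict(data: bytes) -> str:
    """Collapse member verdicts into one decision for the whole attachment."""
    verdicts = {v for _, v, _ in inspect_zip(data)}
    if "block" in verdicts:
        return "block"
    if "review" in verdicts:
        return "review"
    return "allow"


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lures quoted in this thread (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax0010029826052014.scr", b"MZ\x90\x00 placeholder, not a program")
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00 placeholder")
        zf.writestr("statement.pdf", b"%PDF-1.4\n%placeholder")
        zf.writestr("photo.jpg", b"MZ\x90\x00 renamed executable")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, verdict, reason in inspect_zip(sample):
        print(f"{verdict:6} {name:28} {reason}")
    print("archive:", archive_verdict(sample))
```

Judging by leading bytes is what catches the "photo.jpg" case, where the extension is innocent but the content is a Windows executable; the extension check alone still catches a .scr even when its first bytes are unfamiliar. Production filters go further (recursing into nested archives, handling encrypted ZIPs, checking Office macros), but the two-sided check shown here is the core that the "spoofed icon" lure relies on nobody doing.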


#1227 AplusWebMaster


Posted 10 July 2014 - 08:30 AM

FYI...

Shylock takedown - Europol
- http://www.nationalc...shylock-malware
10 July 2014 - "An international operation involving law enforcement agencies and private sector companies is combating the threat from a type of malicious software (malware) used by criminals to steal from bank accounts. In the first project of its kind for a UK law enforcement agency, the National Crime Agency has brought together partners from the law enforcement and private sectors, including the FBI, Europol, BAE Systems Applied Intelligence, GCHQ, Dell SecureWorks, Kaspersky Lab and the German Federal Police (BKA) to jointly address the Shylock trojan. As part of this activity, law enforcement agencies are taking action to disrupt the system which Shylock depends on to operate effectively. This comprises the seizure of servers which form the command and control system for the trojan, as well as taking control of the domains Shylock uses for communication between infected computers. This has been conducted from the operational centre at the European Cybercrime Centre (EC3) at Europol in The Hague. Investigators from the NCA, FBI, the Netherlands, Turkey and Italy gathered to coordinate action in their respective countries, in concert with counterparts in Germany, Poland and France. Shylock - so called because its code contains excerpts from Shakespeare’s Merchant of Venice - has infected at least 30,000 computers running Microsoft Windows worldwide. Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere. The NCA is therefore coordinating international action against this form of malware. Victims are typically infected by clicking on malicious links, and then unwittingly downloading the malware. Shylock will then seek to access funds held in business or personal accounts, and transfer them to the criminal controllers..."
___

MS cybercrime bust frees 4.7 million infected PCs
- http://www.reuters.c...N0FF2CU20140710
July 10, 2014 - "Microsoft Corp said it has freed at least 4.7 million infected personal computers from control of cyber crooks in its most successful digital crime-busting operation, which interrupted service at an Internet-services firm last week. The world's largest software maker has also identified at least another 4.7 million infected machines, though many are likely still controlled by cyber fraudsters, Microsoft's cybercrime-fighting Digital Crimes Unit said on Thursday. India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico have the largest number of infected machines, in the first high-profile case involving malware developed outside Eastern Europe. Richard Domingues Boscovich, assistant general counsel of the unit, said Microsoft would quickly provide government authorities and Internet service providers around the world with the IP addresses of infected machines so they can help users remove the viruses... The operation is the most successful of the 10 launched to date by Microsoft's Digital Crimes Unit, based on the number of infected machines identified, Boscovich said. Microsoft located the compromised PCs by intercepting traffic headed to servers at Reno, Nevada-based Vitalwerks Internet Solutions, which the software maker said criminals used to communicate with compromised PCs through free accounts on its No-IP.com services. Vitalwerks criticized the way Microsoft handled the operation, saying some 1.8 million of its users lost service for several days. The Internet services firm said that it would have been glad to help Microsoft, without interrupting service to legitimate users. Microsoft has apologized, blaming "a technical error" for the disruption, saying service to customers has been restored... The operation, which began on June 30 under a federal court order, targeted malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways and were written and distributed by developers in Kuwait and Algeria."
___

Fake "TT PAYMENT COPY" SPAM - malicious attachment
- http://blog.dynamoo....-copy-spam.html
10 July 2014 - "We've seen spam like this before. It comes with a malicious attachment.
    Date:      Thu, 10 Jul 2014 00:09:28 -0700 [03:09:28 EDT]
    From:      "PGS Global Express Co, Ltd." [pgsglobal1960@ gmail .com]
    Subject:      Re TT PAYMENT COPY
    ATTN:
    Good day sir,here is the copy of the transfer slip ,kindly find the attach copy and please check with your bank to confirm the receipt of the payment and do the needful by dispatching the material as early as possible.
   We hope you will do the needful and let us know the dispatch details.
    (purchase) Manager.
                       ------sent from my iphone5s-------


It comes with an attachment TT PAYMENT COPY.ZIP containing the malicious executable TT PAYMENT COPY.exe which has a VirusTotal detection rate of 19/54*. According to Malwr** this appears to be a self-extractive archive file which then drops (inter alia) a file iyKwmsYRtDlN.com which has a very low detection rate of 1/52***. It isn't clear what this file does according to the report**."
* https://www.virustot...sis/1405000247/

** https://malwr.com/an...mU0OWM0YzM0OTA/

*** https://www.virustot...sis/1405000668/
___

Fake E100 MTB ACH SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 July 2014 - "E100 MTB ACH Monitor Event Notification is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
You have received a secure message from M&T Bank
At M&T Bank,we understand the importance of protecting confidential information. That’s why we’ve developed this email messaging system, which will allow M&T to securely send you confidential information via email.
An M&T Bank employee has sent you an email message that may contain confidential information. The sender’s email address is listed in the from field of this message. If you have concerns about the validity of this message, contact the sender directly.
To retrieve your encrypted message, follow these steps:
1. Click the attachment, securedoc.html.
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
2. Enter your password.
If you are a first time user, you will be asked to register first.


10 July 2014: Securedoc.zip (284kb): Extracts to Securedoc.pdf.scr
Current Virus total detections: 0/38 * . This E100 MTB ACH Monitor Event Notification is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405013243/
___

Fake Money Transfer - PDF malware
- http://myonlinesecur...ke-pdf-malware/
10 July 2014 - "Important Notice – Incoming Money Transfer is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
An Incoming Money Transfer has been received by your financial institution for thespykiller .co .uk. In order for the funds to be remitted on the correct account please complete the “A136 Incoming Money Transfer Form”.
Fax a copy of the completed “A136 Incoming Money Transfer Form” to +1 800 722 4969.
To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Trevor.Mcdowell
Senior Officer Level III
Cash Management Verification ...


10 July 2014: A136_Incoming_Money_Transfer_Form.zip (10kb): Extracts to
A136_Incoming_Money_Transfer_Form.exe.exe - Current Virus total detections: 2/53 * . This Important Notice – Incoming Money Transfer is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected.
* https://www.virustot...sis/1405013171/
___

Symantec in talks with Chinese government after software ban report
- http://www.reuters.c...N0FF1V320140710
July 10, 2014 - "U.S. security software maker Symantec Corp said it is holding discussions with authorities in Beijing after a state-controlled Chinese newspaper reported that the Ministry of Public Security had banned use of one of its products. The China Daily reported last week that the ministry had issued an order to its branches across the nation telling them to uninstall Symantec's data loss prevention, or DLP, products from their systems and banning their future purchase, saying the software 'could pose information risks'..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 10 July 2014 - 05:19 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1228 AplusWebMaster

Posted 11 July 2014 - 06:41 AM

FYI...

Fake Citibank Commercial Form email – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 July 2014 - "FW: Important – Commercial Form is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Commercial Banking Form
To: < redacted >
Case: C1293101
Please scan attached document and fax it to +1 800-285-5021 .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-6575 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
Yours faithfully
Leanne Davis Commercial Banking Citibank N.A Leanne.Davis@ citibank .com
Copyright © 2014 Citigroup Inc.


11 July 2014: C1293101.zip (9kb): Extracts to C100714.scr
Current Virus total detections: 0/53 * . This FW: Important – Commercial Form is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405086057/
___

A cunning way to deliver malware
- http://blog.malwareb...eliver-malware/
July 11, 2014 - "Potentially unwanted programs, also known as PUPs, continue to be a real nuisance. A recent blog post by Will Dormann on CERT.org* shows the prevalence of such applications lurking on every corner of the web: search engines results, software portals, popups, ads, etc... Here is an example of an unwanted warning pushed as a pop-up:
> http://cdn.blog.malw.../07/message.png
... The following page shows that our browser (Internet Explorer) may be out of date and urges us to download a program to check for outdated software.
> http://cdn.blog.malw...07/download.png
It is worth noting that this webpage was totally unsolicited and is in fact very misleading... In other words, the program they want you to download bundles other applications, something we know all too well. Attempting to close the page brings up yet another warning:
> http://cdn.blog.malw...014/07/sure.png
We could argue with advertisers that these practices are not okay until we are blue in the face. But here’s the catch with this one: while the page is saying our system could be at risk we are silently being infected with a drive-by download... two malware payloads are subsequently dropped (#1, #2) detected as Spyware.Zbot.VXGen... We have reported this incident to Akamai’s Abuse department so that they can take immediate action against these bad actors."
1) https://www.virustot...115c2/analysis/

2) https://www.virustot...25fbb/analysis/

* https://www.cert.org...cfm?EntryID=199
7/07/2014 - "... depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse. Sure, these may be annoyances, but there's an even more important security aspect to these types of applications: attack surface..."
___

Fake 'E-ZPass Unpaid Toll' SPAM - links to Malware
- http://www.hoax-slay...l-malware.shtml
July 11, 2014 - "Email purporting to be from US toll collection system E-ZPass claims that the recipient has not paid for driving on a toll road and should click a link to download an invoice... The email is -not- from E-ZPass. It is a criminal ruse designed to trick you into downloading malware... If you receive this message, do -not- click any links or open -any- attachments that it contains..."
> http://www.hoax-slay...l-malware-1.jpg

Ref: http://stopmalvertis...-to-asprox.html
9 July 2014 - E-ZPass themed emails lead to Asprox
___

GameOver Zeus mutates - launches Attacks
- http://blog.malcover...er-zeus-returns
July 10, 2014 - "... -new- trojan based heavily on the GameOver Zeus binary. It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed... we saw spam messages claiming to be from NatWest...
> https://cdn2.hubspot...er_Return_2.png
... we saw spam messages with the subject “Essentra PastDue” like these:
> https://cdn2.hubspot...er_Return_4.png
... The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of “E100 MTB ACH Monitor Event Notification”. That campaign is still ongoing as of this writing.
> https://cdn2.hubspot...er_Return_7.png
The three spam campaigns each had a .zip attachment. Each of these contained the same file in the form of a “.scr” file with the hash:
MD5:   5e5e46145409fb4a5c8a004217eef836
At this timestamp (1600 Central time, 7 hours after we first noticed the spam campaign) the detection rate at VirusTotal is 10/54:
> https://cdn2.hubspot...er_Return_8.png
Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing. Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information “webinject” files from the server. The Domain Generation Algorithm is a method for a criminal to regain access to his botnet. Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists... Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down".  This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy... This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history..."

- http://www.nationalc...icious-software
13 June 2014
___

SCAMS: Free Movies - Reel Deal? ...
- http://blog.malwareb...-the-reel-deal/
July 11, 2014 - "... We often see Netflix themed sites used as a -bait- so this one immediately caught our eye... The end user is presented with a number of surveys and offers, one of which has to be completed to obtain the “free account”. They lead to a variety of places:
> http://cdn.blog.malw...14/07/flix3.jpg
Another one:
> http://cdn.blog.malw...14/07/flix4.jpg
We tried to “unlock” the supposed text file to see what happened next, by installing two separate offers – a “TV toolbar” and a “We love games community toolbar”.
> http://cdn.blog.malw...14/07/flix5.jpg
> http://cdn.blog.malw...14/07/flix6.jpg
In both cases, nothing was unlocked and we saw no evidence of text files. What we did have, were two potentially unwanted programs which a regular user would only have installed to get the text file in the first place. You’re better off avoiding sites which promise “free” signups to websites and services, and buying directly from the real thing. More often than not, you can never be sure if what you’re receiving is legit or will be shut down by the service provider. And of course, in many cases what you’ll be getting your hands on after signing up to offers or downloading programs will be little more than thin air..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 11 July 2014 - 12:26 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1229 AplusWebMaster

Posted 13 July 2014 - 09:24 AM

FYI...

ZeuS GameOver Reloaded
- http://stopmalvertis...r-reloaded.html
12 July 2014 - "Yesterday we received an unsolicited email appearing to be from the M&T Bank, an American commercial bank headquartered in Buffalo. The emails arrive with the subject line "E100 MTB ACH Monitor Event Notification".

Screenshot: http://stopmalvertis...s/new-gmo16.jpg

The recipient is informed that an M&T Bank employee has sent them an email message that may contain confidential information. To retrieve the encrypted message the addressee is invited to save the attachment "securedoc.html" and open the file in a Web browser. The attachment isn’t a HTML file as stated by the spammed out message but a ZIP archive containing an executable named SECUREDOC.PDF.SCR. The file with a double extension (.pdf.scr) poses as a PDF document... -never- trust a file by its icon and make sure that Windows Explorer is set to show file extensions... The new instance of SECUREDOC.PDF.SCR will create a random named folder in the %TEMP% directory and will drop a copy of itself in the new folder using a random file name with an EXE extension... The payload is similar to ZeuS GameOver without the Necurs rootkit component... This version doesn’t rely on P2P communications but uses a different Domain Generation Algorithm (DGA) compared to the ZeuS GameOver version we know. The DGA domains are hosted on a Fast Flux infrastructure. This release generates .COM, .NET, .ORG and .BIZ domains, apparently between 21 and 28 alphanumeric characters long (without the domain extension). The threat performs around 500 DNS lookups to see if any of the DGA domains resolve to an IP, pauses 5 minutes and starts all over again...
Update: Additional Information - Although the rootkit component has been left out in this new release of ZeuS GameOver, from a technical point of view the code shares more similarities with the ZeuS GameOver with Necurs variant than with the version before the rootkit introduction. Both versions share the same compiler and compile settings. The new version mostly uses the same classes as ZeuS GameOver with Necurs and the same zlib and pcre library versions. The content of the encrypted string table is identical in both versions. The new release also uses RSA to verify the authenticity of the server’s response, the content is decrypted using RC4 and VisualDecrypt... IP Details
zi7sh2zoptpb14w9mgxugkey2 .com - 69.61.18.148
9zusnu3rh65o1nal2ty1fbb5o0 .net - 86.124.164.25
... The IP 86.124.164.25 is a known CryptoLocker IP. According to VirusTotal* several malware samples communicate with this IP but at the time of the write-up I'm unable to tell if this is yet another sinkhole.
Update July 13, 2014: this IP is a sinkhole..."
(More detail at the stopmalvertising.com URL above.)
* https://www.virustot...25/information/ - Still active 2014-07-16

69.61.18.148: https://www.virustot...48/information/ - Still active 2014-07-16

Cutwail botnet spam email containing the new Gameover Zeus variant
- http://www.securewor...over.zeus.1.png

- http://www.securewor...eer-capability/
July 11, 2014 - "... Previous Gameover Zeus versions relied primarily on the P2P component for communication but reverted to a DGA if no peers could be contacted. The new DGA used in this version generates 1,000 domains per day..."

- http://net-security....ews.php?id=2804
July 11, 2014
> http://www.net-secur...tolocker-bd.jpg
___

Gameover Zeus Variant Resumes Activity
- https://atlas.arbor....index#170748218
17 Jul 2014
A new variant based on the GameOver Zeus Trojan has been identified distributing spam.
Analysis: While the original GameOver Zeus was taken down by law enforcement last month, this new variant suggests that cyber criminals will continue to leverage this malware. Past law enforcement operations on active botnets, while temporarily successful, have done little to fully disrupt malicious activity, as criminals frequently find new available malware and tools. [ http://blog.malcover...er-zeus-returns , http://nakedsecurity...-from-the-dead/ ]
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 18 July 2014 - 06:20 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
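The DGA behaviour described in the posts above (21-28 alphanumeric characters on .com/.net/.org/.biz, around 500 lookups in a burst, then a pause) can be hunted for in resolver logs. The following is an added example, not code from Malcovery, Stopmalvertising or SecureWorks; the log line format, the entropy cut-off and the burst threshold are assumptions, and the sample log is constructed (the two page domains are marked NXDOMAIN only for illustration).

```python
"""Heuristic hunt for ZeuS GameOver-style DGA lookups in DNS logs.
Added example; the write-ups above give the domain shape, the rest is assumed."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DGA_TLDS = ("com", "net", "org", "biz")        # the four TLDs named in the write-up
LABEL_RE = re.compile(r"^[a-z0-9]{21,28}$")   # 21-28 alphanumerics, no hyphens
# Assumed (constructed) log format: "<ISO timestamp> <client ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits per character; random alphanumerics score well above 4, words lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(qname):
    """True when a hostname has the variant's DGA shape: one long alphanumeric
    label mixing letters and digits, directly under one of the four TLDs."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) != 2 or parts[1] not in DGA_TLDS:
        return False
    label = parts[0]
    if not LABEL_RE.match(label):
        return False
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return has_digit and has_alpha and shannon_entropy(label) >= 3.5  # assumed cut-off


def dga_bursts(log_lines, window=timedelta(minutes=5), min_hits=50):
    """Collect DGA-shaped NXDOMAIN answers per client and report clients that
    produced at least `min_hits` of them inside one sliding `window`.
    Returns {client: peak count in a window}."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_like_dga(qname):
            hits[client].append(datetime.fromisoformat(ts))
    alerts = {}
    for client, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_hits:
                alerts[client] = max(alerts.get(client, 0), count)
    return alerts


# Constructed sample log: one client in a burst, one client with a single hit.
SAMPLE_LOG = """\
2014-07-12T10:00:01 10.0.0.5 zi7sh2zoptpb14w9mgxugkey2.com NXDOMAIN
2014-07-12T10:00:01 10.0.0.5 9zusnu3rh65o1nal2ty1fbb5o0.net NXDOMAIN
2014-07-12T10:00:02 10.0.0.5 k3q8vt1zpo7xncw5ej9rlb2ahm.org NXDOMAIN
2014-07-12T10:00:02 10.0.0.5 h9dm2xk7pqw4zt1rvn6cgb8ly.biz NXDOMAIN
2014-07-12T10:00:03 10.0.0.5 t4bn1mzq9xpk7rv2wlc6ghj8e5.com NXDOMAIN
2014-07-12T10:00:03 10.0.0.5 www.mtb.com NOERROR
2014-07-12T10:00:04 10.0.0.7 p7xq2kvn9zr4tmb1wlc8gh5dy.com NXDOMAIN
2014-07-12T10:00:05 10.0.0.7 update.microsoft.com NOERROR
2014-07-12T10:00:06 10.0.0.7 mail.example.com NOERROR
"""

if __name__ == "__main__":
    # A real hunt would keep min_hits near the ~500-lookup bursts described above.
    print(dga_bursts(SAMPLE_LOG.splitlines(), min_hits=5))   # {'10.0.0.5': 5}
```

The label filter alone will also match long legitimate names, so the burst count per client is what should drive an alert.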


#1230 AplusWebMaster

Posted 14 July 2014 - 03:18 PM

FYI...

Fake Important Internal Only SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 July 2014 - "Important – Internal Only that pretends to come from administrator @ your domain is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
File Validity: 07/14/2014
File Format: Office – Excel ,PDF
Name: Internal Only
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Internal Only.pdf
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s)...


14 July 2014: Internal Only – thespykiller.co.uk.zip: Extracted file name: Internal Only.scr
Current Virus total detections: 3/54 * . This Important – Internal Only is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405352721/

- http://blog.dynamoo....-only-spam.html
14 July 2014 - "This spam comes with a malicious payload:
    Date:      Mon, 14 Jul 2014 16:12:49 +0000 [12:12:49 EDT]
    Subject:      Important - Internal Only
    File Validity: 07/14/2014
    File Format: Office - Excel ,PDF
    Name: Internal Only
    Legal Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: Internal Only.pdf ...

Attached to the message is an archive file Internal Only - victimdomain which in turn contains a malicious executable Internal Only.scr which has a VirusTotal detection rate of 9/54* which indicates that this is a variant of Upatre... This drops a few files, including mkird.exe which has a VirusTotal detection rate of 6/54** .."
* https://www.virustot...sis/1405363103/

** https://www.virustot...sis/1405363781/

82.98.160.242: https://www.virustot...42/information/

194.58.101.96: https://www.virustot...96/information/
___

Email Messages distributing Malicious Software - July 14, 2014
- http://tools.cisco.c...x?alertId=34782
Version: 9
First Published: 2014 June 30 11:59 GMT
Last Published: 2014 July 14 18:48 GMT
"... significant activity related to spam email messages distributing malicious software...  sample of the email message that is associated with this threat outbreak: Subject: 10 messages..."
(More detail at the cisco URL above.)
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 15 July 2014 - 05:59 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
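The "spoofed icon" attachments in this post and the earlier ones (Securedoc.pdf.scr, A136_Incoming_Money_Transfer_Form.exe.exe, C100714.scr, Internal Only.scr) can be caught at the mail gateway before anyone relies on Explorer's extension display. This is an added example, not code from myonlinesecurity or dynamoo; the extension lists are assumptions and the archives it inspects are constructed in memory with a stub "MZ" header standing in for a real executable.

```python
"""Triage ZIP attachments for executables wearing document names.
Added example; file names come from the posts above, everything else is assumed."""
import io
import zipfile

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "html", "htm", "txt"}


def classify_name(name):
    """Return the reasons a member name is suspicious (empty list if none):
    an executable final extension, and a document or second executable
    extension in front of it (the .pdf.scr / .exe.exe trick)."""
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]
    reasons = []
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOC_EXTS | EXEC_EXTS:
            reasons.append("double extension ." + ".".join(exts[-2:]))
    return reasons


def classify_content(head):
    """Magic-byte check: a PE image starts with 'MZ' whatever the name or icon says."""
    if head.startswith(b"MZ"):
        return "PE executable header (MZ)"
    return None


def triage_zip(data, scan_bytes=2):
    """Inspect every member of a ZIP held in memory.
    Returns {member name: [reasons]} for members a user must not open."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                magic = classify_content(fh.read(scan_bytes))
            if magic:
                reasons.append(magic)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Constructed test archive: {name: bytes} -> ZIP bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 62          # constructed stub, not a real executable
SAMPLE_ZIP = build_zip({
    "Securedoc.pdf.scr": FAKE_PE,
    "A136_Incoming_Money_Transfer_Form.exe.exe": FAKE_PE,
    "C100714.scr": FAKE_PE,
    "statement.pdf": b"%PDF-1.4\n%constructed benign document\n",
})

if __name__ == "__main__":
    for member, reasons in triage_zip(SAMPLE_ZIP).items():
        print(member, "->", "; ".join(reasons))
```

The magic-byte check is the part that still works when the sender drops the double extension and ships a bare .scr, as two of the posts above show.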
