
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1231 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 July 2014 - 09:09 AM

FYI...

Fake BBB SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 July 2014 - "BBB SBQ Form #862054929(Ref#85-862054929-0-4) pretending to come from BBB Accreditation Services <Emmanuel_Hastings@ newyork .bbb .org> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Thank you for supporting your Better Business Bureau (BBB). As a service to BBB Accredited
Businesses, we try to ensure that the information we provide to
potential customers is as accurate as possible. In order for us to
provide the correct information to the public, we ask that you review
the information that we have on file for your company.
We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)...
Thank you again for your support, and we look forward to receiving this updated information.
Sincerely,
Accreditation Services


15 July 2014: BBB SBQ Form.zip (7kb) : Extracted file name: BBB SBQ Form.exe.exe
Current Virus total detections: 2/53*. This BBB SBQ Form #862054929(Ref#85-862054929-0-4) is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405433104/
___

Fake Notice to Appear in Court Email - Malware
- http://www.hoax-slay...t-malware.shtml
15 July 2014 - "Email purporting to be from Green Winick Attorneys at Law claims that you are required to appear in court and should click a link to view a copy of the court notice... The email is -not- from Green Winick or any legitimate legal entity.  The link in the email opens a webpage that harbours -malware- ...
> http://www.hoax-slay...s-july-2014.jpg
... The email claims that you are required to appear in court and should therefore -click- a link to download the court notice and 'read it thoroughly'. The message warns that, if you fail to appear as requested, the judge may hear the case in your absence... If you click the link in the email, you will be taken to a website that harbours a version of the notorious Asprox/Kulouz malware. Once downloaded and installed, the malware attempts to download further malware and allows criminals to maintain control of the infected computer and join it to a botnet..."

Ref: ASProx botnet, aka Kulouz
- http://garwarner.blo...reenwinick.html
July 13, 2014
Screenshot: https://3.bp.blogspo...GreenWinick.jpg

- https://www.virustot...sis/1405216664/
___

Fake Virgin Airlines Calls ...
- http://www.hoax-slay...cam-calls.shtml
15 July 2014 - "A number of people in different parts of Australia have reported receiving 'prize' calls claiming to be from Virgin Australia. The callers claim that the 'lucky' recipient of the call has won a cash prize or 999 frequent-flyer points. Supposedly, winners were randomly drawn from the names of people who have flown with the airline in the past. 'Winners' are then told that they must provide their credit card details to claim their prize... the calls are certainly -not- from Virgin Australia and recipients have won nothing at all. The calls are a criminal ruse designed to steal credit card information. Virgin Australia has issued a statement* warning people about the scam..."
* http://www.virginaus.../travel-alerts/

___

.pif files, Polish spam from Orange, and Tiny Banker (Tinba)
- http://garwarner.blo...orange-and.html
July 15, 2014 - "... we saw 1,440 copies of a spam message claiming to be from "orange .pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names... I was surprised to see that the file was actually TinBa or "Tiny Banker"!... email that was distributed so prolifically this morning:
> http://4.bp.blogspot...m.orange.pl.jpg
In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:
    If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www .orange .pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www .orange .pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.

The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53)* detection rate. The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange .com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal... more malware, disguised as an invoice but actually a .pif file. The current detection at VirusTotal for that campaign is 33 of 53** detections. Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message..."
* https://www.virustot...ce8c6/analysis/

** https://www.virustot...d61d8/analysis/
 



Edited by AplusWebMaster, 15 July 2014 - 11:28 AM.


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1232 AplusWebMaster

Posted 16 July 2014 - 10:56 AM

FYI...

Fake Fax / Secure msg SPAM
- http://blog.dynamoo....u-have-new.html
16 July 2014 - "This -pair- of spam messages leads to a malicious ZIP file downloaded via goo .gl (and -not- Dropbox as the spam says):
From:     Fax [fax@ victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax
New fax at SCAN7905518 from EPSON by https ://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at:
https ://goo .gl/8AanL9
(Dropbox is a file hosting service operated by Dropbox, Inc.)
-------------
From:     NatWest [secure.message@ natwest .com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at:
https ://goo .gl/8AanL9
(Dropbox is a file hosting service operated by Dropbox, Inc.)


I have seen three goo .gl URLs leading to three different download locations, as follows
https ://goo .gl/1dlcL3 leads to
http ://webbedenterprisesinc .com/message/Document-6936124.zip
https ://goo .gl/8AanL9 leads to
http ://rollermodena .it/Document-2816409172.zip
https ://goo .gl/pwgQID leads to
http ://www.vetsaudeanimal .net/Document-9879091.zip
- In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54*. The Malwr report** shows that this then downloads components from the following locations (hosted by OVH France):
http ://94.23.247.202 /1607h/HOME/0/51Service%20Pack%203/0/
http ://94.23.247.202 /1607h/HOME/1/0/0/
An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54***. The Malwr report for that is inconclusive.
Recommended blocklist:
94.23.247.202
vetsaudeanimal .net
rollermodena .it
webbedenterprisesinc .com
"
* https://www.virustot...sis/1405523997/

** https://malwr.com/an...DkzOTBmNWJjMjg/

*** https://www.virustot...sis/1405524493/

94.23.247.202: https://www.virustot...02/information/

 

- http://threattrack.t...re-message-spam
July 16, 2014 - "Subjects Seen:
    You have a new Secure Message
Typical e-mail details:
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at:
    goo .gl/1dlcL3


Screenshot: https://gs1.wac.edge...9zgJ1r6pupn.png

Malicious URLs:
    webbedenterprisesinc .com/message/Document-6936124.zip
    lavadoeimagen .com/Document-09962146.zip

Malicious File Name and MD5:
    Document-<random>.scr (2A835747B7442B1D58AB30ABC90D3B0F)
    Document-<random>.zip (323706E66968F4B973870658E84FEB69)


Tagged: NatWest, Upatre
 



Edited by AplusWebMaster, 16 July 2014 - 12:07 PM.

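The post above notes that the same goo .gl link pointed at a different download host each time it was checked. Resolving a shortener hop by hop (one HEAD request per hop, never following the redirect automatically) gives you the final host for a blocklist without ever pulling the ZIP. The following is an added example of that check, not code from the original post or from the quoted blog; the goo.gl link, the file host and the loop/length cases in the usage section are constructed stand-ins, not the real URLs of the campaign.

```python
"""Resolve a URL-shortener chain hop by hop without downloading the payload.

Added example; not code from the original post or the quoted blog. The
goo.gl links and ZIP locations used in the usage section are constructed
stand-ins, not the real ones from the July 2014 campaign.
"""
import http.client
import sys
from urllib.parse import urljoin, urlsplit

# Extensions the campaigns in this thread used for the final download.
PAYLOAD_SUFFIXES = (".zip", ".exe", ".scr", ".pif", ".cpl")


def head_location(url, timeout=10):
    """Send one HEAD request and return the Location header, or None.

    Redirects are deliberately not followed here: each hop is resolved
    separately so the ZIP at the end of the chain is never fetched.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            loc = resp.getheader("Location")
            return urljoin(url, loc) if loc else None
        return None
    finally:
        conn.close()


def expand_chain(url, resolver=head_location, max_hops=5):
    """Return every hop from url to the final destination.

    Stops at the first non-redirect, at the first repeated URL (a loop), or
    after max_hops, so a hostile server cannot keep the client bouncing.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def final_hostname(chain):
    """Hostname of the last hop, the candidate for a blocklist entry."""
    return urlsplit(chain[-1]).hostname


def looks_like_payload(url):
    """True when the URL path ends in one of the payload extensions."""
    return urlsplit(url).path.lower().endswith(PAYLOAD_SUFFIXES)


def blocklist_from_chains(chains):
    """Sorted, de-duplicated hostnames of the final hops, in the spirit of
    the 'Recommended blocklist' in the quoted post."""
    return sorted({final_hostname(c) for c in chains if final_hostname(c)})


if __name__ == "__main__":
    # Usage: python expand.py https://goo.gl/XXXXXX   (hypothetical link)
    for arg in sys.argv[1:]:
        hops = expand_chain(arg)
        print(" -> ".join(hops))
        if looks_like_payload(hops[-1]):
            print("payload-like final hop on", final_hostname(hops))
```

The resolver is injectable so the chain logic can be exercised offline; in production the default `head_location` does the network work, and the hop cap plus loop detection are what keep a malicious redirector from tying up the scanner.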


#1233 AplusWebMaster

Posted 17 July 2014 - 05:44 PM

FYI...

Fake 'Take a look at this picture' email – malware
- http://myonlinesecur...ke-pdf-malware/
17 June 2014 - "'You should take a look at this picture' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very simple email with the subject of 'You should take a look at this picture' and the body just containing a smiley face.
17 July 2014: IMG3384698174-JPG.zip (24 kb) : Extracts to IMG4563693711-JPG.scr
Current Virus total detections: 3/54 * ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1405605234/
 



Edited by AplusWebMaster, 17 July 2014 - 05:51 PM.



#1234 AplusWebMaster

Posted 18 July 2014 - 08:32 AM

FYI...

Something evil on 5.135.211.52 and 195.154.69.123
- http://blog.dynamoo....521152-and.html
18 July 2014 - "This is some sort of malware using insecure OpenX ad servers to spread... don't know quite what it is, but it's running on a bunch of -hijacked- GoDaddy subdomains and is triggering a generic Javascript detection on my gateway... The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT*] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT**]. This second IP has also been used to host "one two three" malware sites back in May***.
Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance .com
risleyhouse .net
ecofloridian .info
ecofloridian .com
trustedelderlyhomecare .net
trustedelderlyhomecare .org
trustedelderlyhomecare .info
theinboxexpert .com
"
* 5.135.211.52: https://www.virustot...52/information/

** 195.154.69.123: https://www.virustot...23/information/

*** http://blog.dynamoo....ons-center.html
___

Law Firm Spam
- http://threattrack.t...8/law-firm-spam
July 18, 2014 - "Subjects Seen:
    Notice of appearance
Typical e-mail details:
    Notice to Appear,
    To view copy of the court notice click here. Please, read it thoroughly. Note: If you do not attend the hearing the judge may hear the case in your absence.


Malicious URLs:
    encoretaxcpa .com/wp-content/plugins/pm.php?notice=rAKMA0yBTjJaHycjLxYiPxWIuHzgUE6cEU/ZGGio7m4=


Screenshot: https://gs1.wac.edge...n8BS1r6pupn.png

Tagged: Law firm, Kuluoz
___

Hotel Business Center Machines - targeted by keyloggers
- https://atlas.arbor....index#802927307
Elevated Severity
July 17, 2014 - "The U.S. Secret Service has issued an advisory warning users to avoid using hotel business center computers, as cybercriminals frequently target these machines to install keylogging malware.
Analysis: Any publicly accessible computer, even those perceived to be in secure locations, should not be used to access personal or company data. If printing services are needed, users should consider forwarding the information to a throw-away email address, which is then accessed from the public computer.
- http://krebsonsecuri...usiness-centers

 



Edited by AplusWebMaster, 18 July 2014 - 11:03 AM.



#1235 AplusWebMaster

Posted 21 July 2014 - 07:28 AM

FYI...

Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
- http://blog.dynamoo....981-ip4isp.html
21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
Recommended blocklist:
188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
adultvideoz .net
alsancakescort .org
anadoluyakasiescort .asia
"
* http://blog.dynamoo....ovh-france.html

** http://urlquery.net/...d=1405937345878

*** 188.120.198.1: https://www.virustot....1/information/
___

Facebook video scam leaves unamusing Trojan
- http://net-security....ews.php?id=2814
21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
___

Bank of America - Activity Alert Spam
- http://threattrack.t...vity-alert-spam
July 21, 2014 - "Subjects Seen:
    Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Malicious File Name and MD5:
    report072114_349578904357.exe (23E32D6A9A881754F1260899CB07AC55)
    report072114_349578904357.zip (4FE1365C55AA0C402384F068CDA7DF8E)


Screenshot: https://gs1.wac.edge...Nlop1r6pupn.png

Tagged: Bank of America, Upatre

- http://myonlinesecur...ke-pdf-malware/
21 July 2014
> https://www.virustot...sis/1405960609/
___

Bitly API key and MSNBC unvalidated redirects
- http://community.web...-redirects.aspx
21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
> http://community.web..._2D00_550x0.jpg
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
> http://community.web..._2D00_550x0.jpg
Example post on Yahoo groups:
> http://community.web..._2D00_550x0.jpg
... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing.  Kudos to them.
>> http://community.web..._2D00_550x0.jpg
... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com..._practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."
 



Edited by AplusWebMaster, 21 July 2014 - 09:52 PM.

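The Websense item above makes two points a practitioner will want to act on: a Bitly API key sitting in front-end page source lets anyone mint short links on your branded short domain, and the fix is to call Bitly only from the server side, which also gives you a place to validate the destination before shortening it. The following is an added example covering both the check for the exposed key and the server-side destination gate; it is not code from the original post or from Websense. The sample page is constructed and every credential value in it is made up. It is assumed, from memory of the Bitly v3 API, that credentials travelled in the query string as login/apiKey or as access_token; the post does not say which form the MSNBC page used, so both are searched for.

```python
"""Spot Bitly credentials exposed in front-end page source, and gate the
destination a server-side shortener is asked to shorten.

Added example; not code from the original post or from Websense. SAMPLE_PAGE
is constructed and every credential value in it is made up. Assumed (from
memory of the Bitly v3 API): credentials travelled in the query string as
login/apiKey or as access_token.
"""
import re
from urllib.parse import urlsplit

BITLY_HOSTS = ("api.bitly.com", "api-ssl.bitly.com", "api.bit.ly")
NEAR = 3  # a credential counts only if a Bitly host appears within NEAR lines

_PATTERNS = (
    ("apiKey", re.compile(r"apiKey\s*[=:]\s*['\"]?([A-Za-z0-9_]{8,})")),
    ("access_token", re.compile(r"access_token\s*[=:]\s*['\"]?([A-Za-z0-9]{16,})")),
)


def find_exposed_bitly_credentials(source):
    """Return [(kind, value, line_no)] for credentials sitting next to a Bitly
    API call in HTML/JavaScript.  Requiring a Bitly host nearby keeps
    unrelated 'apiKey' strings (maps, weather widgets, ...) out of the hits."""
    lines = source.splitlines()
    bitly_lines = [i for i, line in enumerate(lines)
                   if any(h in line.lower() for h in BITLY_HOSTS)]
    hits = []
    for i, line in enumerate(lines):
        if not any(abs(i - b) <= NEAR for b in bitly_lines):
            continue
        for kind, rx in _PATTERNS:
            for m in rx.finditer(line):
                hits.append((kind, m.group(1), i + 1))
    return hits


def mask(secret):
    """Redact a credential for a report: first four and last two characters."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-2:]


def destination_allowed(long_url, allowed_hosts):
    """The check a server-side shortening endpoint should run before it calls
    Bitly with the real key: only http(s) links to your own hosts may get a
    short URL on your branded short domain."""
    parts = urlsplit(long_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


SAMPLE_PAGE = """\
<html><head><title>constructed sample page</title></head>
<body>
<script>
  // share widget: shortens the current article URL in the browser
  var shortenUrl = "https://api-ssl.bitly.com/v3/shorten?login=newsdesk"
                 + "&apiKey=R_0123456789abcdef0123456789abcdef"
                 + "&longUrl=" + encodeURIComponent(location.href);
</script>
<p>article body</p>
<p>article body</p>
<p>article body</p>
<p>article body</p>
<script>
  // unrelated third-party widget; its key is not a Bitly credential
  var weather = "https://weather.example/api?apiKey=weatherkey123456";
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, value, line_no in find_exposed_bitly_credentials(SAMPLE_PAGE):
        print(f"line {line_no}: {kind} = {mask(value)}")
```

Run the scanner over your own rendered pages and bundled JavaScript, not just the HTML, since build tools routinely inline configuration into scripts. The destination gate matters even once the key is server-side: without it the endpoint is still an open redirector on your short domain, which is exactly what the fake-news campaign relied on.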


#1236 AplusWebMaster

Posted 22 July 2014 - 06:01 AM

FYI...

Facebook SCAM - 'Actual Footage Missile MH-17'
- http://www.hoax-slay...rvey-scam.shtml
July 22, 2014 - "Facebook message claims that users can see actual footage of the missile fired at downed Malaysian Airlines flight MH17 by pro-Russian militants. The promised video does not exist. The message is a -scam- designed to trick people into spamming their friends with the same fake material and participating in -bogus- online surveys. If this message comes your way, do not click any links that it contains.
> http://www.hoax-slay...rvey-scam-1.jpg
This message, which is being distributed on Facebook, promises users actual footage showing the missile that destroyed Malaysian Airlines flight MH17. The message invites users to click a link to view the footage... The supposed video is just a trick to get you to click the link in the message.  In fact, the message is a typical 'shocking video' survey scam. If you click the link in the message, you will be taken to a fake Facebook Page that supposedly hosts the video. The fake page comes complete with equally fake user comments... scammers quickly exploit every high-profile disaster and the MH17 tragedy is no exception. In coming days and weeks, be wary of any message that asks you to click a link to access video or breaking news pertaining to MH17..."
___

Facebook Scam leads to Nuclear Exploit Kit
- http://www.symantec....ear-exploit-kit
22 July 2014 - "... The “EXPOSED: Mom Makes $8,000/Month” scam, which we observed recently, redirected users to the Nuclear exploit kit. This particular scam has since been removed by Facebook..."
Regions affected by Nuclear exploit kit
> http://www.symantec....book Scam 4.png
___

Spammy Tumblr Apps and Stalker Hunting
- http://blog.malwareb...talker-hunting/
July 22, 2014 - "... the latest one currently bouncing around the popular social network. You’ll notice it apes the template of the site in the linked blog [1] – same spam posts, same spam application name – although the website for this one looks fairly slick. It’s possible this one is closely related to the February spamrun, as the same Bit.ly user account created shortening URLs for both. Here’s the spam popping up on various blogs:
> http://cdn.blog.malw.../tumbstalk1.jpg
Below is the site it leads to, located at reviewsloft(dot)com/a/?3
> http://cdn.blog.malw.../tumbstalk2.jpg
... Once the install is done, they’ll show the inevitable surveys to the end-user to make some money. As before, a bit.ly link is used... With this current spamrun we can see that we’re hitting about 19,000 in 12 days, with around 2,000 clicks listed as coming from Tumblr and the rest classed as “unknown”. Not a huge amount of information to go on, then, but a good reminder that people continue to fall for this type of scam which has been around for the longest time. As a final note, the -rogue- application will continue to post to your Tumblr until you go into your user settings and remove the app... follow the instructions listed on the Tumblr account security page*. At that point, the spam posts can stop..."
* https://www.tumblr.c...ccount_security

1] http://blog.malwareb...o-tumblr-users/
___

Fake Credit Applicaiton – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 July 2014 - "Fw: Credit Application is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Please see credit application for West Star Environmental.
The job we have for them is for $ 46,214.00
Thank you,
From: Jimmy Robertson
Sent: Tue, 22 Jul 2014 11:57:13 +0100
Subject: Credit Applicaiton
Good Afternoon,
Here is our credit application. If you should require further information please feel free to contact me.
Jimmy Robertson
West Star Environmental, Inc.
4770 W. Jennifer
Fresno, CA 93722 ...


22 July 2014: SWF_CREDIT_APPLICATION.pdf.zip (10kb)  Extracts to SWF_CREDIT_APPLICATION.pdf.scr... Current Virus total detections: 5/53*
This Fw: Credit Applicaiton is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406038205/
___

Over 30 financial institutions defrauded by phone apps used to intercept passwords
- http://www.reuters.c...N0PX02T20140722
Jul 22, 2014 - "More than 30 financial institutions in six countries have been defrauded by sophisticated criminal software that convinces bank customers to install -rogue- smartphone programs... Though many of the elements of the malicious software, including the interception of one-time passwords sent to phones, have been used elsewhere, the latest criminal campaign is unusual in that it combines many different techniques and leaves few traces... Banks in Austria, Sweden, Switzerland and Japan have all been hit, with damages somewhere in the millions of dollars... The least sophisticated part of the gang's work so far appears to be in the delivery of the software, according to a report by Trend Micro researchers*. Emails that appear to be from major retailers come with attachments that, when opened, prompt the user to download a malicious attachment of an unusual type, called a control panel item. If users do not click again, they are safe. If they do, the software goes to work and hides itself out of view of most antivirus protection. When an infected user later tries to visit the website of one of the targeted banks, the software redirects them to a -fake- site, which asks for login details and then prompts the user to download a smartphone app. That app later intercepts the one-time passwords, giving the gang both that data as well as the login information, enough to clean out an account..."
* http://blog.trendmic...ation-emmental/
___

"Commingled" user data...
- http://www.reuters.c...N0FR1XA20140722
July 22, 2014 - "A federal judge rejected Google Inc's bid to dismiss a privacy lawsuit claiming it commingled user data across different products and disclosed that data to advertisers without permission... Google must face breach of contract and fraud claims by users of Android-powered devices who had downloaded at least one Android application through Google Play. Other parts of the lawsuit were dismissed, including claims brought on behalf of account users who switched to non-Android devices from Android devices after Google had changed its privacy policy in 2012 to allow the 'commingling'... The lawsuit arose after Google on March 1, 2012 scrapped a variety of privacy policies for different products, and created a single, unified policy letting it -merge- user data generated through platforms such as Gmail, Google Maps and YouTube. Users complained that Google made this change -without- their consent and with no way to opt out, in a bid to better compete for ad revenue against Facebook Inc and other social media companies "where all of a consumer's personal information is available in one site." They said this jeopardized their privacy by exposing names, email addresses and geographic locations, increasing the threat of harassment or identity theft by third parties. Google reported $15.42 billion of revenue in the first quarter, of which 90 percent came from advertising. The case is In re: Google Inc Privacy Policy Litigation, U.S. District Court, Northern District of California, No. 12-01382."
___

Scams exploit MH17 Disaster
- http://www.hoax-slay...m17-scams.shtml
July 21, 2014 - "... callous criminals waste no time in exploiting disasters such as air-crashes, terrorist attacks, storms, or tsunamis. The MH17 missile attack tragedy is no exception. In coming days and weeks, Internet users should be wary of scam attacks that attempt to trick people into following links or opening attachments in messages that are supposedly related to MH17... after clicking such a link, you are told that, before you proceed, you must share the post, participate in a survey, install an app or browser extension, or download a video player update or other software, close the page immediately..."

- http://blog.trendmic...-of-mh17-crash/
July 18, 2014
___

Facebook SCAM - Mercedes Benz CLA 45' Giveaway
- http://www.hoax-slay...ming-scam.shtml
July 21, 2014 - "Facebook Page claims that users can win a 'Mercedes Benz CLA 45 just by liking the page, liking and sharing a promotional post... The Page is -bogus- and the competitions that it promotes are not legitimate. There are no winners and no cars are being given away. This is a like-farming scam designed to fraudulently increase the number of likes garnered by the Page. Facebook Pages with high like-numbers can later be used to perpetrate further scams to a large audience. Alternatively, the Pages may be sold on the black market to other scammers...
> http://www.hoax-slay...ming-scam-1.jpg
According to a 'Competitions' Facebook Page that is currently being promoted across the network, you could win one of 6 Mercedes Benz CLA 45's just by liking the Page, liking and sharing a Page post... The scammers may also use the bogus Pages to perpetrate advance fee scams... the like-heavy Pages can be sold via a lucrative black market to other scammers who will repurpose it to further their own goals..."
 



Edited by AplusWebMaster, 23 July 2014 - 05:55 AM.



#1237 AplusWebMaster


Posted 23 July 2014 - 07:22 AM

FYI...

Fake Facebook mails lead to Pharma Spam
- http://blog.malwareb...to-pharma-spam/
July 23, 2014 - "... it may look as though something has gone wrong with your Facebook account, but it’s just a ruse to convince you to -click- the provided link. The message reads:
    “[Name], your messages will be deleted soon responsibly
    You haven’t been to Facebook for a few days, and a lot happened while you were away.
    Your messages will be deleted soon.”


Clicking either the View Messages or Go to Facebook button will result in the clicker hitting a php page on a .com(dot)au URL, before being redirected to a Canadian Pharmacy page:
> http://cdn.blog.malw...07/fbpharma.jpg
... we do not recommend purchasing random pills from websites you’ve discovered via -fake- Facebook spam mails. No matter how urgent-sounding or laced with impending doom a mail sounds, always consider that the sender simply wants you to click through with as much speed and as little thought as possible..."
___

Fake BBB complaint email – malware
- http://myonlinesecur...plaint-malware/
23 July 2014 - "Better Business Bureau complaint is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This version is slightly different to the usual BBB complaints emails because there is -no- attachment and they want you to click the link to download the gameover -zeus- malware binary directly:
July 23, 2014
Case# 5942415: Joe Russell
Dear Company:
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
http ://newyork.app.bbb .org/complaint/view/5942415/b/194439957f   
< http ://castlestrategies .net/css/new_7g1.exe>
The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as “Administratively Judged Resolved” and our records will be updated...


23 July 2014: new_7g1.exe  Current Virus total detections: 2/53*
... it appears to come from a friend or is more targeted..."
* https://www.virustot...sis/1406137574/

184.168.152.4: https://www.virustot....4/information/

- http://threattrack.t...eless-bill-spam
23 July 2014
___

Live SSH Brute Force Logs and New Kippo Client
- https://isc.sans.edu...l?storyid=18433
2014-07-23 - "... a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system... For data we are collecting so far, see:
- https://isc.sans.edu/ssh.html
... some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worthwhile brute forcing targets."
___

Fake "Redirected message" SPAM ...
- http://blog.dynamoo....redirected.html
23 July 2014 - "This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't.. it is a forgery with a malicious attachment.
    Date:      Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
    From:      Birminghammail [paul.fulford@ birminghammail .co.uk]
    Subject:      Redirected message
Dear [redacted]!
Please find attached the original letter received by our system.


I only have two samples of this, the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)
Poor Mr Fulford thinks that his email has been hacked.. it hasn't...
> https://3.bp.blogspo...600/fulford.png
Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe... The Malwr report* shows that this part reaches out to the following IPs:
37.139.47.103
37.139.47.117

Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53**. The Malwr report is inconclusive.
I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites."
* https://malwr.com/an...mZjNTA0YzBiNzI/

** https://www.virustot...sis/1406127100/

- http://myonlinesecur...essage-malware/
23 July 2014
> https://www.virustot...sis/1406126658/
___

Fake invoice 4904541 July SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 July 2014 - "invoice 4904541 July is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very plain simple email that just says:
This email contains an invoice file attachment

23 July 2014: invoice_4904541.zip (46 kb): Extracts to invoice_32990192.exe
Current Virus total detections: 3/53* ...This invoice 4904541 July  is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustot...sis/1406127329/
___

Some WSJ systems taken offline after cyber attack
- http://www.reuters.c...N0FS03N20140723
2014.07.23 - "Computer systems containing the Wall Street Journal's news graphics were -hacked- by outside parties, according to the paper's publisher Dow Jones & Co. The systems have been taken offline to prevent the spread of attacks, but Journal officials have not found any damage to the graphics, the newspaper said citing people at the Wall Street Journal familiar with the matter. A hacker who goes by the Twitter handle of 'w0rm' allegedly posted tweets and screenshots claiming to have hacked the Journal's website and offered to sell user information and credentials needed to control the server..."
- http://online.wsj.co...sion-1406074055
July 22, 2014
 



Edited by AplusWebMaster, 24 July 2014 - 06:19 AM.



#1238 AplusWebMaster


Posted 24 July 2014 - 07:11 AM

FYI...

Fake Remittance Advisory SPAM – malware
- http://myonlinesecur...-email-malware/
24 July 2014 - "Remittance Advisory Email is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email... This email doesn’t have an attachment but has a link in the body for you to click on & download the malware:
Thursday 24 July 2014
This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.
Please review the details of the payment here.  
<http ://dentairemalin .com/images/report934875438jdfg8i45jg_07242014.exe>
Lloyds Banking Group plc...


24 July 2014: report934875438jdfg8i45jg_07242014.exe
Current Virus total detections: 5/53* ..."
* https://www.virustot...sis/1406204716/

- http://centralops.ne...ainDossier.aspx
canonical name     dentairemalin.com.
addresses 217.16.10.2 ...

217.16.10.2: https://www.virustot....2/information/

- http://blog.dynamoo....ved-secure.html
24 July 2014

- http://threattrack.t...remittance-spam
July 24, 2014
Tagged: lloyds tsb, Dyreza
___

Fake VoiceMail SPAM
- http://blog.dynamoo....email-spam.html
24 July 2014 - "This tired old malware spam is doing the rounds again.
    From:      Voice Mail [voicemail_sender@local]
    Subject:      You have received a new VoiceMail
    Date:      Thu, 24 Jul 2014 17:31:25 +0700 [06:31:25 EDT]
    You have received a voice mail message.
    Message length is 00:03:27.


As you might expect, the attachment VoiceMail.zip does not contain a voice mail at all, but it is a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 3/53*. The CAMAS report** and Anubis report*** show the malware downloading an encrypted file from the following locations:
egozentrica .com/wp-content/uploads/2014/07/tor2800_2.7z
reneerlaw .com/wp-content/uploads/2014/07/tor2800_2.7z
Blocking those sites may give some protection against this malware."
* https://www.virustot...sis/1406214495/

** http://camas.comodo....81ab360a0b0806c

*** http://anubis.isecla...80b&format=html

50.115.19.181: https://www.virustot...81/information/

82.98.151.154: https://www.virustot...54/information/
___

CNN News Spam
- http://threattrack.t...aking-news-spam
July 24, 2014 - "Subjects Seen:
    CNN Breaking News - Malaysian Boing 777
Typical e-mail details:
    Ukraine recognizes that hit a Malaysian Boing 777
    Malaysia Airlines flight 17 shot down in Ukraine.
    FULL STORY


Malicious URLs:
    firstfiresystems .com/images/CNN_breaking_news_read_now.exe
Malicious File Name and MD5:
    CNN_breaking_news_read_now.exe (57D5055223344CF8814DCFC33E18D7E6)


Screenshot: https://gs1.wac.edge...rrEN1r6pupn.png

Tagged: CNN, Malaysian Airlines, Dyreza, MH17

208.69.121.22: https://www.virustot...22/information/
 



Edited by AplusWebMaster, 24 July 2014 - 03:58 PM.



#1239 AplusWebMaster


Posted 25 July 2014 - 05:14 AM

FYI...

Fake Tax Notice SPAM
- http://blog.dynamoo....-2014-spam.html
25 July 2014 - "This fake HMRC tax notice comes with a malicious attachment:
    Date:      Fri, 25 Jul 2014 16:48:37 +0900 [03:48:37 EDT]
    From:      HMRC Revenue&Customs [Rosanne@ hmrc .gov.uk]
    Reply-To:      Legal Aid Agency [re-HN-WFCLL-OECGTZ@ hmrc .gov.uk]
    Dear [redacted] ,
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Document Reference: 34320-289...


Screenshot: https://4.bp.blogspo.../s1600/hmrc.png

Attached is a file P6_rep_34320-289.zip which unZips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53*. The CAMAS report** shows that a second component is downloaded from 37.139.47.167/bt/2.exe which in turn has a VirusTotal detection rate of 5/52***. The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here [1]. I would very strongly recommend blocking traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there)..."
* https://www.virustot...sis/1406281395/

** http://camas.comodo....eb92638ce475692

*** https://www.virustot...sis/1406281708/

1] http://blog.dynamoo....redirected.html
___

Fake Virgin Media SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 July 2014 - "Help & Advice – Virgin Media Business Virgin Media Automated Billing Reminder pretending to come from Virginmedia Business <services@ virginmediabusiness .co.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer...
> https://t2.gstatic.c...n Media Web.jpg
This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:
    A recent change in your personal information such as Name or address.
    Your Credit or Debit card has expired.
    Insufficient funds in your account.
    Cancellation of Direct Debit agreement.
    Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please fulfill attached form and send it back to our email adress...


25 July 2014: form_19927-267.zip (85 kb): Extracts to billing_form91_4352-2105.pdf.scr
Current Virus total detections: 5/53* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406293502/
___

Fake Tiffany SPAM...
- http://blog.dynamoo....-july-spam.html
25 July 2014 - "This fake Tiffany & Co email has a malicious attachment:
    Date:      Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
    From:      "J.Parker" [rcaukomti@ tiffany .co.uk]
    Subject:      invoice 0625859 July
    Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if there is any problem.
    Thanks
    J.parker
    Tiffany & Co.


Attached to the message is an archive invoice copy.zip which contains a folder invoice copy in which there is a malicious file invoice copy.exe which has a VirusTotal detection rate of 9/51*. The CAMAS report** shows that the malware downloads components..."
* https://www.virustot...sis/1406295906/

** http://camas.comodo....8811ff0ea747d57
___

Fake "eFax message" SPAM
- http://blog.dynamoo....ssage-spam.html
25 July 2014 - "Another tired old spam template leading to malware:

Screenshot: https://3.bp.blogspo.../s1600/efax.png

In this case the link in the email goes to verzaoficial .com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45*. Automated analysis [pdf] is fairly inconclusive as to what it does."
* https://www.virustot...sis/1406297301/
 



Edited by AplusWebMaster, 25 July 2014 - 09:01 AM.



#1240 AplusWebMaster


Posted 26 July 2014 - 05:22 AM

FYI...

Something evil on 198.27.110.192/26 ...
- http://blog.dynamoo....ng-evil-on.html
26 July 2014 - "... seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.
    Date:      Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
    From:      OLINMETALS TRADING CO
    Subject:      PLEASE SEND PI
    Greetings,
    Regarding our previous conversation about our urgent purchase, kindly
    find attached PI and let us know if the quantity can fit in 40ft
    container.
    kindly revise the Proforma invoice so that we can proceed with an
    advance payment as agreed.
    We look forward to your urgent response with revised proforma invoice.
    Thks & Rgds,
    OLINMETALS TRADING CO., LTD ...


... the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53*... malware phones home to walex2.ddob .us/sddob/gate.php on 198.27.110.200 (OVH Canada reassigned to Big Kesh, LLC, US). Looking at the domains registered on 198.27.110.200 and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs... I think this is enough evidence to block the entire 198.27.110.192/26 as a precaution (although there do appear to be a small number of legitimate sites too)...
Recommended blocklist:
198.27.110.192/26
xiga .us
ddob .us
"
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1406366678/

Diagnostic page for AS16276 (OVH)
- https://www.google.c...c?site=AS:16276
"... over the past 90 days, 3231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-26, and the last time suspicious content was found was on 2014-07-26... Over the past 90 days, we found 483 site(s) on this network... that appeared to function as intermediaries for the infection of 1070 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 930 site(s)... that infected 219349 other site(s)."
___

Fake Order Notification SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 July 2014 - "Notification of order is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...  using an old trick to attempt to disguise the file name & fool you into thinking it is a genuine PDF by inserting loads of spaces between the pdf & the .exe:
    Dear Customer
    We have received your order and it’ll be processed for 2 business days.
    Your credit card will be charged for 803 USD.
    You can find specification of the invoice and delivery details: http ://link.vpn .by/?id=157562
    Yours truly,
    Absalon Holmes
    FG Charter Travel Company


Today's date: bill.2563034.zip (53 kb): Extracts to bill.2563034.PDF____________.exe
Current Virus total detections: 1/53* . This Notification of order is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustot...sis/1406396500/

178.124.137.170: https://www.virustot...70/information/
 



Edited by AplusWebMaster, 26 July 2014 - 05:28 PM.




#1241 AplusWebMaster


Posted 28 July 2014 - 11:54 AM

FYI...

Something evil on 88.198.252.168/29 - Ransomware
- http://blog.dynamoo....9825216829.html
28 July 2014 - "88.198.252.168/29 (Hetzner, Germany) is infected with a whole bunch of ransomware landing pages, like this:
Screenshot: https://4.bp.blogspo...1600/locker.png

In the past this IP range has been used to host a number of legitimate Austrian sites, but at the moment it appears to be hosting -ransomware- landing pages exclusively. The domains in use are a combination of crappy .in domains registered to a series of -fake- addresses, plus a bunch of subdomains of legitimate domains that have been hijacked. What is interesting about these hijacked domians is that they all use afraid .org as namerservers. This hijacking at afraid .org is because these particular domain users are using the free afraid .org service which allows anyone to create a subdomain of your domain and point is where they like (explained in this FAQ*). The bad news is that this sort of -hijacking- is a quick way to ruin your domain's reputation... Blocking these landing pages will probably not stop a PC from becoming infected with ransomware, but monitoring or blocking the following list may give you some intelligence as to what is happening on your own network.
Recommended blocklist:
88.198.252.168/29
fernandocoelho .net.br
duk66 .com
cerone .com.ar
gigliotti .com.ar
clawmap .com
lareferencedentaire .com
izaksuljkic .tk
..."
(Complete list @ the dynamoo URL above.)
* https://freedns.afraid.org/faq/#14

Diagnostic page for AS24940 (HETZNER-AS)
- https://www.google.c...c?site=AS:24940
"... Of the 327849 site(s) we tested on this network over the past 90 days, 2634 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-28, and the last time suspicious content was found was on 2014-07-28... Over the past 90 days, we found 328 site(s) on this network... that appeared to function as intermediaries for the infection of 2189 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 377 site(s)... that infected 4506 other site(s)..."
___

Fake Delivery fail SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 July 2014 - "Delivery failure , July 28, 2014 BN_3647007 pretending to come from UKmail  Express is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
> http://printhut.co.u...k_mail_logo.jpg
   An urgent service package has come to the local post office. Delivery was rescheduled because our courier was not able to deliver the package [RECEIVER NOT PRESENT].
    You can find more information including contact details regarding your package in the attached file.
    Privacy Policy and
      Copyright © 2014 UKMail Group plc


28 July 2014: BN_2118176.zip (83 kb) : Extracts to report_form2_28-07-2014.pdf.scr
Current Virus total detections: 2/54* . This Delivery failure , July 28, 2014 BN_3647007 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406549984/
___

Fake skipped invoice SPAM – word doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2014 - "skipped invoice is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
     HI Richie,
    Attached is invoice #2223 651.45 from May missed in check received.
    I am out of the office tomorrow and Monday so I’m emailing & begging for payment to make month end.
    Thanks & have a great weekend!
    Katherine Sargent / Credit Manager
    Pacemaker Steel and Piping Co., Inc. ... 


28 July 2014: invoice_28.07.zip ( 11kb) : Extracts to invoice_28.07.doc.exe          
Current Virus total detections: 5/54* . This skipped invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word.doc  file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406569801/

178.63.240.112: https://www.virustot...12/information/
___

Fake Amazon order SPAM
- http://blog.dynamoo....order-spam.html
28 July 2014 - "This fake Amazon spam comes with a malicious attachment:
Screenshot: https://2.bp.blogspo...1600/amazon.png

Attached is a file Order-239-1744919-1697181.zip which in turn contains a malicious executable Order details 001-8821901-992107.exe which has a VirusTotal detection rate of 18/54*. The Comodo CAMAS analysis** shows that the malware reaches out to a familiar set of URLs*** to download further components... recommend blocking the following domains:
zag .com.ua
daisyblue .ru
ricebox .biz
brandsalted .com
fbcashmethod .ru
expositoresrollup .es
madrasahhusainiyahkl .com
sexyfoxy .ts6.ru
huework .com
siliconharbourng .com
martijnvanhout .nl
"
* https://www.virustot...sis/1406572004/

** http://camas.comodo....8753809cbbc5ac2

*** http://blog.dynamoo....-july-spam.html
 



Edited by AplusWebMaster, 28 July 2014 - 02:39 PM.

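The myonlinesecurity items quoted in the last two posts all turn on the same trick: an executable named so that, with "hide extensions for known file types" on, Explorer shows it as a PDF, Word or Excel file (".pdf.scr", ".doc.exe", ".xls.exe", or ".PDF" followed by a run of underscores before ".exe"). The following is an added example, not code from this thread or from the blogs it quotes, showing how a mail gateway or attachment triage script can flag those names before a user sees them. The sample filenames are constructed from the patterns described in the posts, and the extension lists are the author's assumptions.

```python
"""Spot attachment names that disguise an executable as a document.

Added example for this thread; it is not code from the forum posts or from
the myonlinesecurity/dynamoo articles they quote. The sample names below are
constructed from the naming patterns described in those posts (".pdf.scr",
".doc.exe", ".xls.exe", and underscore padding before ".exe").
"""
import re

# Extensions Windows runs on double-click; these are what the lures really are.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Extensions the lures pretend to be.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Long runs of spaces/underscores push the real extension out of a narrow column.
PADDING_RE = re.compile(r"[ _\u00a0]{3,}")

# Constructed sample list (patterns from the posts, not the exact malware names).
SAMPLE_NAMES = [
    "report_form2_28-07-2014.pdf.scr",
    "bill.2563034.PDF____________.exe",
    "invoice_28.07.doc.exe",
    "order-8301138-30.07.2014.xls.exe",
    "Documents.scr",
    "invoice copy.exe",
    "quarterly_report.pdf",
    "Order-239-1744919-1697181.zip",
]


def analyse_attachment_name(name: str) -> dict:
    """Classify one attachment filename.

    Returns real_ext (what Windows will execute), claimed_ext (the document
    type the name imitates, if any), the name as Explorer shows it with known
    extensions hidden, and the reasons for flagging it.
    """
    cleaned = name.strip()
    parts = cleaned.split(".")
    real_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    # Explorer with "hide extensions for known file types" drops the last part,
    # so this is roughly what the victim sees.
    hidden_view = cleaned.rsplit(".", 1)[0] if len(parts) > 1 else cleaned

    claimed_ext = ""
    for piece in parts[1:-1]:
        token = piece.strip(" _\u00a0").lower()
        if token in DOCUMENT_EXTS:
            claimed_ext = token

    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        if claimed_ext:
            reasons.append(f"double extension: shown as .{claimed_ext}, runs as .{real_ext}")
        else:
            reasons.append(f"bare executable attachment (.{real_ext})")
    if PADDING_RE.search(cleaned):
        reasons.append("padding before the real extension")

    return {
        "name": name,
        "real_ext": real_ext,
        "claimed_ext": claimed_ext,
        "hidden_view": hidden_view,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def triage_attachments(names=SAMPLE_NAMES) -> list:
    """Return the verdicts for every name that should be quarantined or reviewed."""
    return [v for v in (analyse_attachment_name(n) for n in names) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in triage_attachments():
        print(f"{verdict['name']!r:40} seen as {verdict['hidden_view']!r}: "
              + "; ".join(verdict["reasons"]))
```

The check is name-based only, so it complements rather than replaces content inspection: the zip attachments in these posts would still need to be opened by the gateway and each member run through the same function. Turning on "show known file extensions" on endpoints, as the quoted posts recommend, is what removes the visual trick for the user.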


#1242 AplusWebMaster


Posted 29 July 2014 - 09:09 AM

FYI...

Something evil on 31.210.96.155, ...156, ...157 and ...158 (31.210.96.152/29)
- http://blog.dynamoo....3121096156.html
29 July 2014 - "I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using -hijacked- GoDaddy domains, and are targeting victim websites by altering their .htaccess files** to intercept traffic coming from search engines such as Google. These IP addresses have been used for malware for some time*...VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29 which I would very strongly recommend blocking that range... these appear to be subdomains of -hijacked- GoDaddy domains... I would recommend permablocking the following IP range and temporarily blocking the following domains:
31.210.96.152/29 ..."
(Long list at the dynamoo URL above.)
* http://c-apt-ure.blo...ears-later.html

** http://www.symantec....ess-redirection

1] 31.210.96.155: https://www.virustot...55/information/
2] 31.210.96.156: https://www.virustot...56/information/
3] 31.210.96.157: https://www.virustot...57/information/
4] 31.210.96.158: https://www.virustot...58/information/
 



Edited by AplusWebMaster, 29 July 2014 - 10:52 AM.

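Several of the dynamoo posts quoted above end in a "recommended blocklist" of CIDR ranges and domains (37.139.47.0/24, 198.27.110.192/26, 88.198.252.168/29, 31.210.96.152/29 and the ddob .us / xiga .us / duk66 .com names). The point of such a list is as much detection as blocking: matching it against existing proxy logs tells you which internal hosts already talked to that infrastructure. The following is an added example, not code from the thread or from dynamoo.com, that runs the lists from those posts over a few constructed proxy log lines; the log format, the client addresses and the sample destinations 88.198.252.170 and 93.184.216.34 are assumptions made for the demo.

```python
"""Match proxy log entries against the blocklists recommended in the thread.

Added example; not code from the forum or from dynamoo.com. The CIDR ranges
and domains come from the recommended blocklists quoted above; the proxy log
lines are constructed, and 88.198.252.170 / 93.184.216.34 are sample
addresses chosen to fall inside and outside those ranges.
"""
import ipaddress
import re

BLOCKED_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("37.139.47.0/24", "198.27.110.192/26",
                 "88.198.252.168/29", "31.210.96.152/29")
]
# Domains written with the thread's defanging spaces removed.
BLOCKED_DOMAINS = {"ddob.us", "xiga.us", "duk66.com", "clawmap.com",
                   "fernandocoelho.net.br"}

# Constructed sample log: timestamp client destination-ip host path
SAMPLE_LOG = """\
2014-07-28T10:01:02Z 10.0.0.15 198.27.110.200 walex2.ddob.us /sddob/gate.php
2014-07-28T10:01:09Z 10.0.0.22 93.184.216.34 example.com /index.html
2014-07-28T10:02:30Z 10.0.0.15 37.139.47.167 37.139.47.167 /bt/2.exe
2014-07-28T10:03:11Z 10.0.0.31 88.198.252.170 www.duk66.com /locker/
2014-07-28T10:04:45Z 10.0.0.40 31.210.96.157 shop.example.net /
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def blocked_network_for(ip_text: str):
    """Return the blocked network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return net
    return None


def blocked_domain_for(host: str):
    """Return the blocklisted domain that host equals or sits under, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host up to its registrable parent, e.g.
    # walex2.ddob.us -> ddob.us, so hijacked subdomains still match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def scan_log(text: str = SAMPLE_LOG) -> list:
    """Return one dict per log line that touches a blocked network or domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip lines that do not fit the assumed format
        ts, client, dest_ip, host, path = m.groups()
        reasons = []
        net = blocked_network_for(dest_ip)
        if net is not None:
            reasons.append(f"destination {dest_ip} in blocked range {net}")
        dom = blocked_domain_for(host)
        if dom is not None:
            reasons.append(f"host {host} under blocklisted domain {dom}")
        if reasons:
            hits.append({"time": ts, "client": client, "dest_ip": dest_ip,
                         "host": host, "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log():
        print(hit["time"], hit["client"], "->", hit["host"] + hit["path"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Matching on both the destination address and the host name matters here: the second hijacked-subdomain post notes that the ransomware pages sit on subdomains of otherwise legitimate domains, so a plain string comparison on the full host would miss them, while the IP check catches direct-to-IP downloads like the 37.139.47.167/bt/2.exe fetch.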


#1243 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 July 2014 - 03:38 AM

FYI...

Fake 'documents ready for download' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2014 - "Your documents are ready for download is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Your documents 6419165973846 are ready , please sign them and email them back.
Thank you
John Garret
Level III Account Management
817-768-8742 office
817-874-8795 cell
johngarret@ natwest .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
The security of personal information about you is our priority. We protect this information by maintaining physical, electronic, and procedural safeguards that meet applicable law. We train our employees in the proper handling of personal information. When we use other companies to provide services for us, we require them to protect the confidentiality of personal information they receive...


30 July 2014: Documents_3922929617733.rar (10 kb) : Extracts to Documents.scr
Current Virus total detections: 2/53* . This Your documents are ready for download is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406710734/
___

Fake "Amazon order" SPAM
- http://blog.dynamoo....er-spam_30.html
30 July 2014 - "Another -fake- Amazon spam with a malicious payload:

Screenshot: https://4.bp.blogspo...600/amazon4.png

There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53*. The Comodo CAMAS report** shows that it downloads a further component...
This second executable has a VT detection rate of 5/54***..."
(Long recommended blocklist at the dynamoo URL above.)
* https://www.virustot...sis/1406729013/

** http://camas.comodo....d35633ec2b7f226

*** https://www.virustot...sis/1406729311/
___

Fake Order status 30.07.2014.xls – XLS malware
- http://myonlinesecur...ke-xls-malware/
30 July 2014 - "Order status -540130 30.07.2014.xls is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... An email received coming from a -random- name with -no- company details and a totally blank body and a subject of  Order status -540130 30.07.2014.xls ( different order numbers ) with a zip attachment
30 July 2014 : 540130-30.07.2014.zip ( 47 kb) : Extracts to   order-8301138-30.07.2014.xls.exe
Current Virus total detections: 9/54* . This  Order status -540130 30.07.2014.xls  is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Excel spreadsheet file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406736903/
___

Fake "Payslip" SPAM
- http://blog.dynamoo....yslip-spam.html
30 July 2014 - "...  terseness works with this kind of message:
     From:     Richard Mason [richardm254@ gmail .com]
    Date:     30 July 2014 21:23
    Subject:     Payslip
    Please find attached the payment slip.
Attached is a file swift copy-Payment-Slip-$70,000.html which when it is opened up in your browser comes up with a popup box.

> https://3.bp.blogspo...JI/s1600/js.png

Clicking OK downloads an executable from www.greenexpress .ge/swift//payslip.exe which you are presumably meant to run. It's a bit of an odd way to do it, so perhaps there's a reason. The HTML is simple enough..
> https://3.bp.blogspo...k/s1600/js2.png
..but why bother doing it this way at all? Well, it makes it just a bit harder for email security software to find the link because the attachment is Base 64 encoded... The malware itself has a VirusTotal detection rate of 31/53*... Automated analysis tools seem to time out or crash, which indicates that the malware is hardened against analysis, but the VT report does see traffic with a pattern that might be blockable if you have a webfilter..."
* https://www.virustot...sis/1406754444/

198.50.169.4: https://www.virustot....4/information/
___

New Crypto-Ransomware in the wild
- http://blog.trendmic...ge-in-the-wild/
July 30, 2014 - "... new crypto-ransomware variants that use new methods of encryption and evasion... 'Cryptoblocker' will not drop any text files instructing the victim on how to decrypt the files. Rather, it displays the dialog box below. Entering a transaction ID in the text box will trigger a message stating that the “transaction was sent and will be verified soon.”:
> http://blog.trendmic...07/cryptob1.jpg
... This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found that the advanced encryption standard (AES) is found in the malware code. A closer look also reveals that the compiler notes were still intact upon unpacking the code... Based on feedback from the Trend Micro Smart Protection Network, the US is the top affected country, followed by France and Japan. Spain and Italy round up the top five affected countries.
Countries affected by Cryptoblocker:
> http://blog.trendmic...nfection-01.jpg
... These ransomware variants prove that despite significant takedowns, cybercriminals will continue to find ways to victimize users. Users should remain cautious when dealing with unfamiliar files, emails, or URL links. While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files..."


Edited by AplusWebMaster, 30 July 2014 - 06:51 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1244 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 31 July 2014 - 08:28 AM

FYI...

Backoff... Malware
Backoff Point-of-Sale Malware
- https://www.us-cert....lerts/TA14-212A
July 31, 2014 - "... malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop,[1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway,[5] and LogMEIn Join.Me[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request. USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to -zero- percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could -not- identify the malware as -malicious- ..."
Description: “Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”). These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:
- Scraping memory for track data
- Logging keystrokes
- Command & control (C2) communication
- Injecting -malicious- stub into explorer.exe
The malicious stub that is -injected- into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.
Impact: The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.
Solution: At the time this advisory is released, the variants of the “Backoff” malware family are largely -undetected- by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution...
(More detail at the us-cert URL above.)
___

- http://blog.trendmic...off-targets-us/
Aug 6, 2014
Heat map of malicious communications found in affected US states
> http://blog.trendmic...8/heatmap31.jpg

- http://atlas.arbor.n...ndex#1443301999
High Severity
7 Aug 2014


Edited by AplusWebMaster, 08 August 2014 - 01:05 PM.



#1245 AplusWebMaster
Posted 31 July 2014 - 11:10 AM

FYI...

Fake "New fax" SPAM - using goo .gl shortening service
- http://blog.dynamoo....shortening.html
31 July 2014 - "Here are a couple of variations of a fax -spam- using the goo .gl shortening service:
    From:     Fax [fax@ victimdomain]
    Date:     31 July 2014 11:23
    Subject:     You've received a new fax
    New fax at SCAN5735232 from EPSON by https ://victimdomain
    Scan date: Thu, 31 Jul 2014 19:23:11 +0900
    Number of pages: 2
    Resolution: 400x400 DPI
    You can download your fax message at:
    https ://goo.gl /1rBYjl
    (Google Disk Drive is a file hosting service operated by Google, Inc.)
    ------------------------------
    From:     FAX [fax@ qcom .co.uk]
    Reply-to:     FAX [fax@ qcom .co.uk]
     fax@ localhost
    Date:     31 July 2014 10:53
    Subject:     You have received a new fax message
    You have received fax from EPS76185555 at victimdomain
    Scan date: Thu, 31 Jul 2014 16:53:10 +0700
    Number of page(s): 2
    Resolution: 400x400 DPI
    Download file at google disk drive service - dropbox.
    https ://goo .gl/t8jteI ...


There seems to be an uptick of goo.gl spam.. if you receive something like this you can report it to goo.gl/spam-report as malware... I've seen three different URLs... Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54*. The CAMAS report** shows that the malware reaches out to the following locations to download further components:
andribus .com/images/images.rar
owenscrandall .com/images/images.rar
Incidentally, if you add a "+" to the end of the goo.gl URL you can see how many people have clicked through. For example:
> https://1.bp.blogspo...1600/goo-gl.png
164 clicks isn't a lot, but there are multiple URLs in use.
Recommended blocklist:
andribus .com
owenscrandall .com
esys-comm .ro
autoescuelajoaquin .com
pinkfeatherproductions .com
"
* https://www.virustot...sis/1406804074/

** http://camas.comodo....f61c27883e995cc
___

Fake Evernote "File has been sent" SPAM
- http://blog.dynamoo....-sent-spam.html
31 July 2014 - "I've never understood Evernote. Something to do with elephants I think. But this spam isn't from them anyway..
    Date:      Thu, 31 Jul 2014 12:26:53 +0200 [06:26:53 EDT]
    From:      EVERNOTE [lcresknpwz@ business .telecomitalia .it]
    Subject:      File has been sent [redacted]
    DSC_9426679.jpg attached to the letter
    Copyright 2014 Evernote Corporation. All rights reserved


The file attached is actually DSC_9426679.zip and not .jpg, containing a malicious executable DSC_8832966.exe with a VirusTotal detection rate of 7/53*. The CAMAS report** shows that the malware attempts to download an additional component... These download locations are the same as yesterday's Amazon spam run***. The downloaded file has a VT detection rate of 3/53****. The recommended blocklist is the same as yesterday."
* https://www.virustot...sis/1406813029/

** http://camas.comodo....efb5316d1a785dd

*** http://blog.dynamoo....er-spam_30.html

**** https://www.virustot...sis/1406813571/
___

ADP Payroll Spam
- http://threattrack.t...dp-payroll-spam
July 31, 2014 - "Subjects Seen:
    ACH Notification
Typical e-mail details:
    Attached is a summary of Origination activity for 07/31/2014
    Download it from Google Disk Drive Inc.:
    goo .gl/mp4Vh3
    If you need assistance please contact us via e-mail during regular business hours.
    Thank you for your cooperation.


Malicious URLs:
    espressomachinesinfo .com/wp-includes/images/Document-83265.zip
Malicious File Name and MD5:
    Document-83265.scr (3603D5B08D83130414B264FAF3EE41E1)


Screenshot: https://gs1.wac.edge...SPvX1r6pupn.png

Tagged: ADP, Upatre

72.29.66.41: https://www.virustot...41/information/
___

Fake Xerox WorkCentre SPAM
- http://blog.dynamoo....entre-spam.html
31 July 2014 - "This is a thoroughly old school spam with a malicious attachment.
    Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
    From:      Local Scan [scan.614@ victimdomain]
    Subject:      Scanned Image from a Xerox WorkCentre
    You have a received a new image from Xerox WorkCentre.
    Sent by: victimdomain
    Number of Images: 5
    Attachment File Type: ZIP [PDF]
    WorkCentre Pro Location: Machine location not set
    Device Name: victimdomain
    Attached file is scanned image in PDF format...


Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54* at VirusTotal. The Comodo CAMAS report** shows that the malware downloads components... There are some further clues in the VirusTotal comments* as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before***.
Recommended blocklist:
94.23.247.202
globe-runners .com
lucantaru .it
mediamaster-2000 .de
ig-engenharia .com
upscalebeauty .com
lagrimas.tuars .com
"
* https://www.virustot...sis/1406832159/

** http://camas.comodo....0dc468affa02a7a

*** http://www.sophos.co...d-analysis.aspx

94.23.247.202: https://www.virustot...02/information/


Edited by AplusWebMaster, 31 July 2014 - 04:14 PM.

