2072 replies to this topic

[AplusWebMaster]

FYI...

WordPress attacks exploiting XMLRPC
- http://myonlinesecur...loiting-xmlrpc/
Aug 22, 2014 - "We are experiencing Ongoing WordPress attacks exploiting XMLRPC. There appears to be a massive attack on WordPress sites today. So far I have had almost -1600- blocked attacks against ONE of my WordPress sites... Anybody using WordPress should make sure that they are plugged and use a good security system to prevent or -block- these attacks. It appears to be using the attack mentioned in this post:
> http://blog.sucuri.n...-wordpress.html
... -None- of the current wordpress security plugins will -block- this and you need to make sure that you have a strong random password on your admin account. The -only- way to block them is on the perimeter, that is use a firewall that blocks the offending IP numbers that are responsible for the attacks. They are all coming from other compromised servers or hacked users computers..."
(More detail at the URL's above.)
___

Fake ADP 'Anti-Fraud Secure Update' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Aug 2014 - "'ADP: August 22, 2014 Anti-Fraud Secure Update' pretending to come from ADP_Netsecure@ adp .com  is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
    The certificate will be attached to the computer of the account holder, which disables any fraud activity
    Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have...

22 August 2014 : 2014 Anti-Fraud Secure Update_08222014.zip (9kb)
Extracts to   2014 Anti-Fraud Secure Update_08222014.exe
Current Virus total detections: 3/54* . This 'ADP: August 22, 2014 Anti-Fraud Secure Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408710186/

- http://threattrack.t...aud-update-spam
22 Aug 2014 - "Subjects Seen:
    ADP: August 22, 2014 Anti-Fraud Secure Update
Typical e-mail details:

Screenshot: https://gs1.wac.edge...Ga8i1r6pupn.png

Malicious File Name and MD5:
    2014 Anti-Fraud Secure Update_08222014.scr (840B3B6A714F7330706F0C19F99D5EB8)
    2014 Anti-Fraud Secure Update_08222014.zip (AB0D93E0952BDCE45D6E6494DF4D94AD)

Tagged: ADP, Upatre
___

Backoff Point-of-Sale Malware Campaign
- https://www.us-cert....alware-Campaign
August 22, 2014 - "US-CERT is aware of Backoff malware compromising a significant number of -major-  enterprise networks as well as small and medium businesses. US-CERT encourages administrators and operators of Point-of-Sale systems to review the Backoff malware alert* to help determine if your network may be affected. Organizations that believe they have been infected with Backoff are also encouraged to contact their local US Secret Service Field Office."
* https://www.us-cert....lerts/TA14-212A
Last revised: Aug 22, 2014 - "... the Secret Service currently estimates that over 1,000 U.S. businesses are affected..."

Backoff malware Q&A
- https://www.trustwav...malware-danger/
"In light of a recent string of breaches involving a new point-of-sale malware family that our Trustwave researchers identified and named "Backoff," we have received many questions about the threat and how businesses can protect themselves..."
- https://gsr.trustwav...lware-overview/
___

"FlashPack" - add-on targets Japanese users, leads To exploit kit
- http://blog.trendmic...to-exploit-kit/
Aug 21, 2014 - "... In order to affect users, this particular exploit kit does -not- rely on spammed messages or compromised websites: instead, it uses a compromised website add-on. This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on. The added script adds an overlay like this to the site’s pages:
Added share buttons:
> http://blog.trendmic.../08/toolbar.png
To do this, a JavaScript file on the home page of the add-on is loaded. This alone should raise red flags: it means that the site owner is loading scripts from an external server -not- under their control. It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect. As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack... loading the s.js file directly will simply load the “correct” script for the add-on. One site which, if found in the Referer header, will trigger the exploit kit is a well-known free blogging site in Japan. The exploit kit delivers various Flash -exploits- to -targeted- users... At least approximately 58,000 users have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted in servers in the Czech Republic, the Netherlands, and Russia.
Number of hits by country from August 1 to 17
> http://blog.trendmic...-Country-01.jpg
How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable. This incident illustrates for end users the importance of keeping-software-patched. The vulnerability we mentioned above has been fixed for half-a-year. Various auto-update mechanisms exist which can keep Flash up-to-date..."
 

 

Edited by AplusWebMaster, 22 August 2014 - 08:32 PM.

[AplusWebMaster]

FYI...

My Photos SPAM - malware
- http://myonlinesecur...photos-malware/
23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.

23 August 2014: My Photos.zip ( 8kb): Extracts to My Photos.exe
Current Virus total detections: 10/50* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustot...sis/1408799346/

zip .net / 200.147.99.195: https://www.virustot...95/information/
- http://quttera.com/d..._report/zip.net
Submission date: Aug 24 16:53:51 2014
Server IP address: 200.147.99.195
"Warning: This Website Is Blacklisted!..."

ddns .net / 8.23.224.108: https://www.virustot...08/information/
- http://quttera.com/d...report/ddns.net
Submission date: Aug 24 16:46:40 2014
Server IP address: 8.23.224.108
"Alert: Suspicious Content Detected On This Website!..."
___

Sony PlayStation Network taken down by attack
- http://www.reuters.c...N0GP02620140825
Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic... Sony is hoping its PlayStation network, with 52 million active users, can serve as a centerpiece of its plans to rebuild its business after years of losses in its flagship electronics operations..."

- http://www.reuters.c...N0GP02620140825
Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."

> http://support.xbox....box-live-status
 

   

Edited by AplusWebMaster, 25 August 2014 - 05:28 AM.

[AplusWebMaster]

FYI...

Fake Invoice SPAM - PDF Malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'Please find attached Invoice No.' < random number> pretending to come from portadown.372@eel .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails are -not- being sent from eel .co.uk or edmundson-electrical .co.uk, As far as we can determine they have not been hacked or their website or email system compromised. The bad guys have just decided to use Edmundson Electrical Ltd as a way to persuade you to open the attachment and become infected. It is a follow on campaign from this Broadoak toiletries attack:
> http://myonlinesecur...ke-pdf-malware/
Once again this email template has several different sized malwares attached to it and it appears random which version you get... Email looks like:
    WALSALL
    MAHON RD IND EST. PORTADOWN
    CO. ARMAGH BT62 3EH
    T:028 3833 5316
    F:028 3833 8453
    Please find attached Invoice No. 3036 – 8340637
    Best
    Branch Manager
    Registered Office: PO Box 1 Knutsford Cheshire WA16 6AY ...

25 August 2014: 3036 – 8340637.zip (44kb): Extracts to Invoice 372 – 667911.exe
Current Virus total detections: 2/55*  
25 August 2014: 0463 – 485325.zip (47kb): Extracts to Invoice 829 – 991882.exe
Current Virus total detections: 2/51**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408955315/

** https://www.virustot...sis/1408955404/
___

Fake Fax SPAM - pdf malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'A fax has arrived from remote ID ’866-905-0884' pretnding to come from RFaxSMTP MTGm <RIGHTFAX@ mtgmfaxmail .bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
    A fax has arrived from remote ID ’866-905-0884′.
    ————————————————————
    Transmission Record
    Received from remote ID: ’866-905-0884′
    Inbound user ID derek, routing code 669164574
    Result: (0/352;0/0) Successful Send
    Page record: 1 – 2
    Elapsed time: 00:39 on channel 34 ...

25 August 2014: Fax_Remote_ID.zip ( 13kb) : Extracts to Fax_Remote_ID.scr
Current Virus total detections: 0/55* . This 'A fax has arrived from remote ID 866-905-0884' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408971894/
___

Bank of America Activity Alert Spam
- http://threattrack.t...vity-alert-spam
Aug 25, 2014 - "Subjects Seen:
    Bank of America Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file

Screenshot: https://gs1.wac.edge...Tu861r6pupn.png

Malicious File Name and MD5:
    report08252014_6897454147412.vcr (7ED898AA2A8B247F7C7A46D71B125EA8)
    report08252014_6897454147412.zip (FF4C74D80D3C7125962D7316F570A7FF)

Tagged: Bank of America, Upatre
___

Facebook Work From Home SCAM
- http://www.hoax-slay...gram-scam.shtml
Aug 25, 2014 - "Message claims that Facebook has launched a new 'Work From Home' program that will allow users to make money from the comfort of their own homes... The message is a scam. Facebook has not launched such a program and has no connection to the scheme. The link in the message takes you to a fake Facebook Page that tries to trick you into paying four dollars for a dodgy 'Facebook Millionaire' kit. Fine print on the signup form indicates that your credit card will be charged $94 per month for continued access. Do -not- be tempted to participate in this -bogus- program.
> http://www.hoax-slay...gram-scam-1.jpg
... It claims that people can potentially make thousands of dollars per month but warns that only a limited number of 'positions' are available... If this message comes your way, do -not- click any links it contains..."
___

Fake ADP SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Aug 2014 - "'ADP Invoice for week ending 08/22/2014 Invoice: 447589545' pretending to come from Billing.Address.Updates@ ADP .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number or e-mail address provided on the invoice for assistance.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It is generated from an unattended mailbox.

25 August 2014: invoice_447589545.zip (10kb): Extracts top invoice_447589545.exe
Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408992097/
___

BoA Merrill Lynch CashPro Spam
- http://threattrack.t...ch-cashpro-spam
Aug 25, 2014 - "Subjects Seen:
    Bank of America Merrill Lynch: Completion of request for ACH CashPro
Typical e-mail details:
    You have received a secure message from Bank of America Merrill Lynch
    Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
    If you have concerns about the validity of this message, contact the sender directly.
    First time users - will need to register after opening the attachment.

Malicious URLs:
    161.58.101.183/handler/jxpiinstall.exe

Malicious File Name and MD5:
    securedoc.html (D6E1DD6973F8FAA730941A19770C97F2)
    jxpiinstall.exe (C3110BFDD8536DC627336D7F7A6CC2E7)

Screenshot: https://gs1.wac.edge...RagN1r6pupn.png

Tagged: Bank of America, Merrill Lynch, tuscas

161.58.101.183: https://www.virustot...83/information/
 

 

Edited by AplusWebMaster, 25 August 2014 - 05:10 PM.

[AplusWebMaster]

FYI...

Fake Vodafone SPAM
- http://blog.dynamoo....lware-spam.html
26 Aug 2014 - "This -fake- Vodafone spam comes with a malicious attachment. There is not body text as such, the header reads:
    From:     Vodafone MMS service [mms813562@ vodafone .co.uk]
    Date:     26 August 2014 12:00
    Subject:     IMG Id 813562-PictQbmR TYPE--MMS

The version I had was mangled and the attachment was just called noname which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe This .EXE file has a VirusTotal detection rate of 3/55*. The malware then attempts to download additional components... This second component has a VirusTotal detection rate of 3/53**... I would recommend the following blocklist:
192.254.186.106 ..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1409051519/

** https://www.virustot...sis/1409052175/

192.254.186.106: https://www.virustot...06/information/
___

Phishers hook Facebook Users via SMS
- https://blog.malware...-users-via-sms/
Aug 26, 2014 - "If you happen to receive an SMS message from a potentially unknown recipient with the following text—
    wtf f***** remove this pic from Facebook. http ://bit[dot]do/fbnudephotos
... much like the fellow on the screenshot:
> https://blog.malware...2014/08/SMS.png
...then you’ve been targeted by a phishing campaign. The bit .do link is the shortened URL for a publicly available HTML page hosted on a Dropbox account. It looks like this:
> https://blog.malware.../dbox-phish.png
All links but one – the 'Get Facebook for iPhone and browse faster' link – lead to a 404 page. The aforementioned link leads to the actual iTunes app download page. The full code of the page is actually hex encoded and executed by the unescape () function... Once users provide their Facebook credentials to the page, these are then posted to a .PHP page hosted on 193[dot]107[dot]17[dot]68, which we found out to be quite a popular location for hosting malware. While this happens at the background, users are directed to the following screenshot which serves as humour, if not a “Gotcha!” after a successful con:
> https://blog.malware.../08/unibrow.png
... Individuals or groups with bad intent have been using SMS as a way to -scam- people, either for their money or for their information. Senior Security Researcher Jérôme Segura have published a post entitled “SMS Scams: How To Defend Yourself”* back in 2013, which I recommend you... read as well. His thoughts on this kind of fraud remains relevant to this date..."
* https://blog.malware...efend-yourself/

193.107.17.68: https://www.virustot...68/information/
___

Vacation SCAMS ...
- https://blog.malware...-at-the-border/
Aug 26, 2014 - "... common travel scams and things to be wary of right now... First up, we have an Infographic over at the Just the flight blog which details 40 tourist scams to avoid*, along with common locations for said scams:
* http://www.justthefl...his-summer.html
... Whether you’re being driven to fake hotels by taxi drivers in on the act, looking at bogus takeaway menus slipped under your hotel door, accosted by  pretend policemen or trying to catch a fake baby (no really) thrown in your general direction by a scammer working with pickpockets... Next up, we have some advice on the South China Morning Post in relation to travelling alone**, which includes tips and advice alongside links to additional information. Well worth a look if you’re planning on upping sticks and going solo:
** http://www.scmp.com/...ingle-traveller
Finally, there’s a device which can be placed inside jewelry and perform numerous functions while on the move, including sending alert messages*** in case of emergency:
*** http://www.bust.com/...p-you-safe.html
Wherever you go, you can be sure con-jobs and fakeouts lie in wait and the sensible traveler will do a little background reading before wandering off to parts unknown. It pays to keep your wits about you whether at home or abroad..."
(More at the malwarebytes URL at the top.)
___

SourceForge sub-domain redirects to Flash-Pack-Exploit-Kit
- https://blog.malware...ck-exploit-kit/
Aug 25, 2014 - "We have talked about SourceForge before on this blog, in particular when they were associated with -bundled- software... take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack... This calls to stat-count .dnsdynamic .com a domain previously identified* as a source of malicious activity. This one is no different...
* https://www.virustot...om/information/
... You may recognize the URL landing for the Flash Pack Exploit Kit. There is an interesting series of -redirections- ... The last URL is a Flash file, VT detection here:
>  https://www.virustot...sis/1408996053/
... A Flash file with a peculiar name for its classes:
> https://www.virustot...sis/1408979154/
The payload (VT results**) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED... We have spotted similar redirections to the Flash Pack exploit kit in other popular sites as well. Whether is it part of a larger campaign is hard to say but it is particularly active at the moment. Drive-by download attacks are the number -one- vector for malware infections. Legitimate websites often fall victim to malicious -injections- stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware..."
(More detail at the malwarebytes URL at the top.)
** https://www.virustot...sis/1408996125/

dnsdynamic .com - 84.45.76.100: https://www.virustot...00/information/
 

 

Edited by AplusWebMaster, 26 August 2014 - 12:46 PM.

[AplusWebMaster]

FYI...

Fake Invoice SPAM - malicious attachment ...
- http://blog.dynamoo....lware-spam.html
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
    From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
    Date:     27 August 2014 10:43
    Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14
    Hello ,   
    Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
    Thank you      
    Regards
    Gladness B Madikwe
    Sales & Marketing Clerk
    Morupule Coal Mine ...

Screenshot: http://1.bp.blogspot...00/moropule.png

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a -hacked- machine in India. The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
* https://www.virustot...sis/1409133512/
___

Malvertising: Not all Java from java .com is legit
- http://blog.fox-it.c...-is-legitimate/
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most common used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the times only noticeable at the client side... It can be a malicious advertiser 3 layers down in the chain but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected with advertisements served via high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
    Java .com
    Deviantart .com
    TMZ .com
    Photobucket .com
    IBTimes .com
    eBay .ie
    Kapaza .be
    TVgids .nl
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IP’s having been associated with these domains:
    198.27.88.157: https://www.virustot...57/information/
    94.23.252.38: https://www.virustot...38/information/
    178.32.21.248: https://www.virustot...48/information/
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."
(More detail at the fox-it URL above.)
___

"Customer Statements" - malware SPAM
- http://blog.dynamoo....lware-spam.html
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
    Fom:     Accounts [hiqfrancistown910@ gmail .com]
    Date:     27 August 2014 09:51
    Subject:     Customer Statements
    Good morning,attached is your statement.
    My regards.
    W ELIAS

Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
* https://www.virustot...sis/1409135030/
___

Royal Bank of Canada Payment Spam
- http://threattrack.t...da-payment-spam
Aug 27, 2014 - "Subjects Seen:
    The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details:
    The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
    The transfer is now complete.
    Message recipient: The rating was not provided.
    See details in the attached report.
    Thank you for using the Service INTERAC Bank RBC Royal Bank.

Malicious File Name and MD5:
    INTERAC_PAYMENT_08262014.exe (B064F8DA86DB1C091E623781AB464D8A)
    INTERAC_PAYMENT_08262014.zip (71239A9D9D25105CEC3DF269F1FDCA2D

Screenshot: https://gs1.wac.edge...OUqn1r6pupn.png

Tagged: RBC, Upatre
___

AT&T DocuSign Spam
- http://threattrack.t...t-docusign-spam
Aug 27, 2014 - "Subjects Seen:
    Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details:
    Hello,
    AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

Malicious URLs:
    79.172.51.73/Docusign/wps/myportal/sitemap/Member/ATT/SignDocument/7c16d8c7-e5ad-4870-bb79-1c1e4c9b35d6&er=fb88d3b6-88f4-4903-ae77-41754063bd7c/Contract_changes_08_27_2014.zip
Malicious File Name and MD5:
    Contract_changes_08_27_2014.zip (5ED69A412ADB215A1DABB44E88C8C24D)
    Contract_changes_08_27_2014.exe (C65966CCA8183269FF1120B17401E693)

Screenshot: https://gs1.wac.edge...fIWp1r6pupn.png

79.172.51.73: https://www.virustot...73/information/

Tagged: ATT, DocuSigin, Upatre

- http://myonlinesecur...ke-pdf-malware/
27 Aug 2014
___

ADP Past Due Invoice Spam
- http://threattrack.t...ue-invoice-spam
Aug 27, 2014 - "Subjects Seen:
    ADP Past Due Invoice
Typical e-mail details:
    Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Review your ADP past due invoice here...

Malicious URLs:
    81.80.82.27/upload/portal.adp.com/wps/myportal/sitemap/PayTax/PayStatements/invoice_449017368.zip
Malicious File Name and MD5:
    invoice_449017368.zip (CF55AD09F9552A80CD1534BD392B44D1)
    invoice_449017368.exe (C65966CCA8183269FF1120B17401E693)

Screenshot: https://gs1.wac.edge...SD3h1r6pupn.png

81.80.82.27: https://www.virustot...27/information/

Tagged: ADP, Upatre
___

Fake Payment Advice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Disclaimer:
    This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
    AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
    Cell 270 547-9194

27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)  
Extracts to   Payment_Advice_Note_27.08.2014.PDF.scr
Current Virus total detections: 0/55* . This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409154303/
 

 

Edited by AplusWebMaster, 27 August 2014 - 02:41 PM.

[AplusWebMaster]

FYI...

The ‘Unknown’ Exploit Kit ...
- https://blog.malware...wn-exploit-kit/
Aug 28, 2014 - "... Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy... A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
- The payload’s size did not match that of any URL from the capture
- The URL patterns were new
... This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.
Attack paths:
Silverlight only:
> https://blog.malware...rlight_only.png
Flash only:
> https://blog.malware.../Flash_only.png
Silverlight and Flash:
> https://blog.malware...t_and_Flash.png
All three successful paths lead to either a:
- Silverlight exploit
- Flash exploit
... Conclusions:
The payload appears to be a -browser- hijack whose goal is to illegally gain advertising revenue from infected computers. What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc). Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don’t normally see in typical malware... this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected."
(More detail at the malwarebytes URL at the top.)
 

[AplusWebMaster]

FYI...

Fake 'new photo' SPAM - malware
- http://myonlinesecur...-photo-malware/
29 Aug 2014 - "'my new photo' pretending to come from Yulia <random name@ madmimi .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These all have the same subject of 'my new photo' and come from somebody called 'yulia' and today all pretend to come from same domain madmimi .com... Email reads:

    my new photo  ..
    if you like my photo to send me u photo

29 August 2014: photo.zip ( 23kb): Extracts to photo.exe
Current Virus total detections: 2/55* ... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustot...sis/1409297373/
___

Netflix PHISH ...
- https://blog.malware...u-high-and-dry/
Aug 29, 2014 - "... This type of -scam- is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact -replica- of the genuine company. Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers... This new one is more sophisticated (better graphics, etc) although it does -not- have the tech support scam element but instead goes after your identity and wallet.
> https://blog.malware...hish1.png?w=564
The -bogus- domain netflix-ssl .net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar... The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests... Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
> https://blog.malware.../08/iphone5.png
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible. Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community. While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted. The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with. There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message."

176.74.28.254: https://www.virustot...54/information/

netflix-ssl .net / 92.222.121.100: https://www.virustot...00/information/
8.31.2014 9:02AM EDT
___

Internet Disconnection SCAM calls
- http://www.hoax-slay...cam-calls.shtml
Aug 29, 2014 - "Callers claiming to be from the technical department of Internet Service Providers (ISPs) such as Telstra warn that your Internet service is about to be disconnected because hackers have accessed your computer or it has been infected with viruses... The calls are -not- from your ISP... The best way to deal with these scammers is to simply hang up on their bogus calls... if you are unsure, terminate the call and contact the service provider directly. DO NOT use a phone number supplied by the scammers... find a phone number for the provider via a legitimate source such as a phone directory or bill. In some cases, if you are doubtful of their claims, the scammers may provide a 'technical support' phone number supposedly belonging to your ISP. But, when you call the number, you will simply be reconnected to the same scammer... service providers such as Telstra may contact you from time to time to review your service options or discuss a problem with your account, they will -never- demand an immediate -fee- over the phone to rid your computer of hackers or viruses. Nor will they ask you to download software that gives them access to your computer. Any caller that makes such a request should -not- be trusted..."
___

Fake Refund email targets UK taxpayers
- https://blog.malware...s-uk-taxpayers/
Aug 29, 2014 - "Taxpayers in the UK should be wary of emails claiming they’re owed a tax refund to the tune of 100.60 GBP... The mail reads:
> https://blog.malware...08/faketax1.jpg
Clicking the Ow.ly link in the email sends potential victims to a .zip download hosted on what appears to be a -compromised- German bicycle shop website. Inside is a .html file containing a -fake- refund form. As a sidenote, it’s a little unusual to see scammers making use of Ow.ly shortening links for a HMRC phishing scam. The -fake- refund form asks for name, DOB, address, postcode, account number, full card details …all the usual bits and pieces of information required to -swipe- the payment information.
> https://blog.malware...08/faketax2.jpg
... the refund amount pre-filled on the form is 100.65 GBP. I’m not sure where the extra five pence comes from, though given that this is all a massive work of fiction anyway I don’t think it matters besides helping to tip off recipients that this isn’t a real refund. Feel free to report these missives to HRMC directly*, and remember: HMRC will -never- ask for payment information or notify taxpayers of refunds by email."
* http://www.hmrc.gov....y/reporting.htm
___

New BlackPOS Malware emerges in-the-Wild - targets Retail Accounts
- http://blog.trendmic...etail-accounts/
Aug 29, 2014 - "... a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was -leaked- enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems... The malware can be run with options: -[start|stop|install|uninstall]. The –install option installs the malware with service name =<AV_Company> Framework Management Instrumentation, and the –uninstall option deletes the said service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service. Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes. It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip. The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store, Target last December 2013... we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware..."
(More detail at the trendmicro URL above.)
> http://www.trendmicr...em-breaches.pdf
___

Microsoft boots 1,500 apps from its Windows Store
- http://www.theinquir...s-windows-store
Aug 29 2014 - "... Microsoft GM of Windows Apps and Store Todd Brix said in a blog post*, "As Windows Store expands to reach more customers in more markets with a growing list of great titles, we are continuously looking for ways to improve both customer experience and developer opportunity. We strive to give our worldwide customer base easy access to amazing app experiences while keeping developer friction to a minimum. From time to time this process slips out of sync and we need to recalibrate". Brix admitted that Microsoft found that some customers weren't satisfied with the Windows Store and some of the apps they found there, but he described the problem as involving merely misleading app descriptions... After relating how Microsoft tackled identifying apps having "confusing or misleading titles", Brix said, "Most of the developers behind apps that are found to violate our policies have good intentions and agree to make the necessary changes when notified. Others have been less receptive, causing us to remove more than 1,500 apps as part of this review so far....", not forgetting to reassure customers that "as always we will gladly refund the cost of an app that is downloaded as a result of an erroneous title or description".
* http://blogs.windows...-windows-store/
 

 

Edited by AplusWebMaster, 31 August 2014 - 07:05 AM.

[AplusWebMaster]

FYI...

Tesco Phish ...
- http://myonlinesecur...wards-phishing/
1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
    Tesco Customer Satisfaction program selected you to take part in our quick survey.
    To earn your 150 £ reward, please click here and complete the form.

Screenshots:
- http://myonlinesecur...k-_rewards1.png

- http://myonlinesecur...k-_rewards2.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
___

Fake Statement SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD, As far as we can determine they have not been hacked or their website or email system compromised... Email reads:

    Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
Current Virus total detections: 2/55* . This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409570924/
___

O/S Market Share - August 2014 ...
- http://www.netmarket...=10&qpcustomd=0
Browser Market Share
- http://www.netmarket...d=0&qpcustomd=0
9/1/2014
___

China gives MS 20 days to provide explanation in anti-trust probe
- http://www.reuters.c...N0GW1FD20140901
Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."
 

 

Edited by AplusWebMaster, 01 September 2014 - 08:45 AM.

[AplusWebMaster]

FYI...

Something evil on 95.163.121.188 (Sweet Orange EK)
- http://blog.dynamoo....1188-sweet.html
2 Sep 2014 - "95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip*). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before**...
(Long list of domains at the URL above.)
... The domains appear to be legitimates ones that have been hijacked in some way.
95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had -half- of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you -block- either the /19 or /18..."
* http://www.malware-t...8/29/index.html

** http://blog.dynamoo....el/DINETHOSTING
___

Fake 'Bonus' SPAM/SCAM ...
- http://myonlinesecur...automated-draw/
2 Sep 2014 - "email received that tells you that you have won £1000 in an automated draw and haven’t claimed it yet:

Attempting to contact <REDACTED>
    This is automated draw #23851
    Our system shows you have been awarded with £1000!
    According to our records, voucher wasn’t collected yet
    Please be informed that your voucher is still valid. You may claim your wininngs and use them without making any deposit.
    Confirm your email here to claim your £1000 voucher.
    Have fun !
    Lindsey Lane
    CRM Manager..
    * This offer is available to new players only.
    You have received this email because you have requested more information from BonusNews...

Clicking the button that says claim your reward (or any other of the buttons) gives you a  file to run on your computer that installs some casino software that is detected by several anti-malware programs as unwanted*..."
* https://www.virustot...29f89/analysis/
___

Hacks behind biggest-ever Password Theft begin Attacks
- http://it.slashdot.o...t-begin-attacks
1 Sep 2014 - "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports* the hackers have begun using the list to try and access accounts. 'Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through -fake- browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts'. They report that most login attempts are failing, but some are succeeding. -Now- is a good time to check that none of your important accounts share passwords."
* http://community.nam...internet-users/
 

 

Edited by AplusWebMaster, 02 September 2014 - 12:08 PM.

[AplusWebMaster]

FYI...

Fake NDR SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'NDR Bill' pretending to come from Ebilling <Ebilling@ westlothian .gov.uk> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...  Non domestic rates bills normally come out in February or March each year, so using this email template in September will or should raise alarm bells immediately. This particular email allegedly being sent by a Scottish Local Council should immediately alert a recipient in the rest of UK to being totally bogus:
Please find attached your Non Domestic Rates bill.
If your account is in credit you are due a refund unless you have any other debt due to the Council.
To allow your credit to be processed please confirm:
- If you want the credit transferred to another account you have with us. Please confirm the account details. – If you want the credit refunded by cheque, please confirm who it should be sent to and the address.
Links to Non Domestic Rates information are detailed below.
Important Note: If you access these links using a mobile phone the network provider may charge for this service.
Yours sincerely Scott Reid Revenues Manager ...

3 September 2014: 00056468.pdf.zip ( 207 kb): Extracts to 00056468.pdf.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409725854/

- http://blog.dynamoo....bill-email.html
3 Sep 2014 - "Sometimes spammers come up with weird approaches. This one is a bill from West Lothian Council in the UK.. well, actually it -isn't- a bill but it comes with a malicious attachment.
    From:     Ebilling [Ebilling@ westlothian .gov.uk]
    Date:     3 September 2014 09:20
    Subject:     NDR Bill
    Please find attached your Non Domestic Rates bill...

Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55*... This second component has a VT detection rate of just 3/55**. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France)
Recommended blocklist:
80.94.160.129
92.222.46.165 ..."
(More at the dynamoo URL above.)
* https://www.virustot...sis/1409733696/

** https://www.virustot...sis/1409734574/
___

“YouTube Account Manager has sent you a Message…”
- https://blog.malware...-you-a-message/
Sep 3, 2014 - "We’ve seen some complaints of a message sent to YouTube users via the YouTube messaging system, warning of account suspension:

    YouTube account manager has sent you a message
    We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message. After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.
    Please follow the following instructions to recover your account:
    1. Please contact your account manager here: [url]
    2. You have to complete a quick survey to make sure you are human.
    3. Wait for our email explaining the next steps.
    * If you decide to ignore this message and not follow the above steps your account will be suspended.

This is what you would see after hitting the supplied link in the message:
“Complete a survey to verify your account”
> http://blog.malwareb...untmanager1.jpg
This one is a survey scam, and whoever is sending these messages is looking to make a little cash along with the panic they’re no doubt whipping up in YouTube users right about now. The links displayed on the left hand side are regional and will take clickers to various offers / surveys / signups and downloads. If you’re in any doubt as to the status of your YouTube account, you’d be better served contacting them directly than being tricked by these false messages currently in circulation. Scammers will often use similar tactics to send phishing links and malware, so in some ways recipients of this missive are getting the best of a bad deal – it’s “only” surveys and forms to fill in, along with the occasional download. However, that doesn’t mean we should rush to jump through their survey sign-up hoops either. Steer clear of this one, and keep on making those videos."
___

Fake 'Internet free' email SCAM - malware attachment
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'Transaction via the Internet free of charge, ID:I613410_745' pretending to come from Santander BillPay is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer... The -scammers-, malware purveyors and phishers do get more creative every day and this email is quite creative, with a link to report suspicious emails to Santander and genuine links to Visa, MasterCard and VeriSign in their efforts to persuade you that it is a genuine email and that you should open the attachment:
Dear <removed>,
Our system detectet that you have made a bill payment using our cloud-based BillPay processing website.
You can find all details regarding the transaction in attachment.
Important information on recent fake email activityA number of UK banks have recently been targeted by fraudsters using emails to ask customers to enter their security details into a fake website.
At Santander Corporate Banking we will never send you an email that asks you to verify your security details or link to Internet banking. If you receive an email claiming to be from Santander Corporate Banking that you are suspicious about, please forward it to phishing@ santander .co.uk
If you are worried that someone may already have your personal security details, then please contact us on 0151 966 2105. Calls are recorded and may be monitored for security, quality control and training purposes...

3 September 2014 : I613410_745.zip ( 57kb): Extracts to Bill_Payment_2E_832e458.pdf.exe
Current Virus total detections: 1/54* ... This 'Transaction via the Internet free of charge, ID:I613410_745' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409750135/
___

Fake attached CBE form SPAM - PDF malware
- http://myonlinesecur...rm-pdf-malware/
3 Sep 2014 - "'Please review the attached CBE form' pretending to come from Jonathan.Bledsoe@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader...
     Importat message, read right away.
    Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
    Please sign and send it back.
    Regards,
    ADP TotalSource Benefits Team

3 September 2014 : cbe_form.pdf - Current Virus total detections: 8/54*
... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustot...sis/1409761379/
___

Fake 'August report' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'August Report' pretending to come from Jackie Cantrell <Jackie.Cantrell@ bankmanager .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    Hello , Please find attached documents for last month. Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission. Kind regards Jackie Payroll Manager

This email attachment has 2 files inside it. Both are identical although have different names, so the bad guys get 2 bites at the cherry.
3 September 2014: BACs_Documents.zip ( 20 kb): Extracts to   BACs_Documents.scr
and to    Case_090314.scr . Current Virus total detections: 12/55* . This August Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1409724912/
___

Fake Sky .com SPAM ...
- http://blog.dynamoo....spam-again.html
3 Sep 2014 - "These fake Sky emails are pretty common and have a malicious attachment:
    Date:      Wed, 3 Sep 2014 09:17:22 +0200 [03:17:22 EDT]
    From:      "Sky.com" [statement@ sky .com]
    Subject:      Statement of account
    Afternoon,
    Please find attached the statement of account.
    We look forward to receiving payment for August, invoice as this is now due for payment.
    Regards,
    Clark ...

The attachment is Statement.zip which contains a malicious executable Statement.scr which has a reasonable VirusTotal detection rate of 18/55*. The Anubis report indicates that the binary phones home..."
* https://www.virustot...sis/1409736793/
___

Fake 'Important Documents' email SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
3 Sep 2014 - "'RE: Important Documents' pretending to come from Simon Leiman <Simon.Leiman@ rbs .com>  the name of sender at RBS appears to be random and can be any name is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... No attachment in the email but a link to a compromised website to download the malware:
RE: Important Documents
    [RBS Logo Image]
    Building tomorrow
    RE: Important Information
    We’re letting you know we have received a request from your bank to complete and sign the attached documents.
    To view/download the documents please click here.
    Please fill out the documents and fax them at +44 131 242 0017
    Simon Leiman
    Senior Accounting Manager
    Tel. +44 131 242 0017
    Email: Simon.Leiman@ rbs .com
    ? Royal Bank of Scotland 2014 ...

3 September 2014: AccountDocuments.zip ( 12kb) : Extracts to AccountDocuments.scr
Current Virus total detections: 4/54* . This 'RE: Important Documents' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...c0822/analysis/
___

iCloud hack/leak now being used as Social Engineering lure
- http://blog.trendmic...gineering-lure/
Sep 3, 2014 - "...  it was certainly only a matter of time before some enterprising cybercriminal decided that things were ripe for leveraging with socially-engineered threats. And that’s just what happened, as our scanning brought to our attention some freshly-concocted schemes targeting those looking for the photos borne from the aforementioned leak. The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak’s -victims- Jennifer Lawrence. The tweet spots a shortened link that, if -clicked- leads the user to a website offering a video of the actress in question...
Tweet with malicious link:
> http://blog.trendmic...wrencetweet.png
Website with offered video:
> http://blog.trendmic...encewebsite.png
If the user goes on to engage the playback, they are instead redirected to a download page for a ‘video converter’. The downloaded file is detected as ADW_BRANTALL:
> http://blog.trendmic...eoconverter.png
Besides this bait-and-switch maneuver, this particular threat also spread itself on Facebook by forcing users to share the malicious site on their profiles before they are given the ability to ‘play’ the offered video. This would result in the user’s wall being spammed with the link, as well as the download of another variant of ADW_BRANTALL. The spamming is shown below.
> http://blog.trendmic...acebookwall.png
Of course, in both cases, the user does not get to watch any video at all. And from our analysis, it appears that the majority of the users affected by this are from the United States (70%). We also discovered several malicious files floating around the internet that have been relabeled as zipped archives and/or video files of the leaked pictures in question. Again, we believe these files as part of a cybercriminal scheme to target those looking for the pictures themselves... With this incident in mind, it’s a good time to remind users that all popular news events – the iCloud leak being a prime example of it – will always have cybercriminals taking advantage of it in one way or another. If it’s something that you’ll use a search engine for, there’s a good chance that they’ve already created threats for it that will jump on you the moment you go looking. And do note that the threats we’ve talked about above are not the only ones lying around in wait! Always get your online news from trusted websites, and refrain from looking for/and downloading illegal material (such as leaked private photos or cracked software). Look into installing a security solution as well, if you haven’t done so already in these turbulent times.  A few fleeting moments of convenience or enjoyment is never worth the hassle."
___

'Infrastructure-configuration' adjustment
- http://www.reuters.c...N0GY2EQ20140903
Sep 3, 2014 - "Facebook Inc went down briefly for an unknown number of U.S. users on Wednesday afternoon in what appeared to be the latest outage to affect the world's largest social network. Several users had earlier reported getting an error message, "unable to connect to the Internet" when attempting to sign in. Facebook said the log-in problems arose after what it called an infrastructure-configuration adjustment..."
 

 

Edited by AplusWebMaster, 03 September 2014 - 08:12 PM.

[AplusWebMaster]

FYI...

Fake sage .co.uk "Invoice_7104304" SPAM - PDF malware
- http://blog.dynamoo....04304-spam.html
4 Sep 2014 - "This -fake- invoice from Sage is actually a malicious PDF file:
    From:     Margarita.Crowe@ sage .co.uk [Margarita.Crowe@ sage .co.uk]
    Date:     23 July 2014 10:31
    Subject:     FW: Invoice_7104304
    Please see attached copy of the original invoice (Invoice_7104304).

Attached is a file sage_invoice_3074381_09042014.pdf which is -identical- to the payload for this Companies House spam* ..."
* http://blog.dynamoo....ual-return.html
4 Sep 2014 - "This -fake- Companies House spam comes with a malicious attachment.

Screenshot: https://4.bp.blogspo...ies-house-5.png

Attached is a malicious PDF file ar01_456746_09042014.pdf which has a VirusTotal detection rate of 5/54**. The Malware Tracker report shows that this attempts to exploit the CVE-2013-2729 flaw that was patched over a year ago.."
** https://www.virustot...58a2a/analysis/

- http://myonlinesecur...70-pdf-malware/
4 Sept 2014: sage_invoice_3074381_09042014.pdf - Current Virus total detections: 4/55***
*** https://www.virustot...sis/1409823534/
___

Fake 'Unauthorised iTunes Purchase' email - PHISH
- http://myonlinesecur...tunes-purchase/
4 Sep 2014 - "email received that says 'Unauthorised iTunes Purchase'. The interesting point about this one is the phishing URL. It is a pass through from a genuine Google URL https ://www.google .com/url?gc=PAH96di-ZUnHVlY&q=%68%74tp%3a%2f%2Fdl6.c1l%2eus%2FSb7ouez&sa=D&usg=AFQjCNEQ84I8qa2xYHVEKwXmJMrXG0_GhA which bounces via another url http ://dl6.c1l .us/Sb7ouez to end up on http ://111.90.144.179 /datacare/login/auth/dc347f94af30dff3ce1efd53f335d0e7/low_aa/
I had no idea that you could use google, especially a HTTPS (secure site) link to pass through to a phishing or any other site. Almost anybody seeing a google link will think that it is safe. Obviously this is a big security risk that Google servers allow this sort of divert or pass through and it needs to be plugged. The site asks for your Apple ID and password, then sends you to a page saying:
    My Apple ID
    It looks like someone used your data to make unverified purchase.
    We need to be sure that you’re real holder of this account and match the information you will provide us now with the information in our databases. Please make sure your information is correct before submitting it to us or it may cause further delays.
    Thank you.

Then wants you to fill in the form to give them your Name, address, Date of Birth, Credit card details, Mobile phone number etc. Everything they need to take over your identity in the virtual world as well as clear out all your bank and credit card accounts. It will then bounce you to the correct Apple page..."

111.90.144.179: https://www.virustot...79/information/
 

 

Edited by AplusWebMaster, 04 September 2014 - 09:35 AM.

[AplusWebMaster]

FYI...

Phishing safety ...
- http://blog.trendmic...s-https-enough/
Sep 5, 2014 - "It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are -also- taking part in this switch... we recently spotted a case where users searching for the -secure- version of a gaming site were instead led to a phishing site. We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010-2014. Based on our investigation, the number of phishing sites is increasing and we expect it to -double- towards the latter part of 2014...
Number of HTTPS phishing sites from 2010 to 2014:
> http://blog.trendmic...HTTPS_count.jpg
One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since they have just abused or compromised servers that -do- have valid certificates...
Screenshots of legitimate site (left) and phishing site (right):
> http://blog.trendmic...hishingsite.jpg
... While some sites have a green icon bar in the address bar as a security indicator, users still need to check the common name and organization. For example, users search for the Bank of America login page and click on the top result. In the login page, they can check for the green icon bar and the domain name, (which in this case is bankofamerica.com). When they click the green icon bar, a window will pop up. Users can then check for the “Issued to” which is equivalent to “Common Name.”  Note that the Common Name should be similar to the domain name...
Check the green icon bar and the domain name to determine if it is a legitimate site:
> http://blog.trendmic...reenbaricon.jpg
As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the padlock of HTTPS is no longer a sign that they are visiting a safe site. They must first check the certificate before proceeding to give enter credentials and personal identifiable information (PII)... Based on feedback from the Smart Protection Network data, the top affected countries that visit HTTPS phishing sites are US and Brazil.
Top affected countries:
> http://blog.trendmic...ountries-01.jpg ..."
___

Hoax email comes with malicious Word doc
- http://blog.dynamoo....comes-with.html
5 Sep 2014 - "... Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro...  translates as:
Shakira dies in serious accident
    This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost herlife. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..
    To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.

When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:
Screenshot: https://4.bp.blogspo...600/shakira.png

The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC. This malicious document has a VirusTotal detection rate of just 2/54*. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www .papeleriaelcid .com/aurora/ajax/ ... In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V."). Blocking the papeleriaelcid .com site and rejecting emails from 207.150.195.247 might be wise ..."
(English or other languages may be spammed out next.)
* https://www.virustot...sis/1409926479/
___

NatWest Phish: “You are Logging In from Different Cities”
- https://blog.malware...fferent-cities/
Sep 5, 2014 - "There’s a NatWest phish in circulation which tries to scare recipients with warnings of logins from multiple cities which it claims is forbidden. Anybody spending a lot of time on the road for work or personal reasons could potentially be panicked into clicking the links in this one. The URL in the mail leads to a 404 error on a website about different types of paint, so it’s likely been reported and / or pulled by the hosts but here’s the text so you can easily spot it the next time it gets rolled out with a fresh URL:

    Dear Customer,
    During a recent review of your account we found that you are currently logging in from different cities in a suspicious manner that is not compliant with our bank policies.
    NatWest customers are not permitted to log in from different places at same time, or using proxies.
    For your safety, we have temporarily deactivated your account, to reactive your account please go to our SSL secure link below and update your account credentials.
    However, please note that our squad reserves the right to close your account at any time. As such, we encourage you to become familiar with our program policies and monitor your network accordingly.

The email displays the full URL in the text of the legitimate NatWest website, but uses the old trick of making the clickable link take them to a -phish- hosted on a -compromised- website... it’s always a good idea to hover over any clickable link in an email so you can check the final destination... with so many people traveling as part of their job nowadays this could easily snag a few victims."
___

Cryptographic Locker
- http://www.webroot.c...graphic-locker/
Sep 5, 2014 - "... every few weeks we see a -new- encrypting ransomware variant. It’s not surprising either since the business model of ransoming files for money is tried and true. Whether it’s important work documents, treasured wedding pictures, or complete discographies of your favorite artists, everyone has valuable data they don’t want taken. This is the last thing anyone wants to see:
> https://www.webroot....und-cropped.png
This variant does bring some new features to the scene, but also fails at other lessons learnt by previous variants. Starting with the new features this variant will now just “delete” the files after encrypting them (it just hides them from you). This doesn’t add any more intangibility since they are encrypted with AES-128 anyway, but it does add a greater sense of loss and panic since all of your common data directories will appear to have been cleaned out. Another new feature is the constant raise in price every 24 hours. While price bumping was used on previous variants, this one doesn’t have a limit...  this variant falls short on overall volatility is in the failure to delete the VSS (Volume Shadow Service) so using tools like Shadow Explorer* will work to retrieve your files and circumvent paying the ransom. As I’ve said in previous blogs I do expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution..."
* http://www.shadowexplorer.com/
 

 

Edited by AplusWebMaster, 05 September 2014 - 01:19 PM.

[AplusWebMaster]

FYI...

Fake BH Live Tickets SPAM - (bhlive .co.uk / bhlivetickets .co.uk)
- http://blog.dynamoo....r-pan-spam.html
8 Sep 2014 - "...  very large quantity of these spam emails, purporting to be from:
    From:     bhlivetickets@ bhlive .co.uk
    Date:     8 September 2014 08:43
    Subject:     Confirmation of Order Number 484914
    ORDER CONFIRMATION
    Order Number     Order Date
    484914     07-09-2014 13:00
    YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event...

These emails are -not- from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe). The VirusTotal detection rate for this malware is just 3/55*. Comodo CAMAS reports** that this downloads an additional component from tiptrans .com .tr/333 which has a VirusTotal detection rate of 4/51***. According to ThreatExpert****, this second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).
Recommended blocklist:
tiptrans .com .tr
92.222.46.165
80.94.160.129"
* https://www.virustot...sis/1410162673/

** http://camas.comodo....c59aacda2c1bfe3

*** https://www.virustot...sis/1410163490/

**** http://www.threatexp...394a991645aec4b

- http://myonlinesecur...ke-pdf-malware/
8 Sep 2014
Screenshot: http://myonlinesecur...ve_ticketsd.png

> https://www.virustot...sis/1410164460/
___

Fake RBS "Important Docs" SPAM - again ...
- http://blog.dynamoo....-docs-spam.html
8 Sep 2014 - "The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.
Date:      Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From:      Vicente Mcneill [Vicente@rbs .co.uk]
Subject:      Important Docs
Please review attached documents regarding your account.
Tel:  01322 929655
Fax: 01322 499190
email: Vicente@ rbs .co.uk ...

Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53*... analysis shows that it attempts to download components from the following locations:
95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip
95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood .com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).
Recommended blocklist:
bullethood .com
95.141.37.158
94.23.250.88"
* https://www.virustot...sis/1410183105/
___

Cryptowall ransomware ...
- http://arstechnica.c...-gameover-zeus/
Sept 7 2014 - "... Within a week of the takedown of Gameover Zeus and Cryptolocker, a surge of spam with links to a Cryptolocker copycat, known as Cryptowall, resulted in a jump in ransomware infections, states a report released last week by security-services firm Dell Secureworks*. Cryptowall first appeared in November 2013, and spread slowly, but the group behind the program were ready to take advantage of the vacuum left by the downfall of its predecessor. Being prepared paid off: In six months, the Cryptowall group infected nearly 625,000 systems, and even though only 0.27% of victims paid, the group still made $1.1 million, according to data from a command-and-control server discovered by Dell Secureworks..."
* http://www.securewor...all-ransomware/
___

‘Dyre’ malware goes after Salesforce users
- https://blog.malware...lesforce-users/
Sep 8, 2014 - "San Francisco-based company Salesforce well-known for its cloud-based Customer Relationship Management (CRM) software, emailed a security advisory to its customers, late Friday.
Copy of the email sent by Salesforce:
> https://blog.malware...force_email.png
The threat known as Dyre was originally spotted by security firm CSIS* and by PhishMe** which also had uncovered the new malware earlier in June. Back then, the threat was aimed at banks and other financial institutions, something very reminiscent of other banking Trojans such as Zeus and its variants. But researchers discovered that the malware is now capable of capturing login credentials from Salesforce users by -redirecting- them through a phishing website. Dyre will initially infect users through some form of social-engineering, typically with an email that contains a malicious attachment. Once on the system, the malware can act as a man-in-the-middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines... This type of attack could be mean there might be a new trend on the horizon, one that goes after Software as a Service (SaaS) users. Businesses increasingly rely on third-party software providers for their needs because it can be a cheaper option without all the headaches of doing it yourself. For example, instead of managing their own email server, companies will use Office365 or similar cloud-based email solutions. Banking credentials are still the bread-and-butter for the majority of cyber-crooks because they can be immediately used. But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business. There is no silver bullet to defend against these threats but once again a healthy balance of end-user education about phishing scams and proper end-point security solutions will go a long way. Data exfiltration is one the most important issues of 2014 with a growing number of businesses being affected. The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow.:
* https://www.csis.dk/en/csis/news/4262/

** http://phishme.com/p...s-bypasses-ssl/
___

Fake "PAYMENT SLIP" SPAM - with an encrypted .7z archive
- http://blog.dynamoo....-encrypted.html
8 Sep 2014 - "This spam comes with a malicious attachment:
    From:     daniel mo [danielweiche002@ gmail .com]
    Subject:     PAYMENT SLIP
    Signed by:     gmail .com
    Thanks for your last message,
    We remitted 30% prepayment today amounting to 51,300USD against your invoice INV332831 as was agreed with you by our purchasing agent. Please check the attached invoice and the payment slip and correspond your account information. You will receive payment in your account after a few days.
    Please confirm the receipt  below,
    kindly use this password {121212} to view attachment for our payment slip;
    Thanks,
    Daniel
    Accounts Assistant
    67752222
    64472801
    Zenia Singapore Pte Ltd

In order to deal with the attachment new order.7z, you'll need something capable of dealing with .7z files (e.g. 7-Zip). Inside the archive is a malicious executable new order.scr which has a VirusTotal detection rate of 5/54*. I have not been able to analyse the malware any further than this."
* https://www.virustot...sis/1410186462/
___

RBC Royal Bank Phish - and PDF malware
- http://myonlinesecur...rvice-phishing/
8 Sep 2014 - "'You have received a new secure message from RBC Royal Bank Customer Service' pretending to come from RBC Royal Bank Customer Service <securemessage@ rbc .com> is an attempt to -scam- you and get your bank log on details. It also is trying to infect you and is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email is particularly devious, evil  and crafty as it sends you to a site that at first glance you think is a phishing site (if you are unwise enough to click any of the links in the email). However that site also has a hidden iframe that tries to download some malware to the computer if you have a vulnerable version of Java. Then if that isn’t enough when you fill in the log in details on the page the buttons on the page appear to link to the genuine RBC bank site so hovering over the links will fool you into thinking that you are on the genuine RBC site:
> http://myonlinesecur...2014/09/rbc.png
... then the sign in button leads you to this webpage where any of the links or the buttons download what appears to be a genuine PDF file that looks blank. That file is a malformed PDF with a script virus embedded that will infect you. This file 09.08.14report.pdf has a current VirusTotal detection rate of 5/55*. These emails contain a genuine PDF file that is malformed  and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader..."
* https://www.virustot...sis/1410199439/

- http://threattrack.t.../rbc-royal-bank
Sep 8, 2014 - "Subjects Seen:
    You have received a new secure message from RBC Royal Bank Customer Service
Typical e-mail details:
    You have received a secure message
    This is an automated message sent by Royal Bank Secure Messaging Server.
    The link above will only be active until: 09/10/2014
    Please click here or follow this link : royalbank.com/cgi-bin/rbaccess/rbcgi3m01
    Help is available 24 hours a day by email at secure.emailhelp @rbcroyalbank.com
    If you have concerns about the validity of this message, please contact the sender directly. For questions about Royal Bank’s e-mail encryption service, please contact technical support at 1-800-769-2511.
    First time users - will need to register before reading the Secure Message.

Malicious URLs:
    halilbekrek .com/TUTOS/libs/excel/install6.exe
    66.235.98.169/rbc.com/webapp/ukv0/signin/logon.php
    66.235.98.169/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf
    84.45.53.45/rbc.com/webapp/ukv0/signin/logon.php
    84.45.53.45/rbc.com/webapp/ukv0/signin/message.html
    84.45.53.45/rbc.com/webapp/ukv0/signin/report/09.08.14report.pdf

Malicious File Name and MD5:
    install6.exe (e3fbc7b3bf11f09c5ee33b1e1b45f81b)
    09.08.14report.pdf (ecddafa699814679552d2bf95fc087e5)
    OfigGigg.dat (85d42ccc12301bbda27abf4c0b7eb7ff)

66.235.98.169: https://www.virustot...69/information/

84.45.53.45: https://www.virustot...45/information/

Tagged: RBC, Vawtrak, CVE-2013-2729
___

Fake Tcn Invoice SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Sep 2014 - "'Tcn Invoice # N265588248042E' pretending to come from  Katharine Norwood <Katharine.Norwood@ advanced-ornamentation .com>  is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
    Good morning...
    I requested an invoice yesterday; on the invoice it shows a charge of $585.15 although on my credit card statement it shows a charge of $185.13. Can you please advise on what the total should be and if it is for the amount of $185.13 can you please provide an invoice with that amount.
    Thank you.
    Katharine Norwood
    Administrative Assistant
    San Diego, CA 92135
    205 840-2913

8 September 2014: Invoice.zip ( 48 kb) : Extracts to Invoice.pdf.scr
Current Virus total detections: 4/55*. This 'Tcn Invoice # N265588248042E' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410198304/
___

Twitter Phish SPAM: “Strange Rumors About You”
- https://blog.malware...mors-about-you/
Sep 8, 2014 - "... an ongoing Twitter spam attack which is sending potential victims to phishing pages via a Tumblr -redirect- . Compromised Twitter accounts and / or bots are sending variations of the below to Twitter users:
> https://blog.malware...witterspam1.jpg
We’ve seen some 200+ messages sent in the last ten minutes, and this attack has been ongoing for at least six hours. Here’s the Tumblr -spam- blog which is redirecting to the fake Twitter login, and the -fake- login itself:
> https://blog.malware...witterspam2.jpg
...
> https://blog.malware...witterspam3.jpg
The -fake- page reads:
    “Your current session has ended.
    For security purposes your [sic] were forcibly signed out. You need to verify your Twitter account, please relogin.”
Twitter users should -avoid- signing into Twitter via any of the links being sent around, and always check the URL to ensure they’re entering their credentials in the right place."

211.154.136.106: https://www.virustot...06/information/
 

 

Edited by AplusWebMaster, 08 September 2014 - 06:07 PM.

[AplusWebMaster]

FYI...

Fake Bill.com Invoice SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2014 - "'Bill.com Invoice has been paid' pretending to come from The Bill .com Team <notificationonly@ hq.bill .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[ Bill .com image ]
Hi,
Thank you for payment to Bill.com. The credit/debit card you have on file with us was successfully charged $115.33 for the billing period 08/01/14-09/01/14.
The Statement for this account is now available for viewing. Please find it attached to this email.
Have questions? Sign in at our website, then contact support.
Thank you,
The Bill .com Team
Please do not respond to this email. This e-mail was sent from a notification-only e-mail address.

9 September 2014: bill-d59f78596bfa79e01898cf9d0e645b99328028d597e9005146787f09435a01016270d6ffc5d69ec27901.zip ( 486 kb):
Extracts to BILL_ID_895634523945258345873645763459879876432985763298563253245.pdf.exe     Current Virus total detections: 28/55*. This Bill .com Invoice has been paid is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410252379/
____

“Google dorking“ ...
- http://blog.trendmic...ins-everywhere/
Sep 9, 2014 - "Last July, the US Department of Homeland Security warned of a new kind of criminal attack: “Google dorking“*. This refers to asking Google for things they have found via special search operators... Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds “secret” data, it adds it to Google’s database just like any other kind of information... suppose your company’s HR representative left a spreadsheet with -confidential- employee data -online- . Since it’s open for everyone to access, the crawler sees and indexes it. From them on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached), it just made it easier to find. This kind of “attack” has been around for as long as search engines have been around. There are whole books devoted to the subject of “Google dorking”, which is more commonly known as “Google hacking”.  Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google’s search operators to find information. The warning – as ridiculous as it might seem – has some merit... finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can’t be blamed for finding what has been left public; it’s the job of web admins to know what is and isn’t on their servers wide open for the world to see. It’s not just confidential documents that are open to the public, either. As we noted as far back in 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine. This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it’s still a problem to this day. In short: this problem has been around for a while, but given that it’s still around an official warning from the DHS is a useful reminder to web admins everywhere: perform “Google dorking” against your own servers frequently, looking for things that shouldn’t be there. If you don’t, somebody else will and their intentions might not be so pure..."
* https://publicintell...google-dorking/
___

Fake Sage Outdated Invoice SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2014 - "'Outdated Invoice' pretending to come from Sage Account & Payroll <invoice@ sage .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[Sage logo image ]
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
... Account?432532=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential...

9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Outdated Invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410267601/

- http://blog.dynamoo....voice-spam.html
9 Sep 2014
"Recommended blocklist:
95.141.37.158 ..."
(More detail at the dynamoo URL above.)

95.141.37.158: https://www.virustot...58/information/
___

Fake NatWest Invoice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Sep 2014 - "'Important – New account invoice' pretending to come from NatWest Invoice <invoice@ natwest .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
[NatWest logo image]
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below...

9 September 2014: invoice_090914.zip ( 18kb) : Extracts to invoice_090914.scr
Current Virus total detections: 4/55* . This 'Important – New account invoice' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410267601/
___

Fake Worker’s Compensation SPAM – word.doc malware
- http://myonlinesecur...rd-doc-malware/
9 Sep 2014 - "'HMC&TS Worker’s Compensation Appeal' pretending to come from HM Courts and Tribunals Service <submit.wjq@ courtsni .gov.uk>is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... So far today I have seen several subjects for this email:
    HMC&TS Worker’s Compensation Appeal
    Worker’s Compensation Summons
    HM Courts & Tribunals Service Summons
    HM Courts & Tribunals Service
All the emails are very similar, but will have different courts or tribunals listed and different dates, case numbers and tribunal members. The faked sender will always be the same name as the recipient of the email with a few random letters after the name... Email reads:
Worker’s Compensation Appeal Tribunal
Decision # 502
Board Direction To Rehear Decision #695
Claim No.: 2504=5704
Date of Original Notice of Appeal: June 10, 2014
Date Received at The Tribunal: June 19, 2014
Date of Board Direction to Rehear: August 11, 2014
Received: August 20, 2014
Date of Documentary Review by Appeal Committee: August 23, 2014
Date of Decision: September 6, 2014
     To Whom It May Concern,
     Your Corporation (named Respondent)
Appears to be in default because of its failure to comply with the Administrative Law Judge’s Prehearing Order without decent cause, and such default by Respondent constitutes an admission of all facts alleged in the Complaint and a waiver of Respondent’s right to contest such factual allegations. Respondent violated the section 9(6), paragraph B13(1) of the Jobseekers Act 1995.
We recommend you to download a copy of original Complaint at Tribunal in attachment below...

9 September 2014: Copy68789.zip (66kb): Extracts to Copy of original Complaint at Tribunal.docx.exe
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word .doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410269102/

- http://threattrack.t...ls-service-spam
Sep 9, 2014
Screenshot: https://gs1.wac.edge...LcAX1r6pupn.png

Malicious File Name and MD5:
    Copy4855.zip (854ADF297E8B1D79BA0E744F90AFDE50)
    Copy of original Complaint at Tribunal.docx.exe (6D9BDE90B81C064ACA5ED994BC8A981A)

Tagged: HM Courts & Tribunals, Kuluoz
___

Hacks throw 25 malware variants at Apple Mac OS X
- http://www.theinquir...-apple-mac-os-x
Sep 9 2014 - "... 25 varieties of malware, some of which are being used in targeted attacks, warns security firm F-Secure. F-Secure reported uncovering the malware variants in its Threat Report H1 2014*, claiming it discovered the first 20 attack tools earlier this year..."
* http://www.f-secure....s/00002741.html
Sep 8, 2014
 

 

Edited by AplusWebMaster, 09 September 2014 - 12:36 PM.

[AplusWebMaster]

FYI...

Fake DHL invoice SPAM
- http://blog.dynamoo....ust-dhl-no.html
10 Sep 2014 - "Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simply be deleted.
From:     Geir Myklebust (DHL NO) [Geir.Myklebust@ dhl .com]
Date:     10 September 2014 10:35
Subject:     FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
Dear Sir.
The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.
Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm ...

Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report** shows an attempted connection to voladora .com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending..."
* https://www.virustot...sis/1410342283/

** http://camas.comodo....da704a26cac5038

"UPDATE: a second malicious binary is doing the round, this time with a detection rate of 2/53***..."
*** https://www.virustot...sis/1410353017/

92.43.17.6: https://www.virustot....6/information/

- http://myonlinesecur...ke-pdf-malware/
10 Sep 2014
- https://www.virustot...sis/1410350810/
___

Fake Overdue invoice SPAM – doc malware
- http://myonlinesecur...ke-doc-malware/
10 Sep 2014 - "'Overdue invoice #1197419584' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good afternoon,
    I was hoping to hear from you by now. May I have payment on invoice #1197419584 today please, or would you like a further extension?
    Best regards,
    Cherish Schaunaman
    +07540 61 15 69
... or like this one:
    This email contains an invoice file in attachment.

10 September 2014 : bill_2014-09-10_09-16-23_1197419584.arj :
Extracts to:  bill_2014-09-10_09-16-23_1197419584.exe
Current Virus total detections: 6/55*
Alternative version 10 September 2014 : Invoice4777_2C7.zip :
Extracts to: attachment_scaned.doc            .exe
Current Virus total detections: 2/54**
This 'Overdue invoice #1197419584' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft word.doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410342531/

** https://www.virustot...sis/1410341816/
___

'Outstanding Warrant' Phone SCAMS
- http://www.hoax-slay...one-scams.shtml
Sep 10, 2014 - "Scammers posing as law-enforcement officers are cold-calling people and tricking them into paying over the phone to resolve supposedly outstanding warrants. The scammers warn victims that, if they don't pay the requested fee, police may come to their home and arrest them... The scammers are reportedly quite skilled at impersonating police officers and are often able to convince victims that they are legitimate. When victims call back on the number provided, the scammers may identify their 'office' as a seemingly legitimate entity such as the 'County Warrants Department'. This simple -ruse- may further convince victims that the scammer's claims are true... This type of -scam- is certainly nothing new and has been around in various forms for many years... a flurry of reports from several US states suggests that these scammers are currently quite active. The scammers are also using variations of the old jury duty phone scam to steal money from victims. Police will -never- call you and demand an immediate payment to resolve an outstanding warrant. If you receive such a suspect call, do -not- give the caller any personal and financial information and do -not- comply with their instructions. If in doubt, call your local police to check. Do -not- use a phone number provided by the caller. Find a number for police in a local phone directory..."
___

Malvertisements - YouTube, Amazon and Yahoo
- http://www.computerw...-and-yahoo.html
Sep 9, 2014 - "Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said*... When encountered, the malicious advertisements cause the user to be -redirected- to a different website, which triggers a download based on whether the computer is running Windows or Apple's OS X... Cisco didn't identify the advertising network that is serving the malicious advertisements. Although ad networks try to filter out malicious ones, occasionally bad ones slip in, which for a high-traffic site means a large pool of potential victims...  Some of the malicious ads were served on youtube.com, amazon.com and ads.yahoo.com, Pelkmann wrote. All told, 74 domains were serving the ads. When a victim is -redirected- by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. To be infected, the user must be convinced to open the file. 'The attackers are purely relying on social engineering techniques in order to get the user to install the software package,' Pelkmann wrote. 'No drive-by exploits are being used thus far'..."
* http://blogs.cisco.c.../kyle-and-stan/
 

 

Edited by AplusWebMaster, 10 September 2014 - 09:17 AM.