FYI...
Fake Sage Invoice SPAM - malware
- http://blog.dynamoo....am-spreads.html
17 Oct 2014 - "This -fake- Sage email spreads malware using a service called Cubby, whatever that is.
Screenshot: https://2.bp.blogspo...s1600/sage3.png
Despite appearances, the link in the email (in this case) actually goes to https ://www.cubbyusercontent .com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53*. The Malwr report shows HTTP conversations with the following URLs:
http :// 188.165.214.6 :15600/1710uk3/HOME/0/51-SP3/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/1/0/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/41/5/1/
http :// tonysenior .co.uk/images/IR/1710uk3.osa
188.165.214.6 is (not surprisingly) allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54**...) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52***...).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior .co.uk "
* https://www.virustot...sis/1413539374/
... Behavioural information
DNS requests
tonysenior .co.uk (66.7.214.212)
TCP connections
188.165.214.6: https://www.virustot....6/information/
66.7.214.212: https://www.virustot...12/information/
** https://www.virustot...sis/1413540238/
*** https://www.virustot...sis/1413540261/
___
Fake 'SalesForce Security Update' SPAM – malware
- http://myonlinesecur...update-malware/
17 Oct 2014 - "'October 17, 2014 SalesForce Security Update' pretending to come from SalesForce .com <no-reply@ salesforce .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The malware inside this zip file is at this time -undetected- by any antivirus on Virus Total* and to make it much worse the Virus Total engine tries to tell you that the file is Probably harmless! There are strong indicators suggesting that this file is safe to use. This is an even bigger problem than it normally would be because of the recent Poodle bug and servers consequently changing their encryption routines to remove the vulnerable SSLv3 version from being used. It is eminently believable that you might need to change the SSL certificate on your browser to comply with the new behaviour if you are not a security or network IT specialist. This is obviously -wrong- and this type of malware that disguises itself as a legitimate file and can apparently conceal the malicious functions from an antivirus scan and make it believe it is innocent is very worrying. The MALWR analysis doesn’t show -anything- wrong and doesn’t show any network connections or other files downloaded. Anubis also comes up with a -nothing- on this one... a couple of manual analysis done by Virus total** users who find it -is- malicious... drops this file which -is- detected... Our friends at TechHelpList(1) have done an analysis on this one which clearly shows its bad behaviour and what it connects to and downloads...
* https://www.virustot...sis/1413556548/
** https://www.virustot...3c241/analysis/
1) https://techhelplist...ty-update-virus
The email looks like:
Dear client,
You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.
Download the attached certificate. Update will be automatically installed by double click.
According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation... Thank you for using Salesforce .com
17 October 2014: cert_update.zip: Extracts to: cert_update.scr
Current Virus total detections: 0/52* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of a white & red circular arrow instead of the .scr ( executable) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1413556548/
___
Fake eFax SPAM
- http://blog.dynamoo....60204-spam.html
17 Oct 2014 - "This fake eFax spam leads to malware:
From: eFax [message@ inbound .claranet .co.uk]
Date: 17 October 2014 11:36
Subject: eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
Fax Message [Caller-ID: 208-616-0204]
You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
* The reference number for this fax is lon2_did11-4056638710-9363579926-02.
Please visit... to view this message in full...
The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http ://tadarok .com/wp-content/themes/deadline/mess.html
http ://107.170.219.47 /wp-content/themes/inove/mess.html
http ://dollfacebeauty .com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a -fake- eFax page at http ://206.253.165.76 :8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u .com).
Screenshot: https://1.bp.blogspo...s1600/efax2.png
The download link goes to http ://206.253.165.76 :8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54*... Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76 "
* https://www.virustot...sis/1413545028/
___
Fake Virgin Media SPAM - phish/malware
- http://myonlinesecur...-media-malware/
17 Oct 2014 - "An email with a subject of 'Help & Advice – Virgin Media' pretending to come from Virgin Media is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Virgin Media Automated Billing Reminder
Date 17th October 2014
This e-mail has been sent you by Virgin Media to inform you that we were unable to process your most recent payment of bill. This might be due to one of the following reasons:
A recent change in your personal information such as Name or address.
Your Credit or Debit card has expired.
Insufficient funds in your account.
Cancellation of Direct Debit agreement.
Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address...
Be very careful with email attachments. -All- of these emails use Social engineering tricks to persuade you to open the attachments or follow the links... -Never- just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most ( if not all) malicious files that are attached to emails will have a -faked- extension..."
___
More Free Facebook Hacks ...
- https://blog.malware...surface-online/
Oct 16, 2014 - "... more sites claiming to offer hacking services that target Facebook users. The sites are:
fbwand(dot)com
> https://blog.malware...4/10/fbwand.png
hackfbaccountlive(dot)com
> https://blog.malware...accountlive.png
One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an -actual- hacking is ongoing, firstly, by retrieving and displaying specific information from Facebook’s Graph Search*, such as user ID, user name, and a large version of the profile photo, to the page; and, secondly, by providing the attacker the progress of completion of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:
> https://blog.malware...erify.png?w=564
After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:
> https://blog.malware...ckers-panel.png
He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it... Although it’s true that no website is perfectly secure one must not attempt to hack into them nor break into someone else’s online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tool, such as those I mentioned here, generally takes advantage of user distrust against someone and profits on it, promising big but deliver nothing in the end. Avoid them at all cost."
* https://www.facebook...out/graphsearch
___
Ebola Phishing Scams and Malware Campaigns
- https://www.us-cert....lware-Campaigns
Oct 16, 2014 - "... protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system. Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software..."
___
CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- http://blog.trendmic...dyre-infection/
Oct 16, 2014 - "... new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, that ultimately downloads its final payload- a BANKER malware related to the DYREZA/DYRE banking malware... In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling to more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009. We spotted some spammed emails that disguise itself as invoice message notifications or “new alert messages” from various companies and institutions.
Screenshot of spammed messages related to CUTWAIL/PUSHDO:
> http://blog.trendmic...ail_samples.jpg
Top spam sending countries for this CUTWAIL spam run:
> http://blog.trendmic...ountries-01.jpg
... Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains as one of most prevalent malware today. Examples of newer UPATRE techniques are its ability to use password-protected archives as attachments, and abuse of online file storage platform, Dropbox in order to bypass spam filters.
Top malware distributed via spam as of August 2014:
> http://blog.trendmic...pambot_fig1.jpg
... in this attack, this UPATRE variant, TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to DYREZA/DYRE banking malware. The DYREZA malware is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this series of malware infections, affected systems also run the risk of having their sensitive data stolen (such as banking credentials data) in order to be used for other future attacks. Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for -other- advanced malware to infect systems. This may consequently even lead to infiltrating an entire enterprise network... We highly recommend that users take extra caution when dealing with emails that contain attachments and URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP, or .RAR. UPATRE is also known to use email templates through DocuSign with emails that come in the form of -bank- notifications, -court- notices, and -receipts- ..."
___
WhatsApp Spam
- http://threattrack.t...8/whatsapp-spam
Oct 16, 2014 - "Subjects Seen:
Voice Message Notification
Typical e-mail details:
You have a new voicemail!
Details:
Time of Call: Oct-13 2014 06:02:04
Lenth of Call: 07sec
Malicious URLs:
p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g
Malicious File Name and MD5:
VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)
Screenshot: https://gs1.wac.edge...SYyI1r6pupn.png
Tagged: Whatsapp, Kuluoz
Edited by AplusWebMaster, 17 October 2014 - 12:18 PM.
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 
