2072 replies to this topic

[AplusWebMaster]

FYI...

'Dark market' websites seized in U.S., European busts - Silk Road 2.0
- http://www.reuters.c...N0IR0Z120141107
Nov 7, 2014
> http://s4.reutersmed...r=LYNXMPEAA60EZ
"U.S. and European authorities on Friday announced the seizure of more than 400 secret website addresses and arrests of 16 people in a sweep targeting black markets for drugs and other illegal services. The developments were announced a day after prosecutors in New York unveiled criminal charges against the alleged operator of underground online drug marketplace Silk Road 2.0. U.S. authorities called the global sweep the largest law enforcement action to date against illegal websites operating on the so-called Tor network, which lets users communicate anonymously by masking their IP addresses... Europol, in a statement, said U.S. and European cyber crime units, in a sweep across 18 countries, had netted $1 million worth of Bitcoin, the digital currency, 180,000 euros in cash, silver, gold and narcotics. The more than 400 websites and domains seized on Thursday existed on the Tor network and were used by dozens of online marketplaces where such things as child pornography, guns and murder-for-hire could be purchased, authorities said. Sixteen people operating illegal sites were arrested in addition to the defendant in the Silk Road 2.0 case, Europol added, without specifying the charges... On Thursday, U.S. authorities said they had shut down Silk Road 2.0, a successor website to underground online drugs marketplace Silk Road. Blake Benthall, the alleged operator of Silk Road 2.0, was arrested and charged with -conspiracy- to commit drug trafficking, computer hacking, money laundering and other crimes. Troels Oerting, head of Europol's cybercrime center, said the operation knocked out a significant part of the infrastructure for illegal online drugs and weapons trade in the countries involved... The websites had complete business models, Oerting said, and displayed what they sold, including drugs, weapons, stolen credit cards..."
- http://www.fbi.gov/n...n-federal-court
___

Fake invoice SPAM - malicious Word macro attachment
- http://blog.dynamoo....l-contains.html
7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
    From:     Sue Morckage
    Date:     7 November 2014 13:10
    Subject:     inovice 9232088 November
    This email contains an invoice file attachment

The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
http ://ksiadzrobak .cba .pl/bin.exe > https://www.virustot...89/information/
http ://heartgate .de/bin.exe > https://www.virustot...56/information/
This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."
* https://www.virustot...sis/1415369050/

1] https://www.virustot...sis/1415365398/

2] https://www.virustot...sis/1415368736/

- http://myonlinesecur...rd-doc-malware/
7 Nov 2014
>  https://www.virustot...sis/1415372037/
___

Fake invoice SPAM - malicious Word macro attachment
- http://blog.dynamoo....l-contains.html
7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
    From:     Sue Morckage
    Date:     7 November 2014 13:10
    Subject:     inovice 9232088 November
    This email contains an invoice file attachment

The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
http ://ksiadzrobak .cba .pl/bin.exe
http ://heartgate .de/bin.exe
This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."

* https://www.virustot...sis/1415369050/

1] https://www.virustot...sis/1415365398/

2] https://www.virustot...sis/1415368736/

- http://myonlinesecur...rd-doc-malware/
7 Nov 2014
>  https://www.virustot...sis/1415372037/
___

Fake job sites ...
- http://blog.dynamoo....r-fake-job.html
7 Nov 2014 - "This tip* from @peterkruse about a spam run pushing -fake- jobs using the domain europejobdays .com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain. These -fake- job sites tend not to go alone, and a look a the other domains using  the same namesevers comes up with a whole list of related -fake- sites... avoid**. You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below:
>

* https://twitter.com/...628073264517120

** (Long list at the dynamoo URL at the top.)
___

Fake Tech Support website infections ...
- https://blog.malware...u-even-dial-in/
Nov 6, 2014 - "... Many websites that are promoted via ads on search engines or pop ups often turn out to be impostors or crooks and it doesn’t matter whether they are overseas or here in the U.S. This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts their infrastructure as being 'ahead of time technology equipment' while 'your computer issues are fixed securely'. This couldn’t be further from the truth. For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies... While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:
> https://blog.malware...ed-1024x817.png
... One of the html files (a banner) contains a malicious script loading a page from a compromised website. This site contains an -iframe- with a dynamic URL that silently -redirects- the user to the Angler Exploit Kit... In this case, if your system was outdated and you had no security solution, you would have been victim of the fileless infection followed by additional malware... This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected... Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point out errors and ‘hackers’ that have compromised your computer by simply showing the (typical) warnings displayed in the Windows Event Viewer:
> https://blog.malware...er-1024x728.png
... here’s the problem: Before browsing to their site and calling them up we had made sure our computer was fully patched. So while the site attempted to exploit our system, it never succeeded. So the technician’s report is completely -bogus- . It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it. Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive... There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine. Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is -not- entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you. For more information on tech support scams and general advice, please check out our Tech Support -Scams- resource page*."
* https://blog.malware...-support-scams/

- http://www.symantec....meet-ransomlock
7 Nov 2014 - "A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue...
Top ten ransomware detections as of 11-07-14:
> http://www.symantec....ansomlock 2.png
Fake BSoD lock screen:
> http://www.symantec....lock 3 edit.png ..."

- http://www.ftc.gov/n...ch-support-scam
 

 

Edited by AplusWebMaster, 09 November 2014 - 04:47 AM.

[AplusWebMaster]

FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecur...rd-doc-malware/
10 Nov 2014 - "'invoice 6330089 November' pretending to come from 'Kate Williams' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... Almost all of these malicious word documents appear to be -blank- when opened in protected view mode... The email looks like:

    Please find attached your November invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 6330089 Account No 5606330089.
    Thanks very much
    Kate Williams

10 November 2014 : invoice_6330089.doc - Current Virus total detections: 0/51*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1415612495/

- http://blog.dynamoo....6-november.html
10 Nov 2014 - "...  the malware connecting to 84.40.9.34 (Hostway, UK)..."

1] https://www.virustot...sis/1415613432/

2] https://www.virustot...sis/1415613431/

84.40.9.34: https://www.virustot...34/information/
___

Fake Amazon SPAM - malware-macros
- http://net-security....ews.php?id=2912
Nov 10, 2014 - "... According to AppRiver* researchers, two distinct malware delivery campaigns impersonating e-commerce giant Amazon are currently hitting inboxes. The first one is directed at UK users, and the company has already quarantined over 600,000 of these messages. The malicious email takes the form of a 'delivery confirmation message' and carries a Word document that supposedly contains the needed information. Unfortunately for those who open the file and have -macros- enabled in Word, the action triggers the installation of a Trojan dropper that downloads additional malware aimed at harvesting login credentials for various online services, including online banking. The second campaign comes in the form of an order confirmation from Amazon .com:
> http://www.net-secur...0112014-big.jpg
... AppRiver* pointed out. Also, this campaign is less intense than the first one - the company has blocked "only" about -160,000- messages so far. The supposed 'invoice file attached' is actually a Trojan dropper that will download additional malware once the host is infected..."
* http://blog.appriver...oliday-shoppers
"... This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will far for this scam. Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account -never- follow the link in an email such as this, go directly to the website and check your account from there."
___

'Darkhotel malware' is targeting travelling execs via hotel WiFi
- http://www.theinquir...-via-hotel-wifi
Nov 10, 2014 - "... 'Darkhotel' has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today. According to the security firm, 'Darkhotel' infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network. The executives are tricked into installing the information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger. The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials..."
* https://securelist.c...-darkhotel-apt/
Nov 10, 2014
___

Home Depot drops Windows for Mac ...
- http://www.theinquir...after-data-hack
Nov 10 2014 - "... Home Depot is reportedly shutting out the Windows operating system in favour of the Apple alternative as the firm continues to respond to the catastrophic breach on its systems. The hardware chain has confessed in some detail about the attack on its checkout and sales systems, and admitted to losses of data that affect tens of millions of customers... The Wall Street Journal* has more information on the Home Depot hack..."
* http://online.wsj.co...ndor-1415309282
"... hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well..."
___

'All Your iOS Apps Belong to Us' - FireEye
- http://www.fireeye.c...long-to-us.html
Nov 10, 2014 - "In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack," and have created a demo video here:
>
We have notified Apple about this vulnerability on July 26... After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can -replace- authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which -wasn't- removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly. We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves... By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from app store. Masque Attack has severe security consequences... In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone:
> http://www.fireeye.c...1/Untitled1.jpg
... Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
-- Mitigations: iOS users can protect themselves from Masque Attacks by following three steps:
- Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
- Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1©, no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker
- When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately..."
Figure 3:
> http://www.fireeye.c...11/IMG_0001.jpg
 

 

Edited by AplusWebMaster, 10 November 2014 - 06:06 PM.

[AplusWebMaster]

FYI...

Fake 'Bank Payment' SPAM - malicious attachment
- http://blog.dynamoo....chley-bank.html
11 Nov 2014 - "This -fake- invoice spam pretending to be from a care home in the UK comes with a malicious attachment.
    From:     Accounts Finchley [accounts.finchley@ nazarethcare .com]
    Date:     11 November 2014 10:34
    Subject:     Bank Payments
    Good Afternoon,
    Paying in sheet attached
    Regards
    Sandra Whitmore
    Care Home Administrator
    Nazareth House
    162 East End Road
    East Finchley
    London...
    Nazareth Care Charitable Trust...

... The "from" field in an email is trivially easy to fake, as it looks like the body text may have been stolen from a compromised mailbox. Attached is a file 2014_11_07_14_09_19.doc which comes in two versions both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros... which then downloads a file from one of the following locations:
http ://www.grafichepilia .it/js/bin.exe
http ://dhanophan .co.th/js/bin.exe
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53*. The Malwr report shows it phoning home to:
http ://84.40.9.34 /kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/
It also drops a DLL identified by VirusTotal** as Dridex."
1] https://www.virustot...sis/1415703941/

2] https://www.virustot...sis/1415703952/

* https://www.virustot...sis/1415704632/

** https://www.virustot...sis/1415705610/


- http://myonlinesecur...rd-doc-malware/
11 Nov 2014
Screenshot: http://myonlinesecur...ts-Finchley.png
___

Fake 'Duplicate Payment' SPAM – Word doc malware
- http://myonlinesecur...rd-doc-malware/
11 Nov 2014 - "'Duplicate Payment Received' pretending to come from various random names with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good afternoon,
     I refer to the above invoice for which we received a bacs payment of £660.94 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
     I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.  
     If you have any queries regarding this matter, please do not hesitate to contact me.
     I look forward to hearing from you .
     Many thanks
    Lenora Dunn
    Accounts Department

11 November 2014 : De_VY955279R.doc - Current Virus total detections: 2/55*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1415704035/

- http://blog.dynamoo....d-spam-has.html
11 Nov 2014
... Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108 "
___

Trojan SMS Found on Google Play
- https://blog.malware...on-google-play/
Nov 11, 2014 - "... this one slipped under Google Play’s radar, but an SMS Trojan app with the package name com.FREE_APPS_435.android claims to be a download for wallpapers, videos, and music is actively on the Google Play store (at least at the time of this writing it was).
> https://blog.malware...ScreenShot1.jpg
... This tactic has been seen since malware started appearing on Android devices.  If you visit the developer’s website from the link provided on the Google Play page, it takes you to a page with two banners and a couple of links.
> https://blog.malware...ScreenShot3.jpg
... Google Play has been notified of the existence of this SMS Trojan. The last update of this app was August 20th 2013, which was most likely the date it was added to the Play store. Many variants of this Trojan have been seen that are not currently on the Play store. We flag this Trojan and similar variants as Android/Trojan.SMS.Agent. This is proof that Google Play isn’t perfect at alleviating all malware."
___

Predator Pain and Limitless... the Fraud
- http://blog.trendmic...hind-the-fraud/
Nov 11, 2014 - "ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason... It is estimated that ZBOT has enabled cybercriminals to steal more than $100 million US dollars since its inception... the Commercial Crime Bureau of Hong Kong Police Force estimates this kind of fraud has netted attackers up to $75 million US dollars in the first half of this year, from Hong Kong alone... cybercriminals in a single city, within six-months, equaled all the losses from ZBOT up to the present. Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable... clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is... The following graphs show the distribution of the victims that we observed, both by country and by industry:
Predator Pain/Limitless Victims by Country:
> http://blog.trendmic...ribution-01.jpg
Predator Pain/Limitless Victims by Industry:
> http://blog.trendmic...ribution-01.jpg

- http://www.trendmicr...-predator-pain/
"... The cybercriminals instead went after SMBs (small and medium-sized businesses), which led us to realize how vulnerable they are to the threat..."
___

NRF says Congress should include Banks under Data Breach Law
- https://nrf.com/news...data-breach-law
Nov 6, 2014 - "NRF told Congress today that a federal data breach notification law should cover banks, not just retailers. “Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” NRF said in a letter*. “Exemptions for particular industry sectors not only ignore the scope of the problem but create risks criminals can exploit". “Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data,” the letter said. “Consumers deserve to know when they are placed at risk regardless of where the risk arises". The letter was sent to House and Senate leaders and was signed by NRF and 43 other organizations representing retailers, restaurants, hotels and other businesses..."
* https://nrf.com/site...Data Breach.pdf

2014 DBIR:
- http://www.verizonen....com/DBIR/2014/
"... “We have more incidents, more sources, and more variation than ever before — and trying to approach tens of thousands of incidents using the same techniques simply won’t cut it..."
 

 

Edited by AplusWebMaster, 11 November 2014 - 06:58 PM.

[AplusWebMaster]

FYI...

Fake 'Police' SPAM ...
- http://blog.dynamoo....eadquaters.html
12 Nov 2014 - "I got a lot of these yesterday..

    From:     omaniex@ investigtion .com
    Subject:     Exchange House Fraud (Police Headquaters)
    please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.
   Note: come along with your report as it will be needed
    regards,
    Police headquarters.
    Investigtion dept.

Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:
7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar
... malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably -don't- need it). It has a VirusTotal detection rate of 7/55*..."
* https://www.virustot...sis/1415792881/
___

ADP Past Due Invoice Spam
- http://threattrack.t...ue-invoice-spam
Nov 12, 2014 - "Subjects Seen:
    ADP Past Due Invoice#54495150
Typical e-mail details:
    Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Review your ADP past due invoice here.
    Important: Please do not respond to this message. It comes from an unattended mailbox.

Malicious URLs:
    kurdogluhotels .com/docfiles/invoice_1211.php
    kevalee .ac.th/docfiles/invoice_1211.php
Malicious File Name and MD5:
    invoice1211_pdf27.zip (05FC7646CF11B6E7FB124782DAF9FB53)
    invoice1211_pdf.exe (78CF05FAA79B41B4BE4666E3496D1D54)

Screenshot: https://gs1.wac.edge...Bx451r6pupn.png

Tagged: ADP, Upatre

- http://blog.dynamoo....11564-spam.html
12 Nov 2014
... Recommended blocklist:
188.165.206.208
shahlart .com
mboaqpweuhs .com "

- http://www.threattra...e-invoice-spam/
Nov 13, 2014 - "... the Upatre Trojan, which in turn downloaded and decrypted the banking-credential-stealing Trojan Dyre..."
Screenshot: http://www.threattra...Due-Invoice.png

94.23.49.77: https://www.virustot...77/information/
 

 

Edited by AplusWebMaster, 14 November 2014 - 07:13 PM.

[AplusWebMaster]

FYI...

Fake 'BankLine' SPAM - targets RBS customers
- http://blog.mxlab.eu...-rbs-customers/
Nov 13, 2014 - "... intercepted -fake- emails regarding a new secure message from BankLine that targets RBS customers. The subject line is “You have received a new secure message from BankLine#24802254″ this email is sent from the spoofed address “Bankline <secure.message @ bankline .com>” and has the following body:
    You have received a secure message.
    Read your secure message by following the link bellow:
    link-
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.
    First time users – will need to register after opening the attachment...

The embedded URL in our sample leads to hxxp ://vsrwhitefish .com/bankline/message.php. This will open up and HTML document with an integrated Javascript script that will make use of ActiveXObject or a regular HTTP request, opens up a download in order to open and/or save the malicious file as instructed."

216.251.43.98: https://www.virustot...98/information/
... 5/60 2014-11-13 13:23:41 http ://vsrwhitefish .com/bankline/message.php
___

Fake 'Voice mail' SPAM ...
- http://blog.mxlab.eu...ecurity-threat/
Nov 13, 2014 - "... intercepted a large campaign by email with the subject “Voice Message #0768384921 (numbers may vary)” and is continuation of the previous campaign targeting RBS customers. This email is sent from the spoofed address “Message Admin <martin.smith@ essex .org.uk>” and has the following body:

    Voice redirected message
    hxxp ://crcmich .org/bankline/message.php
    Sent: Thu, 13 Nov 2014 11:54:24 +0000

The embedded URL in our sample leads to hxxp ://crcmich .org/bankline/message.php. This will open up and HTML document with an integrated Javascript script that will make use of ActiveXObject or a regular HTTP request, opens up a download in order to open and/or save the malicious file as instructed."

69.160.53.51: https://www.virustot...51/information/
... 3/61 2014-11-13 15:04:47 http ://crcmich .org/bankline/message.php?
___

Alert (TA14-317A)
Apple iOS "Masque Attack" Technique
- https://www.us-cert....lerts/TA14-317A
Nov 13, 2014
Systems Affected:
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.
Overview:
A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances...
(More detail at the URL above.)
 

 

Edited by AplusWebMaster, 13 November 2014 - 03:38 PM.

[AplusWebMaster]

FYI...

Fake 'Amazon frozen account' – Phish ...
- http://myonlinesecur...arily-phishing/
14 Nov 2014 - "'Your account has been frozen temporarily' pretending to come from Amazon <auto-confirm@ amazon .co.uk> is one of the latest -phish- attempts to steal your Amazon Account and your Bank, credit card and personal details. This one only wants your personal details, Amazon log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...
Screenshot: http://myonlinesecur...shing-email.png
If you open the -attached- html file you see a webpage looking like:
> http://myonlinesecur...mazon_login.png
When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. After submitting the information you get -bounced- on to the genuine Amazon .co.uk website:
> http://myonlinesecur...erification.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

CoinVault - new ransomware
- http://www.webroot.c...1/14/coinvault/
Nov 14, 2014 - "Today we encountered a new type of encrypting ransomware that looks to be of the cryptographic locker family. It employs the same method of encryption and has a very similar GUI (kills VSS, increases required payment every 24hr, uses bitcoin payment, etc.).
CoinVault GUI:
> https://i.imgur.com/ADEO21U.png
Here is the background* that it creates – also very similar.
* https://i.imgur.com/LAHkjT8.png
... this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt. It will let you pick any single file that you need after encryption and will decrypt it for you.
> http://i.imgur.com/F3enAqN.png
... it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay..."

- http://arstechnica.c...m-drug-dealers/
Nov 14 2014
___

Fraudulent Online Ads For Autos, RV.s, Boats, and other Outdoor Equipment leading to $20 Million losses
- https://www.ic3.gov/...014/141114.aspx
14 Nov 2014 - " From June 2009 to June 2014 the Internet Crime Complaint Center (IC3) received over -6800- complaints regarding criminals targeting online consumers by posting false advertisements for high priced items such as automobiles, boats, heavy equipment, recreational vehicles, lawn mowers, tractors, and other similar items. These complaints total more than $20 million in reported losses. The scam initiates when the criminals post a false advertisement offering the item for sale. The advertisement usually includes a fraudulent photo to entice the consumer to purchase the item. Within the advertisement, the criminal includes a contact telephone number. The consumer leaves a message and the perpetrator responds via text message. The text message normally requests that the consumer provide an e-mail address. Once the e-mail address is provided the consumer is sent additional details to include multiple images of the item for sale. The perpetrator provides logical reasons for offering the item at such a discounted price such as moving to another location; therefore, the item needs to be sold quickly; the sale was part of a divorce settlement; or overseas deployment. Consumers normally negotiate a price. Many -scammers- advise the consumer the transaction will be conducted through -Ebay- to ensure a safe and easy transaction. In reality the scammer is only pretending to use Ebay. The consumer receives a -false- e-mail that appears to be legitimate from Ebay. The e-mail provides instructions on how to complete the transaction. The perpetrator provides the consumer with all the information necessary to complete the wire transfer - the bank account name, address, and account number. The scammer provides a fraudulent toll-free Ebay customer service number for the consumer to use when they are ready to wire the money. These numbers were also used by many victims to confirm a successful wire transfer or to check transaction status and shipping information. After the transaction, the consumer is sent a false Ebay confirmation e-mail that includes the fraudulent transaction or confirmation number and the expected delivery date of the item. Any follow-up calls, text messages or e-mails to the perpetrator(s) are normally ignored and many victims report the toll-free customer service telephone numbers provided are constantly busy. As a result, the consumer never receives the purchased item(s) and suffers a financial loss. The FBI recommends that consumers ensure they are purchasing the actual merchandise from a reputable source by verifying the legitimacy of the seller. Below are some consumer tips when purchasing items online:
- Use search engines or other websites to research the advertised item or person/company selling the item.
- Search the Internet for any negative feedback or reviews on the seller, their e-mail addresses, telephone numbers, or other searchable identifiers.
- Research the company policies before completing a transaction. For example, ensure the seller accepts payments via credit card as Ebay does -not- conduct wire transfers and only uses PayPal to conduct transactions.
- Be cautious when responding to advertisements and special offers.
- Be cautious when dealing with persons/companies from outside the country.
- Maintain records for all online transactions..."
___

Flash Player updated ...
- https://blog.malware...r-flash-player/
Nov 14, 2014 - "Adobe has fixed -18- vulnerabilities in their Flash Player, and you should update immediately, if you haven’t already done so. However, please ensure you’re installing / updating from the right place. For example:
> https://blog.malware...11/adobupd1.jpg
The above site claims:
It is recommended that you update Flash to the latest version to view this page. Please update to continue. Your Flash Plugin version is too low, causing the current sites and related softwares can not be opened properly, please update your Flash Plugin now!
The site -forwards- visitors to a sign-up page offering a “Mac cleaning” tool... confusing for anybody expecting Adobe Flash updates.
> https://blog.malware...11/adobupd2.jpg
The Adobe Flash Player website is the place to go for Flash installs*... Always cast a critical eye at the URL of any “Flash Player” site you happen to be on, and check the small print in case you end up with more than you bargained for. Fake Flash Player websites have been around for many years, and are often a prime source of unwanted PUP installs and the occasional slice of Malware..."
* http://get.adobe.com/flashplayer/ ... (Uncheck the 'McAfee' option if you choose not to use it...)
 

 

Edited by AplusWebMaster, 16 November 2014 - 12:36 AM.

[AplusWebMaster]

FYI...

Fake Fax SPAM - malicious .DOCM attachment
- http://blog.dynamoo....ssion-spam.html
17 Nov 2014 - "This -fake- fax spam comes with a malicious attachment
    From:     Interfax [uk@ interfax .net]
    Date:     13 November 2014 20:29
    Subject:     Failed Fax Transmission to 01616133969@fax.tc<00441616133969>
    Transmission Results
    Destination Fax:      00441616133969
    Contact Name:      01616133969@ fax .tc
    Start Time:      2014/11/13 20:05:27
    End Time:      2014/11/13 20:29:00
    Transmission Result:      3220 - Communication error
    Pages sent:      0
    Subject:      140186561.XLS
    CSID:     
    Duration (In Seconds):      103
    Message ID:      485646629
    Thank you for using Interfax ...

Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal*... Inside this .DOCM file is a malicious macro... which attempts to download a malicious binary from http ://agro2000 .cba .pl/js/bin.exe . This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal**, and the Malwr report shows that it tries to connect to the following URL: http ://84.40.9.34 /lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E . It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53***. If you are a corporate email admistrator they you might consider blocking .DOCM files at the perimeter as I can see no valid reason these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks."
* https://www.virustot...sis/1416221806/

** https://www.virustot...sis/1416222127/

*** https://www.virustot...sis/1416222797/

84.40.9.34: https://www.virustot...34/information/

- http://myonlinesecur...rd-doc-malware/
17 Nov 2014
> https://www.virustot...sis/1416212735/
___

Fake Investment SPAM ...
- http://myonlinesecur...reland-malware/
17 Nov 2014 - "'Investment Opportunities in Ireland' pretending to come from IDA Ireland (Home of Foreign Businesses) <info@idaireland.com> with a link to a malicious zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...-in-Ireland.png

Todays Date: investmentareas.rar: Extracts to:  investmentareas.scr
Current Virus total detections: 26/55* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1416215003/
___

Fake 'Payment Declined' Phish ...
- http://myonlinesecur...lined-phishing/
17 Nov 2014 - "Any phishing attempt wants to get as much personal and financial information from you as possible. This 'BT Account- Payment Declined' pretending to come from BT .com <noreplymail@ btc .com> phishing scam is one of them. The phishers try to use well known companies or Government departments like British Telecom, HMRC, Inland Revenue, Virgin Media, British Gas or any company that many people are likely to have an account with. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

Screenshot: http://myonlinesecur...nt-Declined.png

The link in the email leads you to a webpage looking like:
Screenshot2: http://myonlinesecur...fake-log-in.png

That leads on to a page to enter all your details, including bank account, credit card, mother’s maiden name and everything else necessary to steal your identity and clean out your bank and credit card accounts:
Screenshot3: http://myonlinesecur...ake-details.png

Then you get a success page, where they kindly inform you that “The Anti Fraud System has been succesfully added to your account” and then are bounced to the real BT site:
Screenshot4: http://myonlinesecur...ls-success-.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
___

Fake 'Test message' SPAM plague continues..
- http://blog.dynamoo....-continues.html
17 Nov 2014 - "This plague of spam "test messages" have been going on for two days now, probably sourced from "Botnet 125"* which sends most of the spam I get. These messages are annoying but no harmful in themselves, I suspect they are probing mail servers for responses. If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.
    From: Hollie <Laurie.17@ 123goa .com>
    Date: 17 November 2014 19:04
    Subject: Test 8657443T
  test message.
    Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
    Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard... ..."
* http://www.proofpoin...g-customers.php
 

 

Edited by AplusWebMaster, 17 November 2014 - 05:06 PM.

[AplusWebMaster]

FYI...

Fake Invoice SPAM - Word doc malware attached
- http://myonlinesecur...rd-doc-malware/
18 May 2014 - "'Invoice #1633370 May' with a malicious word doc attachment saying 'This email contains an invoice file attachment' is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    This email contains an invoice file attachment

So far today, I have seen 3 different size files attached to this email, All file names are random:
18 November 2014 : invoice_796732903.doc (59kb)       Current Virus total detections: 1/55*

18 November 2014 : invoice_1952581.doc (41kb)      Current Virus total detections: 1/55**

18 November 2014 : invoice_80943810.doc (22kb)      Current Virus total detections: 0/54***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1416303264/

** https://www.virustot...sis/1416304606/

*** https://www.virustot...sis/1416304325/
___

Another Fake FAX SPAM run ...
- http://blog.dynamoo....lets-party.html
18 Nov 2014 - "... 'need to load some more papyrus into the facsimile machine...:
From:     Incoming Fax [no-reply@ efax .co.uk]
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553
INCOMING FAX REPORT
Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file...

This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54*. According to the Malwr report it makes these following HTTP requests:
http ://108.61.229.224:13861 /1811us1/HOME/0/51-SP3/0/
http ://108.61.229.224:13861 /1811us1/HOME/1/0/0/
http ://159593.webhosting58 .1blu. de/mandoc/narutus1.pmg
It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55**...
Recommended blocklist:
108.61.229.224
159593.webhosting58 .1blu .de "
* https://www.virustot...sis/1416318405/
... Behavioural information
TCP connections
108.61.229.224: https://www.virustot...24/information/
178.254.0.111: https://www.virustot...11/information/

** https://www.virustot...sis/1416318784/

- http://myonlinesecur...ke-pdf-malware/
18 Nov 2014
- https://www.virustot...sis/1416321619/
___

Fake Voice msg SPAM again - PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Nov 2014 - "'voice message from 685-869-9737 for mailbox 226' pretending to come from 'Voice Mail <voicemail_sender@  voicemail .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
     You have received a voice mail message from 685-869-9737
    Message length is 00:00:30. Message size is 225 KB.
    Download your voicemail message from dropbox service below (Google Disk Drive Inc.)...

18 November 2014: document_8731_pdf.zip (12 kb): Extracts to: document_8731_pdf.exe
Current Virus total detections: 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1416321619/
 

 

Edited by AplusWebMaster, 18 November 2014 - 12:14 PM.

[AplusWebMaster]

FYI...

Fake Bank phish ...
- http://myonlinesecur...count-phishing/
19 Nov 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like :
  -We’re improving your current account
    -There have been unauthorised or suspicious attempts to log in to your account, please verify
    -Your account has exceeded its limit and needs to be verified
    -Your account will be suspended !
    -You have received a secure message from < your bank>
    -New Secure Message
    -We are unable to verify your account information
    -Update Personal Information
    -Urgent Account Review Notification
    -We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    -Confirmation of Order

This one is Lloyds bank 'We’re improving your current account' pretending to come from Lloyds Banking Group Plc <info@ emails.very .co.uk> The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. Lloyds actually -do- allow you to pay in and perform some transactions at a Post Office rather than going to your branch, so many users might get unwittingly caught out by this one and think they need to notify the bank.
Email looks like:

Screenshot: http://myonlinesecur...ent-account.png

This one wants your personal details and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. If it says .EXE then it is a problem and should -not- be run or opened."
___

Azure cloud outages - MSN web portal offline
- http://www.reuters.c...N0J309E20141119
Nov 18, 2014 11:53pm EST - "Microsoft Corp's Azure cloud-computing service, which hosts websites and lets customers store and manage data remotely, suffered serious outages on Tuesday taking its popular MSN web portal offline. According to Microsoft's Azure status page*, the problems started around 5pm Pacific time and have still not been fully solved..."
* http://azure.microso...status/#history

>> http://azure.microso...e-interruption/
Nov 19, 2014
 

 

Edited by AplusWebMaster, 20 November 2014 - 08:02 PM.

[AplusWebMaster]

FYI...

Angler Exploit Kit adds New Flash Exploit...
- http://threatpost.co...014-8440/109498
Nov 20, 2014 - "... Angler is just one of the many such exploit kits available to attackers, but the creators of this one seem to be especially quick about adding exploits for new vulnerabilities to the kit. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched. “This is really, really fast,” Kafeine, a French security researcher who identified the attack at the time, said. “The best I remember was maybe three weeks in February 2014.” Now, Kafeine said he already has seen Angler exploiting a Flash vulnerability that was patched Nov. 11 in Adobe’s November update release*. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers. “The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” he said in a blog post*..."
* http://malware.dontn...-2014-8440.html

> https://web.nvd.nist...d=CVE-2014-8440 -  10.0 (HIGH)
Last revised: 11/12/2014

Flash test site: https://www.adobe.co...re/flash/about/
___

 

Fake Donation Overpayment SCAM
- https://www.ic3.gov/...014/141120.aspx
Nov 20, 2014 - "... received numerous complaints from businesses, charitable organizations, schools, universities, health related organizations, and non-profit organizations, reporting an online donation scheme. The complaints reported subjects who had donated thousands of dollars, via stolen credit cards. Once donations were made, the subjects immediately requested the majority of the donation back, but credited to a different card. They claimed to have mistakenly donated too much by adding an extra digit to the dollar amount (i.e., $5000 was ‘accidently’ entered instead of $500). However, very few complainants actually returned the money to the second credit card. Many, through their own investigations, discovered the original card was -stolen- or the credit card company notified them of such. Also, some of the organizations’ policies did not allow funds to be returned to a different credit card."

 

 

Edited by AplusWebMaster, 20 November 2014 - 07:50 PM.

[AplusWebMaster]

FYI...

 

Something evil on 46.8.14.154
- http://blog.dynamoo....n-46814154.html
21 Nov 2014 - "46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort... subdomains have been active on that server, they are ALL hijacked GoDaddy domains... (Long list @ the dynamoo URL above) ... The best thing to do is to -block- traffic to 46.8.14.154 because these domains seem to change every few minutes."
___

 

Fake 'Payment Received' SPAM - malicious DOC attachment
- http://blog.dynamoo....-spam-from.html
21 Nov 2014 - "This -fake- financial spam has a malicious Word document attached.
 From:     Enid Tyson
 Date:     21 November 2014 15:36
 Subject:     INV209473A Duplicate Payment Received
Good afternoon,
I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 
If you have any queries regarding this matter, please do not hesitate to contact me.
I look forward to hearing from you .
Many thanks
Enid Tyson
 Accounts Department

 

 In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive).This contains a malicious macro.. which connects to the following URL:
 http ://79.137.227.123 :8080/get1/get1.php
...This has a VirusTotal detection rate of just 1/55*. The malware is hardened against analysis in a Sandbox so automated results are inconclusive...
UPDATE: A second version is going the rounds, with zero detections** and a download location of http :// 61.221.117.205 :8080/get1/get1.php ..."
* https://www.virustot...sis/1416584784/

** https://www.virustot...sis/1416584533/

 

Edited by AplusWebMaster, 22 November 2014 - 08:49 AM.

[AplusWebMaster]

FYI...

Fake 'Herbal Root' email SCAM
- http://blog.dynamoo....-root-scam.html
22 Nov 2014 - "... there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.
From:     Mr. Tom Good Hope [mrtomgood@ gmail .com]
Reply-To:     mrtomgoodhope@ gmail .com
Date:     22 November 2014 02:24
Subject:     SUPPLY BUSINESS OF OPLAMO
My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company. I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase. OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD, while they supply to our company at the rate of $430 USD... Upon your reply i will clarify you more on how to start this business immediately, please drop your contact phone number for me to be able to contact you ASAP.
Thanks,
Mr Tom Goodhope
Company Secretary ...

... the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost .com] in the US... give it a very wide berth."
___

Fake 'my new photo' SPAM - malware - Google’s webp images
- http://myonlinesecur...es-webp-images/
22 Nov 2014 - "... a persistent attack by email for some time now. The subject is always “my new photo” or the equivalent in Spanish. Until 2 days ago the -zip- attached to the email just contained a single malware file which is generally identified as Androm or Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours or even a day or more for the antivirus companies to catch up with new versions so some users get infected. Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg that won’t display natively in window explorer or in the majority of imaging/photo editing/viewing programs. It will display in Chrome browser. Looking at the file headers, the image is a genuine image but is the “new” webp format from google https ://developers.google .com/speed/webp/ which needs a codec from google to display in windows explorer or a plug in to display or use in common image editing/viewing programs. We will almost certainly see requests or comments in various forums or facebook or other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file then the image is displayed in the browser (if chrome is default) or the google plugin or codec has been installed and the user thinks that it was just an image and not a malware file. Of course the .exe file has the extension hidden by default and the icon suggests it is a jpg image file which makes the unwary more likely to click on it and consequently become infected. I have been charting the progress of this malware for some time now, since it first appeared at end of August... we do see quite a few posts saying that the user cannot see the jpg image in an email or on a webpage in IE, FF etc but it -does- in chrome OR why they cannot view or edit a downloaded jpg. The zip file contains 2 files - 1 is a standard .exe with an icon that looks like a jpg that if you don’t have show hidden extensions shown can confuse a user and lead to infection when clicked on... If you open the image files in a hex editor or analysis program you will see the file type headers information:
for jpg they are ……JFIF…..`.`……Exif..MM
for PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….
For Webp they are RIFFhs..WEBPVP8  "
(Comparison example images shown at the URL at the top.)
 

  

[AplusWebMaster]

FYI...

RFID Payment Cards Hack possible with Android App
- http://blog.trendmic...th-android-app/
Nov 24, 2014 - "... high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user’s RFID bus transit card to recharge the credits... Paying via RFID cards is becoming more popular nowadays as more mobile devices add NFC support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits... Using widely available tools, the attacker cracked the card’s authentication key. With the cracked key and the native NFC support in Android and the device, cloning a card and adding credits can be easily implemented in a mobile app... These particular MIFARE models were discontinued years ago and supplemented with more secure models. However, it appears that card issuers have opted for cheaper solutions which put their customers at risk...
> http://blog.trendmic...ood-nfc-habits/
We recommend customers take steps to protect RFID cards in their possession. They should also periodically check the balances of their accounts as well. In addition, if possible, they should check if any cards they are currently using are vulnerable and report these to their providers. RFID/NFC attacks are a well-known risk..."
> http://blog.trendmic...for-businesses/
___

Fake MyFax SPAM - poorly-detected malware
- http://blog.dynamoo....spam-leads.html
24 Nov 2014 - "Fax spam again... This spam appears to come from the person receiving it (which is an old trick).
    From: victim@ victimdomain .com
    Sent: 24 November 2014 15:31
    To: norep.c@ mefax .com
    Subject: MyFax message from "unknown" - 3 page(s)
    Fax Message [Caller-ID: 1-407-067-7356]
    http ://159593 .webhosting58 .1blu .de/messages/get_message.php
    You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.
    * The reference number for this fax is chd_did11-14186364797-10847113200-628.
    View this fax using your PDF reader.
    Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53*... connects to the following URLs:
http ://95.211.199.37 :16792/2411us3/HOME/0/51-SP3/0/
http ://95.211.199.37 :16792/2411us3/HOME/1/0/0/
http ://lasuruguayas .com/images/refus3.pnk
A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54**..."
* https://www.virustot...sis/1416846678/

** https://www.virustot...sis/1416846980/

95.211.199.37: https://www.virustot...37/information/

199.26.87.212: https://www.virustot...12/information/
___

Regin: spy tool
- http://www.symantec....hy-surveillance
Updated: 24 Nov 2014 - "... A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals...
Regin’s five stages:
> http://www.symantec....rchitecture.png
... Almost half of all infections  targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.
Confirmed Regin infections by sector:
> http://www.symantec....ig2-sectors.png
The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist..."
> http://www.symantec....-121221-3645-99

- http://community.web...h-as-regin.aspx
24 Nov 2014
___

FTC Obtains Court Orders Temporarily Shutting Down Massive Tech Support Scams
FTC, State of Florida Charge Companies Bilked $120 Million from Consumers for Bogus Software and Tech Support Service
- http://www.ftc.gov/n...wn-massive-tech
Nov 19, 2014 - "At the request of the Federal Trade Commission and the State of Florida, a federal court has temporarily shut down two massive telemarketing operations that conned tens of thousands of consumers out of more than $120 million by deceptively marketing computer software and tech support services. The orders also temporarily freeze the defendants’ assets and place the businesses under the control of a court-appointed receiver. According to complaints filed by the FTC, since at least 2012, the defendants have used software designed to trick consumers into thinking there are problems with their computers, then subjected those consumers to high-pressure deceptive sales pitches for tech support products and services to fix their non-existent computer problems... In this latest action, the FTC and the State of Florida have filed two separate cases against companies who allegedly sold the -bogus- software and the deceptive telemarketing operators who allegedly sold -needless- tech support services:
- In the first case, the defendants selling software include PC Cleaner Inc.; Netcom3 Global Inc.; Netcom3 Inc., also doing business as Netcom3 Software Inc.; and Cashier Myricks, Jr. The telemarketing defendants include Inbound Call Experts LLC; Advanced Tech Supportco. LLC; PC Vitalware LLC; Super PC Support LLC; Robert D. Deignan, Paul M. Herdsman, and Justin M. Wright.
- In the second case, the defendants selling software include Boost Software Inc. and Amit Mehta, and the telemarketing defendants include Vast Tech Support LLC, also doing business as OMG Tech Help, OMG Total Protection, OMG Back Up, downloadsoftware.com, and softwaresupport.com; OMG Tech Help LLC; Success Capital LLC; Jon Paul Holdings LLC; Elliot Loewenstern; Jon-Paul Vasta; and Mark Donahue.
According to the FTC’s complaints, each scam starts with computer software that purports to enhance the security or performance of consumers’ computers. Typically, consumers download a free trial version of software that runs a computer system scan. The defendants’ software scan always identifies numerous errors on consumers’ computers, regardless of whether the computer has any performance problems..."
 

Edited by AplusWebMaster, 25 November 2014 - 06:02 AM.

[AplusWebMaster]

FYI...

What the heck is with 104.152.215.0/25?
- http://blog.dynamoo....4152215025.html
25 Nov 2014 - "A contact gave me the heads up to an exploit-kit running on 104.152.215.90* [virustotal] which appears to be using MS16-064** among other things [urlquery***]. 104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer... The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet these pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France... not much data about the range, there are a couple of domains that are also flagged a malicious:
sxzav .xyz [Google diagnostics]: http://www.google.co...?site=sxzav.xyz
klioz .xyz [Google diagnostics]: http://www.google.co...?site=klioz.xyz
...  there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains. Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it..."
* https://www.virustot...90/information/

** https://technet.micr...y/ms14-064.aspx

*** http://urlquery.net/...d=1416802220951
___

Fake 'my photo' SPAM - new trojan variant
- http://blog.mxlab.eu...trojan-variant/
Nov 25, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “my photo”.
This email is sent from a spoofed address and has the following body:

    my new photo

The attached file my_iphone_photo.zip contains the folder with the 54 kB large file 1my_photo.exe and the 30 kB large file 2my_photo.jpg. The trojan is known as a variant of MSIL/Injector.GMB, UDS:DangerousObject.Multi.Generic, Trojan.MSIL.BVXGen or Win32.Trojan.Inject.Auto. At the time of writing, 4 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1416912927/
 

 

Edited by AplusWebMaster, 25 November 2014 - 11:16 AM.

[AplusWebMaster]

FYI...

QuickBooks Payment Overdue Spam
- http://threattrack.t...nt-overdue-spam
Nov 26, 2014 - "Subjects Seen:
    Payment Overdue
Typical e-mail details:
    Please find attached your invoices for the past months. Remit the payment by 07/22/2014 as outlines under our “Payment Terms” agreement.
    Thank you for your business,
    Sincerely,
    Lucio Gee
    This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

Malicious File Name and MD5:
    Invoice_[-var=partorderb].zip (A3374A3639D4F8EBF105B8FFA1ACB4D1)
    Invoice_0128648.scr (08AEA8B75143DC788A52568E823DD10E)

Screenshot: https://gs1.wac.edge...zuuJ1r6pupn.png

Tagged: QuickBooks, Upatre