FYI...
Dridex Phish uses malicious word docs
- https://isc.sans.edu...l?storyid=19011
2014-12-01 - "... During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex... The emails contained malicious Word documents, and with macros enabled, these documents -infected- Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog and TechHelpList... often report on these and other phishing campaigns... On 11 Nov 2014, I saw at least 60 emails with 'Duplicate Payment Received' in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe... Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [3]... File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block..."
1] http://stopmalvertis...eodo-bugat.html
2] http://www.abuse.ch/?p=8332
3] https://isc.sans.edu...mages/brad5.png
4] http://doc.emergingthreats.net/2019478
62.76.185.127: https://www.virustot...27/information/
___
Fake 'New offer Job' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Dec 2014 - "'New offer Job' with a zip attachment pretending to come from Job service <billiond8@ greatest3threeisland .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
New offer for you, see attached here.
There is also a version around with the subject of 'Tiket alert' pretending to come from FBR service <newspaperedixv@ greatest3threeisland .com>
Look at the attached file for more information.
Assistant Vice President, FBR service
Management Corporation
Both emails contain the same malware as does today’s version of 'my new photo malware'*
1 December 2014 : tiket.zip: Extracts to: tiket.exe
Current Virus total detections: 5/19** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...-photo-malware/
** https://www.virustot...sis/1417475226/
___
Phishing scam that hit Wall Street might work against you
- http://arstechnica.c...gainst-you-too/
Dec 1 2014 - "Researchers have uncovered a group of Wall Street-savvy hacks that have penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.
> http://cdn.arstechni...ish-640x359.jpg
FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye*. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will -inject- a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success. E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns... FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known... Embedded in the previously stolen documents are Visual Basic Applications (VBA) macros that prompt readers to enter the Outlook user names and passwords. The scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients... the best thing any potential target can do is to educate employees how to spot phishing attacks. The FIN4 attackers have just raised the bar, so chances are most education programs should be revised to help employees spot these new and improved tactics."
* https://www.fireeye....ling_insid.html
- http://www.reuters.c...deoId=347691634
Dec 01, 2014
Video: 02:09
- http://www.computerw...ock-market.html
Dec 1, 2014
> http://core0.staticw...-large.idge.jpg
- http://www.reuters.c...N0JF29420141202
Dec 2, 2014
- http://www.theregist..._stock_markets/
2 Dec 2014
> http://regmedia.co.u...12/02/11223.png
___
Europol and US customs seize 292 domains selling counterfeit goods
- http://www.theinquir...unterfeit-goods
Dec 1, 2014 - "... Interpol in conjunction with US Immigration and Customs Enforcement has seized the domains of almost 300 websites that were selling counterfeit merchandise. The law enforcement agencies, not to mention politicians, are concerned that citizens are being taken for mugs online and cannot resist spending good money on fake rubbish... Europol said that the seizures involved 25 law enforcement agencies from 19 countries and participation from the US National Intellectual Property Rights Coordination Center... The websites offered a mix of content, ranging from luxury goods and sportswear to CDs and DVDs. The domains are now in the hands of the national governments involved in the shutdowns, and the gear is presumably facing some sort of immolation. Operation In Our Sites has closed down 1,829 domains so far..."
___
O/S Market Share - Nov 2014
- http://www.netmarket...=10&qpcustomd=0
Browser Market Share - Nov 2014
- http://www.netmarket...d=0&qpcustomd=0
___
PoS Malware 'd4re|dev1|' attacking Ticket Machines and Electronic Kiosks
- https://www.intelcrawler.com/news-24
Nov 26, 2014 - "... new type of Point-of-Sale malware called “d4re|dev1|”. This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scrapping and keylogging features. This new POS malware find adds to a growing list of POS variants being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. Variants recently identified and profiled by IntelCrawler include POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal. The exploitation of merchants is taking place on a global scale as outlined by the IntelCrawler POS infection map*.
* https://www.intelcra.../analytics/pmim
... The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 servers... As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground. In addition to consulting your PCI vendor, IntelCrawler strongly recommends to encapsulate any administration channels to the -VPN- as well as to limit the software environment for operators, using proper access control lists and updated security polices..."
Edited by AplusWebMaster, 02 December 2014 - 08:40 AM.
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 
