SPAM frauds, fakes, and other MALWARE deliveries...
2072 replies to this topic

#1381 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 28 January 2015 - 06:17 AM

FYI...

Fake 'invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 Jan 2015 - "'Windsor Flowers Invoice 1385' pretending to come from Windsor Flowers Accounts <windsorflowersaccounts@ hotmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus... The email looks like:
    Dear Accounts payable
    Please see attached invoice 1385 for flowers within January 15.
    Our bank details can be found at the bottom of the invoice.
    If paying via transfer please reference our invoice number.
    If you have any queries, please do not hesitate to contact me.
    Many thanks in advance
    Connie
    Windsor Flowers
    74 Leadenhall Market
    London
    EC3 V1LT
    Tel: 020 7606 4277...


28 January 2015: Windsor Flowers Invoice 1385 Sheet1.doc (2 different versions)
Current Virus total detections: (76kb) 3/57* | (84 kb) 3/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422442083/

** https://www.virustot...sis/1422443094/
___

Fake 'RBS' SPAM - pdf-malware
- http://myonlinesecur...-pdf-malware-2/
28 Jan 2015 - "'RBS Morning commentary' pretending to come from RBS .COM <no-replay@ rbs .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please refer to the details below if you are having problems reading the attached file.
    Please do not contact your Treasury Centre for technical issues – these should be routed to RBS FM support. The attached file is in zip format; first you have to unzip it (self-extracting archive, Adobe PDF) and then it can be viewed in Adobe Acrobat Reader 3.0 or above. If you do not have a copy of the software please contact your technical support department...


All the attachment numbers are random but all extract to same -malware- payload.
28 January 2015: attachment3532715.zip: Extracts to: attachment.exe
Current Virus total detections: 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422448752/
... Behavioural information
UDP communications
134.170.185.211: https://www.virustot...11/information/

- http://threattrack.t...commentary-spam
Jan 28, 2015
___

xHamster involved in large Malvertising campaign ...
- https://blog.malware...ising-campaign/
Jan 27, 2015 - "... a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month. In the past two days we have noted a 1500% increase in infections starting from xHamster. Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within a rogue ad network... The URL linked to is a simplified landing page hosted by what looks like a rogue ad network. The landing simply consists of preparing for a Flash Player exploit... the Flash exploit itself (0 detection on VT*), again hosted on the same ad network. Depending on your version of Flash you may get the recent 0-day:
> https://blog.malware...ash-300x262.png
Upon successful exploitation, a malicious payload (Bedep) VT 2/57**, is downloaded from:
hxxp ://nertafopadertam .com/2/showthread.php
What we see post exploitation is ad fraud as described here***... While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge."
* https://www.virustot...sis/1422391909/

** https://www.virustot...sis/1422393597/

*** https://blog.malware...nd-in-the-wild/
 

:ph34r:  <_<


Edited by AplusWebMaster, 28 January 2015 - 09:30 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1382 AplusWebMaster


Posted 29 January 2015 - 07:53 AM

FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2015 - "'Invoice #10413 from SPOTLESS CLEANING pretending to come from paulamatos@ btinternet .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This message contains Invoice #10413 from SPOTLESS CLEANING. If you have questions about the contents of this message or Invoice, please contact SPOTLESS CLEANING.
    SPOTLESS CLEANING
    GLYNDEL HOUSE
    BOWER LANE
    DA4 0AJ
    07956 379907


29 January 2015: SPOTLESS CLEANING-Invoice-10413.doc - Current Virus total detections: 0/57*
... this malicious word doc with macros downloads from www .otmoorelectrical .co.uk/js/bin.exe which is saved as %temp%\hDnyDA.exe (dridex banking Trojan) which has a current detection rate of 2/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422523082/

** https://www.virustot...sis/1422531540/
___

Fake 'BACS Transfer' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2015 - "'Garth Hutchison BACS Transfer : Remittance for JSAG400GBP' pretending to come from Garth Hutchison <accmng2556@ blumenthal .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


29 January 2015 : BACS_transfer_JS87123781237.doc - Current Virus total detections: 0/57*
...  same malware payload as today’s Invoice #10413 from SPOTLESS CLEANING – Word doc malware** ..."
* https://www.virustot...sis/1422524523/

** http://myonlinesecur...rd-doc-malware/
___

Swiss users inundated with malware-laden SPAM
- http://net-security....ews.php?id=2950
29.01.2015 - "Swiss users are being heavily targeted by a number of spam campaigns delivering the Tiny Banker (TinBa or Busy) e-banking Trojan. Starting with Tuesday, the spammy emails seem to come from email addresses opened with big Swiss free email service providers (bluewin .ch, gmx .ch) and Swiss telecom provider Orange (orange .ch), but actually originate from broadband lines located all over the world. They masquerade as emails containing images sent from iPhones, an MMS sent to the user by Orange, and an application for a job position:
> http://www.net-secur...am-29012015.jpg
Unfortunately for those who fall for these tricks, the attached ZIP files contain only malware. "While most of the Tinba versions I usually come across are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet C&C domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains," noted Swiss security activist Raymond Hussy*. Further investigation revealed that all the sending IP addresses are Cutwail-infected IPs, and the malware tries to contact four distinct C&C servers, two of which have already been sinkholed. Hussy recommends that network administrators block traffic to and from the remaining two active domains (serfanteg .ru, midnightadvantage .ru) and the following IPs: 91.220.131.216 and 91.220.131.61. "In general, 91.220.131.0/24 looks quite suspect. So you may want to block the whole netblock," he pointed out, adding that it would also be a good idea to block filenames with multiple file extensions on their email gateway."
* https://www.abuse.ch/?p=9095

91.220.131.61: https://www.virustot...61/information/

91.220.131.216: https://www.virustot...16/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 30 January 2015 - 05:44 AM.

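The "spoofed icon" attachments in post #1381 (a zip that extracts to attachment.exe wearing a PDF icon) and the gateway advice quoted in post #1382 (block filenames with multiple file extensions) come down to the same check on the attachment name, applied inside archives too. The following is an added example, not code from the forum or from the blogs it quotes: a Python attachment-triage routine for a mail gateway that flags executable and double extensions and walks zip attachments; the filenames are taken from the posts, the file contents and the extension sets are constructed assumptions.

```python
"""Attachment triage for a mail gateway: flags the disguised executables
described in the posts above (doc-PDF.exe, TermsPolicies.pdf.exe,
pulsar_instruments_plc57.zip -> .scr) so they can be quarantined before
a user sees a PDF icon and double-clicks.

Added example, not code from the forum posts or the blogs they quote.
The attachment names come from the posts; contents are constructed.
"""
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will execute on double-click regardless of icon
# (assumed policy list for this example, not an exhaustive one).
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Extensions attackers pair with an executable to hide it: "invoice.pdf.exe".
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "jpg", "txt", "html"}
MAX_ARCHIVE_DEPTH = 2


@dataclass
class Verdict:
    name: str
    reasons: list  # empty list means the attachment looks benign by name


def _extensions(name: str) -> list:
    """'TermsPolicies.pdf.exe' -> ['pdf', 'exe'] (lower-cased, path stripped)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_name(name: str) -> list:
    """Return the reasons a bare filename should be quarantined."""
    exts = _extensions(name)
    reasons = []
    if exts and exts[-1] in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-1] in EXEC_EXTENSIONS and exts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension .{exts[-2]}.{exts[-1]}")
    return reasons


def check_attachment(name: str, data: bytes, depth: int = 0) -> Verdict:
    """Check a filename and, for zip archives, every member recursively."""
    reasons = check_name(name)
    # A zip needs at least its 22-byte end-of-central-directory record.
    if len(data) >= 22 and zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ARCHIVE_DEPTH:
            reasons.append("archive nested too deep to inspect")
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    inner = check_attachment(member.filename, zf.read(member), depth + 1)
                    reasons.extend(f"{member.filename}: {r}" for r in inner.reasons)
    return Verdict(name, reasons)


def _make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {filename: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples modelled on the campaigns in the posts above.
SAMPLES = {
    "TermsPolicies.pdf.exe": b"MZ\x90\x00",
    "SBQForm-57675.zip": _make_zip({"doc-PDF.exe": b"MZ\x90\x00"}),
    "pulsar_instruments_plc57.zip": _make_zip({"pulsar_instruments_plc57.scr": b"MZ"}),
    "Windsor Flowers Invoice 1385 Sheet1.doc": b"\xd0\xcf\x11\xe0",  # macro docs need content inspection, not name checks
    "photo.jpg": b"\xff\xd8\xff",
}


def triage(samples=SAMPLES) -> dict:
    """Map each attachment name to its quarantine reasons (empty = pass)."""
    return {name: check_attachment(name, data).reasons for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name:45} {'QUARANTINE' if reasons else 'pass'}  {reasons}")
```

The .doc sample passes the name check on purpose: the macro-laden invoices in these posts look legitimate by name and need content inspection or macro blocking, which this filter does not attempt.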


#1383 AplusWebMaster


Posted 30 January 2015 - 06:57 AM

FYI...

Fake 'BACS Transfer' SPAM - doc malware
- http://blog.dynamoo....remittance.html
30 Jan 2015 - "So far I have only seen one sample of this..
    From     "Garth Hutchison"
    Date     21/01/2015 11:50
    Subject     BACS Transfer : Remittance for JSAG400GBP
    We have arranged a BACS transfer to your bank for the following amount : 5821.00
    Please find details attached.


Attached is a malicious Word document BACS_transfer_JS87123781237.doc [VT 1/57*] which contains a macro... which downloads a file from:
http ://stylishseychelles .com/js/bin.exe
This is then saved as %TEMP%\iHGdsf.exe. This has a VirusTotal detection rate of 6/57** identifying it as a Dridex download... Sources indicate that this malware phones home to the following IPs which I recommend you block:
92.63.88.108
143.107.17.183
5.39.99.18
136.243.237.218
"
* https://www.virustot...sis/1422618493/

** https://www.virustot...sis/1422618468/
___

Fake BBB SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Jan 2015 - "'BBB SBQ Form #2508(Ref#61-959-0-4)' pretending to come from Admin <no-replay@ bbbl .org> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...2015/01/BBB.png

30 January 2015: SBQForm-57675.zip (13kb): Extracts to: doc-PDF.exe
Current Virus total detections: 8/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422628270/
... Behavioural information
TCP connections
46.165.223.77: https://www.virustot...77/information/
31.170.162.203: https://www.virustot...03/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
208.91.197.54: https://www.virustot...54/information/
208.97.25.20: https://www.virustot...20/information/
___

Fake 'RE-CONFIRM' SPAM - malware
- http://myonlinesecur...1ll112-malware/
30 Jan 2015 - "'RE-CONFIRM P.O©{XX1ll112}' pretending to come from sensaire@ emirates .net .ae with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...O©XX1ll112.png

30 January 2015: Purchase order(1).zip: Extracts to: Purchase order.exe
Current Virus total detections: 12/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper file with an icon saying A instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422633004/
___

Fake 'Apple Termination' – Phish ...
- http://myonlinesecur...ation-phishing/
30 Jan 2015 - "'Apple Termination' pretending to come from Apple Account <support@ apple-messages .com> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: http://myonlinesecur...Termination.png

If you follow the link you see a webpage looking like with a pre-filled in box with your email address in it:
> http://myonlinesecur...fy_apple_ID.png
When you fill in your user name and password you get a page looking like this (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur..._apple_ID_3.png
... these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake 'Tesco Bank' – Phish ...
- http://myonlinesecur...-bank-phishing/
30 Jan 2015 - "'Latest estatement is ready – Tesco Bank' pretending to come from savings@ tescobank .com <pol@ tesco .com> is one of the latest -phish- attempts to steal your Tesco bank Account and your other personal details. This one only wants your personal details, Tesco log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... a website that looks at first glance like the genuine Tesco bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email.
    Certain restriction has been placed on your tesco bank online services
     View your eDocument attached to proceed
     Tesco Bank is a retail bank in the United Kingdom which was formed in 1997,
    and which has been wholly owned by Tesco PLC since 2008
    ©Tesco Personal Finance plc 2014 / ©Tesco Personal Finance Compare Limited 2014.


If you open the attached html form you see this message:
    Your Latest Tesco Bank Saving Account Statement is ready.
    Certain restriction has been placed on your tesco bank online service
    You would be required to re – activate your online banking access to proceed
    Activate Your Online Access


If you follow that link you see a webpage looking like:
> http://myonlinesecur...o_vouchers1.jpg
Then you get a page asking for password and Security number:
> http://myonlinesecur...o_vouchers2.jpg
After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur...o_vouchers3.jpg
Then they send you to this page  and eventually it auto redirects you to the genuine Tesco bank site:
> http://myonlinesecur...o_vouchers4.jpg
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 30 January 2015 - 10:56 AM.



#1384 AplusWebMaster


Posted 31 January 2015 - 11:30 AM

FYI...

Super Bowl Phishing -and- SPAM ...
- https://isc.sans.edu...l?storyid=19261
2015-01-31 - "Beware of Super Bowl spam that may come to your email inbox this weekend. The big game is Sunday and the spam and phishing emails are -pouring- in complete with helpful -links- back-ended by malware and/or credential harvesting:
> https://isc.sans.edu...s/superbowl.PNG
... worth a reminder to friends and family if they see any emails about the Super Bowl that appears to be too-good-to-be-true - delete it..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 31 January 2015 - 11:59 AM.



#1385 AplusWebMaster


Posted 02 February 2015 - 11:28 AM

FYI...

Fake 'Facebook Account' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
2 Feb 2015 - "'Facebook Account Suspended' pretending to come from Facebook <noreply@ mail .fb .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link and run the downloaded file... Google seems to be -ignoring- the report to take down this url so far today or are far too busy complaining about Microsoft and other program makers not issuing patches inside the 90 day time period that Google insist on, to do something really useful in actually protecting users from malware like this one... The email looks like:

Screenshot: http://myonlinesecur...t-suspended.png

2 February 2015 : TermsPolicies.pdf.exe - Current Virus total detections: 11/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422881129/
___

Fake 'Your Apple ID' - Phish ...
- http://myonlinesecur...ckups-phishing/
2 Feb 2015 - "'Your Apple ID,was used to restore a device from one of your iCloud backups' pretending to come from Apple iTunes <orders@ tunes .co .uk> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The original email looks like this. It will NEVER be a genuine email from Apple or any other company so don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Apple website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email. This one has a short url link ( https ://tr .im/JxUNR) in the email which -redirects- you... When you fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
(Screenshots available at the myonlinesecurity URL at the top of this post.)
___

Facebook porn video trojan affects 110K users in 2 days
- http://www.theinquir...ers-in-two-days
Feb 02 2015 - "A TROJAN that has spread itself by posting links to a pornographic video has affected over 110,000 Facebook users in just 48 hours. The malware spreads from the account of previously infected users of the social network, tagging around 20 of their friends. If someone opens the link contained in the post, they will get a preview of a porn video which eventually stops and asks for a fake Flash player to be downloaded which contains the malware. The malware was uncovered by a security researcher called Mohammad Reza Faghan, who posted information about it on security mailing list archive Seclists.org*... the Trojan is different from previous examples seen on Facebook, which sent messages on behalf of the victim to a number of the victim's friends. Upon infection of those friends, the malware could go one step further and infect the friends of the initial friends. In the new technique, however, the malware has more visibility to the potential victims as it tags the friends of the victim in the malicious post. The malware is thought to be able to hijack keyboard and mouse movements if executed successfully once landing on a victim's machine."
* http://seclists.org/...re/2015/Jan/131
___

Fake Chrome update Spam drops CTB Locker/Critroni Ransomware
- https://blog.malware...oni-ransomware/
Feb 2, 2015 - "Beware of emails appearing to come from Google warning you that “Your version of Google Chrome is potentially vulnerable and out of date”. In this latest spam wave, cyber crooks are tricking users into downloading the well-known browser, except that it’s a dangerous Trojan that will encrypt your personal files and demand a hefty ransom to decrypt them back:
> https://blog.malware...015/02/spam.png
The payload is not attached to the email but instead gets downloaded from various websites that appear to have been compromised... Running “ChromeSetup.exe” will not install Google Chrome. Instead the Windows wallpaper will change to this:
> https://blog.malware.../encrypted1.png
This is not just a fake warning. The files on the systems are -indeed- encrypted:
> https://blog.malware.../encrypted4.png
The bad guys demand a ransom that can be paid using Bitcoins:
> https://blog.malware.../encrypted8.png
... The problem with ransomware is that while the active Trojans can be removed, it is much more difficult and sometimes impossible to recover the encrypted files. The folks at BleepingComputer* have some tips on how to restore your encrypted files. However, as is often the case, prevention is critical to avoid a nasty ransomware infection..."
* http://www.bleepingc...ormation#shadow

- http://net-security....ews.php?id=2952
03.02.2015
> http://www.net-secur...al-03022015.jpg
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 03 February 2015 - 07:02 AM.



#1386 AplusWebMaster


Posted 03 February 2015 - 06:44 AM

FYI...

Fake 'CIT' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
3 Feb 2015 - "'CIT Inv# 15000375 for PO# SP14161' pretending to come from Circor <_CIG-EDI@ CIRCOR .COM> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...-PO-SP14161.png

3 February 2015: FOPRT01.DOC - Current Virus total detections: 1/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1422951071/

- http://blog.dynamoo....icircorcom.html
3 Feb 2015
"... Recommended blocklist:
143.107.17.183
92.63.88.108
"
___

Fake 'Barclays Your Debit Card' – Phish ...
- http://myonlinesecur...ation-phishing/
3 Feb 2015 - "'Your Debit Card Notification' pretending to come from Barclays Bank Plc is one of the latest phish attempts to steal your Barclays Bank, debit card and personal details. This one only wants your Barclays log in details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The website at gardendecore .pl has cleaned up the phishing pages and hopefully plugged the security holes or vulnerabilities that let the bad guys get in in the first place. If you follow the link you see a webpage looking like the genuine Barclays log in page:

Screenshot: http://myonlinesecur...h_-feb_2015.png

When you fill in the required details there, the phishers then send you on to the next page where they ask you to fill in your name, details and passcodes. The phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fake 'Garrett' SPAM - malware
- http://myonlinesecur...489933-malware/
3 Feb 2015 - "'Garrett Courtright Copy from +07441489933' pretending to come from Garrett Courtright <ophidian@  nagsgolf .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Fax: +07441489933
    Date: 2015/01/18 16:43:04 CST
    Pages: 1
    Reference number: Y67969682C281D
    Filename: pulsar_instruments_plc57.zip
    Pulsar Instruments Plc
    Garrett Courtright


3 February 2015 : pulsar_instruments_plc57.zip: Extracts to: pulsar_instruments_plc57.scr
Current Virus total detections: 7/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1422985036/
... Behavioural information
TCP connections
213.186.33.2: https://www.virustot....2/information/
5.178.43.10: https://www.virustot...10/information/
___

Fake 'Halifax' SPAM – Phish ...
- http://myonlinesecur...lifax-phishing/
3 Feb 2015 - "'Update your account details' pretending to come from Halifax Online Banking <securitynews@halifax.co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. An alternative email says 'We’re improving your Halifax account' also pretending to come from Halifax Online Banking <securitynews@ halifax .co .uk>. This one wants all your personal details including email address and password and your credit card and bank details. Many of them are also designed to specifically steal your facebook and other social network log in details as well... don’t -ever- open or fill in the html (webpage) form that comes attached to the email... If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to follow a link in the body of the email to a phishing site. Both of today’s emails have different phish sites in the attached html files but otherwise the attachments are identical.

Screenshot: http://myonlinesecur...ish_email_2.png
-or-
Screenshot: http://myonlinesecur...ish_email_1.png

If you open the attached html file you see a webpage looking like this (split in 2 to get it all):
> http://myonlinesecur...x1-1024x587.png

> http://myonlinesecur...21-1024x620.png

... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 03 February 2015 - 03:08 PM.



#1387 AplusWebMaster


Posted 04 February 2015 - 11:24 AM

FYI...

Fake 'USPS Delivery' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
4 Feb 2015 - "'USPS Delivery Notification' pretending to come from USPS <no-reply@ usps .gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...on-1024x614.png

4 February 2015: label_54633541.doc - Current Virus total detections: 2/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustot...sis/1423064590/
___

Pawn Storm Update: -iOS- Espionage App Found
- http://blog.trendmic...nage-app-found/
Feb 4, 2015 - "... spyware specifically designed for espionage on -iOS- devices. While spyware targeting -Apple- users is highly notable by itself, this particular spyware is also involved in a targeted attack... Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media. The actors of Pawn Storm tend to first move a lot of pawns in the hopes they come close to their actual, high profile targets. When they finally successfully infect a high profile target, they might decide to move their next pawn forward: advanced espionage malware... The iOS malware we found is among those advanced malware. We believe the iOS malware gets installed on already compromised systems, and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems... The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is -live- ...
C&C Communication: Besides collecting information from the iOS device, the app sends the information out via HTTP. It uses POST requests to send messages, and GET requests to receive commands... The exact method of installing this malware is unknown. However, we do know that the iOS device doesn’t have to be jailbroken per se. We have seen one instance wherein a lure involving XAgent simply says “Tap Here to Install the Application.” The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking-on-a-link, such as in the picture below:
> http://blog.trendmic...1/pwnstrm10.png
There may be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone* after connecting it to a compromised -or- infected Windows laptop via a USB cable...
* http://blog.trendmic...nd-in-ios-apps/
The hashes of the related files are:
    05298a48e4ca6d9778b32259c8ae74527be33815
    176e92e7cfc0e57be83e901c36ba17b255ba0b1b
    30e4decd68808cb607c2aba4aa69fb5fdb598c64 ..."

- http://arstechnica.c...ts-ios-devices/
Feb 4 2015
___

Apps on Google Play Pose As Games - Infect Millions with Adware
- https://blog.avast.c...rs-with-adware/
Feb 3, 2015 - "A couple of days ago, a user posted a comment on our forum* regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users and third, I was surprised that the adware lead to some legitimate companies:
> https://blog.avast.c...rak-game-GP.png
The Durak card game app was the most widespread of the malicious apps with 5–10 million installations according to Google Play:
> https://blog.avast.c...les-300x168.png
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right? Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.
> https://blog.avast.c...pps-300x261.jpg
An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don‘t stop. This kind of threat can be considered good social engineering. Most people won‘t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from -untrusted- sources... the apps’ descriptions should make users skeptical about the legitimacy of the apps.  Both in English and in other languages such as German, were written poorly: “A card game called ‘Durak‘ – one of the most common and well known game“. The apps‘ secure hash algorithm (SHA256) is the following:
BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836
9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED
FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D "

* https://forum.avast....?topic=165003.0
___

Data Integrity: The Core of Security
- http://www.securityw...y-core-security
Feb 4, 2015 - "... Companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats. According to Gartner*, worldwide spending on information security will reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Other Gartner figures show that in 2013, average budget allocations for information security were 5.1% of the overall IT budget, up 8.5% from 2012. However, the majority of investments are aimed at bolstering traditional perimeter security defenses, which is a losing battle... if we can prevent data from leaving the organization or being modified, protecting against network breaches becomes less critical. Unfortunately, data is often left unsecured... When it comes to information security, 100 percent protection is unattainable. However, by supplementing traditional perimeter defense mechanisms with data integrity principles, organizations can significantly reduce their exposure to Sony scale data breaches."
* http://www.gartner.c...room/id/2828722
___

YouTube dumps Flash for HTML5
- http://www.infoworld...-for-html5.html
Jan 30, 2015 - "In a blow to proprietary rich Internet plug-ins, YouTube, which had been a stalwart supporter of Adobe’s Flash plug-in technology, revealed this week that it now -defaults- to the HTML5 <video> tag. The move shows HTML5's continued march toward Web dominance... Late Apple founder Steve Jobs probably did the most to further the decline by refusing to support Flash on the company’s wildly popular iOS handheld devices. In fact, Flash shows a downward trajectory on W3Techs' report* on the number of websites using Adobe’s multimedia platform. It has -dropped- to 11.9 percent this month versus more than 15 percent a year ago. The numbers are far worse for Microsoft’s late-arriving Flash rival, Silverlight..."
* http://w3techs.com/t...p-flash/all/all
 

:ph34r:  <_<


Edited by AplusWebMaster, 04 February 2015 - 04:15 PM.



#1388 AplusWebMaster


Posted 05 February 2015 - 10:25 AM

FYI...

Fake HSBC SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
5 Feb 2015 - "'HSBC Payment Advice' pretending to come from HSBC <no-replay@ hsbci .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Sir/Madam
     Upon your request, attached please find payment e-Advice for your
    reference.
     Yours faithfully
     HSBC
     We maintain strict security standards and procedures to prevent
    unauthorised access to information about you. HSBC will never contact
    you by e-mail or otherwise to ask you to validate personal information
    such as your user ID, password, or account numbers. If you receive such
    a request, please call our Direct Financial Services hotline.
     Please do not reply to this e-mail. Should you wish to contact us,
    please send your e-mail to commercialbanking@hsbc.co.uk and we will
    respond to you.
     Note: it is important that you do not provide your account or credit
    card numbers, or convey any confidential information or banking
    instructions, in your reply mail.
     Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005.
    All rights reserved...


5 February 2015: HSBC-69695.zip: Extracts to: CashPro.exe
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1423139205/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
93.157.100.56: https://www.virustot...56/information/
178.47.141.100: https://www.virustot...00/information/
___

Fake FedEx SPAM - malicious script
- http://blog.dynamoo....liver-your.html
5 Feb 2015 - "This -fake- FedEx spam has a malicious script attached.
From:    FedEx 2Day A.M.
Date:    5 February 2015 at 15:01
Subject:    PETRO, Unable to deliver your item, #0000220741
 Dear Petro,
We could not deliver your item.
You can review complete details of your order in the find attached.
Yours sincerely,
Marion Bacon,
Delivery Manager.
© 2014 FedEx. The content of this message is protected by copyright and trademark laws.


Attached is a file FedEx_0000220741.zip which contains a malicious javascript which is highly obfuscated... but it is a bit clearer when deobfuscated... This script has a moderate detection rate of 9/56*, and downloads a file from:
    http ://freesmsmantra .com/document.php?id=5451565E140110160B0824140110160B08000D160107104A070B09&rnd=3252631
Which is saved as %TEMP%\11827407.exe. This has a low detection rate of 3/56**. Automated analysis tools...  don't give much of a clue as it has been hardened against analysis."
* https://www.virustot...sis/1423149508/

** https://www.virustot...sis/1423148815/

50.31.134.98: https://www.virustot...98/information/
___

Fake Barclays SPAM – Phish ...
- http://myonlinesecur...otice-phishing/
5 Feb 2015 - "'New Barclays Service Important Notice' pretending to come from Barclays Service [mailto:secure@ barclaysalertid .com] is one of the latest phish attempts to steal your Barclays Bank  details. We have been seeing a quite large increase in Barclays phishing emails over the last week or so. Today’s version is particularly well done with a domain that will fool a lot of people...

Screenshot: http://myonlinesecur...ing-email_1.png

If you follow-the-link, you see a webpage looking like:
> http://myonlinesecur...lays_phish1.png
You then get:
> http://myonlinesecur...phish_check.png
Then you get this page which tries to convince you that various African IP addresses have accessed your account and scare you into going further:
> http://myonlinesecur...lays_phish2.png
You then get the  processing/checking screen again before being sent on to:
> http://myonlinesecur...h3-1024x646.png
Where they ask you to fill in your name, details and passcodes, the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and format. And then once again to the processing/checking screen before you are sent on to the final page where they say they will send you a new  pinsentry device by post:
> http://myonlinesecur...h4-1024x603.png
All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 05 February 2015 - 02:14 PM.



#1389 AplusWebMaster


Posted 06 February 2015 - 06:51 AM

FYI...

Something evil on 5.196.143.0/28 and 5.196.141.24/29 ...
- http://blog.dynamoo....143028-and.html
6 Feb 2015 - "... interesting blog post from Cyphort* got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more). These are OVH IP ranges, suballocated to a customer called Verelox .com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers. The first range is 5.196.141.24/29 which has apparently compromised servers at:
5.196.141.24, 5.196.141.25, 5.196.141.26, 5.196.141.27
... The second range is 5.196.143.0/28 with apparently -compromised- servers at:
5.196.143.3, 5.196.143.4, 5.196.143.5, 5.196.143.6, 5.196.143.7, 5.196.143.8, 5.196.143.10, 5.196.143.11,
5.196.143.12, 5.196.143.13
In addition to this, some of these domains use nameservers on the following IP addresses:
168.235.70.106
168.235.69.219
These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth -blocking- traffic to.
Note that Cyphort identify these C&C servers for the malware:
asthalproperties .com:4444
pratikconsultancy .com:8080
The following IPs and domain names all seem to be connected and I would recommend -blocking- at least the IP addresses and domains... other domains look like they are probably throwaway ones:
5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106
asthalproperties .com
pratikconsultancy .com
..."
(More detail at the dynamoo URL at the top of this post.)

* http://www.cyphort.c...ing-cryptowall/
___

Fake 'CashPro Online' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
6 Feb 2015 - "'Your CashPro Online Digital Certificate' pretending to come from CashPro Online <no-replay@ cashpro .com> with  a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear CashPro Customer,
    This email is being sent to inform you that you have been granted a new
    digital certificate for use with Bank of America CashPro Online.
    Please open the attachment and you will be guided through a simple
    process to install your new digital certificate.
    If you have any questions or concerns, please contact the Bank of
    America technical help desk.
    Thank you for your business,
    Bank of America
    CashPro Online Security Team
    Please do not reply to this email .
    Copyright 2015 Bank of America Merrill Lynch. All rights reserved.
    CashPro is a registered trademark of Bank of America Corporation.


6 February 2015: docs-20276.zip: Extracts to: docs.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1423239330/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
178.47.141.100: https://www.virustot...00/information/
192.185.35.92: https://www.virustot...92/information/
71.18.62.202: https://www.virustot...02/information/
UDP communications
77.72.174.163: https://www.virustot...63/information/

- http://threattrack.t...ca-cashpro-spam
Feb 6, 2015
docs.exe (1D38C362198AD67329FDF58B4743165E)
Tagged: bank of america, cashpro, Upatre
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 07 February 2015 - 04:52 PM.



#1390 AplusWebMaster


Posted 09 February 2015 - 09:57 AM

FYI...

Fake 'Lloyds new message' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Feb 2015 - "'You have a new message' pretending to come from Lloyds Commercial Banking <GrpLloydslinkHelpdesk@ lloydsbanking .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Lloyds Commercial Logo
    We want you to recognise a fraudulent email if you receive one. Lloyds Bank will always greet you personally using your title and surname and, where you hold an existing account with us, the last four digits of your account number: XXXX1328.
    Dear Lloyds Link Customer,
    You have a new message
    There’s a new message for you, messages contain information about your account, so it’s important to view them.
    If you’ve chosen to use a shared email address, please note that anyone who has access to your email account will be able to view your messages.
    Please check attached message for more details.
    Subject
    Date
    Account details
    Account number
    Important information about your account
    09 Feb 2015
    Lloyds Commercial
    XXXX1328
    Please note: this message is important and needs your immediate attention. Please check attached file straightaway to view it.
    Yours sincerely
    Signature image of Nicholas Williams - Consumer Digital Director
    Nicholas Williams,
    Consumer Digital Director
    Please do not reply to this email as this address is not manned and cannot receive any replies.
    Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales, number 2065. Telephone: 020 7626 1500.
    Lloyds Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278.


9 February 2015: ImportantMessage.zip: Extracts to: ImportantMessage.scr
Current Virus total detections: 6/57*  . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1423485253/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
94.41.208.125: https://www.virustot...25/information/
198.23.48.157: https://www.virustot...57/information/
UDP communications
77.72.174.165: https://www.virustot...65/information/
77.72.174.164: https://www.virustot...64/information/
___

Fake 'Lloyds new debit' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
9 Feb 2015 - "'You have received a new debit' pretending to come from Payments Admin <paymentsadmin@ lloydstsb .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Monday 09 February 2014
    This is an automatically generated email by the Lloyds TSB PLC
    LloydsLink online payments Service to inform you that you have receive a
    NEW Payment.
    The details of the payment are attached.
    This e-mail (including any attachments) is private and confidential and
    may contain privileged material. If you have received this e-mail in
    error, please notify the sender and delete it (including any
    attachments) immediately. You must not copy, distribute, disclose or use
    any of the information in it or any attachments.


9 February 2015 : details#00390702.zip: Extracts to: details.exe
Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1423485121/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
94.41.208.125: https://www.virustot...25/information/
91.103.216.71: https://www.virustot...71/information/
UDP communications
77.72.174.167: https://www.virustot...67/information/
77.72.174.166: https://www.virustot...66/information/
 

:ph34r:  <_<


Edited by AplusWebMaster, 09 February 2015 - 10:18 AM.




#1391 AplusWebMaster


Posted 10 February 2015 - 07:57 AM

FYI...

Fake 'Amazon Order' SPAM – malware
- http://myonlinesecur...etails-malware/
10 Feb 2015 - "'Amazon Order Details' pretending to come from Amazon.com <delivers@ amazon .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is a lazy attempt to spread the malware using an old email from last year saying Order R:121216 Placed on June 28, 2014...

Screenshot: http://myonlinesecur...ls-1024x422.png

Today's date: order_report.zip: Extracts to: order_report_238974983274928374892374982.exe
Current Virus total detections: 2/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1423571463/
___

Fake 'Purchase Order' SPAM - malware
- http://blog.dynamoo....ade-groups.html
10 Feb 2015 - "This spam comes with a malicious attachment:
    From:    Megtrade groups [venkianch@ gmail .com]
    Reply-To:    venkanch@ gmail .com
    Date:    10 February 2015 at 15:47
    Subject:    RE: Purchase Order Copy
    Hello Vendor,
    I just got back from business trip, Please find attached our purchasing order let us know price so as to confirm sample with your company.
    You give us your payment terms but note our company payment policy 30% prepayment after confirming proforma invoice from you and the balance against copy of B/L.
    Kindly treat as urgent and send invoice, I await to have your urgent reply to proceed.
    Thanks & Best regards,
    Mr Venkianch
    Managing Director
    NZ Megtrade Groups Ltd ... Download Attachment As zip


Unusually, this email does -not- appear to be sent out by a botnet but has been sent through -Gmail-. The link in the email goes www .ebayonline .com .ng/download/ohafi/jfred/Purchase%20Order%20Copy_pdf.7z where it downloads a file Purchase Order Copy_pdf.7z  which (if you have 7-Zip installed) uncompresses to the trickily-named:
(1) Purchase Order Copy.pdf    ___________________   
(2) Delivery Time and Packing.pdf    _______________________    _____ Adobe Reader.pdf
... or in    .exe
As you might expect, this is malicious in nature and has a VirusTotal detection rate of 34/57*. The Malwr analysis** indicates that this installs a -keylogger- among other things."
* https://www.virustot...sis/1423585487/

** https://malwr.com/an...zdkMDRmYTM2NzI/
 

:ph34r:  <_<


Edited by AplusWebMaster, 10 February 2015 - 01:29 PM.

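The posts above (#1388 CashPro.exe, #1389 docs.exe, #1390 ImportantMessage.scr and details.exe, #1391 order_report_...exe and the padded "Purchase Order Copy.pdf ... .exe") all turn on the same trick: an executable carrying a PDF icon or a document-looking name, which Windows shows without its real extension unless "show known file extensions" is enabled. An added example, not code from any of the quoted blogs, that checks zip attachments by content and name rather than by icon: it flags executable extensions, the PE "MZ" magic regardless of extension, a document extension buried in the base name, and names padded with spaces or underscores to push the real extension out of view. The zip and its members are constructed in memory for the example (fake "MZ" stubs, not real binaries); 7z archives as in #1391 would need a 7z reader, which the standard library does not include.

```python
"""Flag e-mail attachments that are executables dressed up as documents.

Added example for this thread, not the blog authors' code. It builds a
constructed zip in memory with member names modelled on the ones reported
in the posts and judges each member by content, not by icon or claimed type.
"""
import io
import re
import zipfile

# Extensions Windows will execute on double-click (not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _ext(name):
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def classify_member(name, head):
    """Return the reasons (possibly none) why a member looks like a disguised executable.

    name: the member's file name; head: the first bytes of its content.
    """
    reasons = []
    ext = _ext(name)
    base = name[: len(name) - len(ext)] if ext else name
    if ext in EXEC_EXTS:
        reasons.append("executable-extension:" + ext)
    # PE files start with the 'MZ' DOS stub, whatever the extension claims.
    if head[:2] == b"MZ":
        reasons.append("pe-magic")
        if ext in DOC_EXTS:
            reasons.append("document-extension-on-pe")
    # "invoice.pdf.exe" or "Report.pdf   ____   .exe": a document extension
    # inside the base name, optionally padded with spaces/underscores.
    if ext in EXEC_EXTS and re.search(r"\.(pdf|docx?|xlsx?|txt)[\s_]*$", base, re.I):
        reasons.append("double-extension")
    # Long runs of spaces/underscores right before the last dot hide the real extension.
    if re.search(r"[\s_]{4,}\.", name):
        reasons.append("padded-name")
    return reasons


def scan_zip(data):
    """Scan zip bytes; return {member_name: [reasons]} for suspicious members only."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(64)
            reasons = classify_member(info.filename, head)
            if reasons:
                results[info.filename] = reasons
    return results


def build_sample_zip():
    """Constructed sample archive: names modelled on the posts, tiny fake contents."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60     # DOS-stub magic only, not a real binary
    fake_pdf = b"%PDF-1.4\n%constructed sample\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ImportantMessage.scr", fake_pe)
        zf.writestr("order_report_238974983274928374892374982.exe", fake_pe)
        zf.writestr("Purchase Order Copy.pdf    _______________    .exe", fake_pe)
        zf.writestr("FedEx_0000220741.js", b"var a='obfuscated';")
        zf.writestr("statement.pdf", fake_pe)    # PE content behind a document extension
        zf.writestr("genuine_invoice.pdf", fake_pdf)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(f"{member!r}: {', '.join(reasons)}")
```

The magic-byte check is the one that survives renaming: a real PE inside "statement.pdf" is still caught even though neither the extension nor the icon gives it away. The extension list is intentionally broader than .exe, since .scr (as in #1390) and script types such as .js (as in the FedEx sample in #1388) run just as readily when double-clicked.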


#1392 AplusWebMaster


Posted 11 February 2015 - 07:22 AM

FYI...

Fake 'e-invoice' SPAM
- http://blog.dynamoo....voice-from.html
11 Feb 2015 - "This -fake- invoice spam has a malicious attachment:
    From:    Lydia Oneal
    Date:    11 February 2015 at 09:14
    Subject:    Your latest e-invoice from HSBC HLDGS
    Dear Valued Customer,
    Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.
    Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.
    Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.
    This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
    If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
    If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.


The company name and the name of the sender varies, but most of the body text remains identical. Some sample subjects are:
Your latest e-invoice from HSBC HLDGS
Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
Your latest e-invoice from DDD GROUP PLC
Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
Your latest e-invoice from ACAL
Your latest e-invoice from PARAGON DIAMONDS LTD
Your latest e-invoice from TULLETT PREBON PLC
Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
Your latest e-invoice from HOLDERS TECHNOLOGY
Your latest e-invoice from LED INTL HLDGS LTD
Your latest e-invoice from HALOS
Your latest e-invoice from ACORN INCOME FUND
The word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case... The malware probably drops a Dridex DLL, although I have not been able to obtain this.
Recommended blocklist:
85.143.166.72
92.63.88.97
205.185.119.159
78.129.153.18
5.14.26.146
136.243.237.222
185.48.56.62
95.163.121.216
"
1] https://www.virustot...sis/1423650591/

2] https://www.virustot...sis/1423650604/

3] https://www.virustot...sis/1423650615/


- http://myonlinesecur...rd-doc-malware/
11 Feb 2015
Screenshot: http://myonlinesecur...-MINING-PLC.png
___

Fake 'Outstanding Invoice' SPAM - malware
- http://blog.dynamoo....ail-walker.html
11 Feb 2015 - "This fake invoice does -NOT- come from MBL Seminars, they are -not- sending this spam nor have their systems been compromised. Instead, this is a -forgery- with a malicious attachment.
    From:    Gail Walker [gail@ mblseminars .com]
    Date:    11 February 2015 at 09:52
    Subject:    Outstanding Invoice 271741
    Dear Customer
    Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
    By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
    Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
    If you have any queries, please do not hesitate to contact us.
    Regards
    Gail Walker
    MBL (Seminars) Limited ...


So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2] containing a different macro each... This file is saved as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57*... It also drops a DLL with a detection rate of 3/57** which is probably Dridex.
Recommended blocklist:
37.139.47.105
5.39.99.18
136.243.237.218
66.110.179.66
78.140.164.160
109.234.38.70
"
1] https://www.virustot...sis/1423653571/

2] https://www.virustot...sis/1423653583/

* https://www.virustot...sis/1423653592/

** https://www.virustot...sis/1423654973/
 

- http://myonlinesecur...rd-doc-malware/
11 Feb 2015
Screenshot: http://myonlinesecur...oice-271741.png
 

:ph34r:  <_<


Edited by AplusWebMaster, 11 February 2015 - 07:54 AM.

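Post #1389 (the 5.196.143.0/28 and 5.196.141.24/29 ranges plus the nameserver IPs and C&C domains) and post #1392 (the two "Recommended blocklist" IP lists) give indicators in the form the blogs publish them, including "defanged" domains written as "asthalproperties .com". An added example, not dynamoo's code, that turns such a list into something a SOC can actually run: it refangs the entries, builds ipaddress networks so a single /28 covers all the hosts in it, and walks constructed firewall, DNS and proxy log lines looking for hits. The IOCs are the ones quoted in the posts; the log lines and their key=value layout are constructed for the example.

```python
"""Match log lines against a blocklist written the way the posts present it
(plain IPs, CIDR ranges, and defanged domains such as "asthalproperties .com").

Added example for this thread, not dynamoo's code. The indicators are the ones
quoted in posts #1389 and #1392; the log lines are constructed.
"""
import ipaddress
import re

BLOCKLIST_TEXT = """
5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106
asthalproperties .com
pratikconsultancy .com
85.143.166.72
92.63.88.97
37.139.47.105
"""

# Constructed log lines in a simple key=value layout (assumed format).
SAMPLE_LOGS = """
2015-02-06T10:01:02Z fw src=10.0.0.12 dst=5.196.143.7 dport=80 action=allow
2015-02-06T10:01:05Z fw src=10.0.0.12 dst=5.196.143.20 dport=80 action=allow
2015-02-06T10:02:11Z dns client=10.0.0.12 query=asthalproperties.com
2015-02-06T10:02:12Z fw src=10.0.0.12 dst=168.235.69.219 dport=53 action=allow
2015-02-11T09:20:00Z proxy client=10.0.0.31 url=http://85.143.166.72/doc.php?id=1
2015-02-11T09:21:00Z dns client=10.0.0.31 query=www.example.org
"""


def refang(ioc):
    """Undo the 'domain .com' / 'http ://' spacing used in the posts."""
    return re.sub(r"\s*\.\s*", ".", ioc.replace("http ://", "http://")).strip()


def parse_blocklist(text):
    """Return (list of ip_network objects, set of lower-cased domains)."""
    nets, domains = [], set()
    for raw in text.splitlines():
        line = refang(raw)
        if not line:
            continue
        try:
            # A bare IP becomes a /32; a CIDR covers its whole range.
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower())
    return nets, domains


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")


def match_line(line, nets, domains):
    """Return a list of (indicator, matched_value) hits for one log line."""
    hits = []
    for ip_s in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            continue
        for net in nets:
            if ip in net:
                hits.append((str(net), ip_s))
                break
    for host in HOST_RE.findall(line):
        h = host.lower()
        for d in domains:
            if h == d or h.endswith("." + d):   # also catches subdomains
                hits.append((d, h))
                break
    return hits


def scan_logs(log_text, blocklist_text):
    """Return [(indicator, matched_value, log_line), ...] over all lines."""
    nets, domains = parse_blocklist(blocklist_text)
    report = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for indicator, value in match_line(line, nets, domains):
            report.append((indicator, value, line))
    return report


if __name__ == "__main__":
    for indicator, value, line in scan_logs(SAMPLE_LOGS, BLOCKLIST_TEXT):
        print(f"{indicator:<24} {value:<24} {line}")
```

Note how the second sample line (dst=5.196.143.20) is correctly left alone: a /28 ends at .15, so matching on ranges rather than on a string prefix is what keeps the #1389 list from producing false positives on the neighbouring OVH addresses.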


#1393 AplusWebMaster


Posted 12 February 2015 - 07:29 AM

FYI...

Fake BBB SPAM - malware
- http://blog.dynamoo....n-services.html
12 Feb 2015 - "This -fake- BBB email has a malicious attachment.
    From: BBB Accreditation Services [no-replay@ newyork .bbb .org]
    Date: Thu, 12 Feb 2015 10:50:01 +0000
    Subject: BBB SBQ Form
    Thank you for supporting your Better Business Bureau (BBB).
    As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
    We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)
    Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily.
    Thank you again for your support, and we look forward to receiving this updated information.
    Sincerely,
    Accreditation Services


Attached is a file SQB Form.zip which contains a malicious executable SQB Form.exe. This has a VirusTotal detection rate of 4/57*. Automated analysis tools... show that it attempts to connect to the following legitimate IPs and domains to determine the IP address and current time:
134.170.185.211: https://www.virustot...11/information/
time.microsoft.akadns .net
checkip.dyndns .org
Of these, checkip.dyndns .org is worth monitoring as it is often an indicator of infection.
The Anubis report also shows a DNS query to semiyun .com on 95.173.170.227*** (Netinternet, Turkey). Also the Malwr report shows connections to the following URLs:
http ://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
http ://92.240.99.70:12112/1202uk11/HOME/41/7/4/
http ://semiyun .com/mandoc/previewa.pdf
Of these, 92.240.99.70 (Ukrainian High Technologies Ltd, Ukraine) looks like the C&C server and this should definitely be -blocked-. A file jeoQxZ5.exe is also dropped with a detection rate of 6/57**. This is most likely the Dyre banking trojan..."
* https://www.virustot...sis/1423739716/

** https://www.virustot...sis/1423741855/

*** 95.173.170.227: https://www.virustot...27/information/
___

Fake 'invoice :reminder' SPAM - leads to CVE-2012-0158 exploit
- http://blog.dynamoo....o-cve-2012.html
12 Feb 2015 - "This spam has a malicious attachment:
    From:    Hajime Daichi
    Date:    12 February 2015 at 15:59
    Subject:    invoice :reminder
    Greetings.
    Please find attached invoice copy for a transfer of USD29,900.00 payed to
    your company account yesterday.
    You can save, view and print this SWIFT message at your convenience.
    Please email should you require any additional information on this
    transaction.
    We thank you for your continued patronage.
    Corp. Office / Showroom:
    # 8-2-293/82/A/706/1,
    Road No. 36, Jubilee Hills,
    HYDERABAD - 500 033.
    Tel: +91 40 2355 4474 / 77
    Fax:+91 40 2355 4466
    E-mail: info@ valueline .in
    Branches : VIZAG | VIJAYAWADA | BANGALORE | MUMBA


Attached is a file INVOICE.doc which is actually not a DOC at all, but an RTF file. A scan of the file at VirusTotal indicates that it is malicious, with a detection rate of 6/57*. Those detections indicate that this is exploiting CVE-2012-0158 aka MS12-027, a security flaw patched almost three years ago. So if you keep your patches up-to-date, there's a good chance you will be OK. But if you are running an ancient version of Microsoft Office (for example Office 2000, 2002 or XP) then you could be in trouble. The Malwr report for this is quite enlightening, showing the malware downloading another document from directxex .net/7783ed117ba0d69e/wisdomjacobs.exe. This has a detection rate of 14/57** and the Malwr report for this indicates that among other things it installs a -keylogger- confirmed by the ThreatExpert report.
The domain directxex .net [Google Safebrowsing***] has an unsavoury reputation, and although it is currently hiding behind a Cloudflare IP, it actually appears to be hosted on an OVH France IP of 5.135.127.68. I definitely recommend that you -block- traffic to directxex .net."
* https://www.virustot...sis/1423764503/

** https://www.virustot...sis/1423765263/

*** https://www.google.c...e=directxex.net
"... listed for suspicious activity 122 time(s) over the past 90 days..."

> https://web.nvd.nist...d=CVE-2012-0158 - 9.3 (HIGH)
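The INVOICE.doc-that-is-really-RTF case above generalises into a cheap mail-gateway triage check: compare an attachment's declared extension with the container its leading bytes actually describe. The following is an added example, not code from dynamoo's post; the file names echo the write-ups above but every byte string is constructed.

```python
"""Attachment triage helper (added example, not from the quoted blogs):
compare a mail attachment's declared extension with what its leading
bytes say the container is. All sample payloads below are constructed."""
import os

# Leading bytes of the containers that matter for Office-themed lures.
MAGIC = {
    b"{\\rtf": "rtf",                              # Rich Text Format
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls (OLE2 compound file)
    b"PK\x03\x04": "zip",                          # OOXML .docx/.xlsx, or a plain .zip
    b"MZ": "exe",                                  # PE executable
    b"%PDF": "pdf",
}

# Container each extension is expected to use. Word opens a file by content,
# not by extension, so an RTF named .doc still renders (and still exploits).
EXPECTED = {
    ".doc": {"ole"}, ".xls": {"ole"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".rtf": {"rtf"}, ".pdf": {"pdf"}, ".zip": {"zip"},
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment: executable, mismatch, consistent, or unknown."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    if actual == "exe":
        verdict = "executable"          # never legitimate in a mailed invoice
    elif expected is None:
        verdict = "unknown-extension"
    elif actual in expected:
        verdict = "consistent"
    else:
        verdict = "mismatch"            # e.g. RTF content under a .doc name
    return {"name": filename, "ext": ext, "actual": actual, "verdict": verdict}


# Constructed samples mirroring the cases in the write-ups (not the real files).
SAMPLES = {
    "INVOICE.doc": b"{\\rtf1\\ansi constructed}",                      # RTF wearing a .doc name
    "66990.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,    # genuine OLE2 .doc
    "SQB Form.exe": b"MZ\x90\x00" + b"\x00" * 32,                       # PE inside the .zip
    "869B54732.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,
}


def run_samples() -> dict:
    """Verdict per constructed sample; used by the stand-alone run below."""
    return {name: triage(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} -> {verdict}")
```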
___

Fake 'INVOICE' SPAM - malware
- http://blog.dynamoo....-west-loop.html
12 Feb 2015 - "This -fake- invoice comes with a malicious attachment. It does not come from Minuteman Press, their systems have not been compromised in any way. Instead this is a simple email -forgery-.
From:    Minuteman Press West Loop [westloop@ minutemanpress .com]
Reply-To:    westloop@ minutemanpress .com
Date:    12 February 2015 at 09:00
Subject:    INVOICE 1398 - FEB 4 2015
(Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)
Thank you for your business.
Julio Lopez  |  Design Manager  |  Minuteman Press West Loop
1326 W. Washington Blvd.  |  Chicago, IL 60607
p 312.291.8966  |  f 312.929.2472  |


I have seen just a single sample with an attachment INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57* and contains this malicious macro which downloads a second component from:
http ://ecinteriordesign .com/js/bin.exe
This is then saved as %TEMP%\IHJfffFF.exe and has a detection rate of 7/57**. Automated analysis tools... show attempted connections to:

The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago***."
* https://www.virustot...sis/1423734590/

** https://www.virustot...sis/1423734603/

*** https://www.virustot...dd7c7/analysis/
___

CTB-Locker Ransomware Spoofs Chrome and Facebook Emails as Lures, Linked to Phishing
- http://blog.trendmic...ed-to-phishing/
Feb 12, 2015 - "... We are seeing another wave of CTB-Locker -ransomware- making their way into the wild. What’s highly notable about this current batch of crypto-ransomware is that they are using “big names” like Facebook and Google Chrome as social engineering lures.
The New Lures: We observed that the CTB-Locker ransomware arrives through spammed emails pretending to be from Google Chrome and Facebook. The -fake- Google Chrome email pretends to be a notification about updating the recipient’s Chrome browser. Upon clicking-the-link, the user will be directed to a site hosting the malware. The malware uses a Google Chrome -icon- to disguise itself as a legitimate installer package. This is actually a variant detected as TROJ_CRYPCTB.YUX.
Fake Google Chrome email:
> http://blog.trendmic.../02/CTB-L-1.png
Another lure used by cybercriminals is Facebook. The email arrives as an account suspension notification. The email instructs the user to click on an embedded link. This link will lead to the download of the malware:
Fake Facebook email:
> http://blog.trendmic.../02/CTB-L-2.png
The malware uses a .PDF icon to disguise itself as a legitimate file. This malware is detected as TROJ_CRYPCTB.NSA. Our findings show that -both- variants are hosted in -compromised- sites. And interestingly enough, each variant is hosted on a group of compromised sites that is linked to one IP address. Connections to Phishing: Digging deeper into these compromised sites, we discovered that some of these URLs are associated with phishing spam, specifically those using -PayPal- as their lure.
Fake PayPal email:
> http://blog.trendmic.../02/CTB-L-3.png
The spammed email arrives with the subject, “Take Action PayPal.” The email instructs the recipient to log in to their PayPal account to settle an issue by clicking-a-link in the email. Upon clicking, the link redirects to a phishing site. The site asks not only for the user’s login credentials, but other important, sensitive information like contact details and credit card information.
Fake PayPal site:
> http://blog.trendmic.../02/CTB-L-4.png
Information requested by the phishing site:
> http://blog.trendmic.../02/CTB-L-5.png
Once the user completes all the information, the site then redirects the person to the legitimate PayPal login page. To avoid suspicion, it uses the excuse of needing to log in -again- for the changes to fully reflect in the PayPal account. Using the same URLs as those of the CTB-Locker malware suggests that the threat actors distributing the ransomware are also dabbling in phishing... CTB-Locker variants included language support for four languages: English, German, Italian, and Dutch. This new batch of ransomware now supports seven languages, namely, French, Spanish, Latvian, German, Dutch, Italian, and English.
Ransom message:
> http://blog.trendmic.../02/CTB-L-6.png
... The malware also now arrives in a Windows installer package. The two new variants identified were wrapped in an installer using NSIS. Cybercriminals leverage NSIS, which is an open source installer like InstallShield, to make analysis difficult. When executed, the malware drops an encrypted version of the CRYPCTB malware and a library (.DLL) file. The library file will decrypt and execute the ransomware. After the routine, the library file will delete itself. In a surprising move, the cybercriminals adjusted the ransom payment for the decryption of files to 2 BTC, a fee lower than the 3 BTC ransom fee of previous variants. The malware also uses a new set of Tor Addresses to communicate with the affected system... the added languages are all for countries based in Europe. This suggests that these variants may be targeting the EMEA region...
Top countries affected by CRYPCTB malware family:
> http://blog.trendmic...02/CTB-L-72.jpg
... Conclusion: From what we’ve seen, the threat actors focused more on improving their chances of spreading the malware than improving the design of the code itself. Once the malware is in the system, it can be very challenging to recover the files without getting their help. As we have mentioned in previous entries, it might be tempting to give in and pay the ransom fee to get back encrypted files. However, there is no guarantee that the cybercriminals will actually honor the exchange. At the very worst, the victim is left with no files and no money..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 12 February 2015 - 03:11 PM.



#1394 AplusWebMaster

Posted 13 February 2015 - 09:47 AM

FYI...

Fake 'Remittance' SPAM - malware
- http://blog.dynamoo....xx12345678.html
13 Feb 2015 - "This -spam- comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:
    From:    Gale Barlow
    Date:    13 February 2015 at 12:30
    Subject:    Remittance IN56583285
    Dear Sir/Madam,
    I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
    To see full payment details please refer to the remittance advice note attached to the letter.
    Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Gale Barlow
    Accounts Manager
    4D PHARMA PLC
    Boyd Huffman
    Accounts Payable
    GETECH GROUP


There is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57* and it contains a malicious macro which downloads a file from the following location:
http ://62.76.188.221 /aksjdderwd/asdbwk/dhoei.exe
This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57**, identified as a Dridex downloader. Automated analysis tools... show a variety of activities, including communications with the following IPs:
85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52*** and mysteriously drops another Dridex downloader with a detection rate of 6/57****. The Malwr report for that indicates there is some attempted traffic to nonexistent domains.
Recommended blocklist:
"
* https://www.virustot...sis/1423835743/

** https://www.virustot...sis/1423835772/

*** https://www.virustot...sis/1423836506/

**** https://www.virustot...sis/1423836488/
___

Fake 'PURCHASE ORDER' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
13 Feb 2015 - "'Alison Longworth PURCHASE ORDER (34663)' pretending to come from Alison Longworth <ALongworth@ usluk .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...ORDER-34663.png

13 February 2015 : 2600_001.doc - Current Virus total detections: 0/46*
... which downloads stroygp .ru/js/bin.exe which is a -dridex- banking trojan and has a virus total detection rate of 9/57**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1423834978/

** https://www.virustot...sis/1423836333/
... Behavioural information
TCP connections
37.139.47.105: https://www.virustot...05/information/
210.181.222.118: https://www.virustot...18/information/
86.104.134.156: https://www.virustot...56/information/
___

Something evil on 95.163.121.0/24
- http://blog.dynamoo....24-digital.html
13 Feb 2015 - "I've written about DINETHOSTING* aka Digital Network JSC many times before, and frankly their entire IP range is a sea of carp**, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirety of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.
* http://blog.dynamoo....el/DINETHOSTING
inetnum:        95.163.121.0 - 95.163.121.255
netname:        RU-CLOUDAVT-NET
descr:          LLC ABT Cloud Network
country:        RU ...
descr:          Digital Network JSC
descr:          Moscow, Russia ...
Just looking at blog posts, I can see badness occurring in the recent past... That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (IMHO) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution."
___

Fake Email 'Internet Fax' SPAM - trojan
- http://blog.mxlab.eu...ontains-trojan/
Feb 13, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”. This email is sent from the spoofed address “Fax job <no-replay@ fax-job .com>” and has the following body:
    Image data has been attached.

The attached file Docs.zip contains the 26 kB large file Docs.exe. The trojan is known as UDS:DangerousObject.Multi.Generic, TrojanDownloader:Win32/Upatre.AW, HEUR/QVM19.1.Malware.Gen or Win32.Trojan.Inject.Auto. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...93349/analysis/
___

Google International Lottery Spam
- http://threattrack.t...al-lottery-spam
12 Feb 2015 - "Subjects Seen:
GOOGLE int
Typical e-mail details:
    Congratulations on your victory in the international lottery GOOGLE INT and win in the amount of 10,000 euro.
    For winning fill out the form and send it to us investing in response.


Malicious File Name and MD5:
    form.exe (433DF3A8CD60E501EE0CB5B4849D82DC)


Screenshot: https://gs1.wac.edge...42TJ1r6pupn.png

Tagged: Google, Lottery, Upatre

- http://myonlinesecur...ke-pdf-malware/
12 Feb 2015
> https://www.virustot...sis/1423755189/
... Behavioural information
 

:ph34r:  <_<


Edited by AplusWebMaster, 13 February 2015 - 05:06 PM.



#1395 AplusWebMaster

Posted 16 February 2015 - 05:16 AM

FYI...

Fake 'invoice' SPAM - doc malware
- http://blog.dynamoo....-group-ltd.html
16 Feb 2015 - "This -fake- invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a -forgery- with a malicious attachment. Note that the taghire .co.uk domain simply shows "Under Construction".
    From:    Lawrence Fisher [l.fisher@ taghire .co .uk]
    Date:    16 February 2015 at 08:25
    Subject:    invoice
    Here is the invoice
    Kind Regards,
    Lawrence Fisher
    T.A.G. (The Automotive Group) Ltd.
    Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield...


So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal*. It contains an obfuscated Word macro which downloads an additional component from:
http ://laikah .de/js/bin.exe
Usually there are two or three versions of this document, but I have only seen one. If you look at the macro code itself, the download location is not encrypted in the code although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid analysis. This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57**. Automated reporting tools... show that this POSTS to 37.139.47.105. It appears that communication is attempted with the following IPs:
37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)
Also, according to the Malwr report***, a DLL is dropped with a detection rate of 3/57.
Recommended blocklist:
"
* https://www.virustot...sis/1424078591/

** https://www.virustot...sis/1424078636/

*** https://malwr.com/an...zUwOTQ3NjYwMDg/

- http://myonlinesecur...rd-doc-malware/
16 Feb 2015
Screenshot: http://myonlinesecur...tag-invoice.png
___

Fake 'order' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
16 Feb 2015 - "'L&A Plastic Order# 66990' pretending to come from Hannah <Hannah@ lapackaging .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...Order-66990.png

This email has exactly the same malware although different file/document name as today’s versions of Lawrence Fisher T.A.G. (The Automotive Group) Ltd invoice - Word doc malware* and downloads the same dridex banking Trojan** from the same locations***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...rd-doc-malware/

** https://www.virustot...sis/1424075902/

*** https://www.virustot...sis/1424078802/
... Behavioural information
TCP connections
37.139.47.105: https://www.virustot...05/information/
UDP communications
134.170.185.211: https://www.virustot...11/information/
___

Fake 'Copy of transaction' SPAM - xls malware
- http://blog.dynamoo....st-id91460.html
16 Feb 2015 - "This rather terse spam comes with a malicious attachment:
    From: Rosemary Gibbs
    Date:    16 February 2015 at 10:12
    Subject:    Re: Data request [ID:91460-2234721]
    Copy of transaction.


The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:
869B54732.xls
BE75129513.xls
C39189051.xls
None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro... It's quite apparent that this is ROT13 encoded which you can easily decrypt at rather than working through the macro... So, these macros are attempting to use Powershell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57* and automated analysis tools... show attempted communications with:
85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)
It also drops a DLL with a 4/57** detection rate which is the same malware seen in this attack***.
Recommended blocklist:
"
1] https://www.virustot...sis/1424087084/

2] https://www.virustot...sis/1424087089/

3] https://www.virustot...sis/1424087096/

* https://www.virustot...sis/1424087041/

** https://www.virustot...sis/1424088561/

*** http://blog.dynamoo....-group-ltd.html

- http://myonlinesecur...el-xls-malware/
16 Feb 2015
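The ROT13-encoded macro strings described in the 'Copy of transaction' write-up can be triaged without stepping through the macro: pull every quoted literal out of the VBA source, ROT13 each one, and flag the decoded forms that carry download-and-execute indicators. This is an added example, not dynamoo's code or the actual macro; the VBA fragment, the Decode() helper name and the URL example.invalid are constructed for illustration.

```python
"""Macro-string triage (added example, not the blog's or the sample's code):
extract quoted string literals from VBA source, ROT13-decode each, and flag
the ones whose plain or decoded form carries download/execute indicators.
The macro text below is constructed, not the sample from the post."""
import codecs
import re

# Substrings a defender looks for in macro strings, plain or decoded.
INDICATORS = ("powershell", "http://", "https://", ".exe", "%temp%", "wscript.shell")

# Constructed VBA fragment in the style the write-up describes: the interesting
# strings are stored ROT13-encoded and decoded at runtime by a helper (Decode()
# is a hypothetical name). The encoded forms are produced here so they are exact.
CONSTRUCTED_MACRO = '''
Sub AutoOpen()
    Dim c As String
    c = Decode("{0}")
    Set o = CreateObject(Decode("{1}"))
    o.Run Decode("{2}"), 0
End Sub
'''.format(
    codecs.encode("http://example.invalid/js/bin.exe", "rot_13"),
    codecs.encode("WScript.Shell", "rot_13"),
    codecs.encode("powershell.exe <placeholder arguments>", "rot_13"),
)

# VBA string literals: double-quoted, no embedded newline.
STRING_LITERAL = re.compile(r'"([^"\n]*)"')


def rot13(s: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.encode(s, "rot_13")


def extract_strings(vba: str) -> list:
    """All double-quoted literals in the macro source, in order."""
    return STRING_LITERAL.findall(vba)


def flag(vba: str) -> list:
    """Return (literal, readable_form, hits) for each literal whose plain or
    ROT13-decoded form contains an indicator; clean literals are skipped."""
    out = []
    for lit in extract_strings(vba):
        for candidate in (lit, rot13(lit)):      # check plain text first
            hits = [i for i in INDICATORS if i in candidate.lower()]
            if hits:
                out.append((lit, candidate, hits))
                break
    return out


if __name__ == "__main__":
    for enc, dec, hits in flag(CONSTRUCTED_MACRO):
        print(f"{enc!r} -> {dec!r}  [{', '.join(hits)}]")
```

The same loop extends to other trivial encodings seen in macro downloaders (reversed strings, Chr() concatenation) by adding a candidate transform beside rot13.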
___

Fake 'Order' SPAM - doc malware
- http://blog.dynamoo....rder-66990.html
16 Feb 2015 - "This -fake- financial spam does not come from LA Packaging, their systems are not compromised in any way. Instead, this is a simple -forgery- with a malicious attachment:
    From:    Hannah [Hannah@ lapackaging .com]
    Date:    16 February 2015 at 10:38
    Subject:    L&A Plastic Order# 66990
    For your records, please see attached L&A Order# 66990 and credit card receipt.
    It has shipped today via UPS Ground Tracking# 1Z92X9070369494933
    Best Regards,
    Hannah – Sales
    L&A Plastic Molding / LA Packaging
    714-694-0101 Tel - Ext. 110
    714-694-0400 Fax
    E-mail: Hannah@ LAPackaging .com


Attached is a malicious Word document 66990.doc - so far I have only seen one version of this, although there are usually several variants. This document contains a macro... an executable from:
http :// hoodoba.cba .pl/js/bin.exe = 95.211.144.65: https://www.virustot...65/information/
At present this has a detection rate of 6/57*. It is the same malware as seen in this spam run**."
* https://www.virustot...sis/1424089760/

** http://blog.dynamoo....-group-ltd.html

- http://myonlinesecur...rd-doc-malware/
16 Feb 2015
Screenshot: http://myonlinesecur...Order-66990.png
___

Money mule SCAM
- http://blog.dynamoo....saearnscom.html
16 Feb 2015 - "This spam email is attempting to recruit people to aid with money laundering ("money mules") and other illegal operations.
    Date:    16 February 2015 at 21:29
    Subject:    New offer
    Good day!
    We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
    Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
    and solutions to develop a distinctive brand value.
    We cooperate with different countries and currently we have many clients in the USA and the EU.
    Due to this fact, we need to increase the number of our destination representatives' regular staff.
    In their duties will be included the document and payment control of our clients.
    Part-time employment is currently important.
    We offer a wage from 3500 GBP per month.
    If you are interested in our offer, mail to us your answer on riley@ gbearn .com and
    we will send you an extensive information as soon as possible.
    Respectively submitted
    Personnel department


The reply-to address of gbearn .com has recently been registered by the -scammers- with false WHOIS details. There is also an equivalent domain usaearns .com for recruiting US victims. Although there is no website, both domains have a mail server at 93.188.167.170 (Hostinger, US) which also serves as one of the nameservers for these domains (ns1 .recognizettrauma .net). The other nameserver (ns2 .recognizettrauma .net) is on 75.132.186.90 (Charter Communications, US). Be in no doubt that the job being offered here is -illegal- and you should most definitely avoid it."
___

Banking Trojan Dyreza sends 30,000 malicious emails in one day
- http://net-security....ews.php?id=2964
16.02.2015 - "A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, warns Bitdefender*. 30,000 malicious emails were sent in just one day from spam servers in the UK, France, Turkey, US and Russia. The spam, which has been directed to customers of UK banks including NatWest, Barclays, RBS, HSBC, Lloyds Bank and Santander, carries links to HTML files which direct users to URLs pointing to highly obfuscated Javascript code. This automatically downloads a zip archive from a remote location... each downloaded archive is named differently to bypass antivirus solutions. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new. To take the con one step further, the same Javascript code -redirects- the user to the localized webpage of a fax service provider as soon as the archive is downloaded..."
* http://www.hotforsec...arns-11368.html
___

Banking malware VAWTRAK - malicious macro downloaders
> http://blog.trendmic...ows-powershell/
Feb 16, 2015
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 20 February 2015 - 09:22 AM.
