2072 replies to this topic

[AplusWebMaster]

FYI...

Airlines - infected ticket invoices...
Attachment contains same Trojan horse that stole 1.6M records from Monster.com last year
- http://preview.tinyurl.com/66ayhz
July 28, 2008 (Computerworld) - "Several airlines, including Delta Air Lines Inc. and Northwest Airlines Corp., have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. A researcher at McAfee Inc. confirmed the campaign in a post to the company's blog*. The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge..."
* http://www.avertlabs...m-takes-flight/

More...
- http://www.f-secure....s/00001477.html
July 30, 2008 - "... Today when we saw a large spam run sending out fake JetBlue etickets... The mail contains a ZIP file that contains the file eTicket#1721.exe which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself tries to steal usernames and passwords to online banks..."
(Screenshot available at the F-secure URL above.)

- http://www.us-cert.g...et_email_attack
July 31, 2008

Edited by AplusWebMaster, 05 August 2008 - 04:29 AM.

[AplusWebMaster]

FYI...

News update emails - CNN.com Daily Top 10
- http://isc.sans.org/...ml?storyid=4828
Last Updated: 2008-08-05 00:45:33 UTC - "If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!
Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming on line, see http://www.virustota...bf236533b03c945
[Result: 10/35 (28.57%)]
The domain "idoo .com" seems to be up to no good. Other involved domains are too numerous to list, but about 50 of them currently resolve to 200.46.83.233. That's in Panama."

[AplusWebMaster]

FYI...

Phishers play the Olympics
- http://blog.trendmic...y-the-olympics/
08.04.2008 - "Olympic tickets anyone? They are available in the Internet of course, but users beware: the bad guys are still working hard to steal from online users as the 2008 Beijing Olympic approaches... fake Beijing Olympics Web site supposedly selling tickets. The Los Angeles Times reports* that Olympics officials have already asked federal courts to shut down certain Web sites that pose as sellers of tickets but actually are stealing credit card numbers and other confidential information..."
* http://www.latimes.c...0,7568966.story

- http://securitylabs....lerts/3152.aspx
08.05.2008 - "Websense... has discovered a rogue Beijing Olympics ticket lottery Web site. The Web site uses the hostname beij***2008.cn, a clear typo-squat to the official Olympic Games Web site at http://www.beijing2008.cn/. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to lure users into dialling a toll number to retrieve an access code for an available ticket. The toll number is likely an additional revenue generator for the scammers as callers would then be charged a premium rate for making that phone call. Users who input the supplied access code are forwarded to a further Web page designed to collect personal information. They then have the incentive to enter credit card details, to pay a relatively small sum of RMB600 for the ticket (approximately 87 USD). This phishing Web site goes a step further than most phishing sites by employing a phone-call "verification" step. This higher level of interactivity and supposed verification garners more trust from unsuspecting users..."

(Screenshots available at the TrendMicro and Websense URLs above.)

[AplusWebMaster]

FYI...

FAKE Adobe Flash Player
- http://www.us-cert.g...be_flash_player
August 5, 2008 - "Adobe has issued a Security Bulletin* warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that a worm is making fraudulent posts on social networking sites. These posts include links that lead to fake sites that prompt users to update their versions of Flash Player. If users attempt to use the installer to make the update, malware may be downloaded and installed onto their systems..."
* http://blogs.adobe.c...installers.html
"...do -not- download Flash Player from a site other than adobe.com... If the download is from an unfamiliar URL or an IP address, you should be suspicious..."

Edited by AplusWebMaster, 05 August 2008 - 07:55 PM.

[AplusWebMaster]

More...

Compromised Web Servers Serving Fake Flash Players
- http://ddanchev.blog...rving-fake.html
August 05, 2008 - "...This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it... As far as the owner's are concerned, it appears that some of them are already seeing the malware page popping-up on the top of their daily traffic stats, and have taken measures to remove it... The structure of the malware campaign is pretty static, with several exceptions where they also take advange of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts shich serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running... (the list is way too long to post here - see ddanchev.blogspot URL above.)...
Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4

The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider...
Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8

The bottom line - over a thousand domains are participating, with many other apparently joining the party proportionally with the web site owner's actions to get rid of the malware campaign hosted on their servers."

---

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0

Edited by AplusWebMaster, 07 August 2008 - 11:48 AM.
Added link to current Adobe Flash Player...

[AplusWebMaster]

FYI...

Bogus CNN Custom Alerts
- http://securitylabs....lerts/3154.aspx
08.08.2008 - " Websense... has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec. Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file)... The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics. The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe... Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Fake IE 7 update SPAM...
- http://isc.sans.org/...ml?storyid=4852
Last Updated: 2008-08-10 09:56:42 UTC - "A number of readers have alerted us to a round of IE7 update spam being sent out. The e-mails read:

"You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice."

Well, true enough Microsoft will not be responsible as its not from them! (Shock / Horror). For the sample we received, VT has good coverage:
- http://www.virustota...1a8542a90401b6f ..."

[AplusWebMaster]

FYI...

IM: Instant Malware... Yahoo! Messenger fraud
- http://blog.trendmic...nstant-malware/
08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previosuly mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
* mirc.ini - detected by Trend Micro as Mal_Zap
* csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
* sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
For targeted victims which do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

Bogus IE7 and MSRT - SPAM
- http://blog.trendmic...cious-software/
August 12, 2008 - "Spam claiming to be from Microsoft and offering download links to Internet Explorer 7.0 and Windows Malicious Software Removal Tool appear in the wild... To buy themselves some credibility, spammers added what seems to be a disclaimer from MSN Featured Offers, which is a newsletter service by MSN, where users subscribe to “offers” from a number of categories. MSN then sends certain discounts and offers to the subscribers depending on the category they have chosen. Upon clicking the links, malicious files are downloaded onto the user’s system. Trend Micro detects the downloaded files as TROJ_RENO.ADX and TROJ_MONDER.HM..."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

Bogus CNN/MSNBC news...
- http://securitylabs....lerts/3159.aspx
08.13.2008 - "Websense.... has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec... Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the different popular events and news articles, which also encouraged users to download a video codec, which was actually a malicious file. (The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.)
Here are a few examples of the varied subjects we have seen in this campaign:
msnbc.com - BREAKING NEWS: Michael Phelps wins 10th career gold, making him the winningest Olympian in history
msnbc.com - BREAKING NEWS: China beats out U.S. for gold in women's team gymnastics
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak ..."
(Screenshot available at the Websense URL above.)

- http://www.f-secure....s/00001485.html
August 13, 2008 - "...Apparently people stopped clicking on -fake- CNN links as today the attackers switched the mails to look like they are now coming from MSNBC..."

CNN and MSNBC Olympic spoof emails - 5 million spam messages per hour
- http://securitylabs....Blogs/3160.aspx
08.14.2008

Edited by AplusWebMaster, 15 August 2008 - 02:59 AM.
Added F-secure and 2nd Websense link...

[AplusWebMaster]

FYI...

Fake AV Trojans Ramping Up
- http://blog.trendmic...ans-ramping-up/
August 14, 2008 - "...new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites. Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the downloading of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX, a rogue antivirus that displays very convincing (and for some, alarming) messages... TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display BSOD). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it. Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months... Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users though, as their latest versions of “antivirus software” are actually adding more threats to their system..."

(Screenshots available at the URL above.)

Edited by AplusWebMaster, 15 August 2008 - 03:17 AM.

[AplusWebMaster]

FYI...

- http://isc.sans.org/...ml?storyid=4913
Last Updated: 2008-08-17 21:43:58 UTC - "The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach. The subject of the message is still: BREAKING NEWS. Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.co.../stormspam.html .
Like the others, this first stage is a downloader, still reaching out to 66.199.240.138* to get the rest of the goodies. Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe..."

* http://centralops.ne...ainDossier.aspx
canonical name: 66-199-240-138.reverse.ezzi.net.
Registrant: EZZI.net
A Service of AccessIT
75 Broad Street
Suite 1902
New York, NY 10004 US
Domain Name: EZZI.NET

[AplusWebMaster]

FYI...

Fake FedEx emails
- http://securitylabs....lerts/3161.aspx
08.18.2008 - "...The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader. This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector..."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

Facebook - Viral SPAM
- http://securitylabs....Blogs/3162.aspx
08.18.2008 - "... We've had to create numerous tools and methods to detect these types of attacks because most Web 2.0 social networking sites are difficult to track due to limited public access to most accounts. Most social networking accounts can only be viewed if the account holder explicitly accepts or requests another account to be added as a "friend". A generic Web crawler and even a search engine Web crawler would not be able to mine the pages on a social networking site due to lack of permission... attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now... A very enticing email was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails is tremendously high. The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam... this particular attack has been going on for over six months. The phishing URL... was registered in July 2008, but several domains have been used in this ongoing attack. It's nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials. Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world. As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
References:
http://pi3141.wordpr...ishing-warning/
http://www.matthewbi...cebook-forgery/
http://thenextweb.or...ack-from-china/ "

(Screenshots available at the Websense URL above.)

[AplusWebMaster]

FYI... (Screenshot available at the URL below.)

Photobucket phish...
- http://blog.trendmic...t-gets-phished/
August 19, 2008 - "Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos. Lots of people may like to keep their albums private, allowing password-protected guest access, or open them up to the public. And now this photo-sharing site is being attacked by phishers... The login page above looks exactly like the original site that lures the users to enter their user name and password. Once victims enter their credentials, phishers can use them to obtain full access to their Photobucket account, and may use their albums to insert malicious code... popular image hosting sites have become the targets of several different attacks:

Turkish Hackers Relive Memories in Photobucket
- http://blog.trendmic...-in-photobucket
06.25.2008

Two New Yahoo Phish Sites
- http://blog.trendmic...hoo-phish-sites ..."
07.31.2008