Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92810 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
2072 replies to this topic

#1126 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 February 2014 - 05:05 AM

FYI...

GameOver Zeus now using Encryption to bypass detection
- http://threatpost.co...etection/104019
Feb 3, 2014 - "Cybercriminals have begun to tweak the way the GameOver Zeus Trojan is being delivered to users’ machines, making it easier for the banking malware to evade detection and steal victims’ credentials. To get the job done the malware has been working in tandem with the malware Upatre. For about a week now criminals have been changing the .exe files Upatre downloads to non-executable .enc files. According to a computer forensics expert, this is how the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, Web filters and other security defenses. Gary Warner, a director of research in computer forensics at the University of Alabama at Birmingham posted* about the trick and included a handful of spam email examples on his Cybercrime & Doing Time blog yesterday... Warner noticed the trend when a colleague, Brendan Griffin, a malware analyst at the firm Malcovery sent along a series of -spam- messages, some purporting to come from the Better Business Bureau, Skype and the IRS, among other agencies, spreading the malware..."
* http://garwarner.blo...ryption-to.html

- https://www.virustot...2fee8/analysis/
File name: vti-rescan
Detection ratio: 0/50
Analysis date: 2014-02-05

- https://slashdot.org...ie-from-a-user/
Feb 4, 2014 - "... The newest version of the GameOver Zeus variant slipped through -50- anti-virus filters at online anti-virus service VirusTotal by encrypting its malicious payload and changing the name to make it look inert, according to security researcher Gary Warner at Malcovery, who blogged about it Feb. 2. “Why? Well, because technically, it isn’t malware. It doesn’t actually execute!” Warner wrote*. “All Windows EXE files start with the bytes “MZ”. These files start with “ZZP”. They aren’t executable, so how could they be malware? Except they are.” Rather than launching its own malicious payload, the attachment downloads an encrypted file ending in .enc, then decrypts it, renames it and stores the new payload somewhere else on the infected machine – as an executable scheduled to launch sometime later. It was easier when botnets used IRC to control malware-infected zombies, but the state of the art is now to use TCP and HTTP, which helps botnets hide their tracks among gigabytes of legitimate HTTP traffic..."

- http://www.fortiguar...usanalysis.html
___

Email malware at 5-year high - Jan 2014
- http://blogs.apprive...nuary-in-Review
Feb 3, 2014 - "... a few metrics that we saw in January:
> http://blogs.apprive...resized-600.jpg
Though traffic was close to normal, the four day -spike- from the 7th-10th was enough to push this month’s total virus message count to the highest monthly total since Q3 of 2008. (269,108,311 virus-laden messages were quarantined in January 2014.) The traffic on Jan.7th-10th was roughly -40- times the daily average, which is typically about 2+million emails containing a virus attachment..."
 

:ph34r: :ph34r:  :(


Edited by AplusWebMaster, 05 February 2014 - 04:02 PM.

  • jorgeub4 likes this

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

    Advertisements

Register to Remove


#1127 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 February 2014 - 04:35 AM

FYI...

Fake Barclays transaction SPAM
- http://blog.dynamoo....ation-spam.html
5 Feb 2014 - "This -fake- Barclays spam comes with a malicious payload:
    Date:      Wed, 5 Feb 2014 03:02:52 -0500 [03:02:52 EST]
    From:      Barclays Bank [support@ barclays .net]
    Subject:      Barclays transaction notification #002601
    Transaction is completed. £9685 has been successfully transfered.
    If the transaction was made by mistake please contact our customer service.
    Receipt of payment is attached.
    Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.


Attached is a file Payment receipt Barclays PA77392733.zip which is turn contains a malicious executable Payment receipt Barclays PA77392733.exe with a surprisingly poor VirusTotal detection rate of just 1/51* (only Sophos detects it). Automated analysis tools are pretty inconclusive about the payload... with only the Malwr report** having any real detail."
* https://www.virustot...sis/1391591290/

** https://malwr.com/an...jdkMGRlOTc5ODI/
___

Hacked Within Minutes: Sochi Visitors Face Internet Minefield
- http://www.nbcnews.c...ld-137647171983
Feb 4, 2014 - "... they should have “no expectation of privacy,” even in their hotel rooms."
___

Fake  "LloydsLink reference" SPAM - malicious attachment
- http://blog.dynamoo....comes-with.html
5 Feb 2014 - "This -fake- Lloyds TSB spam comes with a malicous payload:
    Date:      Wed, 5 Feb 2014 20:38:29 +0100 [14:38:29 EST]
    From:      GRP Lloydslink Tech [GRPLloydslinkTech@ LLOYDSBANKING .COM]
    Subject:      LloydsLink reference: 8255820 follow up email and actions to be taken
    Lloyds TSB    
        Help
    (New users may need to verify their email address)
    If you do not see or cannot click / tap the Download attachment button:
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    Mobile Users:
     Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
    Email Security Powered by Voltage IBE™
    Copyright 2002-2014 Voltage Security, Inc. All rights reserved.
    Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500
    Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000.  Telephone: 08457 21 31 41 ...


Screenshot: https://lh3.ggpht.co.../lloyds-tsb.png

The attachment is SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has an icon that looks like Internet Explorer. Despire the .scr suffix, this file is a plain old .exe file and will execute if you double-click it (-don't!-). VirusTotal detections are 11/51*, and automated analysis... show an attempted download from [donotclick]asianfarm .org/images/pdf.enc and [donotclick]ideasempurna .com .my/wp-content/uploads/2014/02/pdf.enc with the following IPs being involved:
108.90.186.161 (AT&T, US)
111.90.133.246 (Piradius Net, Malaysia)
121.117.209.51 (NTT, Japan)
124.217.241.34 (Piradius Net, Malaysia)
174.103.25.199 (Time Warner Cable, US)
The .enc file is an encoded executable, explained in detail here**. I haven't tried to decode it but obviously that too will be malicious."
Recommended blocklist:
asianfarm .org
ideasempurna .com .my
108.90.186.161
111.90.133.246
121.117.209.51
124.217.241.34
174.103.25.199
"
* https://www.virustot...sis/1391616188/

** http://blog.crysys.h...enc-encryption/
___

Malware uses ZWS compression for evasion tactic
- http://blog.trendmic...evasion-tactic/
Feb 5, 2013 - "... We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions. This malware, detected as TROJ_SHELLCOD.A, is an exploit that targets an Adobe Flash Player vulnerability (CVE-2013-5331). The malware is a document file with an embedded Flash file, which has been compressed using ZWS. Released in 2011, ZWS uses the Lempel-Ziv-Markove Algorithm (LZMA) to compress data with no data loss... Typically, malware is often downloaded and executed, which means a physical copy of the malware is dropped in the infected machine. This allows security solutions to detect the malware. However, this particular malware allots memory using VirtualAlloc and executes it, acting like a backdoor. Doing so makes it harder to trace the routines of the malware as there is no physically dropped file; instead the payload is copied directly into memory. This is the reason why this malware is able to evade most security solutions, even those that support ZWS compression. We urge users to regularly install security updates as soon as they are made available. These patches can mean the difference between protection and infection. For example, the vulnerability used in this attack was patched by Adobe in December 2013..."
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 05 February 2014 - 09:22 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1128 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 February 2014 - 07:25 AM

FYI...

Fake HMRC "VAT Return" SPAM
- http://blog.dynamoo....eturn-spam.html
6 Feb 2014 - "This -fake- HMRC spam comes with a malicious attachment:
    Date:      Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
    From:      "noreply@ hmrc .gov .uk" [noreply@ hmrc .gov .uk]
    Subject:      Successful Receipt of Online Submission for Reference 3608005
    Thank you for sending your VAT Return online. The submission for reference 3608005 was
    successfully received on Thu, 6 Feb 2014 20:32:34 +0100  and is being processed. Make VAT
    Returns is just one of the many online services we offer that can save you time and
    paperwork.
    For the latest information on your VAT Return please open attached report.
    The original of this email was scanned for viruses by the Government Secure Intranet
    virus scanning service supplied by Cable&Wireless Worldwide in partnership with
    MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
    certified virus free...


... this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50*. Automated analysis tools... show an encrypted file** being downloaded from:
[donotclick]wahidexpress .com/scripts/ie.enc[donotclick]bsitacademy.com/img/events/ie.enc
Recommended blocklist:
182.18.188.191
wahidexpress .com
bsitacademy .com

* https://www.virustot...sis/1391686048/

** http://blog.crysys.h...enc-encryption/

Update: A -second- version of the email is circulating with the following body text:
    The submission for reference 485/GB1392709 was successfully received and was not
    processed.
    Check attached copy for more information.
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.

___

Fake "TNT UK Limited " SPAM - zero detections
- http://blog.dynamoo....-with-zero.html
6 Feb 2014 - This -fake- TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.
    Date:      Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
    From:      TNT COURIER SERVICE [tracking@ tnt .co .uk]
    Subject:      TNT UK Limited - Package tracking 798950432737
    Your package have been picked up and is ready for dispatch.
    Connote #    :    798950432737
    Service Type    :    Export Non Documents - Intl
    Shipped on    :    05 Feb 14 00:00
    Order No            :    2819122
    Status            :       Driver's Return Description      :       Wrong Address
    Service Options: You are required to select a service option below.
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 798950432737
    The options, together with their associated conditions...


Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41*. Despite the zero detection rate, there is plenty of badness going on... including downloads of an encrypted file from the following locations:
[donotclick]newz24x .com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme .com/images/banners/pdf.enc
The Malwr report** indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x .com is hosted. Take care with these if you are thinking about blocking them.
Recommended blocklist:
182.18.151.160
newz24x .com
oilwellme .com
"
* https://www.virustot...sis/1391684255/

** https://malwr.com/an...WUxZGU3YTljNDk/
___

Visa/MasterCard Important Notification Spam
- http://threattrack.t...tification-spam
Feb 6, 2014 - "Subjects Seen:
    ATTN: Important  notification for a Visa / MasterCard holder!
Typical e-mail details:
    Dear <email name>, Your Bank debit card has been temporarily blocked
    We’ve detected unusual activity on your Bank debit card . Your debit card has been temporarily blocked, please fill document in attachment and contact us


Malicious File Name and MD5:
  <email name>_Account_Report_7552804B13.zip (F08171CEF69EFD04CFC0F525ABD862FD)
PDF_Account_Details_User_543857394652798346597456987235986498756234798573280945-4353452345-32453245324532-45.pdf.exe (A1E61D4628E8381F47CE2E8424410A39


Screenshot: https://31.media.tum...l4t81r6pupn.png

Tagged: Visa, MasterCard, Tepfer
___

Swedish newssite compromised - Fake AV
- http://bartblaze.blo...ompromised.html
Feb 6, 2014 - "... a Swedish and well-visited newssite, AftonBladet (http ://www .aftonbladet .se), was -compromised- and serving visitors a fake antivirus or rogueware. There are two possibilities as to the cause:
- A (rotating) ad where malicious Javascript was injected
- AftonBladet itself had malicious Javascript injected
Whoever the cause, the injected script may have been as simple as:
document.write('< script src=http ://http ://www .aftonbladet .se/article/mal.php'); When trying to reproduce, it appeared it already was cleaned up, fast actions there...
File:  svc-ddrs.exe
Image icon: https://lh3.ggpht.co...6Ok/s1600/1.png
Size:    1084416 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     be886eb66cc39b0bbf3b237b476633a5
SHA1:    36c3671f37f414ad6e0954e094a1a7bd0dcc34fc
ssdeep: 24576:M2xJbbGmTvmN9BfQ0lc4Bt4Xsk2QkibF5BOWe8JH0:M6bb3MQ0lc434n2Qhh5kWe8JU
Date:    0x52F1C3E1 [Wed Feb  5 04:53:53 2014 UTC]
EP:      0x5a8090 UPX1 1/3 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x10eeb0 [SUSPICIOUS]
Packers: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
VirusTotal: https://www.virustot...d2dd0/analysis/
Anubis: http://anubis.isecla...ae2&format=html
When executing the sample: Windows Efficiency Master:
> https://lh3.ggpht.co...600/fakeav2.PNG
Fake scanning results:
> https://lh3.ggpht.co...1600/FakeAV.PNG
Besides dropping the usual EXE file in the %appdata% folder, it also drops a data.sec file with predefined scanning results (all fake obviously). Here's a pastebin with the contents of data.sec: http://pastebin.com/DCtDWEbi
It also performs the usual actions:
- Usual blocking of EXE and other files
- Usual  blocking of browser like Internet Explorer
- Callback to 93.115.86.197 C&C
- Stops several antivirus services and prevents them from running
- Reboots initially to stop certain logging and monitoring tools
- Uses mshta.exe (which executes HTML application files) for the usual payment screen
- Packed with UPX, so fairly easy to unpack
- Connects to http ://checkip .dyndns .org/ to determine -your- IP
This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same... an excellent post on this family, which you can read here:
> http://blog.0x3a.com...ly-their-active
Prevention: In this case, no exploit -nor Java/Adobe, nor browser- was used. Only Javascript was injected. Install an antivirus and antimalware product and keep it up-to-date & running. Use NoScript in Firefox or NotScripts in Chrome. -Block- the above IP...
Disinfection: Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware. If you are having issues doing this, reboot your machine in Safe Mode and remove the malware..."
___

Payroll Report Spam
- http://threattrack.t...oll-report-spam
Feb 5, 2014 - "Subjects Seen:
    Jan Report
Typical e-mail details:
    Hello ,
    Please find attached reports for this year for checking.
    Please could you sign the BACs form and return it as your approval that I am to go ahead with the transmission.
    Kind regards
    Wilton
    Payroll Manager


Malicious File Name and MD5:
    January.zip (F261B2109FD733559191CCCB7DEC79F8)
    January.scr (811AD8F76AD489BAF15DB72306BD9F34)


Screenshot: https://31.media.tum...xUm21r6pupn.png

Tagged: Payroll, Upatre
___

Fake "Payment Fund" SPAM - Wire.Transfer.rar attachment
- http://blog.dynamoo....ransferrar.html
5 Feb 2014 - "It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts..
    From:     Alison George allison.george@ transferduc .nl
    Date:     5 February 2014 22:41
    Subject:     Payment Fund
    ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
    to your bank confirmed by the FedWire.
    Transaction ID: 99076900
    Date: 2/3/2014
    Transfer Origination: Fedline
    Please review the attached copy of transaction report,
    Federal Reserve Financial Services
    Creating Nationwide Solutions for Your Payment Needs
    20th Street and Constitution Avenue N.W.
    Washington, D.C. 20551


Attached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind. The VirusTotal detection rate is 7/50* but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason -not- showing in their database right now) has the following details:
Submission Summary:
    Submission details:
        Submission received: 5 February 2014, 04:39:38 PM
        Processing time: 6 min 0 sec
        Submitted sample:
            File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
            Filesize: 248,320 bytes
    Summary of the findings:
What's been found     Severity Level
Creates a startup registry entry.     
Technical Details:
    Memory Modifications
    There was a new process created in the system:
Process Name     Process Filename     Main Module Size
server.exe     %Temp%\server.exe     57,344 bytes
    Registry Modifications
    The newly created Registry Values are:
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
        so that %Temp%\server.exe runs every time Windows starts
        [HKEY_CURRENT_USER\Environment]
            SEE_MASK_NOZONECHECKS = "1"
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
            5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
            babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
        so that %Temp%\server.exe runs every time Windows starts
    Other details
    To mark the presence in the system, the following Mutex object was created:
        babe8364d0b44de2ea6e4bcccd70281e "
* https://www.virustot...sis/1391640427/
 

:ph34r:  :ph34r:  <_<


Edited by AplusWebMaster, 06 February 2014 - 06:40 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1129 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 February 2014 - 06:24 AM

FYI...

Something evil on 69.64.39.166
- http://blog.dynamoo....-696439166.html
7 Feb 2014 - "69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta*) according to URLquery reports such as this one**. The code is being -injected- into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious..."
(Long list of URLs at the dynamoo URL above.)
* http://blog.0x3a.com...ng-msie-exploit

** http://urlquery.net/....php?id=9258190

- https://www.virustot...66/information/
___

Fake rbs .co .uk "Important Docs" SPAM
- http://blog.dynamoo....-docs-spam.html
7 Feb 2014 - "This -fake- spam claiming to be from the Royal Bank of Scotland has a malicious attachment:
    Date:      Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
    From:      Doris Clay [Doris@ rbs .co .uk]
    Subject:      Important Docs
    Account report.
    Tel:  01322 589422
    Fax: 01322 296116
    email: Doris@rbs .co .uk
    This information is classified as Confidential unless otherwise stated.
    CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
    confidential and are intended solely for the use of the person or entity to whom the
    message was addressed. If you are not the intended recipient of this message, please be
    advised that any dissemination, distribution, or use of the contents of this message is
    strictly prohibited. If you received this message in error, please notify the sender.
    Please also permanently delete all copies of the original message and any attached
    documentation. Thank you.


Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50*. Automated analysis tools... show a downlad of en encrypted file from the following locations:
[donotclick]professionalonlineediting .com/theme/cc/images/07UKex.enc
[donotclick]mararu .ro/Media/07UKex.enc
Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.
Recommended blocklist:
204.93.165.33
50.31.147.54
professionalonlineediting .com
mararu .ro
"
* https://www.virustot...sis/1391768230/

- http://threattrack.t...0/rbs-bank-spam
Feb 7, 2014 - "Subjects Seen:
    Important Docs
Typical e-mail details:
    Account report.
    Tel:  01322 052736
    Fax: 01322 513203
    email: Trenton@ rbs .co .uk
    This information is classified as Confidential unless otherwise stated.


Malicious File Name and MD5:
    AccountReport.zip (0D143292B014E22DEE91930C488CBCE0)
    AccountReport.scr (61DF278485C8012E5B2D86F825E12D0D)


Screenshot: https://gs1.wac.edge...Yk421r6pupn.png

Tagged: RBS, Upatre
___

Fake Authorization SPAM
- http://blog.dynamoo....tely-owned.html
7 Feb 2014 - "We've seen this particular type of malware-laden spam before..
    Date:      Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
    From:      Callie Figueroa [Callie@ victimdomain]
    Subject:      Annual Form - Authorization to Use Privately Owned Vehicle on State Business
    All employees need to have on file this form STD 261 (attached).  The original is
    retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
    The form can be used for multiple years, however it needs to re-signed annually by
    employee and supervisor.
    Please confirm all employees that may travel using their private car on state business
    (including training) has a current STD 261 on file. Not having a current copy of this
    form on file in Accounting may delay a travel reimbursement claim.


The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51*. Anubis reports** an attempted connection to faneema .com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.
* https://www.virustot...sis/1391770188/

** http://anubis.isecla...92b&format=html
 

:ph34r: <_<


Edited by AplusWebMaster, 09 February 2014 - 08:18 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1130 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 10 February 2014 - 06:52 AM

FYI...

Evil .pw domains on 31.41.221.131 to 31.41.221.135
- http://blog.dynamoo....1221131-to.html
10 Feb 2014 - "Thanks to Malekal for the heads up*, the current batch of evil .pw domains that have been distributing malware appear to have shifted to the following IP addresses:
31.41.221.131
31.41.221.132
31.41.221.133
31.41.221.134
31.41.221.135

These IP addresses belong to Besthosting in Ukraine. A typical payload of one of these malicious sites looks like this URLquery report**.
The evil .pw domains in use all use a subdomain of one of the following:
(Long list at the dynamoo URL above)
I would recommend blocking those domains and the above-listed IPs (or alternatively 31.41.221.128/29 or 31.41.221.128/25). A full list of all the subdomains I can find is here [pastebin]***"
* https://twitter.com/...804655374938112

** http://urlquery.net/....php?id=9308286

*** http://pastebin.com/xSHmpKQR
___

81.4.106.132 / oochooch .com / 10qnbkh .xip .io
- http://blog.dynamoo....qnbkhxipio.html
10 Feb 2014 - "... don't like the look of this [urlquery*], seems to be the payload site for some sort of injection attack. Might be worth blocklisting 81.4.106.132 **...
> https://lh3.ggpht.co...00/oochooch.png "

* http://urlquery.net/...14-02-10&max=50

** https://www.virustot...32/information/
___

Malicious Android apps hit 10 million ...
- http://www.theinquir...10-million-mark
Feb 10, 2014 - "THE ANDROID OPERATING SYSTEM (OS) has over 10 million malicious apps, security firm Kaspersky has warned in its latest report. In the Kaspersky Security Bulletin 2013, researchers said that by late January 2014 they had found 200,000 unique samples of mobile malware at the Google Play store and other sources, which get re-used and re-packaged to look like different apps... (cybercriminals used 10,604,273 unique hosts)... Kaspersky said in its report*... in most cases, malware targets the user's financial information**..."
* https://www.secureli...ics_for_2013#09

** https://www.secureli...ics_for_2013#02

Corporate Threats: Target organizations
- https://www.secureli...rate_threats#01
 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngdry.png.pagespeed.ce.iCXmiFQmCf.png


Edited by AplusWebMaster, 10 February 2014 - 01:02 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1131 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 February 2014 - 10:38 AM

FYI...

TrendMicro 2013 report
- http://blog.trendmic...curity-roundup/
Feb 11, 2014 - "... We saw almost a -million- new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:
Volume of new banking malware
> http://blog.trendmic...013roundup1.jpg
Two countries – the United States and Brazil – accounted for half of all banking malware victims:
Countries most affected by banking malware
> http://blog.trendmic...013roundup2.jpg
... CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years. The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator... was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers... other exploit kits have emerged into the threat landscape since then...
Types of mobile malware threats
> http://blog.trendmic...013roundup4.jpg
... Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on -all- social media platforms have become so common, it may almost be considered “business as usual”..."
___

NatWest Bank Credit Card Spam
- http://threattrack.t...redit-card-spam
Feb 11, 2014 - "Subjects Seen:
    Cards OnLine E-Statement E-Mail Notification
Typical e-mail details:
    Dear Customer
    Your February 11, 2014 E-Statement for account number xxxxxxxxxxxx9496 from Cards OnLine is now available.
    For more information please check attached copy
    Thank you
    Cards OnLine


Malicious File Name and MD5:
    E-Statement.zip (3B17E8E5BADF9ADB41974C2DDED1464E)
    E-Statement.exe (20E7520948EE772E192127374569B219)


Screenshot: https://gs1.wac.edge...Cyrt1r6pupn.png

Tagged: NatWest, Upatre
___

'Incoming Fax Report' - Malware Email
- http://www.hoax-slay...are-email.shtml
Feb 11, 2014 - "Email purporting to be a notification about an incoming payroll related fax claims that users can click a link to read the file online... The link in the email opens a compromised website that harbours malware. If downloaded and installed, this malware may steal information from the infected computer, make connections with remote servers operated by criminals and download further malware components. If you receive one of these fake fax emails do not click any links or open any attachments that it contains.
Example:
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 10/02/2014 05:13:13 EST
Speed: 25903 bps
Connection time: 04:08
Pages: 7
Resolution: Normal
Remote ID: 8102702342
Line number: 4
DTMF/DID:
Description: Payroll
Click here to view the file online
*********************************************************


... Those who go ahead and click the link in the hope of viewing the supposed fax file will be taken to a website that displays a 'please wait' message. The compromised site may attempt to load malicious scripts, which then redirect to a malware page. The exact configuration and payload of the malware sites may vary. Typically, however, malware downloaded from such sites may perform one or more nefarious tasks. It may harvest information from the infected computer and send it to cybercriminals. It may allow criminals to control the computer remotely and join it to a botnet. It may download and install even more malware that can perform various other functions... The criminals bank on the fact that at least a few customers of such services may click on the link without due caution. And, even people that have never used such a service may be panicked into clicking the link in the mistaken belief that their bank account has been compromised or payments have been made in their names..."
 

xph34r.png.pagespeed.ic.GOH20nhrx_.png  xsad.png.pagespeed.ic.5zxzyGiJz0.png


Edited by AplusWebMaster, 11 February 2014 - 09:32 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1132 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 12 February 2014 - 01:59 PM

FYI...

Fake FedEx SPAM
- http://blog.dynamoo....fedex-spam.html
12 Feb 2014 - "This -fake- FedEx spam leads to malware:
    Date:      Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
    From:      FedEx [yama@ rickyz .jp]
    Subject:      Track shipments/FedEx 7487214609167750150131 results: Delivered
    Track shipments/FedEx Office orders summary results:
    Tracking number        Status              Date/Time
    7487214609167750150131  Delivered           Feb 11, 2014  11:20 AM     
    Track shipments/FedEx Office orders detailed results:
    Tracking number       7487214609167750150131
    Reference             304562545939440100902500000000
    Ship date             Feb 03, 2014
    Ship From           NEW YORK, NY
    Delivery date         Feb 11, 2014 11:20 AM
    Service type          FedEx SmartPost
    Tracking results as of Feb 11, 2014 3:37 PM CST
    Click Here and get Travel History ...


Screenshot: https://lh3.ggpht.co...1600/fedex2.png

In this case, the link in the email goes to [donotclick]pceninternet .net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip. In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49*, but automated analysis tools are inconclusive as to its payload..."
* https://www.virustot...sis/1392219267/
___

Malware (Neutrino EK?) sites to block
- http://blog.dynamoo....lock-12214.html
12 Feb 2014 - "The following IPs and domains appear to be in use for spreading exploit kits via injection attacks - 108.178.7.118 (Singlehop, US) [1] [2] and 212.83.164.87 (Online SAS, France) [3] [4]. The payload isn't clear, but some of the URLquery reports indicate Neutrino*. In the case I saw, the victim was directed to the EK from a compromised site at greetingstext .com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie. I would recommend that you block these following IPs and domains as a precaution:
108.178.7.118
212.83.164.87
jakiewebs .com
sheethoo .com
chaefooh .com
goldnclouds .com
nofledno .com
zeuriele .com
wqywdo .xip .io
glindeb.com
"
1) https://www.virustot...18/information/

2) http://urlquery.net/...14-02-12&max=50

3) https://www.virustot...87/information/

4) http://urlquery.net/...14-02-12&max=50

* http://urlquery.net/....php?id=9410080
___

In the wild: Phony SSL certificates impersonating Google, Facebook, and iTunes
- http://arstechnica.c...ook-and-itunes/
Feb 12, 2014 - "Researchers have found dozens of fake certificates impersonating the secure sections of online banks, e-commerce sites, and social networks. Google, Facebook, iTunes, and even a POP e-mail server belonging to GoDaddy are a small sample of the services affected by the fraudulent credentials, which in some cases can allow attackers to read and modify encrypted traffic passing between end users and protected servers.
> http://cdn.arstechni...2/facebook1.png
The secure sockets layer (SSL) certificates don't pose much of a threat to people using a popular Web browser to visit spoofed websites, because the credentials aren't digitally signed by a trusted certificate authority, researchers from Netcraft wrote in a blog post published Wednesday*. They went on to say that people accessing sensitive websites with smartphone apps or other non-browser software may -not- be so lucky... Many of the fake SSL certificates discovered by Netcraft were created with malicious intentions. A wildcard certificate for *.google.com suggests an attempt to spoof a variety of Google services. The fake certificate was served by a machine in Romania hosting other sites with .ro and .com domains. The phony credential claims to have been issued by America Online Root Certification Authority 42. The name closely mimics a legitimate trusted root certificate that is installed in all browsers, although it's not enough to trick them. Other fraudulent credentials masqueraded as certificates for Facebook, iTunes, and a payment service and bank located in Russia. Yet another bogus certificate covered pop.where.secureserver.net, a server address belonging to GoDaddy's POP e-mail service...  given the large number of e-mail clients, smartphone apps, and other non-browser programs available, it's not a stretch to think the certificates discovered by Netcraft are fooling some people right now. You should carefully consider the source of any app that connects to an SSL-protected server before installing it, and you should -never- click through pop-up windows that warn of self-signed certificates."
* http://news.netcraft...e-internet.html

- http://www.theregist...ssl_cert_peril/
14 Feb 2014
 

xph34r.png.pagespeed.ic.GOH20nhrx_.png  dry.png.pagespeed.ce.iCXmiFQmCf.png


Edited by AplusWebMaster, 14 February 2014 - 08:03 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1133 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 13 February 2014 - 05:21 AM

FYI...

Fake MS 'Reactivate Your Email Account' Phish
- http://www.hoax-slay...hing-scam.shtml
Feb 13, 2014 - "Email purporting to be from Microsoft claims that recipients must click a link to complete a 'one time automatic verification' in order to avoid having their email account suspended. The email is not from Microsoft. It is a crude phishing scam designed to trick recipients into giving their email address and password to online criminals. The criminals will use the stolen data to hijack the compromised email accounts and use them to send further spam and scam messages in the names of their victims. Example:
Subject: REACTIVATE YOUR EMAIL ACCOUNT!!!
Attention;
In compliance with the email upgrade instructions from
Microsoft Corporation and WWW email domain host, all unverified email accounts would be suspended for verification.
To avoid suspension of your email account and also to retain all email Contents, please perform one time automatic verification by completing the online verification form.
Please CLICK HERE
for the online verification form.
As a confirmation of complete and successful verification, you shall be automatically be redirected to your email web page.
Please move this message to your inbox, if found in bulk folder. Please do this for all your email accounts.
Thank you.
WWW. mail Support Team.
© 2014 Microsoft Corporation.


Screenshot: http://www.hoax-slay...scam-2014-1.jpg

According to this email, which purports to be from Microsoft, the recipient must complete a verification of his or her email account by clicking a link in the message. The message warns that all unverified email accounts will face suspension and the loss of all 'email contents' in the accounts... the email is -not- from Microsoft. It is a phishing scam designed to trick recipients into giving their email address and password to Internet criminals. Clicking the link in the fake email takes users to an equally fake site that asks for their email address, email password and date of birth. After supplying this information, users are automatically redirected away from the scam website. Meanwhile, the scammers can use the data that they have stolen to access the compromised email accounts and use them to launch further spam and scam campaigns. Since the scam emails are sent via the hijacked accounts of victims, the emails cannot be traced back to the criminals responsible... No legitimate email provider is likely to send an unsolicited email asking customers to provide their email password by clicking a link, opening an attachment or replying. Be very wary of any email that makes such a request."
 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngxph34r.png.pagespeed.ic.GOH20nhrx_.png  dry.png.pagespeed.ce.iCXmiFQmCf.png


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1134 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 14 February 2014 - 11:09 AM

FYI...

DoubleClick malvertising campaign exposes... malvertising infrastructure
- http://www.webroot.c...infrastructure/
Feb 14, 2014 - "... we became aware of a possible evasive/beneath the radar malvertising  based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About .com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case...
Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1 .com – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1 .com); 212.124.112.229; 74.50.103.41; 68.233.228.236
ad.onlineadserv .com – 37.59.15.44; 37.59.15.211, hxxp ://188.138.90.222 /ad.php?id=31984&cuid=55093&vf=240
IP reconnaissance:
188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver .com; notslead .com; adwenia .com – Email: philip.woronoff@ yandex .ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia .com)
Based on BrightCloud’s database, not only is adservinghost1 .com already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec)* is known to have phoned back to the same IP as the actual domain, hxxp ://212.124.112.232 /cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular...
> https://www.webroot....alvertising.png
Here comes the interesting part. Apparently, the name servers of adservinghost1 .com are currently responding to the same IPs as the name servers of the Epom ad platform.
NS1.ADSERVINGHOST1 .COM – 212.124.126.2
NS2.ADSERVINGHOST1 .COM – 74.50.103.38
... domains are also responding to the same IP as the Epom .com domain at 198.178.124.5 ..."
(More detail at the webroot URL above.)
* https://www.virustot...f7bbb/analysis/
___

Malware sites to block 14/2/14
- http://blog.dynamoo....lock-14214.html
14 Feb 2014 - "This bunch of OVH Canada hosted nameserver and IP ranges are supporting malware distribution via the Nuclear Exploit Kit (as described here* by Umbrella Labs). OVH Canada have a long history with this bad actor (who I believe to be r5x .org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all. First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active... (Long list at the dynamoo URL above)
Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.
142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

I can see the following domains being actively supported by these nameservers, all of which should be considered hostile..." (Long list at the dynamoo URL above)

* http://labs.umbrella...ips-go-nuclear/
Feb 14, 2014
___

Fake Flash install via Silverlight
- http://community.web...ilverlight.aspx
Feb 14, 2014 - "... discovered attempts to infect users using the commonly distributed plug-in, Silverlight. Silverlight allows development of web and mobile applications that consist of streaming media, multimedia, graphics, and animation. It has been used for video streaming of events such as the 2008 Summer Olympics in Beijing, the 2010 Winter Olympics in Vancouver, and the 2008 conventions of both major United States political parties. Streaming services such as Netflix use Silverlight for Digital Rights Management (DRM). By leveraging two Silverlight plug-in vulnerabilities, CVE-2013-3896 and CVE-2013-0074, attackers have been able to infect victims via dropper files and subsequently through calls home to the command and control (C&C) server... the plug-in is a Base64 encoded Visual Basic Script (VBS). Silverlight generates the VBS file and places it in the directory C:\Users\<user name>\AppData\Local\Temp\Log... The downloaded binary is encrypted with the XOR key “m3S4V”. Using the ADODB.Stream ability to read and write text and binary files, a file named 4bb213.exe is created and run... At the time of initial investigation, fewer than 10% of AV vendors* had detection for the malicious files. The dropper files involved in this campaign are currently being identified as a Trojan threat by AV vendors. Based on call back activity, infected machines may be updated with additional dropper files by the C&C server when communication is established. The C&C server hosting the dropper file was registered via a domain privacy provider, while the resolving IP address is owned by the hosting provider 3NT Solutions. Communication attempts to the C&C server have been observed from the following countries:
> http://community.web...407.blog007.png
While Silverlight is not commonly used for business purposes, its use for web applications and streaming gives it a strong presence on devices owned by everyday users. With many companies embracing BOYD policies, applications such as Silverlight provide malicious actors with another potential cyber-attack vector..."
* https://www.virustot...9ff77/analysis/

Silverlight current version: 5.1.20913.0 - http://www.microsoft.com/silverlight/

MS13-087
- http://technet.micro...lletin/ms13-087
Oct 08, 2013 - "...  upgrades previous versions of Silverlight to Silverlight version 5.1.20913.0..."

- https://web.nvd.nist...d=CVE-2013-0074 - 9.3 (HIGH)

- https://web.nvd.nist...d=CVE-2013-3896 - 4.3
 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngxph34r.png.pagespeed.ic.GOH20nhrx_.pngdry.png.pagespeed.ce.iCXmiFQmCf.pngxph34r.png.pagespeed.ic.GOH20nhrx_.png


Edited by AplusWebMaster, 15 February 2014 - 04:44 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1135 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 February 2014 - 07:18 AM

FYI...

400Gbps DDoS attacks ...
- http://atlas.arbor.n...index#411367071
High Severity
13 Feb 2014
NTP reflection/amplification attacks continue to gain momentum. Indicators of attacks up to 400Gbps have been discussed. Mitigations are ongoing, however the situation is still volatile.
Analysis: Despite multiple efforts to notify those running NTP servers that are not yet up to date and allow for a much larger amplification attack, the number of NTP servers that function beautifully as attack amplification sources is still quite high. Stressor services are known to implement NTP amplification attacks (along with SNMP and DNS amplification attacks and likely others) and lists of vulnerable NTP servers are shared on underground forums, leading to many copycat attacks. Several NTP amplification attack scripts have been shared on underground forums and elsewhere which makes this attack within easy reach of anyone who has a system that can originate spoofed traffic...

- https://www.us-cert....lerts/TA14-013A
Last revised: Feb 05, 2014 - "... all versions of ntpd prior to 4.2.7 are vulnerable... upgrade all versions of ntpd that are publically accessible to at least 4.2.7... where it is not possible to upgrade the version of the service, it is possible to -disable- the monitor functionality in earlier versions of the software. To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery "

- https://web.nvd.nist...d=CVE-2013-5211 - 5.0
Last revised: 01/24/2014 - "... as exploited in the wild in December 2013."

>> http://www.ntp.org/downloads.html
2014/02/10 - 4.2.7p421

NTP attacks continue ...
- http://www.arbornetw...ast-few-months/
3/10/2014
___

FTP sites compromised to serve malware and scams
- https://net-security...ews.php?id=2709
Feb 14, 2014 - "Some 7,000 FTP sites and servers have been compromised to serve malware, and its administrators are usually none the wiser... FTP sites function as online file caches and are accessible remotely - usually via Web browsers. Users who have the required login credentials can upload and download files from them, but other users can also retrieve certain files hosted on such a server if given a specific link that leads to the file (and without needing to provide login credentials). It is this latter capacity that makes login credentials to FTP servers a prized haul for cyber scammers, as they upload malware and malicious links to the server, then embed direct links to them in spam emails delivered to potential victims. Access to a FTP server can also be occasionally leveraged by the attackers to compromise connected web services. "The victim companies hosting exploited FTP sites are spread across the spectrum – from small companies and individual accounts with ISPs to major multi-national corporations," noted the researchers*. "Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites"... It is unknown who stole the FTP credentials, and who is using them, but judging by the complexity of some of the passwords, it's natural to assume that they haven't been guessed, but stolen via information-stealing malware. Also, some sites have default or publicized login credentials, so exploitation of them is easy."
* http://www.holdsecur...!news2013/c13i1
Feb 13, 2014
___

Fake "Account Credited" / TTCOPY.jar SPAM
- http://blog.dynamoo....pyjar-spam.html
16 Feb 2014 - "This spam email comes with a malicious .JAR attachment:
    From:     Tariq Bashir muimran@ giki .edu .pk
    Reply-To:     Tariq Bashir [ta.ba@ hot-shot .com]
    Date:     15 February 2014 11:03
    Subject:     Account Credited
    Dear Sir,
    I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.
    Find attached Bank TT  and update us on delivery schedule.
    Regards,
    Tariq Bashir
    Remal Al Emarat Travel & Tourism L.L.C.
    Al Muteena Street, Salsabeel Building, 103
    P.O. Box 56260, Dubai, UAE
    Tel: +971 4 271 54 06
    Fax: +971 4 271 50 65
    Mobile: +971 50 624 62 05
    e-mail: ta.ba@ hot-shot .com


The spam email originates from 121.52.146.226 (mail.giki .edu .pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50* and the Malwr analysis reports** an attempted connection to clintiny.no-ip .biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany). Although this is an unusual threat, Java attacks are one of the  main ways that an attacker will gain access to your system. I strongly recommend -deinstalling- Java if you have it installed. I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:
67.215.4.64/28
67.215.4.120/29
u558801.nvpn .so
jagajaga.no-ip .org
jazibaba.no-ip .org
cyberx2013.no-ip .org
deltonfarmhouse.no-ip .biz
deltoncowstalls.no-ip .org
can2-pool-1194.nvpn .so
jazibaba1.no-ip .biz
ns2.rayaprodserver .com
kl0w.no-ip .org
jajajaja22.no-ip .org
mozillaproxy.zapto .org
"
* https://www.virustot...sis/1392589951/

** https://malwr.com/an...zE1M2QwNTAyNjI/

- https://www.virustot...23/information/
 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngxph34r.png.pagespeed.ic.GOH20nhrx_.png


Edited by AplusWebMaster, 11 March 2014 - 05:26 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

    Advertisements

Register to Remove


#1136 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 February 2014 - 03:34 PM

FYI...

Fake Evernote SPAM
- http://blog.dynamoo....-sent-spam.html
17 Feb 2014 - "... the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one...
Date:      Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From:      accounts@ pcfa .co .in
Subject:      Image has been sent
Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote
Copyright 2014 Evernote Corporation. All rights reserved


The links in the email go to:
[donotclick]www.aka-im .org/1.html
[donotclick]bluebuddha .us/1.html
Which in turn loads a script from:
[donotclick]merdekapalace .com/1.txt
[donotclick]www.shivammehta .com/1.txt
That in turn attempts to load a script from [donotclick]opheevipshoopsimemu .ru:8080/dp2w4dvhe2 which is multihomed on the following IPs:
31.222.178.84 (Rackspace, UK)
37.59.36.223 (OVH, France)
54.254.203.163 (Amazon Data Services, Singapore)
78.108.93.186 (Majordomo LLC, Russia)
78.129.184.4 (Iomart Hosting, UK)
140.112.31.129 (TANET, Taiwan)
180.244.28.149 (PT Telkom Indonesia, Indonesia)
202.22.156.178 (Broadband ADSL, New Caledonia)
The URLquery report* on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis. There are a number of other hostile sites on those same IPs... I would recommend blocking the following IPs and domains:
31.222.178.84
37.59.36.223
54.254.203.163
78.108.93.186
78.129.184.4
140.112.31.129
180.244.28.149
202.22.156.178
afrikanajirafselefant .biz
bakrymseeculsoxeju .ru
boadoohygoowhoononopee .biz
bydseekampoojopoopuboo .biz
jolygoestobeinvester .ru
noaphoapofoashike .biz
opheevipshoopsimemu .ru
ozimtickugryssytchook .org
telaceeroatsorgoatchel .biz
ypawhygrawhorsemto .ru
aka-im .org
bluebuddha .us
merdekapalace .com
shivammehta .com
"
* http://urlquery.net/....php?id=9484541
___

Fake Evernote emails serve client-side exploits ...
- http://www.webroot.c...-side-exploits/
Feb 18, 2014 - "Cybercriminals continue to populate their botnets, with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam. We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the -fake- emails...
Sample screenshot of the spamvertised email:
> https://www.webroot....pamvertised.png
Sample redirection chain: hxxp ://nortonfire .co .uk/1.html (82.165.213.55) -> hxxp ://merdekapalace .com/1.txt – 202.71.103.21 -> hxxp ://www.shivammehta .com/1.txt – 181.224.129.14 -> hxxp ://ypawhygrawhorsemto .ru:8080/z4ql9huka0
Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto .ru:
37.59.36.223
180.244.28.149
140.112.31.129
31.222.178.84
54.254.203.163
78.108.93.186
202.22.156.178
54.254.203.163
78.108.93.186
140.112.31.129
202.22.156.178
31.222.178.84
37.59.36.223
180.244.28.149

Responding to 78.108.93.186, are also the following malicious domains:
ypawhygrawhorsemto .ru – 78.108.93.186
jolygoestobeinvester .ru – 78.108.93.186
afrikanajirafselefant .biz – 78.108.93.186
bakrymseeculsoxeju .ru – 78.108.93.186
ozimtickugryssytchook .org – 78.108.93.186
bydseekampoojopoopuboo .biz – 78.108.93.186
Name servers used in the campaign:
Name server: ns1.ypawhygrawhorsemto .ru – 173.255.243.199
Name server: ns2.ypawhygrawhorsemto .ru – 119.226.4.149
Name server: ns3.ypawhygrawhorsemto .ru – 192.237.247.65
Name server: ns4.ypawhygrawhorsemto .ru – 204.232.208.115 ...
Detection rate for a sample served client-side exploit:
MD5: c81b2b9fbee87c6962299f066b983a46*  
Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu .ru:
31.222.178.84
180.244.28.149
78.108.93.186
140.112.31.129
78.129.184.4
54.254.203.163
202.22.156.178
37.59.36.223

Name servers part of the campaign’s infrastructure:
Name server: ns1.opheevipshoopsimemu .ru. 173.255.243.199
Name server: ns2.opheevipshoopsimemu .ru. 119.226.4.149
Name server: ns3.opheevipshoopsimemu .ru. 192.237.247.65
Name server: ns4.opheevipshoopsimemu .ru. 204.232.208.115 ..."
* https://www.virustot...71e46/analysis/
 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngxph34r.png.pagespeed.ic.GOH20nhrx_.png  dry.png.pagespeed.ce.iCXmiFQmCf.png


Edited by AplusWebMaster, 18 February 2014 - 06:17 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1137 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 February 2014 - 06:10 AM

FYI...

Phishing Scam – 'Apple ID Used to Download OS X Mavericks' Email
- http://www.hoax-slay...hing-scam.shtml
Feb 19, 2014 - "Email purporting to be from the Apple Security Department warns recipients that their Apple ID was used to download OS X Mavericks and urges them to open an attached file to confirm their accounts if they did not initiate the download. The email is -not- from Apple. It is a phishing scam designed to trick users into giving their Apple account login details and financial information to criminals. The attached file contains a -bogus- HTML form that requests account and credit card details. Example:
Dear Apple Customer,
Your Apple ID, was just used to download OS X Mavericks from the Mac App
Store on a computer or device that had not previously been associated with
that Apple ID.
This download was initiated from Spain.
If you initiated this download, you can disregard this email. It was only
sent to alert you in case you did not initiate the download yourself.
If you did not initiate this download, you have to confirm your account and
validate your informations, so we recommend you to :
1- Download the attached document and open it in a secure browser.
2- Follow the verification process to protect your account.
Your sincerely.
Apple Security Department.
Apple Support


This email, which purports to be from Apple's Security Department, warns recipients that their account was used to download a copy of OSX Mavericks from a computer or device not previously associated with their Apple ID. The message claims that the download was initiated from Spain. It suggests that, if recipients did not initiate the download, they should open an attached file to confirm their account and validate their 'informations'. However, the email is -not- from Apple and the warning about an unauthorized download is designed to trick people into opening the attached file. The attachment contains a HTML form that lodes in the user's browser when opened. The -bogus- form first asks for the user's Apple account login details. It then asks for ID and credit card information, ostensibly so that the user's account can be verified and 'protected'. All the information submitted on the fake from can be harvested by criminals and used to hijack the real Apple accounts belonging to victims. The criminals may also conduct fraudulent credit card transactions and try to steal the identities of victims. The scammers responsible for the email hope that at least a few recipients will be panicked into opening the attachment and supplying the requested information in the mistaken belief that their Apple ID has been compromised. Like other high profile companies, Apple is almost continually targeted in phishing campaigns. Apple will never send you an unsolicited email that asks you to login and verify account details by clicking a link or opening an attached file."

___

'Product Testing UK' Facebook Survey Scam
- http://www.hoax-slay...rvey-scam.shtml
Feb 19, 2014 - "Facebook messages originating from a Facebook Page called 'Product Testing UK' claim that testers are needed for iPhones and other products and invite users to click a link to fill in a 'Product Testing Application Form'... The messages and associated Facebook Page are part of a survey scam. The 'Application Form' link takes users to suspect third party survey websites that ask them to provide personal information to go in the draw for various prizes. Users will never get to test and keep the promised products. Do -not- click any links in these scam messages. Example:
PRODUCT TESTER NEEDED
Get brand new iPhone for Review it! Test it! Rate it & you will keep it!
CLICK HERE TO REGISTER YOURSELF-->[Link Removed]
*PRODUCT IS GIVING ACCORDING TO FIRST COME FIRST GET BASIS AND OFFER FOR ONLY UK.

> http://www.hoax-slay...g-uk-scam-1.jpg
According to messages currently appearing on Facebook, users can sign up as product testers for iPhones and other tech products by following a link and filling in an application form. The messages come from a Facebook Page called 'Product Testing UK'. The messages claim that users can keep the product they test after the testing process is over. However, the claims in the posts are -lies- and the Page is fraudulent. Those who click the link will not be taken to a 'Product Testing Application Form' as claimed.Instead, they will be redirected to various suspect 'survey' or 'offer' websites that promise the chance to win prizes in exchange for providing personal information. Some of the pages ask users to provide name, address and contact details, supposedly to allow them to go in the draw for a prize. Others will claim that users must provide their mobile phone number - thereby subscribing to absurdly expensive text messaging services - in order to get the results of a survey or go in the running for a prize. Users will be trapped in a confusing tangle of open webpages, all offering supposedly free gifts or services in exchange for participating. Often, trying to exit the pages will call up various pop-ups that try to convince the person to stay on the page rather than navigate away. The people who set up these scams earn a commission via dodgy affiliate marketing schemes whenever one of their victims completes an 'offer' or 'survey'. And, alas, no matter how many surveys or offers users complete, they will never get to fill in the product testing application form. Nor, of course, will they ever get to test and keep one of the promised testing products..."
___

Malicious mobile apps on Google Play up 400 percent
- https://net-security...ews.php?id=2713
Feb 19, 2014 - "RiskIQ* announced research findings on the presence of malicious apps contained in the Google Play store. The company found that malicious apps have grown 388 percent from 2011 to 2013, while the number of malicious apps removed annually by Google has -dropped- from 60% in 2011 to 23% in 2013. Apps for personalizing Android phones led all categories as most likely to be malicious. The most downloaded -malicious- app in 2013 was Talking Angela..."
* http://www.riskiq.co...iked-nearly-400
 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngxph34r.png.pagespeed.ic.GOH20nhrx_.png  dry.png.pagespeed.ce.iCXmiFQmCf.png


Edited by AplusWebMaster, 19 February 2014 - 07:45 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1138 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 20 February 2014 - 06:39 AM

FYI...

Cushion redirect on 62.212.128.22
- http://blog.dynamoo....6221212822.html
20 Feb 2014 - "... there is an apparent cushion redirect running on 62.212.128.22 (XenoSite, Netherlands) using hijacked GoDaddy domains (which is never a good sign). An example can be found with this URLquery report* but in this case it seems to end up at a wallpaper site (picture here**). VirusTotal sees the IP*** as being somewhat suspect. Given that this is abusing subdomains of legitimate GoDaddy domains then on balance I would regard this as being malicious. All the subdomains I can find are listed here**** [pastebin], but they are all covered by this recommended blocklist:
46.231.87.57
310casting .com
analacrobatsfree .com
dovizpiyasa .net
dovmeara .com
dovmebakirkoy .com
dovmeblog .com
dovmeci .co
dovmeciadresleri .com
dovmecibul .com
dovme-resimlerim .com
"
* http://urlquery.net/....php?id=9546681

** http://urlquery.net/....php?id=9546681

*** https://www.virustot...22/information/

**** http://pastebin.com/4UhwdY3a
___

Exploit Kits in Fake Skype, Evernote Themed Attacks
- http://community.web...ploit-kits.aspx
Feb 19, 2014 - "... recent campaigns were themed around fake -Skype- voicemail notifications (Feb 19, 2014), and fake -Evernote- image notifications (Feb 7, 17-18, 2014). The emails try to lure the victim to click a link that will redirect through an intermediate site into pages that host the Angler Exploit Kit (later switched to "Goon" Exploit kit). The kits will exploit Java, Flash or Silverlight vulnerabilities and try to load an encrypted executable, to help evade detection...
Fake Skype messages:
> http://community.web...ler_5F00_EK.jpg
Fake Evernote Messages:
> http://community.web...er_5F00_EK1.jpg
... Checking in Virus Total to provide context about AV coverage for this malware, we can see detection when first seen is 7/50*, and it looks like a Zeus variant...
* https://www.virustot...sis/1392844805/
... We have seen evidence and reports of the "ru:8080" gang switching to Angler Exploit Kit as far back as December 2013... The "ru:8080" criminal gang typically pushes trojans such as Cridex, Zeus GameOver, Click-Fraud trojans like ZeroAccess, and we have seen instances in the past of Ransomware such as RansomLock and worms like Andromeda. It looks like after a period of relatively little use of exploit kits, cyber criminals resume use of different exploit kits to deliver malware in email based attacks. However, the switch from one exploit kit to the other indicates several possibilities, one being that continuing to use a single Malware-as-a-Service for a long period is deemed too risky to maintain a profitable operation. Alternatively, the attackers are evaluating multiple exploit kits to determine which works the best, or multiple attackers may be leveraging the same bot-net and redirect structures... we see a relatively heavy bias from the attackers towards targets located in the UK, followed by US and Germany:
> http://community.web...F00_targets.jpg "
___

Zeus banking Trojan - back with another variant, ZeusVM
- http://www.theinquir...-variant-zeusvm
Feb 19 2014 - "... Dubbed ZeusVM, the modded version of the infamous Trojan is being distributed in many different ways, but typically through phishing emails or web-based attacks, including "malvertising", whereby people are infected by visiting websites containing malicious ads. "The Zeus/Zbot Trojan is one the most notorious banking Trojans ever created; it's so popular it gave birth to many offshoots and copycats," Malwarebytes* said in a blog post... Malwarebytes senior security researcher Jerome Segura explained that there are various parts to this piece of malware. While the main executable - the bot - will bury itself into your computer and ensure it is reactivated every time you reboot, at regular intervals it also checks with its command and control server for new instructions while monitoring user activity... It can also perform wire transfers while the victim is logged in, Segura said, and even alter the appearance of the current account balance to ensure that it remains unnoticed... Fireeye has said that hackers are dropping standard malware like Zeus in favour of more advanced but harder to use remote access Trojans (RATs) such as Xtreme RAT... Xtreme RAT is a notorious RAT that has been freely available on a number of cyber black markets since June 2010. The RAT is dangerous as it can be used for a variety of purposes, including interacting with the victim machine via a remote shell, uploading and downloading files, interacting with the registry and manipulating running processes and services."
* http://blog.malwareb...banking-trojan/
 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngxph34r.png.pagespeed.ic.GOH20nhrx_.pngdry.png.pagespeed.ce.iCXmiFQmCf.png


Edited by AplusWebMaster, 20 February 2014 - 09:52 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1139 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 February 2014 - 07:07 AM

FYI...

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131
- http://blog.dynamoo....136231-and.html
21 Feb 2014 - "Thanks to @Techhelplistcom for the heads up on this little mystery..
> http://3.bp.blogspot...echhelplist.png
It all starts with a spam evil (described here*).. The link goes to a URLquery report that seems pretty inconclusive**, mentioning a URL of [donotclick]overcomingthefearofbeingfabulous .com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured*** server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs .com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set. As Techhelplist says, set the UA to an Android one**** and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno .name)
[donotclick]mobile.downloadadobecentral .ru/FLVupdate.php  then to
[donotclick]mobile.downloadadobecentral .ru/FLVupdate2.php from where it attempts to download a file FlashUpdate.apk . 3NT Solutions / inferno .name is a known bad actor[5] and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket. FlashUpdate.apk has a VirusTotal detection rate of 22/47[6], but most Android users are probably not running anti-virus software. The Andrubis analysis[7] of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster .com. It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.
Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral .ru
jariaku .ru
350600700200 .ru
overcomingthefearofbeingfabulous .com
"

* http://techhelplist....owed-up-one-day

** http://www.urlquery.....php?id=9558246

*** https://www.virustot....8/information/

**** http://www.useragent...Webkit Browser/

[5] http://blog.dynamoo....arch/label/Iran

[6] https://www.virustot...sis/1392977002/

[7] http://anubis.isecla...314&format=html
___

Zeus variant targets Salesforce .com accounts, SaaS applications
- http://atlas.arbor.n...ndex#1152292298
Elevated Severity
20 Feb 2014
The Zeus malware - typically used as a banking trojan - was used to copy data from Salesforce .com after infecting a vulnerable home machine.
Analysis: Researchers speculate that pharming - redirecting traffic by manipulating settings such as hosts files on target systems and DNS servers in infrastructure gear - may have been a vector. Considering the home machine was most likely connected via a broadband router, it is possible that the router was exploited however enough information is not yet available to determine this. Initial indicators suggest that Zeus and other contemporary banking trojans in general have not been used to target Salesforce, therefore this maybe a targeted attack, or an opportunistic attack that was leveraged in a more targeted manner once the threat actors understood the value of the compromised asset. It is also possible that access to this particular machine was purchased in the underground once a potentially opportunistic attacker realized they could sell access to other threat actors who have more strategic goals.
Source: http://www.zdnet.com...ons-7000026557/
___

Fake inTuit TurboTax email - "Issue on Your Refund"
- http://security.intu.../alert.php?a=99
2/20/14 - "People are receiving -fake- emails with the title "Issue on Your Refund". Below is a copy of the email people are receiving.
> http://security.intu...tt2014phish.jpg
This is the end of the -fake- email.
Steps to Take Now
 Do -not- open any attachment or -click- any links in the email...
 Delete the email
."
.

 

xph34r.png.pagespeed.ic.GOH20nhrx_.pngdry.png.pagespeed.ce.iCXmiFQmCf.png  xph34r.png.pagespeed.ic.GOH20nhrx_.png


Edited by AplusWebMaster, 21 February 2014 - 06:05 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1140 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 February 2014 - 06:39 AM

FYI...

Attack code exploits critical bug in majority of Android phones
- http://atlas.arbor.n...index#610868271
Elevated Severity
Feb 20, 2014
Public exploit code has been released for a 14 month old vulnerability in a large number of Android devices. The exploit code is trivial to use and is freely available in the Metasploit Framework.
Analysis: The slow update cycle for Android devices is a serious security consideration. Combining the risks of the typical BYOD work environment and the popularity of accessing enterprise resources with personal devices, such publicly released exploit code will make it easier for targeted attacks to leverage a compromised Android device in attack campaigns. The video that demonstrates the exploit shows the -malicious- URL being delivered to the device in the form of a QR code - an attack vector previously discussed but rarely observed... Apparently using an alternate browser other than the built-in Android browser (based on WebView) such as Google Chrome will -mitigate- this vulnerability, however many users are likely to be taking advantage of the default configuration which includes a WebView based browser...
Source: http://arstechnica.c...android-phones/
 

:ph34r: <_<


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

Related Topics



5 user(s) are reading this topic

0 members, 4 guests, 0 anonymous users


    Google (1)