News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
May 21, 2013, 14:52:42
1 - on: Today at 10:23:42
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Chrome v27.0.1453.93 released
- http://googlechromereleases.blogspot.ca/2013/05/stable-channel-release.html
May 21, 2013 - "Chrome 27.0.1453.93 for Windows, Mac, Linux, and Chrome Frame contains a number of new items... ongoing internal security work was as usual responsible for a wide range of fixes..."


2 - on: Today at 04:27:38
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake NATO jobs SPAM ...
- http://blog.webroot.com/2013/05/21/cvs-and-sensitive-info-soliciting-email-campaign-impersonates-nato/
May 21, 2013 - "Want to join the North Atlantic Treaty Organization (NATO)?... you’d be involuntarily sharing your information with what looks like an intelligence gathering operation...
Sample screenshot of the -fake- NATO Employment Application Form:
> https://webrootblog.files.wordpress.com/2013/05/fake_nato_employment_application.png
    A copy of the -fake- NATO Employment Application Form
> http://webrootblog.files.wordpress.com/2013/05/nato-employment-application-form.pdf
    A copy of the -fake- NATO Interview Form
> http://webrootblog.files.wordpress.com/2013/05/nato-interview-form.pdf
... NATO impersonating domain name reconnaissance:
nspa-nato.int.tf – 188.40.117.12; 188.40.70.27; 188.40.70.29
Name server: ns1.idnscan .net
Name server: ns2.idnscan .net
usnato-hr.org – 208.91.198.24
Name Server: DNS1.SPIRITDOMAINS .COM
Name Server: DNS2.SPIRITDOMAINS .COM
... We know that on 2013-05-10 07:01:46 CET, responding to the same IP (188.40.117.12) was also the following Black Hole Exploit Kit redirecting URLs...
Always watch where you apply and be aware of offers which sound too good to be true."
(More detail at the webroot URL above.)
___

Fake Delivery_Information_ID-000512430489234.zip
- http://blog.dynamoo.com/2013/05/deliveryinformationid-000512430489234zip.html
21 May 2013 - "The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German)... best guess is that it is a fake package delivery report. So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion .de/get/Delivery_Information_ID-000512430489234.zip
The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47* and has the following checksums:
MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7
The Anubis report is pretty inconclusive but ThreatTrack reports** [pdf] some peer-to-peer traffic and also some rummaging around the Window Address Book (WAB)."
* https://www.virustotal.com/en/file/9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7/analysis/1369127051/
File name: Delivery_Information_ID-000512453420234.Pdf______________________...
Detection ratio: 23/47
Analysis date:    2013-05-21
** http://www.dynamoo.com/files/analysis_30721_791a8d50acfea465868dfe89cdadc1fc.pdf
___

Malicious eFax Corporate Spam
- http://threattrack.tumblr.com/post/50992552536/malicious-efax-corporate-spam
21 May 2013 - "Subjects Seen:
   Corporate eFax message from [removed]
Typical e-mail details:
   You have received a 3 fax at 2013-05-07 10:24:18 CST.
    * The reference number for this fax is [removed].
    Please visit efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail.efax.com.
    Thank you for using the eFax Corporate service!


Malicious URLs
    116.122.158.195 :8080/ponyb/gate.php
    mail.yaklasim .com:8080/ponyb/gate.php
    debthelpsmart .org/ponyb/gate.php
    debtsmartretirement .com/ponyb/gate.php
    50.63.222.182 /GGBG2H.exe


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/04b210cbaad377d10a19ce26b5dfe3a7/tumblr_inline_mn5mcsC2PH1qz4rgp.png
___

Oklahoma tornado charitable organization scams, malware, and phishing
- https://isc.sans.edu/diary.html?storyid=15854
Last Updated: 2013-05-21 17:09:55 UTC - "... Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has -not- been around for very long. There are many legit charities, I would recommend sticking to ones you are already familiar with. The American Red Cross for example has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma. Routine monitoring of newly registered domain names shows a number of brand new ones that have words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well meaning people, however I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to be the subject line of phishing, malware, and scammers..."
___

prospectdirect .org SPAM
- http://blog.dynamoo.com/2013/05/prospectdirectorg-spam.html
21 May 2013 - "Everything that this spammer says is a lie:
    From:     Emily Norton [emily.norton @prospectdirect .org]
    To:     [redacted]
    Date:     21 May 2013 16:33
    Subject:     Cater to your email marketing needs
    Signed by:     prospectdirect .org
    Hello,
    I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.
    The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.
    If you would like a quote please complete this form: http ://prospectdirect .org/email-marketing-strategy
    Leave your details at the link above or reply with any requirements.
    Kind Regards,
    Emily Norton
    75 Glandovey Terrace, Newquay, Cornwall TR8 4QD
    Tel: 0843 289 4698
    This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http ://www.prospectdirect .org/landing/page.php?jq=[snip]


Firstly, the email was sent to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does -not- exist, and the telephone number of 0843 289 4698 appears to belong to a completely -unrelated- company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct". The website prospectdirect .org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope, Netherlands). There are no contact details on the website and there is no identifying information at all... it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.
> https://lh3.ggpht.com/-t6eWqUjKl84/UZvEKHeSs4I/AAAAAAAABOo/XRPXQOIt8rg/s400/prospect-direct.png
I would recommend giving these spammers a wide berth given their catalogue of lies."


3 - on: May 20, 2013, 16:15:21
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

147 pushdo, malvertising, malicious js, iframe domains added
- http://www.malwaredomains.com/?p=3222
May 19th, 2013 - "Added 147 domains associated with malicious javascript, iframes, pushdo, etc. Sources include safebrowsing.clients.google.com, sucuri.net, secureworks.com..."


4 - on: May 20, 2013, 03:33:00
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Something evil on 50.116.28.24
- http://blog.dynamoo.com/2013/05/something-evil-on-501162824.html
19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
(More detail at the dynamoo URL above.)

* http://www.f-secure.com/weblog/archives/00002554.html

** http://forums.macrumors.com/showthread.php?t=1583233
___

Wells Fargo Credentials Phish
- http://threattrack.tumblr.com/post/50913877787/wells-fargo-credentials-phish
20 May 2013 - "Subjects Seen:
   Account Update
Typical e-mail details:
   In order to safeguard your account, we require that you confirm your details.
    To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
    To get started, visit the link below:
    Wells Fargo Online Confirmation


Malicious URLs
    update.id5027-wellsfargo .com/index.php?id=586616


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b0d8988c075155635a6682da8f92e4a0/tumblr_inline_mn3umbkVzo1qz4rgp.png
___

Malicious Invoice Attachment Spam
- http://threattrack.tumblr.com/post/50914381181/malicious-invoice-attachment-spam
20 May 2013 - "Subjects Seen:
   invoice copy
Typical e-mail details:
   Kindly open to see export License and payment invoice attached,
    meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if
    there is any problem.
    Thanks
    Karen parker


Spam contains malicious attachment.

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/cbdf76f6219dbb3755e51a541a68aad0/tumblr_inline_mn3v14O1qo1qz4rgp.png
___

Chase Bank Credentials Phish
- http://threattrack.tumblr.com/post/50929274377/chase-bank-credentials-phish
20 May 2013 - "Subjects Seen:
   Billing Code:[removed]
Typical e-mail details:
   During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
    This might be due to either of the following reasons:
    1. A recent change in your personal information ( i.e. change of address).
    2. Submitting invalid information during the initial sign up process.
    3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
    Click on the guide-link below and follow the directions or please call our Online Helpdesk.
    Regards,
    Chase Online
    Billing Department
    Thanks for your co-operation.


Malicious URLs
    goodnickfitness .com.au/hnav.html
    diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/04079d40aed3b5bc8b4adb60986fe381/tumblr_inline_mn45ob1itt1qz4rgp.png
___

Blackhole Spam Run evades detection using Punycode
- http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-spam-run-evades-detection-using-punycode/
May 20, 2013 - "...  we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/BHEK-walmart.jpg
... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see their original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are led to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a vulnerability in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
* http://www.ietf.org/rfc/rfc3492.txt
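As an added defensive example (not part of the Trend Micro post or of this forum), the Python below decodes Punycode labels back to Unicode and flags the two properties the post describes as risky: a label that mixes scripts to imitate a brand, and a label written entirely in a non-Latin script. The sample hostnames, the watched brand list and the small confusables table are constructed for the example.

```python
import unicodedata

ACE_PREFIX = "xn--"  # ASCII-compatible-encoding prefix marking a Punycode label (RFC 3492)

# Hand-picked subset of Cyrillic letters that look like Latin ones (an assumption for
# this example; the full Unicode confusables table is much larger).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

# Constructed watch list of brand labels a mail filter would not expect to see imitated.
WATCHED_BRANDS = {"paypal", "walmart"}

# Constructed sample hostnames: a mixed-script PayPal lookalike (Cyrillic "а" at index 1),
# an all-Cyrillic label ("пример"), and a plain ASCII host for comparison.
SAMPLE_HOSTS = ["xn--pypal-4ve.com", "xn--e1afmkfd.com", "walmart.com"]


def decode_label(label):
    """Return the Unicode form of one DNS label; labels without the ACE prefix pass through."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def scripts_in(label):
    """Unicode script families used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold the known confusable characters to their Latin lookalikes for brand comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_host(host):
    """Decode every label of a hostname and collect findings a mail filter could act on."""
    labels = host.rstrip(".").split(".")
    decoded = [decode_label(label) for label in labels]
    findings = set()
    for raw, label in zip(labels, decoded):
        scripts = scripts_in(label)
        if raw.lower().startswith(ACE_PREFIX):
            findings.add("punycode")
        if len(scripts) > 1:
            findings.add("mixed-script")
        elif scripts and "LATIN" not in scripts:
            findings.add("non-latin")
        # Only a label that changes under folding is a lookalike, not the brand itself.
        folded = skeleton(label)
        if folded != label and folded in WATCHED_BRANDS:
            findings.add("lookalike:" + folded)
    return {"host": host, "unicode": ".".join(decoded), "findings": sorted(findings)}


if __name__ == "__main__":
    for sample in SAMPLE_HOSTS:
        result = analyze_host(sample)
        verdict = ", ".join(result["findings"]) or "clean"
        print(f"{result['host']:20} -> {result['unicode']:14} {verdict}")
```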


5 - on: May 20, 2013, 03:12:17
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Pushdo: Latest Variant ...
- http://www.secureworks.com/assets/pdf-store/other/mv20.pdf
05/15/13 - "... The Pushdo botnet is a “downloader” (or loader) primarily used to download and install the Cutwail spam bot. Pushdo is also aware of the IP address and geographical location of its victims. This allows the botmasters to target specific countries/areas for infections. The malware is also known to keep track of anti-virus products and firewall processes running on the system, which can be reported back to the C&C... The author of Pushdo made the botnet more robust by adding a DGA component* as the back up C&C method. This DGA attempts to contact 1,380 domains per day. The adoption of a DGA-based backup mechanism allows the botmaster to be more resilient against take down efforts. The back up mechanism trivially defeats detection methods based on sandboxing and signatures. Within the last two years Damballa Labs noted that Zeus, TDSS/TDL and now Pushdo are all employing DGAs in some aspects of their communications. Furthermore, the inclusion of RSA cryptography ensures that defenders will not be able to use the domains created by the DGA to take control of the botnet (e.g., by pushing a removal tool). Pushdo also utilizes a fake traffic generator to hide both its own C&C traffic and Cutwail’s C&C traffic. The actual malware payload from Pushdo’s C&C is encrypted and hidden within a fake JPEG image file embedded in HTML scraped from legitimate websites. The noisy traffic generator combined with the real C&C server using a fake image file for payloads show the Pushdo botnet controller’s commitment to make identification of the real C&C servers more difficult."
* Domain name generation algorithm (DGA)

- http://www.theregister.co.uk/2013/05/17/pushdo_extra_stealth/
17 May 2013 - "... Pushdo has been used to distribute other malware such as ZeuS and SpyEye, as well as conduct spam/phishing campaigns with its Cutwail module. Despite four takedowns in five years of Pushdo command-and-control servers, the botnet (believed to be run by a single Eastern European hacker group) endures. The malware is responsible for between 175,000 and 500,000 active bots on any given day. The botnet is typically used to deliver malicious emails with links to websites that foist banking Trojans upon unsuspecting victims. Sometimes, the messages are made to look like credit card statements or they contain an attachment disguised as an order confirmation..."

- https://atlas.arbor.net/briefs/index#313945818
Elevated Severity
May 16, 2013
PushDo, a long-lived malware family that is most known for distributing the Cutwail spambot, has evolved. Network defenders should be aware of the changes.
Analysis: Some of the most serious uses of the Cutwail spambot involve the distribution of spam e-mail that helps spread the Zeus banking malware. Since Cutwail and PushDo are so closely related, anyone detecting either should look deeper in order to gain the full incident response picture. Various types of obfuscation and encryption are nothing new for malware - even older malware using such tactics still flies beneath the radar of most - and we see a good example of such tactics in the PushDo evolution...

- https://www.trustwave.com/support/labs/spam_statistics.asp
Statistics for Week ending May 12, 2013


6 - on: May 18, 2013, 04:04:00
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Ransomware - Reveton.B...
- https://www.net-security.org/malware_news.php?id=2497
May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds. It is being delivered on the victims' computer via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
> https://www.net-security.org/images/articles/reveton-17052013.jpg
... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updated should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
* http://blogs.technet.com/b/mmpc/archive/2013/05/16/no-paysafecard-needed-your-passwords-will-pay-off.aspx


7 - on: May 17, 2013, 14:28:42
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Wireshark 1.8.7 released
- https://www.wireshark.org/download.html
May 17, 2013 - "The current stable release of Wireshark is 1.8.7. It supersedes all previous releases..."

Bug Fixes
- https://www.wireshark.org/docs/relnotes/wireshark-1.8.7.html#BugFixes

- https://www.wireshark.org/lists/wireshark-announce/201305/msg00000.html

Wireshark 1.6.15
- https://www.wireshark.org/lists/wireshark-announce/201305/msg00001.html

- https://secunia.com/advisories/53425/
Release Date: 2013-05-20
Criticality level: Moderately critical
Impact: DoS
Where: From remote
CVE Reference(s): CVE-2013-2486, CVE-2013-2487
Solution: Update to version 1.6.15 or 1.8.7.


8 - on: May 17, 2013, 11:53:43
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

RSA SecurID Agent discloses node Secret Encryption Key to Local Users
- http://www.securitytracker.com/id/1028573
CVE Reference: CVE-2013-0941
May 16 2013
Impact:  Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A local user can obtain the node secret key.
Solution: The vendor has issued the following fixes:
RSA Authentication Agent for Microsoft Windows 6.4.2 and 7.0
RSA SecurID Authentication Agent 5.3 for Web for Apache Web Server
RSA SecurID Authentication Agent 5.3 for Web for Internet Information Services
RSA SecurID Agent 6.0 for PAM ...

- http://www.emc.com/support/rsa/index.htm

- https://knowledge.rsasecurity.com


9 - on: May 17, 2013, 08:22:17
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

SutraTDS, iframe, malvertising, malspam domains
- http://www.malwaredomains.com/?p=3217
May 17th, 2013 - "Added -111- SutraTDS, iframe, malvertising, malspam domains from blog.dynamoo.com, urlquery.net, and some private sources..."


10 - on: May 17, 2013, 03:00:55
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

e-netprotections .su ?
- https://isc.sans.edu/diary.html?storyid=15818
Last Updated: 2013-05-17 - "Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well. Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats .cc, emstats .su, ehistats .su, e-protections .su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections .cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer... each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal*), but the heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far..."
Partial list of IPs involved:

* https://www.virustotal.com/en/file/b19818bb463075327c6be9fd8e913c0d4bf9dff503a991cbbc670cc673db9041/analysis/
File name: dwdsrtrt
Detection ratio: 4/46
Analysis date: 2013-05-16

- https://www.abuse.ch/?p=3581
___

Malicious Wells Fargo Secure Message Spam
- http://threattrack.tumblr.com/post/50597669027/malicious-wells-fargo-secure-message-spam
16 May 2013 - "Subjects Seen:
   New Secure Message
Typical e-mail details:
   View attachment for details
    To Read This Message:
    Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).


Malicious URLs
    mail.yaklasim .com:8080/forum/viewtopic.php
    116.122.158.195 :8080/forum/viewtopic.php
    mylifestylestormproducts .com/forum/viewtopic.php
    mysafefloridahomelife .com/forum/viewtopic.php
    ryulawgroup .com/Gsdw1.exe


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fb3e5e3449eb83ff06490237ae80520d/tumblr_inline_mmwrmi4bl91qz4rgp.png
___

Malicious "Referral link" SPAM / rockingworldds .net and parishiltonnaked2013 .net
- http://blog.dynamoo.com/2013/05/referral-link-spam-rockingworlddsnet.html
17 May 2013 - "This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:
   From: [AOL sender]
    Sent: 17 May 2013 14:12
    To: [redacted]
    Subject: [AOL screen name]
    Subject :RE ( 8 )
    Sent: 5/17/2013 2:11:53 PM
    referral link
    http ://printcopy.co .za/elemqi.php?whvbcfm


The link goes through a legitimate -hacked- site and in this case ends up at [donotclick]rockingworldds .net/sword/in.cgi?6 (report here*) which either -redirects- to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013 .net/ngen/controlling/coupon_voucher.php (report here**) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia)... I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia."
* http://urlquery.net/report.php?id=2512341

** http://urlquery.net/report.php?id=2512431
___

Fake Newegg .com SPAM / balckanweb .com
- http://blog.dynamoo.com/2013/05/neweggcom-spam-balckanwebcom.html
17 May 2013 - "This fake Newegg.com spam leads to malware:
   Date:      Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
    From:      Newegg [info @newegg .com]
    Subject:      Newegg.com - Payment Charged
    Priority:      High Priority 1
    Newegg logo    
    My Account     My Account |     Customer Services     Customer Services
    Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
    click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
    Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More
    Customer ID: [redacted]
    Account Number: 23711731
    Dear Customer,
    Thank you for shopping at Newegg.com.
    We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.
    If you have any questions, please use our LiveChat function or visit our Contact Us Page.
    Once You Know, You Newegg.
    Your Newegg.com Customer Service Team
    ONCE YOU KNOW, YOU NEWEGG. ®
    Policy and Agreement | Privacy Policy | Confidentiality Notice
    Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.


Screenshot: https://lh3.ggpht.com/-Si0jHOHqviw/UZZqyHxGvPI/AAAAAAAABOY/5HZq7dloGwE/s1600/newegg.png

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb .com/news/unpleasant-near_finally-events.php (report here*) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)
The domains and IPs indicate that this is part of the "Amerika" spam run.
..."
* http://urlquery.net/report.php?id=2504632

Also at: http://threattrack.tumblr.com/post/50671403152/malicious-newegg-order-spam
May 17, 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4122a83db45982e54ded798906a63447/tumblr_inline_mmyl9yAwpg1qz4rgp.png
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Order Quotation Attachment E-mail Messages - 2013 May 17
Fake Product Order E-mail Messages - 2013 May 17
Fake Purchase Order E-mail Messages - 2013 May 17
Fake Account Compromise Notification E-mail Messages - 2013 May 17
Fake Scanned Document Attachment E-mail Messages - 2013 May 17
Fake Social Media User Notification E-mail Messages - 2013 May 17
Fake Facebook Security Software E-mail Messages - 2013 May 17
Fake Incoming Fax Message E-mail Messages - 2013 May 17
Fake Document Sharing E-mail Messages - 2013 May 17
Fake Italian Shared Document E-mail Messages - 2013 May 17
Fake Invoice Statement Attachment E-mail Messages - 2013 May 17
Fake Money Transfer Notification E-mail Messages - 2013 May 17
Fake Xerox Scan Attachment E-mail Messages - 2013 May 17
(More detail and links at the cisco URL above.)


Powered by SMF 1.1.18 | SMF © 2013, Simple Machines