News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
October 30, 2014, 10:13:46
 1 
 on: Today at 02:07:22 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Securitas SPAM – PDF malware
- http://myonlinesecurity.co.uk/securitas-mail-report-attached-fake-pdf-malware/
30 Oct 2014 - "'From Securitas Mail Out Report Attached' pretending to come from Alert ARC Reports is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

   From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .uk.com


30 October 2014: Q100982010_Mail Out Report.zip: Extracts to: Q100771292_Mail Out Report.exe
Current Virus total detections: 1/54*. This 'From Securitas Mail Out Report Attached' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/835a6a272b252576247a6f51bd1fc6e4ac972284435759baa8fd4f926c25bd97/analysis/1414659759/
___

Fake 'Accounts Payable' SPAM - malware .doc attachment
- http://myonlinesecurity.co.uk/reminder-word-doc-malware/
30 Oct 2014 - "An email with a Microsoft word doc attachment saying 'Please see attached statement sent to us' pretending to come from  random names with a subject of 'Further Reminder' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The name of the alleged sender matches the name of the 'Senior Accounts Payable Clerk from the Finance Department' in the body of the email... word macro malware*... The email looks like:
   Good afternoon,
     Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
    Thanking you in advance.
    Many Thanks & Kind Regards
    Vivian Dennis
    Senior Accounts Payable Clerk
    Finance Department ..


30 October 2014 : CopyHA779333.doc - Current Virus total detections: 0/53**. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/

**  https://www.virustotal.com/en/file/949d05c3e51abcee43c74c5309a61b18ffa1cf17cb0be06bdab1a4e52cadb8f5/analysis/1414671500/
___

Fake Job offer SPAM - malware
- http://myonlinesecurity.co.uk/job-service-new-offer-job-malware/
30 Oct 2014 - "'Job service New offer Job' pretending to come from Job service is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/new-offer-job.png

30 October 2014: job.pdf.zip: Extracts to: job.pdf.exe
Current Virus total detections: 3/53*. Same malware as today’s version of my new photo malware**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2723a595350cb632eac5f98a794265105e49e1be181a50437184482b32075b94/analysis/1414662840/

** http://myonlinesecurity.co.uk/new-photo-malware/
___

Malicious Browser Extensions
- http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-into-malicious-browser-extensions/
Oct 29, 2014 - "Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil. We have previously reported that cybercriminals are putting malicious browsers in the official Chrome Web store. We also came across malware that -bypasses- a Google security feature that checks third-party extensions... we performed an in-depth analysis of a malicious Chrome browser extension and its evasion tactics, after receiving samples in from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe... Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.
Top affected countries:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/FB-extension-infection.jpg
... We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall* to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat. Below is the SHA1 hash of the malicious file:
    4733c4ea00137497daad6d2eca7aea0aaa990b46 "
* http://housecall.trendmicro.com/
___

Popular Science site compromised
- http://community.websense.com/blogs/securitylabs/archive/2014/10/28/official-website-of-popular-science-is-compromised.aspx
28 Oct 2014 - "... injected with a malicious code that -redirects- users to websites serving exploit code, which subsequently drops malicious files on each victim's computer... injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit..."


 2 
 on: Today at 00:45:25 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure
- https://technet.microsoft.com/en-us/library/security/3009008
V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information see Knowledge Base Article 3009008*.
* https://support.microsoft.com/kb/3009008#FixItForMe
Last Review: Oct 29, 2014 - Rev: 2.3
Disable SSL 3.0 in Internet Explorer - Microsoft Fix it 51024


 3 
 on: Today at 00:01:54 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

313 New domains added
- http://www.malwaredomains.com/?p=3683
October 28th, 2014 - "Added 313 domains from mwsl.org.cn, spamhaus.org and others..."


 4 
 on: October 29, 2014, 11:19:28  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

29 charged in Chicago with 'cracking cards' bank fraud
- http://www.reuters.com/article/2014/10/29/usa-chicago-bankfraud-idUSL1N0SO1VR20141029
Oct 29, 2014 - "Twenty-nine people in the Chicago area face state or federal charges for involvement with a bank fraud scheme known as 'cracking cards', which found participants through rap music and social media, prosecutors said on Wednesday. The multimillion-dollar scheme, which started on Chicago's South Side about three years ago, involved recruiting bank customers to give up their debit cards and PIN numbers with the promise of making fast cash, the U.S. Attorney's Office in Chicago said. Bank customers were recruited at parties, schools, on the street or through social media such as Instagram and Facebook, prosecutors said. The scheme, which has been seen in other areas of the country, is also known as 'card popping'. After the defendants got the cards and information, they made or bought counterfeit checks to deposit into the accounts, waited for the amount to be credited, and then withdrew money. Four defendants called themselves the "R.A.C.K. Boyz" or "Rack Boyz." They have Facebook and Twitter accounts and posted videos on YouTube, including a rap video called "For the Money," which refers to "cracking cards" and shows large amounts of cash, prosecutors said... One defendant, Matthew Mosley, 26, of Chicago, made counterfeit checks that he used and sold to others, prosecutors said. He was one of 16 people charged in Chicago with federal bank fraud for causing more than $1.7 million in bank losses. Ten of the defendants are still at large. Citibank, U.S. Bancorp, JP Morgan Chase & Co , Bank of America Corp and others were identified as victims of the scheme. Persons whose bank cards were used may also be victims if the bank made them pay the money back, or if they were promised money they didn't get..."
___

Two Charged in $5.8M reloadable Debit Card Extortion Scam
- http://www.justice.gov/usao/nj/Press/files/Patel,%20Alpeshkumar%20and%20Patel,%20Vijakkumar%20Arrests%20News%20Release.html
Oct 28, 2014 NEWARK, N.J. – "Two Philadelphia men were arrested this morning for allegedly conspiring to extort victims to load prepaid debit cards with funds that were stolen as part of the scheme, U.S. Attorney Paul J. Fishman announced. Special agents of the FBI and U.S. Immigration and Customs Enforcement, Homeland Security Investigations (HSI) arrested Alpeshkumar Patel, 30, and Vijaykumar Patel, 39, of Philadelphia at Vijaykumar Patel’s home on a complaint charging them with conspiracy to commit wire fraud. The pair, who are not related, are expected to appear this afternoon before U.S. Magistrate Judge Mark Falk in Newark federal court.
According to the complaint unsealed today:
From September 2013 through March 2014, Alpeshkumar Patel and Vijaykumar Patel were part of a conspiracy to steal money using reloadable debit cards. First, the conspirators would purchase reloadable Green Dot Cards, and register them in names other than their own. The conspirators – some of whom were located in India – contacted victims by phone and used threats or deceit to induce them to put money on MoneyPak cards, which are used along with assigned PIN codes to add funds to Green Dot Cards. The conspirators then used the reloadable cards to purchase money orders that were deposited into bank accounts. All of the steps were taken quickly so law enforcement and victims could not identify the conspirators or prevent or reverse the fraudulent transfers. As one example, a retail store located in New Jersey received a telephone call from an unknown caller on Sept. 10, 2013. The caller said there was a bomb in the store and the store manager had five minutes to comply with the caller’s demands or the bomb would detonate. The caller then demanded the manager load 10 $500 MoneyPak cards and provide the caller with the associated PIN codes.  The manager had provided the code for one card before law enforcement arrived at the store, instructed the manager to hang up the phone, and evacuated the building.
The $500 associated with that code was transferred to an existing prepaid reloadable Green Dot Card. Surveillance video showed Alpeshkumar Patel in the Philadelphia CVS where the Green Dot Card was bought. That card was then used by Vijaykumar Patel, who was caught on video purchasing two money orders in a Philadelphia Wal Mart. The money orders, in turn, were used to deposit funds into a bank account.

Phone numbers and IP addresses associated with the Sept. 10, 2013, call and other calls tied to the conspiracy were tied to approximately 2,500 Green Dot Cards that were funded in excess of $5.8 million..."


 5 
 on: October 29, 2014, 04:32:55  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'Order confirmation' from Amazon SPAM - trojan
- http://blog.mxlab.eu/2014/10/28/fake-order-confirmation-order-details-from-amazon-contains-trojan/
Oct 28, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Order Details”. This email is sent from the spoofed address “Amazon .co.uk ” and has the following body:

   Good evening,
    Thank you for your order. We'll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon .co.uk.
    Order Details
    Order R:131216 Placed on October 09, 2014
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon...


The 532 kB malicious file is not present in a ZIP file but attached directly and has the name order_report_72364872364872364872364872368.exe (numbers may vary). The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto. At the time of writing, 3 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/17de4b7fab716f6c87b5d3c941ecb5f5b01d5e4980cff71c88451acc90b22bb0/analysis/1414490630/

- http://myonlinesecurity.co.uk/amazon-com-alert-order-details-malware/
29 Oct 2014
- https://www.virustotal.com/en/file/6fb9d2d2de05751a90e70a2973a51a1cf38939075c6849b650b5f00b07183532/analysis/1414584579/
___

Phish - spoofed Google Drive
- http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-improve-scheme-with-spoofed-google-drive-site/
Oct 29, 2014 - "Cybercriminals and attackers are leveraging Google Drive site and brand to go under the radar and avoid detection. Just last week, a targeted attack* uses Google Drive as a means into getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses**.
Fake Google Drive Site: Users may receive an email that contains links that lead to the spoofed Google Drive site.
Spammed message containing links to fake site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive1.jpg
The phishing site allows users to log in using different email services, which is highly unusual as Google Drive only uses Google credentials. The site also has a language option that does not work.
Fake Google Drive site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive2.jpg
To trick the user into thinking nothing suspicious is afoot, the phishing site -redirects- the user to a .PDF file from a -legitimate- site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.
After logging in, users are redirected to a legitimate site:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/fakegdrive3.jpg
... Mobile Users, Also Affected: Based on our investigation, this attack will also work on mobile devices. When users clicked the “Sign in” button, the PDF file download is prompted and the users’ credentials are sent out to the cybercriminals.
Screenshot of PDF prompt download in mobile devices:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/google_drive_fig8.jpg
... Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar. Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check if the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <sitename .com> versus <sitename .org>). They should also check the security of the site before sharing any information... We have notified Google about this phishing page."

* http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attacks-stealing-information-through-google-drive/
   
** http://blog.trendmicro.com/trendlabs-security-intelligence/phishers-cast-wider-net-now-asking-for-multiple-emails/
___

Fake ticketmaster SPAM – PDF malware
- http://myonlinesecurity.co.uk/ticketmaster-tickets-sent-fake-pdf-malware/
29 Oct 2014 - "'ticketmaster tickets have been sent' pretending to come from confirmation-noreply@ ticketmaster .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
 
    Thank you for choosing Ticketmaster.
    This email is to confirm ticket(s) have been purchased and attached:
    Your Delivery Option is: printed
    Your Transaction number is: 869064,00410 ...


29 October 2014: tikets224069_order_type_print_order_details.pdf.zip:
Extracts to:  tikets109873_order_type_print_order_details.pdf.exe
Current Virus total detections: 7/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/203daa7fed582e06c8fd7bb770e1f8104c625261e0a03e44ab8ab7296bd4ffac/analysis/1414593309/
___

'Virtual Assistant' - PUP download site
- https://blog.malwarebytes.org/online-security/2014/10/pup-download-site-makes-use-of-virtual-assistant/
Oct 29, 2014 - "... suddenly there’s a person talking at you from the bottom right hand corner of the screen about how you should buy product X or make use of service Y? We recently saw a page asking visitors to upgrade their media player, which Malwarebytes Anti-Malware detects as PUP.Optional.SaferInstall (VirusTotal 12/53*). It looks a lot like many similar download sites out there [1], [2], with one curious addition standing over on the right hand side:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual1.jpg
A virtual assistant! She isn’t very interactive, instead launching into a recorded voiceover after a minute or so of the visitor doing nothing on the webpage. She says:
Please upgrade your media player for faster hd playback.
It only takes a minute on broadband and theres no restart required
Just click this button and follow the easy steps onscreen.

> https://blog.malwarebytes.org/wp-content/uploads/2014/10/virtual2.jpg
... I haven’t seen a virtual assistant / automated online assistant / video spokesperson / video web presenter / whatever they’re called this week used to promote a PUP (Potentially Unwanted Program) download before... Who knows what.. advertising will offer up next..."
* https://www.virustotal.com/en/file/cf192f2c0c433b10ef963f199ae759264749c72a100d4b5907d555ec748cf519/analysis/1414085568/
... Behavioural information
TCP connections
66.77.96.162: https://www.virustotal.com/en/ip-address/66.77.96.162/information/
87.248.208.11: https://www.virustotal.com/en/ip-address/87.248.208.11/information/
90.84.55.33: https://www.virustotal.com/en/ip-address/90.84.55.33/information/
63.245.201.112: https://www.virustotal.com/en/ip-address/63.245.201.112/information/

1] http://blog.malwarebytes.org/wp-content/uploads/2014/01/asosvouchers5.jpg

2] http://blog.malwarebytes.org/wp-content/uploads/2013/12/obamapads4.jpg
___

Hacks use Gmail Drafts to update their Malware and Steal Data
- http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/
10.29.14 - "... Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network that uses that new, furtive form of “command and control” — the communications channel that connects hackers to their malicious software — allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect. “What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer — IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer. With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden. 
Williamson says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data* in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still..."
* https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript
___

Dangers of opening suspicious emails: Crowti ransomware
- http://blogs.technet.com/b/mmpc/archive/2014/10/28/the-dangers-of-opening-suspicious-emails-crowti-ransomware.aspx
28 Oct 2014 - "... MMPC has seen a spike in number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. Crowti impacts -both- enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis... We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first -before- clicking on a link or opening the attachment... The graph below shows how Crowti ransomware has impacted our customers during the past month.
Daily encounter data for Win32/Crowti ransomware:
> http://www.microsoft.com/security/portal/blog-images/a/crowti1.png
Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia.
Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014:
> http://www.microsoft.com/security/portal/blog-images/a/crowti2.png
Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:
    VOICE<random numbers>.scr
    IncomingFax<random numbers>.exe
    fax<random numbers>.scr/exe
    fax-id<random numbers>.exe/scr
    info_<random numbers>.pdf.exe
    document-<random numbers>.scr/exe
    Complaint_IRS_id-<random numbers>.scr/exe
    Invoice<random numbers>.scr/exe
The attachment is usually contained within a zip archive. Opening and running this file will launch the malware... Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities... Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall... we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend... This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before - we have previously seen it using a certificate issued to The Nielsen Company... There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a -habit- of regularly updating your software can help reduce the risk of infection... we also recommend running a real-time security product..."

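Several of the lures quoted in the posts above come down to two things a recipient, or a mail gateway, can check mechanically: an attachment whose real extension is .exe or .scr behind a document-looking name (the "spoofed icon" .pdf.exe files, the Crowti attachment names listed in the MMPC post) and a link whose host only resembles the brand's domain (the spoofed Google Drive page, where the advice is to look for "different domain names"). The following is an added example in Python, not code from the posts or from the blogs they quote. The sample attachment names and URLs are constructed, the expected brand domains are assumptions for the example, and the regular expression generalises the Crowti name shapes listed above (lure word, digits, executable extension) rather than reproducing any one of them.

```python
"""Triage helpers for lure e-mails of the kinds quoted in these posts.

Added example, not code from the posts or the blogs they quote. Two checks:
  1. attachment names that mimic documents but are really executables,
     including what Windows would display with known extensions hidden; and
  2. links whose host is not the brand's real domain, compared on label
     boundaries so that "drive.google.com.evil.example" is not mistaken
     for Google.
All sample inputs below are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Extensions Windows runs directly when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Archive wrappers: the outer name says nothing about the inner file.
ARCHIVE_EXTS = {"zip", "rar", "7z"}

# Generalisation of the Crowti attachment names quoted from the MMPC post:
# a lure word, a run of digits, optionally ".pdf", then .scr or .exe.
CROWTI_NAME_RE = re.compile(
    r"^(voice|incomingfax|fax(-id)?|info_|document-|complaint_irs_id-|invoice)"
    r"\d+(\.pdf)?\.(scr|exe)$",
    re.IGNORECASE,
)


def shown_name_when_extensions_hidden(name: str) -> str:
    """What Explorer displays for this file when 'hide extensions for known
    file types' is on: the final known extension is simply not shown, so
    'job.pdf.exe' appears as 'job.pdf' with whatever icon the binary carries."""
    base, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS | ARCHIVE_EXTS:
        return base
    return name


def attachment_verdict(name: str) -> str:
    """Classify an attachment name; most specific verdict wins."""
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "unknown"
    ext = parts[-1]
    if ext in ARCHIVE_EXTS:
        # Inner file name is unknown from the outside; list the archive.
        return "archive"
    if CROWTI_NAME_RE.match(name):
        return "known-lure-pattern"
    if ext in EXECUTABLE_EXTS:
        if parts[-2] in DOCUMENT_EXTS:
            return "executable-disguised-as-document"
        return "executable"
    if ext in DOCUMENT_EXTS:
        return "document"
    return "unknown"


def host_matches_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it. Matching must
    stop at label boundaries: 'evilgoogle.com' and 'google.com.evil.example'
    both end with 'google.com' as a string but are not Google."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def link_verdict(url: str, expected_domain: str) -> str:
    """Compare a link's host with the domain the e-mail claims to be from."""
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        return "no-host"
    if parsed.scheme not in ("http", "https"):
        return "unexpected-scheme"
    if host_matches_domain(host, expected_domain):
        return "ok"
    # Brand name embedded in a foreign host is the usual lookalike trick.
    brand = expected_domain.split(".")[0]
    if brand in host.lower():
        return "lookalike"
    return "foreign-domain"


def triage(links, attachments, expected_domain):
    """Return (kind, value, verdict) tuples for everything worth a second look."""
    findings = []
    for url in links:
        verdict = link_verdict(url, expected_domain)
        if verdict != "ok":
            findings.append(("link", url, verdict))
    for name in attachments:
        verdict = attachment_verdict(name)
        if verdict in ("executable-disguised-as-document", "executable",
                       "known-lure-pattern", "archive"):
            findings.append(("attachment", name, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the ticket-confirmation lure above.
    sample_links = ["https://www.ticketmaster.co.uk/help",
                    "http://ticketmaster.co.uk.tickets-confirm.example/order"]
    sample_attachments = ["tikets224069_order_type_print_order_details.pdf.zip"]
    for finding in triage(sample_links, sample_attachments, "ticketmaster.co.uk"):
        print(finding)
    inner = "tikets109873_order_type_print_order_details.pdf.exe"
    print(inner, "->", attachment_verdict(inner),
          "| shown as:", shown_name_when_extensions_hidden(inner))
```

The archive verdict is deliberately conservative: a name like job.pdf.zip tells you nothing about the file inside, so the only honest answer at the gateway is to list the archive and run `attachment_verdict` on each inner name, which is where the .pdf.exe shape shows up. The host comparison uses `urlparse().hostname` rather than string searching on the whole URL so that a brand name placed in the path or query string cannot produce a false "ok".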

 6 
 on: October 29, 2014, 03:41:52  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Adblock Plus 1.8.7 for Chrome and Opera released
- https://adblockplus.org/releases/adblock-plus-187-for-chrome-and-opera-released
2014-10-28
Install/update links at the URL above.


 7 
 on: October 28, 2014, 17:40:20  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 33.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/33.0.2/releasenotes/
Oct 28, 2014
Fixed: 33.0.2: Fix a startup crash with some combination of hardware and drivers


 8 
 on: October 28, 2014, 07:19:01  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Invoice SPAM - Word doc malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-number-224244-power-ec-ltd-word-doc-malware/
28 Oct 2014 - "An email saying 'Please find attached INVOICE number 224244 from Power EC Ltd' pretending to come from soo.sutton[random number]@ powercentre .com with a subject of 'INVOICE [random number] from Power EC Ltd' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please find attached INVOICE number 224244 from Power EC Ltd

28 October 2014 : INVOICE263795.doc - Current Virus total detections: 3/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... macro malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414506485/

** http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/

- http://blog.dynamoo.com/2014/10/invoice-101760-from-power-ec-ltd-spam.html
28 Oct 2014
> https://www.virustotal.com/en/file/472f0f4a671a76b4f5773b3f64033bf5bf8933134786797525d2c6590cdf3398/analysis/1414519923/
Recommended blocklist:
62.75.184.70: https://www.virustotal.com/en/ip-address/62.75.184.70/information/
116.48.157.176: https://www.virustotal.com/en/ip-address/116.48.157.176/information/
___

Fake 'Ebola Alert Tool' ...
- https://blog.malwarebytes.org/online-security/2014/10/new-online-ebola-alert-tool-is-anything-but/
Oct 27, 2014 - "... More news of infection outside Africa such as this could further fuel the ever-increasing fear and anxiety for one’s own life and well-being, especially in terms of how one interacts with the outside world. People are trying to be more careful in their dealings than usual, always wanting to be on the know about the latest happenings. This is why web threats banking on perennial hot topics like Ebola could be effective lures against users, especially in the long run... Upon initial visit to the page, users are presented with the following prompt at the top-middle part of the screen:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/ebola-with-prompts-1024x341.jpg
Below is a screenshot of the downloaded file with an overview of its details:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/ebolafile.png
EbolaEarlyWarningSystem.exe has a low detection rate as of this writing—four vendors detect it out of 53*... Upon execution, it displays a user interface prompting users to install the ONLY Search toolbar with links to its EULA and Privacy Policy pages. Once users click the “Agree” button, they are again presented with other offers to download, such as a program called Block-n-Surf (a supposed tool used to protect children from adult-related content), System Optimizer Pro (a tool that purportedly optimizes the user’s system), oneSOFTperday (a tool that gives users access to free apps), and a remote access tool among others:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/install5.png?w=564
Once programs are installed, the following have been observed from affected systems: All browser default search pages are changed to ONLY Search:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/onlysearch.png
Once users open a new browser tab, affiliate sites are loaded up (e.g. a site offering insurance):
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/insurance-affiliate.png
Browser windows open to prompt user to install more programs:
> http://blog.malwarebytes.org/wp-content/uploads/2014/10/pckeeper.png
System Optimizer Pro executes:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/sysoppro-autoexec.png?w=555
- Affected machine slows down
- Shortcut files are created on the desktop
During testing, we haven’t seen any installation of the Ebola Early Warning System toolbar or evidence of warning alerts. We implore users not to be easily swayed with software solutions banking on the Ebola scare. They may be more about enticing internet users into downloading programs that may potentially do harm on their systems, instead of helping them be aware of the current situation**..."
* https://www.virustotal.com/en/file/4c7647ff605a9880f875010b5a09e7f1435b002ad4635dff6c4d14f218eb7dd7/analysis/1414142257/

** http://www.cdc.gov/vhf/ebola/

 Evil or Very Mad  Sad

 9 
 on: October 27, 2014, 16:02:09  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Another Big Update: 502 Domains
- http://www.malwaredomains.com/?p=3677
October 26th, 2014 - "Added 502 domains from pwnedlist, nictasoft.com, virustotal.com and others..."

 Exclamation

 10 
 on: October 27, 2014, 03:48:49  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake KLM e-Ticket SPAM – PDF malware
- http://myonlinesecurity.co.uk/klm-e-ticket-fake-pdf-malware/
27 Oct 2014 - "'KLM e-Ticket' pretending to come from e-service@ klm .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/klm_air_ticket.png

27 October 2014: e-Ticket_klm_Itinerary _pdf.zip: Extracts to:  e-Ticket_klm_Itinerary _pdf.exe
Current Virus total detections: 2/53*. This 'KLM e-Ticket' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0a28086129c3e01e37868532f79cd72acb21d88443fb0a377b3b8a3c184ad88/analysis/1414404573/
___

Phish... linked with “Dyre” Banking Malware
- https://www.us-cert.gov/ncas/alerts/TA14-300A
Oct 27, 2014 - "Systems Affected: Microsoft Windows. Overview:
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payloads... Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware... The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors... Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in -unpatched- versions of Adobe Reader... After successful exploitation, a user's system will download Dyre banking malware..."
___

Fake 'invoice xxxxxx October' SPAM - malicious Word doc
- http://blog.dynamoo.com/2014/10/randomly-generated-invoice-xxxxxx.html
27 Oct 2014 - "There have been a lot of these today:
   From:     Sandra Lynch
    Date:     27 October 2014 12:29
    Subject:     invoice 0544422 October
    Please find attached your October invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 0544422 Account No 5600544422.
    Thanks very much
    Kind Regards
    Sandra Lynch


The numbers in the email are randomly generated, as is the filename of the attachment (in this example it was invoice_0544422.doc). The document itself is malicious and has a VirusTotal detection rate of 5/53*. Inside the Word document is a macro that attempts to download and execute a malicious binary from http ://centrumvooryoga .nl/docs/bin.exe which is currently 404ing, which is a good sign. There's a fair chance that the spammers will use this format again, so always be cautious of unsolicited email attachments."
* https://www.virustotal.com/en/file/7dcc2db732fc3c3c8bfbee2539644c8fbc19648d6b82c2fd35bc3a513cd059e6/analysis/1414436717/

83.96.174.219: https://www.virustotal.com/en/ip-address/83.96.174.219/information/
___

FTC gets courts to shut down tech support scammers
- http://www.theinquirer.net/inquirer/news/2377916/us-ftc-gets-courts-to-shut-down-tech-support-scammers
Oct 27 2014 - "... the company, which called itself PairSys, would call people at home and claim to be from Microsoft or Facebook. This is a common scam, and the caller will often claim that the victim has a PC-based problem. In some cases people fall for this. It is estimated that PairSys made $2.5m from the scam and that it employed online adverts as well as phone calls as lures. "The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security' software and programs that had no value at all," said Jessica Rich, director of the FTC's Bureau of Consumer Protection... The defendants in the case, Pairsys, Uttam Saha and Tiya Bhattacharya, have agreed to the terms of a preliminary injunction, which includes an instruction to shut down their websites and telephone lines and not to sell on their customer data lists."
* http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-down-new-york-based-tech-support-scam

> http://www.consumer.ftc.gov/blog

 Evil or Very Mad  Sad
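A defender-side check for the "spoofed icon" trick the posts above describe (an executable named like a PDF or invoice inside a zipped attachment), written as an added example that is not from any of the quoted sources. It opens an attachment archive in memory and flags members whose executable extension hides behind a document-like name, members whose first bytes are a PE header despite a document extension, and legacy Office documents that warrant a macro check; the sample archive and its contents are constructed here and nothing in it is executed.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Extensions Windows runs directly; with "show known file extensions" off,
# "Itinerary _pdf.exe" is displayed as "Itinerary _pdf" with a PDF icon.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Legacy Office formats that can carry VBA macros (cf. the invoice .doc lure).
OFFICE_EXTS = {".doc", ".xls", ".docm", ".xlsm"}
# Lure words seen in the campaigns above (constructed list, extend as needed).
DOC_HINTS = re.compile(r"pdf|doc|invoice|report|ticket|itinerary|statement", re.I)
PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for archive members that look like
    executables dressed up as documents. Only header bytes are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""
            stem = lower[: len(lower) - len(ext)]
            with zf.open(info) as fh:
                head = fh.read(4)
            if ext in EXECUTABLE_EXTS and DOC_HINTS.search(stem):
                findings.append((name, f"executable extension {ext} behind a document-like name"))
            elif head[:2] == PE_MAGIC:
                findings.append((name, f"PE header (MZ) but extension {ext or '(none)'}"))
            elif ext in OFFICE_EXTS:
                findings.append((name, "legacy Office document; inspect for macros before opening"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not real malware): names mirror the lures above,
    contents are harmless header bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("e-Ticket_klm_Itinerary _pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Mail Out Report.pdf", b"MZ" + b"\x00" * 62)  # MZ hidden behind .pdf
        zf.writestr("invoice_0544422.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # OLE header
        zf.writestr("genuine.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_archive()):
        print(f"{member!r}: {reason}")
```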
