News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
May 21, 2013, 03:30:21
1 - on: May 20, 2013, 16:15:21
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

147 pushdo, malvertising, malicious, iframe domains added
- http://www.malwaredomains.com/?p=3222
May 19th, 2013 - "Added 147 domains associated with malicious javascript, iframes, pushdo, etc. Sources include safebrowsing.clients.google.com, sucuri.net, secureworks.com..."


2 - on: May 20, 2013, 03:33:00
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Something evil on 50.116.28.24
- http://blog.dynamoo.com/2013/05/something-evil-on-501162824.html
19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
(More detail at the dynamoo URL above.)

* http://www.f-secure.com/weblog/archives/00002554.html

** http://forums.macrumors.com/showthread.php?t=1583233
___

Wells Fargo Credentials Phish
- http://threattrack.tumblr.com/post/50913877787/wells-fargo-credentials-phish
20 May 2013 - "Subjects Seen:
   Account Update
Typical e-mail details:
   In order to safeguard your account, we require that you confirm your details.
    To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
    To get started, visit the link below:
    Wells Fargo Online Confirmation


Malicious URLs
    update.id5027-wellsfargo .com/index.php?id=586616


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/b0d8988c075155635a6682da8f92e4a0/tumblr_inline_mn3umbkVzo1qz4rgp.png
___

Malicious Invoice Attachment Spam
- http://threattrack.tumblr.com/post/50914381181/malicious-invoice-attachment-spam
20 May 2013 - "Subjects Seen:
   invoice copy
Typical e-mail details:
   Kindly open to see export License and payment invoice attached,
    meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if
    there is any problem.
    Thanks
    Karen parker


Spam contains malicious attachment.

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/cbdf76f6219dbb3755e51a541a68aad0/tumblr_inline_mn3v14O1qo1qz4rgp.png
___

Chase Bank Credentials Phish
- http://threattrack.tumblr.com/post/50929274377/chase-bank-credentials-phish
20 May 2013 - "Subjects Seen:
   Billing Code:[removed]
Typical e-mail details:
   During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
    This might be due to either of the following reasons:
    1. A recent change in your personal information ( i.e. change of address).
    2. Submitting invalid information during the initial sign up process.
    3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
    Click on the guide-link below and follow the directions or please call our Online Helpdesk.
    Regards,
    Chase Online
    Billing Department
    Thanks for your co-operation.


Malicious URLs
    goodnickfitness .com.au/hnav.html
    diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/04079d40aed3b5bc8b4adb60986fe381/tumblr_inline_mn45ob1itt1qz4rgp.png
___

Blackhole Spam Run evades detection using Punycode
- http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-spam-run-evades-detection-using-punycode/
May 20, 2013 - "... we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/BHEK-walmart.jpg
... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see their original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are led to the site hosting malware (detected as TROJ_PIDIEF.SMXY), which exploits a vulnerability in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
* http://www.ietf.org/rfc/rfc3492.txt

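The Trend Micro item above describes punycode only in words. The following is an added example (written for this thread, not code from Trend Micro or from the forum) showing the two things a mail or proxy filter needs to do with such links: decode an xn-- hostname back to the Unicode form the user would see, and flag labels that mix scripts, which is the homograph pattern the post warns about. It uses only Python's built-in idna codec (RFC 3492 punycode plus nameprep) and unicodedata; the sample hostnames are constructed here and are not the domains from the spam run.

```python
import unicodedata


def encode_idna(host: str) -> str:
    """Unicode hostname -> ASCII-compatible form (xn-- labels, RFC 3492)."""
    return host.encode("idna").decode("ascii")


def decode_idna(host: str) -> str:
    """ASCII/punycode hostname -> Unicode form, i.e. what a user sees in the URL bar."""
    return host.encode("ascii").decode("idna")


def letter_scripts(label: str) -> set:
    """Script names of the letters in one label, taken from the Unicode character names
    ('LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def classify(host: str) -> dict:
    """Decode a hostname and report the scripts it uses. A single label that mixes
    scripts (e.g. a Cyrillic 'a' inside an otherwise Latin name) is flagged as a
    likely homograph; an all-Cyrillic IDN is not, since that is ordinary IDN use."""
    decoded = decode_idna(host)
    per_label = [letter_scripts(lbl) for lbl in decoded.split(".")]
    return {
        "ascii": host,
        "unicode": decoded,
        "is_punycode": any(lbl.lower().startswith("xn--") for lbl in host.split(".")),
        "scripts": set().union(*per_label),
        "mixed_script": any(len(s) > 1 for s in per_label),
    }


# Constructed sample hostnames (assumed for this example, not from the spam run).
SAMPLE_HOSTS = [
    "example.com",                   # plain ASCII, nothing to decode
    encode_idna("почта.рф"),         # all-Cyrillic IDN: legitimate punycode use
    encode_idna("\u0430pple.com"),   # Latin 'pple' with a Cyrillic 'a': homograph
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = classify(h)
        flag = "HOMOGRAPH?" if r["mixed_script"] else ""
        print(f"{r['ascii']:<26} -> {r['unicode']:<14} scripts={sorted(r['scripts'])} {flag}")
```

The decode step is the important one for blocklists: a filter that compares the raw xn-- form against a list of Unicode names (or the other way round) will never match, so normalise to one form before matching. The mixed-script check is a heuristic, not proof; a per-label rule of this kind is what browsers use to decide whether to display the Unicode form at all.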

3 - on: May 20, 2013, 03:12:17
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Pushdo: Latest Variant ...
- http://www.secureworks.com/assets/pdf-store/other/mv20.pdf
05/15/13 - "... The Pushdo botnet is a “downloader” (or loader) primarily used to download and install the Cutwail spam bot. Pushdo is also aware of the IP address and geographical location of its victims. This allows the botmasters to target specific countries/areas for infections. The malware is also known to keep track of anti-virus products and firewall processes running on the system, which can be reported back to the C&C... The author of Pushdo made the botnet more robust by adding a DGA component* as the backup C&C method. This DGA attempts to contact 1,380 domains per day. The adoption of a DGA-based backup mechanism allows the botmaster to be more resilient against take down efforts. The backup mechanism trivially defeats detection methods based on sandboxing and signatures. Within the last two years Damballa Labs noted that Zeus, TDSS/TDL and now Pushdo are all employing DGAs in some aspects of their communications. Furthermore, the inclusion of RSA cryptography ensures that defenders will not be able to use the domains created by the DGA to take control of the botnet (e.g., by pushing a removal tool). Pushdo also utilizes a fake traffic generator to hide both its own C&C traffic and Cutwail’s C&C traffic. The actual malware payload from Pushdo’s C&C is encrypted and hidden within a fake JPEG image file embedded in HTML scraped from legitimate websites. The noisy traffic generator combined with the real C&C server using a fake image file for payloads shows the Pushdo botnet controller’s commitment to make identification of the real C&C servers more difficult."
* Domain name generation algorithm (DGA)

- http://www.theregister.co.uk/2013/05/17/pushdo_extra_stealth/
17 May 2013 - "... Pushdo has been used to distribute other malware such as ZeuS and SpyEye, as well as conduct spam/phishing campaigns with its Cutwail module. Despite four takedowns in five years of Pushdo command-and-control servers, the botnet (believed to be run by a single Eastern European hacker group) endures. The malware is responsible for between 175,000 and 500,000 active bots on any given day. The botnet is typically used to deliver malicious emails with links to websites that foist banking Trojans upon unsuspecting victims. Sometimes, the messages are made to look like credit card statements or they contain an attachment disguised as an order confirmation..."

- https://atlas.arbor.net/briefs/index#313945818
Elevated Severity
May 16, 2013
PushDo, a long-lived malware family that is most known for distributing the Cutwail spambot, has evolved. Network defenders should be aware of the changes.
Analysis: Some of the most serious uses of the Cutwail spambot involve the distribution of spam e-mail that helps spread the Zeus banking malware. Since Cutwail and PushDo are so closely related, anyone detecting either should look deeper in order to gain the full incident response picture. Various types of obfuscation and encryption are nothing new for malware - even older malware using such tactics still flies beneath the radar of most - and we see a good example of such tactics in the PushDo evolution...

- https://www.trustwave.com/support/labs/spam_statistics.asp
Statistics for Week ending May 12, 2013

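The SecureWorks write-up above says the DGA fallback "trivially defeats" sandbox and signature detection, but the behaviour itself is visible on the network: a bot walking through hundreds of generated names produces a burst of NXDOMAIN answers for many distinct, random-looking names from one client, which ordinary hosts do not. The following is an added example (not from SecureWorks, Damballa or the forum post) of that resolver-log heuristic. The log format, the client addresses and the domain names are all constructed for the example; Pushdo's actual generation algorithm is not on the page and is not reproduced here.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines. Assumed format: "<ISO timestamp> <client IP> <qname> <rcode>".
# 10.0.0.5 is a normal host (one typo); 10.0.0.9 shows the DGA-style burst.
SAMPLE_LOG = """\
2013-05-15T10:00:01 10.0.0.5 www.example.com NOERROR
2013-05-15T10:00:02 10.0.0.5 wwww.example.com NXDOMAIN
2013-05-15T10:00:03 10.0.0.9 qzkxwmplrtv.net NXDOMAIN
2013-05-15T10:00:05 10.0.0.9 bhtrqlvmxza.com NXDOMAIN
2013-05-15T10:00:06 10.0.0.9 wplgnvtkdsq.net NXDOMAIN
2013-05-15T10:00:08 10.0.0.9 mxcvbqtrzpn.org NXDOMAIN
2013-05-15T10:00:11 10.0.0.9 kjhtrmzqvwl.com NXDOMAIN
2013-05-15T10:00:12 10.0.0.9 zrtplmkxqvb.net NXDOMAIN
2013-05-15T10:00:14 10.0.0.9 vnqtrxlpmzk.org NXDOMAIN
2013-05-15T10:00:15 10.0.0.9 lpqzmrtvxkn.com NXDOMAIN
2013-05-15T10:00:20 10.0.0.5 mail.example.com NOERROR
"""


def parse_line(line: str):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), rcode


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits/char) of the leftmost label; generated labels score high,
    typos of real names (wwww.example.com) score low."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def peak_unique_failures(events, window: timedelta) -> int:
    """Largest number of distinct failed names one client asked for inside any `window`.
    `events` is a list of (timestamp, qname); a sliding two-pointer scan over sorted times."""
    events.sort()
    peak, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        peak = max(peak, len({q for _, q in events[start:end + 1]}))
    return peak


def find_dga_suspects(lines, window=timedelta(minutes=10), threshold=5) -> dict:
    """Return {client: {'peak': n, 'mean_entropy': e}} for every client whose peak count of
    distinct NXDOMAIN names in one window reaches `threshold`. Thresholds are assumptions;
    tune them against your own resolver's baseline before alerting on them."""
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    suspects = {}
    for client, events in failures.items():
        peak = peak_unique_failures(events, window)
        if peak >= threshold:
            names = {q for _, q in events}
            suspects[client] = {
                "peak": peak,
                "mean_entropy": sum(label_entropy(q) for q in names) / len(names),
            }
    return suspects


if __name__ == "__main__":
    for client, info in find_dga_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {info['peak']} distinct NXDOMAIN names in one window, "
              f"mean label entropy {info['mean_entropy']:.2f} bits/char")
```

The count is the primary signal: the paper's figure of 1,380 attempted domains per day means a single infected host can generate more failed lookups in an hour than a whole office does in a week. Entropy is a secondary, noisier signal (CDN and tracking hostnames also look random), which is why it is reported alongside the count rather than used as the trigger.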

4 - on: May 18, 2013, 04:04:00
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Ransomware - Reveton.B...
- https://www.net-security.org/malware_news.php?id=2497
May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing the rounds. It is being delivered to the victims' computers via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
> https://www.net-security.org/images/articles/reveton-17052013.jpg
... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updated should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
* http://blogs.technet.com/b/mmpc/archive/2013/05/16/no-paysafecard-needed-your-passwords-will-pay-off.aspx


5 - on: May 17, 2013, 14:28:42
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Wireshark 1.8.7 released
- https://www.wireshark.org/download.html
May 17, 2013 - "The current stable release of Wireshark is 1.8.7. It supersedes all previous releases..."

Bug Fixes
- https://www.wireshark.org/docs/relnotes/wireshark-1.8.7.html#BugFixes

- https://www.wireshark.org/lists/wireshark-announce/201305/msg00000.html

Wireshark 1.6.15
- https://www.wireshark.org/lists/wireshark-announce/201305/msg00001.html

- https://secunia.com/advisories/53425/
Release Date: 2013-05-20
Criticality level: Moderately critical
Impact: DoS
Where: From remote
CVE Reference(s): CVE-2013-2486, CVE-2013-2487
Solution: Update to version 1.6.15 or 1.8.7.


6 - on: May 17, 2013, 11:53:43
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

RSA SecurID Agent discloses node Secret Encryption Key to Local Users
- http://www.securitytracker.com/id/1028573
CVE Reference: CVE-2013-0941
May 16 2013
Impact:  Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A local user can obtain the node secret key.
Solution: The vendor has issued the following fixes:
RSA Authentication Agent for Microsoft Windows 6.4.2 and 7.0
RSA SecurID Authentication Agent 5.3 for Web for Apache Web Server
RSA SecurID Authentication Agent 5.3 for Web for Internet Information Services
RSA SecurID Agent 6.0 for PAM ...

- http://www.emc.com/support/rsa/index.htm

- https://knowledge.rsasecurity.com


7 - on: May 17, 2013, 08:22:17
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

SutraTDS, iframe, malvertising, malspam domains
- http://www.malwaredomains.com/?p=3217
May 17th, 2013 - "Added -111- SutraTDS, iframe, malvertising, malspam domains from blog.dynamoo.com, urlquery.net, and some private sources..."


8 - on: May 17, 2013, 03:00:55
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

e-netprotections .su ?
- https://isc.sans.edu/diary.html?storyid=15818
Last Updated: 2013-05-17 - "Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well. Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats .cc, emstats .su, ehistats .su, e-protections .su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records ... until I only searched for "e-protections", and found e-protections .cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer... each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (VirusTotal*), but the heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far..."
Partial list of IPs involved:
64.85.161.67
85.25.132.55
173.224.210.244
178.63.172.88
188.95.48.152
199.68.199.178
91.227.220.104

* https://www.virustotal.com/en/file/b19818bb463075327c6be9fd8e913c0d4bf9dff503a991cbbc670cc673db9041/analysis/
File name: dwdsrtrt
Detection ratio: 4/46
Analysis date: 2013-05-16

- https://www.abuse.ch/?p=3581
___

Malicious Wells Fargo Secure Message Spam
- http://threattrack.tumblr.com/post/50597669027/malicious-wells-fargo-secure-message-spam
16 May 2013 - "Subjects Seen:
   New Secure Message
Typical e-mail details:
   View attachment for details
    To Read This Message:
    Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).


Malicious URLs
    mail.yaklasim .com:8080/forum/viewtopic.php
    116.122.158.195 :8080/forum/viewtopic.php
    mylifestylestormproducts .com/forum/viewtopic.php
    mysafefloridahomelife .com/forum/viewtopic.php
    ryulawgroup .com/Gsdw1.exe


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fb3e5e3449eb83ff06490237ae80520d/tumblr_inline_mmwrmi4bl91qz4rgp.png
___

Malicious "Referral link" SPAM / rockingworldds .net and parishiltonnaked2013 .net
- http://blog.dynamoo.com/2013/05/referral-link-spam-rockingworlddsnet.html
17 May 2013 - "This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:
   From: [AOL sender]
    Sent: 17 May 2013 14:12
    To: [redacted]
    Subject: [AOL screen name]
    Subject :RE ( 8 )
    Sent: 5/17/2013 2:11:53 PM
    referral link
    http ://printcopy.co .za/elemqi.php?whvbcfm


The link goes through a legitimate -hacked- site and in this case ends up at [donotclick]rockingworldds .net/sword/in.cgi?6 (report here*) which either -redirects- to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013 .net/ngen/controlling/coupon_voucher.php (report here**) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia)... I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia."
* http://urlquery.net/report.php?id=2512341

** http://urlquery.net/report.php?id=2512431
___

Fake Newegg .com SPAM / balckanweb .com
- http://blog.dynamoo.com/2013/05/neweggcom-spam-balckanwebcom.html
17 May 2013 - "This fake Newegg.com spam leads to malware:
   Date:      Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
    From:      Newegg [info @newegg .com]
    Subject:      Newegg.com - Payment Charged
    Priority:      High Priority 1
    Newegg logo    
    My Account     My Account |     Customer Services     Customer Services
    Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
    click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
    Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More
    Customer ID: [redacted]
    Account Number: 23711731
    Dear Customer,
    Thank you for shopping at Newegg.com.
    We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.
    If you have any questions, please use our LiveChat function or visit our Contact Us Page.
    Once You Know, You Newegg.
    Your Newegg.com Customer Service Team
    ONCE YOU KNOW, YOU NEWEGG. ®
    Policy and Agreement | Privacy Policy | Confidentiality Notice
    Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.


Screenshot: https://lh3.ggpht.com/-Si0jHOHqviw/UZZqyHxGvPI/AAAAAAAABOY/5HZq7dloGwE/s1600/newegg.png

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb .com/news/unpleasant-near_finally-events.php (report here*) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)
The domains and IPs indicate that this is part of the "Amerika" spam run.
Blocklist (including nameservers):
5.231.24.162
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
209.59.223.119
..."
* http://urlquery.net/report.php?id=2504632

Also at: http://threattrack.tumblr.com/post/50671403152/malicious-newegg-order-spam
May 17, 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4122a83db45982e54ded798906a63447/tumblr_inline_mmyl9yAwpg1qz4rgp.png
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Order Quotation Attachment E-mail Messages - 2013 May 17
Fake Product Order E-mail Messages - 2013 May 17
Fake Purchase Order E-mail Messages - 2013 May 17
Fake Account Compromise Notification E-mail Messages - 2013 May 17
Fake Scanned Document Attachment E-mail Messages - 2013 May 17
Fake Social Media User Notification E-mail Messages - 2013 May 17
Fake Facebook Security Software E-mail Messages - 2013 May 17
Fake Incoming Fax Message E-mail Messages - 2013 May 17
Fake Document Sharing E-mail Messages - 2013 May 17
Fake Italian Shared Document E-mail Messages - 2013 May 17
Fake Invoice Statement Attachment E-mail Messages - 2013 May 17
Fake Money Transfer Notification E-mail Messages - 2013 May 17
Fake Xerox Scan Attachment E-mail Messages - 2013 May 17
(More detail and links at the cisco URL above.)


9 - on: May 17, 2013, 02:07:35
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

iTunes 11.0.3 released
- https://support.apple.com/kb/HT5766
May 16, 2013

- http://prod.lists.apple.com/archives/security-announce/2013/May/msg00000.html
May 16, 2013

Use Apple Software Update
-or-
- https://www.apple.com/itunes/download/
iTunes 11.0.3 for Windows XP, Vista or Windows 7

- https://secunia.com/advisories/53471/
Release Date: 2013-05-17
Criticality level: Highly critical
Impact: Spoofing, System access
Where: From remote ...
Solution: Update to version 11.0.3.

- http://www.securitytracker.com/id/1028575
CVE Reference: CVE-2013-0879, CVE-2013-0991, CVE-2013-0992, CVE-2013-0993, CVE-2013-0994, CVE-2013-0995, CVE-2013-0996, CVE-2013-0997, CVE-2013-0998, CVE-2013-0999, CVE-2013-1000, CVE-2013-1001, CVE-2013-1002, CVE-2013-1003, CVE-2013-1004, CVE-2013-1005, CVE-2013-1006, CVE-2013-1007, CVE-2013-1008, CVE-2013-1010, CVE-2013-1011, CVE-2013-1014
May 16 2013
Impact: Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can execute arbitrary code on the target system.
A remote user can spoof digital certificates.
Solution: The vendor has issued a fix (11.0.3).


10 - on: May 16, 2013, 05:53:34
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake "Invoice Copy" SPAM / invoice copy.zip
- http://blog.dynamoo.com/2013/05/invoice-copy-spam-invoice-copyzip.html
16 May 2013 - This fake invoice email contains a malicious attachment:
   Date:      Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
    From:      Karen Parker [Kk.parker @tiffany .com]
    Subject:      invoice copy
    Kindly open to see export License and payment invoice attached,
    meanwhile we sent the balance payment yesterday.
    Please confirm if it has settled in your account or you can call if
    there is any problem.
    Thanks
    Karen parker


The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45* and indicate that this is a Zbot variant. The Comodo CAMAS report** indicates that the malware seems to be rummaging through address books and gives the following characteristics:
Size   331776
MD5   ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1   a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256   4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6
... The ThreatTrack report*** is nicely detailed and gives some details about network connections... As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat."
* https://www.virustotal.com/en/file/4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6/analysis/1368687945/
File name: invoice copy.exe
Detection ratio: 7/45
Analysis date:    2013-05-16

** http://camas.comodo.com/cgi-bin/submit?file=4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6

*** http://www.dynamoo.com/files/analysis_30635_ebdcd7b8468f28932f235dc7e0cd8bcd.pdf
___

Fake HMRC SPAM / VAT Returns Repot 517794350.doc
- http://blog.dynamoo.com/2013/05/hmrc-spam-vat-returns-repot-517794350doc.html
16 May 2013 - "This fake HMRC (UK tax authority) spam contains a malicious attachment:
   From: noreply @hmrc .gov.uk [mailto:noreply @hmrc .gov.uk]
    Sent: 16 May 2013 10:48
    Subject: Successful Receipt of Online Submission for Reference 517794350
    Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
    For the latest information on your VAT Return please open attached report.
    The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack*. VirusTotal results are just 1/46**, so either this is something completely new or it is a corrupt sample. UPDATE: ThreatTrack reports*** that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35
..."
* http://blog.dynamoo.com/2013/05/bank-of-america-spam.html

** https://www.virustotal.com/en/file/c6bdbe23857c0ca054d9fbc07f53ee0187b5ab6e86fea66091171e5b4268cb25/analysis/1368697862/
File name: VAT Returns Repot 517794350.doc
Detection ratio: 1/46
Analysis date:    2013-05-16

*** http://www.dynamoo.com/files/analysis_30639_f49ba87bdcbb24ecf22f9b5b3a8c2a34.pdf
___

Fake Walmart SPAM / bestunallowable .com
- http://blog.dynamoo.com/2013/05/walmartcom-spam-bestunallowablecom.html
16 May 2013 - "This fake Walmart spam leads to malware on bestunallowable .com:
   From:     Wallmart.com [deviledm978 @news.wallmart .com]
    Date:     16 May 2013 14:02
    Subject:     Thanks for your Walmart.com Order 3795695-976140
    Walmart    
    Visit Walmartcom  |     Help  |     My Account  |     Track My Orders
    [redacted]
    Thanks for ordering from Walmart.com. We're currently processing your order.
    Items in your order selected for shipping
    • You'll receive another email, with tracking information, when your order ships.
    • If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
    Shipping Information
          Ship to Home    
    Hannah Johnson
    1961 12 Rd
    Orange, NC 68025-3157
    USA
---    
    Walmart.com     Order Number: 3795695-976140
    Ship to Home - Standard
    Items     Qty     Arrival Date     Price
    Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
    Eligible for Free Standard Shipping to Home.     $898.00
    Subtotal:     $898.00
    Shipping:     Free
    Tax:     $62.86
    See our Returns Policy or
    contact Customer Service     Walmart.com Total:     $960.86
    Order Summary
    Order Date:     05/15/2013
    Subtotal:     $898.00
    Shipping:     Free
    Tax:     $62.86
    Order Total:     $960.86
    Credit card:     $960.86
    Billing Information
    Payment Method:
    Credit card
    If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
    Thanks,
    Your Walmart.com Customer Service Team...
    Rollbacks     Sign Up for Email Savings and Updates
    Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
    ©Walmart.com USA, LLC, All Rights Reserved.


The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable .com/news/ask-index.php (report here*) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characteristic of the Amerika gang...
Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com
..."
* http://urlquery.net/report.php?id=2494957
___

More Walmart SPAM / virgin-altantic .net
- http://blog.dynamoo.com/2013/05/walmartcom-spam-virgin-altanticnet.html
16 May 2013 - "Another -variant- of this spam* is doing the rounds, this time leading to a landing page on virgin-altantic .net:
   From: Wallmart.com [mailto:sculptsu @complains .wallmartmail .com]
    Sent: 16 May 2013 15:35
    Subject: Thanks for your Walmart.com Order 3450995-348882 ...
---
    Subtotal:    $898.00
    Shipping:    Free
    Tax:     $62.86
    See our Returns Policy or
    contact Customer Service
    Walmart.com Total:    $960.86
    Order Summary
    Order Date:    05/15/2013
    Subtotal:    $898.00
    Shipping:    Free
    Tax:     $62.86
    Order Total:    $960.86
    Credit card:    $960.86
            Billing Information
    Payment Method:
    Credit card
    If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
    Thanks,
    Your Walmart.com Customer Service Team...


The malicious payload is at [donotclick]virgin-altantic .net/news/ask-index.php (report here**). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic .net too."
* http://blog.dynamoo.com/2013/05/walmartcom-spam-bestunallowablecom.html

** http://urlquery.net/report.php?id=2496275
___

Fake Wells Fargo and Citi SPAM / SecureMessage.zip and Securedoc.zip
- http://blog.dynamoo.com/2013/05/wells-fargo-and-citi-spam.html
16 May 2013 - "This fake Wells Fargo message contains a malicious attachment:
   Date:      Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
    From:      "Grover_Covington @wellsfargo .com" [Grover_Covington @wellsfargo .com]
    Subject:      New Secure Message
    Wells Fargo    
        Help
    To Read This Message:
    Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
    Secure Message    
    This message was sent to : [redacted]
    Email Security Powered by Voltage IBE
    Copyright 2013 Wells Fargo. All rights reserved


The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal**.
The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.
   Date:      Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
    From:      "secure.email @citi .com" [secure.email @citi .com]
    Subject:      You have received a secure message
    You have received a secure message
    Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
    First time users - will need to register after opening the attachment.
    About Email Encryption - http ://www.citi .com/citi/citizen/privacy/email.htm


... the best analysis is this ThreatTrack report*... some IPs and domains worth blocking:
69.89.21.99
116.122.158.195
212.58.4.13
mail.yaklasim .com
ryulawgroup .com
"
* http://www.dynamoo.com/files/analysis_30642_d5893c62d897d95a30c950cddcbdc604.pdf

** https://www.virustotal.com/en/file/289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba/analysis/1368718128/
File name: SecureMessage.exe
Detection ratio: 2/45
Analysis date:    2013-05-16
___

Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead
- http://blog.trendmicro.com/trendlabs-security-intelligence/get-free-followers-on-instagram-get-free-malware-survey-scams-instead/
May 16, 2013 - "The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download Android malware... these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”... Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/instagram-survey-scam-4.jpg
Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work. Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes. Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking site and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintances. Caution is your best defense..."

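Several items in this post (invoice copy.zip with invoice copy.exe, SecureMessage.zip / Securedoc.zip with a renamed executable inside) end with the same advice: block EXE-in-ZIP at the perimeter. The following is an added example (not dynamoo's or ThreatTrack's code, and not from the forum) of what such a gateway check looks like. It lists a zip's members without extracting them and flags each one by extension, by double extension (statement.xls.exe), and by the PE "MZ" header, so a renamed executable is still caught; an encrypted archive cannot be looked into and is flagged on that basis. The member names mirror the attachments named above; the contents are placeholder bytes constructed here, not the real samples, and the extension list is an assumption you would adjust to your own policy.

```python
import io
import zipfile

# Extensions treated as executable content. This list is an assumption for the example.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "cpl", "bat", "cmd", "js", "vbs", "jar"}


def inspect_zip(data: bytes) -> list:
    """One finding per archive member: {'name', 'size', 'reasons'}. Empty reasons = clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            base = info.filename.lower().rsplit("/", 1)[-1]   # strip any directory part
            parts = base.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append("exe-extension")
            if len(parts) > 2 and ext in EXECUTABLE_EXTS:
                reasons.append("double-extension")            # e.g. statement.xls.exe
            if info.flag_bits & 0x1:
                reasons.append("encrypted")                   # cannot inspect; do not wave through
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        reasons.append("pe-header")           # Windows executable, whatever the name
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def should_block(data: bytes) -> bool:
    """Gateway verdict: block if any member raised any reason."""
    return any(f["reasons"] for f in inspect_zip(data))


def build_zip(members) -> bytes:
    """Build an in-memory zip from [(name, bytes), ...]; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: placeholder bytes with a PE-style "MZ" prefix, not real malware.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "invoice copy.zip": build_zip([("invoice copy.exe", FAKE_PE)]),
    "SecureMessage.zip": build_zip([("SecureMessage.exe", FAKE_PE)]),
    "statement.zip": build_zip([("statement.xls.exe", FAKE_PE)]),
    "renamed.zip": build_zip([("report.xls", FAKE_PE)]),        # executable hiding behind .xls
    "clean.zip": build_zip([("report.txt", b"quarterly figures")]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = "BLOCK" if should_block(data) else "allow"
        print(f"{name:<20} {verdict:<6} {inspect_zip(data)}")
```

Checking the first two bytes is what makes the rule hold up against the "icon that looks like a spreadsheet" trick: the icon lives inside the PE resources, so a file that displays as a spreadsheet but starts with MZ is still an executable. Nested zips (a zip inside the zip) are a known gap in this version; a production filter recurses into them with a depth limit.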
