News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
July 22, 2014, 11:20:58
1 - on: Today at 06:26:29
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 31.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-

Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 31.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox31
Fixed in Firefox 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-60 Toolbar dialog customization event spoofing
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

Release notes
- https://www.mozilla.org/en-US/firefox/31.0/releasenotes/
July 22, 2014

... complete list of changes in this release... 3025 bugs found.


2 - on: Today at 06:17:59
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Opera 23 released
- https://secunia.com/advisories/60283/
Release Date: 2014-07-22
Criticality: Moderately Critical
Where: From remote
Impact: Unknown ...
... vulnerabilities are caused due to a bundled, vulnerable version of Chromium...
Original Advisory:
- http://www.opera.com/docs/changelogs/unified/2300/
"... includes updates to the latest Chromium/Blink release, version 36."


3 - on: Today at 04:09:10
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Facebook SCAM - 'Actual Footage Missile MH-17'
- http://www.hoax-slayer.com/footage-missile-mh-17-survey-scam.shtml
July 22, 2014 - "Facebook message claims that users can see actual footage of the missile fired at downed Malaysian Airlines flight MH17 by pro-Russian militants. The promised video does not exist. The message is a -scam- designed to trick people into spamming their friends with the same fake material and participating in -bogus- online surveys. If this message comes your way, do not click any links that it contains.
> http://www.hoax-slayer.com/images/footage-missile-mh-17-survey-scam-1.jpg
This message, which is being distributed on Facebook, promises users actual footage showing the missile that destroyed Malaysian Airlines flight MH17. The message invites users to click a link to view the footage... The supposed video is just a trick to get you to click the link in the message. In fact, the message is a typical 'shocking video' survey scam. If you click the link in the message, you will be taken to a fake Facebook Page that supposedly hosts the video. The fake page comes complete with equally fake user comments... scammers quickly exploit every high-profile disaster and the MH17 tragedy is no exception. In coming days and weeks, be wary of any message that asks you to click a link to access video or breaking news pertaining to MH17..."
___

Spammy Tumblr Apps and Stalker Hunting
- http://blog.malwarebytes.org/fraud-scam/2014/07/spammy-tumblr-apps-and-stalker-hunting/
July 22, 2014 - "... the latest one currently bouncing around the popular social network. You’ll notice it apes the template of the site in the linked blog [1] – same spam posts, same spam application name – although the website for this one looks fairly slick. It’s possible this one is closely related to the February spamrun, as the same Bit.ly user account created shortening URLs for both. Here’s the spam popping up on various blogs:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/tumbstalk1.jpg
Below is the site it leads to, located at reviewsloft(dot)com/a/?3
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/tumbstalk2.jpg
... Once the install is done, they’ll show the inevitable surveys to the end-user to make some money. As before, a bit.ly link is used... With this current spamrun we can see that we’re hitting about 19,000 in 12 days, with around 2,000 clicks listed as coming from Tumblr and the rest classed as “unknown”. Not a huge amount of information to go on, then, but a good reminder that people continue to fall for this type of scam which has been around for the longest time. As a final note, the -rogue- application will continue to post to your Tumblr until you go into your user settings and remove the app... follow the instructions listed on the Tumblr account security page*. At that point, the spam posts can stop..."
* https://www.tumblr.com/docs/en/account_security

1] http://blog.malwarebytes.org/fraud-scam/2014/02/application-spams-my-top-followers-posts-to-tumblr-users/
___

Fake Credit Applicaiton – PDF malware
- http://myonlinesecurity.co.uk/fw-credit-applicaiton-fake-pdf-malware/
22 July 2014 - "Fw: Credit Application is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Please see credit application for West Star Environmental.
The job we have for them is for $ 46,214.00
Thank you,
From: Jimmy Robertson
Sent: Tue, 22 Jul 2014 11:57:13 +0100
Subject: Credit Applicaiton
Good Afternoon,
Here is our credit application. If you should require further information please feel free to contact me.
Jimmy Robertson
West Star Environmental, Inc.
4770 W. Jennifer
Fresno, CA 93722 ...


22 July 2014: SWF_CREDIT_APPLICATION.pdf.zip (10kb) Extracts to SWF_CREDIT_APPLICATION.pdf.scr... Current Virus total detections: 5/53*
This Fw: Credit Applicaiton is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/121480753e44c1c34f23d471486c16bd35ff1e530323f0ee0565a438c6aecc1c/analysis/1406038205/
___

Over 30 financial institutions defrauded by phone apps used to intercept passwords
- http://www.reuters.com/article/2014/07/22/cybersecurity-banks-apps-idUSL2N0PX02T20140722
Jul 22, 2014 - "More than 30 financial institutions in six countries have been defrauded by sophisticated criminal software that convinces bank customers to install -rogue- smartphone programs... Though many of the elements of the malicious software, including the interception of one-time passwords sent to phones, have been used elsewhere, the latest criminal campaign is unusual in that it combines many different techniques and leaves few traces... Banks in Austria, Sweden, Switzerland and Japan have all been hit, with damages somewhere in the millions of dollars... The least sophisticated part of the gang's work so far appears to be in the delivery of the software, according to a report by Trend Micro researchers*. Emails that appear to be from major retailers come with attachments that, when opened, prompt the user to download a malicious attachment of an unusual type, called a control panel item. If users do not click again, they are safe. If they do, the software goes to work and hides itself out of view of most antivirus protection. When an infected user later tries to visit the website of one of the targeted banks, the software redirects them to a -fake- site, which asks for login details and then prompts the user to download a smartphone app. That app later intercepts the one-time passwords, giving the gang both that data as well as the login information, enough to clean out an account..."
* http://blog.trendmicro.com/trendlabs-security-intelligence/finding-holes-operation-emmental/
___

"Commingled" user data...
- http://www.reuters.com/article/2014/07/22/us-google-privacy-lawsuit-idUSKBN0FR1XA20140722
July 22, 2014 - "A federal judge rejected Google Inc's bid to dismiss a privacy lawsuit claiming it commingled user data across different products and disclosed that data to advertisers without permission... Google must face breach of contract and fraud claims by users of Android-powered devices who had downloaded at least one Android application through Google Play. Other parts of the lawsuit were dismissed, including claims brought on behalf of account users who switched to non-Android devices from Android devices after Google had changed its privacy policy in 2012 to allow the 'commingling'... The lawsuit arose after Google on March 1, 2012 scrapped a variety of privacy policies for different products, and created a single, unified policy letting it -merge- user data generated through platforms such as Gmail, Google Maps and YouTube. Users complained that Google made this change -without- their consent and with no way to opt out, in a bid to better compete for ad revenue against Facebook Inc and other social media companies "where all of a consumer's personal information is available in one site." They said this jeopardized their privacy by exposing names, email addresses and geographic locations, increasing the threat of harassment or identity theft by third parties. Google reported $15.42 billion of revenue in the first quarter, of which 90 percent came from advertising. The case is In re: Google Inc Privacy Policy Litigation, U.S. District Court, Northern District of California, No. 12-01382."
___

Scams exploit MH17 Disaster
- http://www.hoax-slayer.com/m17-scams.shtml
July 21, 2014 - "... callous criminals waste no time in exploiting disasters such as air-crashes, terrorist attacks, storms, or tsunamis. The MH17 missile attack tragedy is no exception. In coming days and weeks, Internet users should be wary of scam attacks that attempt to trick people into following links or opening attachments in messages that are supposedly related to MH17... callous criminals waste no time in exploiting disasters such as air-crashes, terrorist attacks, storms, or tsunamis. The MH17 missile attack tragedy is no exception. In coming days and weeks, Internet users should be wary of scam attacks that attempt to trick people into following links or opening attachments in messages that are supposedly related to MH17... after clicking such a link, you are told that, before you proceed, you must share the post, participate in a survey, install an app or browser extension, or download a video player update or other software, close the page immediately..."

- http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-hitchhike-on-the-news-of-mh17-crash/
July 18, 2014
___

Facebook SCAM - 'Mercedes Benz CLA 45' Giveaway
- http://www.hoax-slayer.com/mercedes-benz-giveaway-like-farming-scam.shtml
July 21, 2014 - "Facebook Page claims that users can win a 'Mercedes Benz CLA 45 just by liking the page, liking and sharing a promotional post... The Page is -bogus- and the competitions that it promotes are not legitimate. There are no winners and no cars are being given away. This is a like-farming scam designed to fraudulently increase the number of likes garnered by the Page. Facebook Pages with high like-numbers can later be used to perpetrate further scams to a large audience. Alternatively, the Pages may be sold on the black market to other scammers...
> http://www.hoax-slayer.com/images/mercedes-benz-giveaway-like-farming-scam-1.jpg
According to a 'Competitions' Facebook Page that is currently being promoted across the network, you could win one of 6 Mercedes Benz CLA 45's just by liking the Page, liking and sharing a Page post... The scammers may also use the bogus Pages to perpetrate advance fee scams... the like-heavy Pages can be sold via a lucrative black market to other scammers who will repurpose it to further their own goals..."

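The "Fake Credit Applicaiton" item above turns on one detail: with known extensions hidden, a file named SWF_CREDIT_APPLICATION.pdf.scr is displayed as SWF_CREDIT_APPLICATION.pdf, so the user sees a document and launches a screensaver executable. The Python below is an added example written for this digest, not code from myonlinesecurity.co.uk or any of the quoted sources. It shows what the hidden-extension display does to such a name, flags names whose final extension is executable while a document extension sits in front of it, and applies the same check to the members of a zip attachment. The extension sets, the function names and the sample archive (built in memory with inert text content) are this example's own assumptions, and the hidden-extension simulation simply drops the last suffix, which is a simplification of what Explorer does for registered types.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click (assumed list for this example).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi",
}
# Extensions a user reads as "just a document or picture" (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def displayed_name(filename):
    """Simulate 'Hide extensions for known file types': the last suffix disappears.

    Simplification: Explorer only hides registered types, but .scr and .exe are
    registered, so the effect on the names in this post is the same.
    """
    p = PurePosixPath(filename)
    return filename[: -len(p.suffix)] if p.suffix else filename


def suspicious_name(filename):
    """Return a list of reasons the name looks deceptive; empty if none."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        # 'x.pdf.scr' shows as 'x.pdf' when extensions are hidden.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append(f"document extension {suffixes[-2]} hidden before {last}")
    return reasons


def scan_zip_bytes(data):
    """Inspect an in-memory zip and return {member name: reasons} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = suspicious_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample mirroring the naming in the post; the member content is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWF_CREDIT_APPLICATION.pdf.scr", "placeholder text, not a real screensaver")
    return buf.getvalue()


if __name__ == "__main__":
    name = "SWF_CREDIT_APPLICATION.pdf.scr"
    print("user sees:", displayed_name(name))
    print("reasons:", suspicious_name(name))
    print("zip scan:", scan_zip_bytes(build_sample_zip()))
```

A mail gateway or a quick triage script can run scan_zip_bytes over each attachment before it reaches a mailbox; the check is cheap because it never executes or even extracts the member, it only reads the central directory. Names like invoice.pdf produce no reasons, so the rule is specific to the disguise the post describes.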

4 - on: Today at 03:31:24
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

This week’s updates
- http://www.malwaredomains.com/?p=3632
July 21st, 2014 - "Added about -500- domains (malvertising, fake virus alerts and other maliciousness). Sources include mwsl.org.cn, safebrowsing.clients.google.com, app.webinspector.com and others..."


5 - on: July 21, 2014, 19:38:25
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Card Breach at Goodwill Industries
- http://krebsonsecurity.com/2014/07/banks-card-breach-at-goodwill-industries/
July 21, 2014 - "... Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports. Headquartered in Rockville, Md., Goodwill Industries International, Inc. is a network of 165 independent agencies in the United States and Canada with a presence in 14 other countries. The organizations sell donated clothing and household items, and use the proceeds to fund job training programs, employment placement services and other community-based initiatives. According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards. In a statement sent to KrebsOnSecurity, Goodwill Industries said it first learned about a possible incident last Friday, July 18. The organization said it has not yet confirmed a breach, but that it is working with federal authorities on an investigation into the matter... It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin. It is also not known at this time how long ago this apparent breach may have begun, but those same financial industry sources say the breach could extend back to the middle of 2013. 
Financial industry sources said the affected cards all appear to have been used at Goodwill stores, but that the fraudulent charges on those cards occurred at non-Goodwill stores, such as big box retailers and supermarket chains. This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s."


6 - on: July 21, 2014, 06:31:26
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Apache 2.4.10 released
- https://secunia.com/advisories/60170/
Release Date: 2014-07-21
Criticality: Moderately Critical
Where: From remote
Impact: DoS
Solution Status: Vendor Workaround
Software: Apache HTTP Server 2.4.x
CVE Reference(s): CVE-2014-0117, CVE-2014-0118, CVE-2014-0231, CVE-2014-3523
... vulnerabilities are reported in versions 2.4.9 and prior...
Original Advisory: Apache:
- https://httpd.apache.org/security/vulnerabilities_24.html
"... security vulnerabilities fixed in released versions of Apache httpd 2.4..."

> https://httpd.apache.org/download.cgi#apache24
Stable Release - Latest Version: 2.4.10 (released 2014-07-21)

ZDI: http://zerodayinitiative.com/advisories/ZDI-14-239/

- http://news.netcraft.com/archives/2014/06/06/june-2014-web-server-survey.html
___

- http://www.securitytracker.com/id/1030615
CVE Reference: CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3523
July 21 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes; Vendor Confirmed: Yes
Version(s): prior to 2.4.10 ...


7 - on: July 21, 2014, 05:32:26
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
- http://blog.dynamoo.com/2014/07/something-evil-on-1881201981-ip4isp.html
21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
Recommended blocklist:
188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
adultvideoz .net
alsancakescort .org
anadoluyakasiescort .asia
"
* http://blog.dynamoo.com/2014/07/something-evil-on-3718714057-ovh-france.html

** http://urlquery.net/report.php?id=1405937345878

*** 188.120.198.1: https://www.virustotal.com/en-gb/ip-address/188.120.198.1/information/
___

Facebook video scam leaves unamusing Trojan
- http://net-security.org/malware_news.php?id=2814
21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
___

Bank of America - Activity Alert Spam
- http://threattrack.tumblr.com/post/92440887228/bank-of-america-activity-alert-spam
July 21, 2014 - "Subjects Seen:
   Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
   Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Malicious File Name and MD5:
    report072114_349578904357.exe (23E32D6A9A881754F1260899CB07AC55)
    report072114_349578904357.zip (4FE1365C55AA0C402384F068CDA7DF8E)


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c8f68a61af6020d3439e36d7e6090d69/tumblr_inline_n92lonNlop1r6pupn.png

Tagged: Bank of America, Upatre

- http://myonlinesecurity.co.uk/activity-alert-check-exceeded-requested-alert-limit-fake-pdf-malware/
21 July 2014
> https://www.virustotal.com/en/file/e9b50b3c3191a3e20957e458620398d52c767c1fd1fb7e89e6edfe085f8a71f7/analysis/1405960609/
___

Bitly API key and MSNBC unvalidated redirects
- http://community.websense.com/blogs/securitylabs/archive/2014/07/21/the-bitly-api-key-and-msnbc-unvalidated-redirects.aspx
21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/4011.fake-news-site.jpg_2D00_550x0.jpg
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/1263.google-groups.jpg_2D00_550x0.jpg
Example post on Yahoo groups:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/2821.yahoo-groups.jpg_2D00_550x0.jpg
... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing.  Kudos to them.
>> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/7206.blocked-by-bitly.jpg_2D00_550x0.jpg
... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com/best_practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."

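The posts in this digest carry indicators in several defanged styles: Dynamoo writes "e-meskiesprawy24 .com.pl" with a space before the dot, the Tumblr item writes "reviewsloft(dot)com/a/?3", and the Websense item writes "hxxp ://fcxnws .com/". Before any of that goes into a resolver or firewall it has to be normalized and validated. The Python below is an added example written for this digest, not code from Dynamoo, Websense or Malwarebytes; it refangs those styles (plus the "[.]" style), separates IP addresses from hostnames, sets aside lines that are neither, and emits dnsmasq address= lines for sinkholing. The sample block list is constructed from indicators quoted on this page; the function names and the loose hostname regex are this example's own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Loose hostname check: dotted labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed sample: indicators quoted in this digest, in the defanged forms used by the posts.
SAMPLE_BLOCKLIST = """\
Recommended blocklist:
188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
reviewsloft(dot)com/a/?3
hxxp ://fcxnws .com/
"""


def refang(indicator):
    """Undo the common defanging styles so the indicator can be parsed."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s)  # hxxp :// -> http://
    s = re.sub(r"\s*\(dot\)\s*", ".", s)             # example(dot)com -> example.com
    s = s.replace("[.]", ".")                         # example[.]com -> example.com
    s = re.sub(r"\s+\.", ".", s)                      # example .com -> example.com
    return s


def extract_host(refanged):
    """Pull the host out of a URL, or cut a bare 'host/path' at the first slash."""
    if "://" in refanged:
        return urlsplit(refanged).hostname or ""
    return refanged.split("/", 1)[0]


def parse_blocklist(text):
    """Return sorted IPs and hostnames, plus the lines that were neither."""
    ips, domains, ignored = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host = extract_host(refang(line))
        try:
            ips.add(str(ipaddress.ip_address(host)))
            continue
        except ValueError:
            pass  # not an IP address, try it as a hostname
        if DOMAIN_RE.match(host):
            domains.add(host)
        else:
            ignored.append(line)  # headings, comments, unparseable entries
    return {"ips": sorted(ips), "domains": sorted(domains), "ignored": ignored}


def to_dnsmasq(domains):
    """dnsmasq sinkhole entries: every name under the domain resolves to 0.0.0.0."""
    return [f"address=/{d}/0.0.0.0" for d in domains]


if __name__ == "__main__":
    result = parse_blocklist(SAMPLE_BLOCKLIST)
    print("block at firewall:", result["ips"])
    print("ignored lines:", result["ignored"])
    print("\n".join(to_dnsmasq(result["domains"])))
```

The "ignored" list is worth reviewing by hand rather than discarding: a line that fails both checks is usually a heading, but it can also be a defanging style the refang step does not yet know, which is exactly the case where an indicator would otherwise silently drop out of the blocklist.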

8 - on: July 18, 2014, 18:58:39
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

AskMen .com compromised again
- http://blog.malwarebytes.org/exploits-2/2014/07/askmen-com-compromised-again/
July 18, 2014 - "Last month, security firm Websense reported that popular website AskMen .com was compromised to serve malicious code. Today, our honeypot captured an attack coming from AskMen .com in what appears to have been malicious code injected in their server... an iframe (injection)... is what is used to do a -redirection- to a malicious site... a landing page for the Nuclear EK:
- Flash exploit: https://www.virustotal.com/en/file/97d7e3975fd7d0982c6d6092a3ca74cc9224369ffecff230c8eb02bb4a34d0fa/analysis/
- PDF exploit: https://www.virustotal.com/en/file/05efd8d19e9bcaf810171357024307a812ba6966464e3c5d3b54720900480646/analysis/1405699036/
- Java exploit: https://www.virustotal.com/en/file/0b1a173172a1fde75b5ed957667c3fdf3a168715c210895eed58e9c500573239/analysis/
Finally the following payload is dropped and executed:
- https://www.virustotal.com/en/file/d1c42ba5eb3dfe8ac861172b755e7779aa33811debfdccc6c2f16c956879955a/analysis/1405699015/
... Our free Malwarebytes Anti-Exploit* blocked this threat:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/blocked.png
We notified AskMen .com and they promptly replied that they were looking into the matter immediately..."
(More detail at the first malwarebytes URL of this post.)
* http://www.malwarebytes.org/antiexploit/


9 - on: July 18, 2014, 06:37:20
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Something evil on 5.135.211.52 and 195.154.69.123
- http://blog.dynamoo.com/2014/07/something-evil-on-513521152-and.html
18 July 2014 - "This is some sort of malware using insecure OpenX ad servers to spread... don't know quite what it is, but it's running on a bunch of -hijacked- GoDaddy subdomains and is triggering a generic Javascript detection on my gateway... The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT*] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT**]. This second IP has also been used to host "one two three" malware sites back in May***.
Recommended blocklist:
* 5.135.211.52: https://www.virustotal.com/en-gb/ip-address/5.135.211.52/information/
** 195.154.69.123: https://www.virustotal.com/en-gb/ip-address/195.154.69.123/information/
somerspointnjinsurance .com
risleyhouse .net
ecofloridian .info
ecofloridian .com
trustedelderlyhomecare .net
trustedelderlyhomecare .org
trustedelderlyhomecare .info
theinboxexpert .com
"
*** http://blog.dynamoo.com/2014/05/one-two-three-network-operations-center.html
___

Law Firm Spam
- http://threattrack.tumblr.com/post/92145853968/law-firm-spam
July 18, 2014 - "Subjects Seen:
   Notice of appearance
Typical e-mail details:
   Notice to Appear,
    To view copy of the court notice click here. Please, read it thoroughly. Note: If you do not attend the hearing the judge may hear the case in your absence.


Malicious URLs:
    encoretaxcpa .com/wp-content/plugins/pm.php?notice=rAKMA0yBTjJaHycjLxYiPxWIuHzgUE6cEU/ZGGio7m4=


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/db9965c8bdb5c17672b8f07008ff0699/tumblr_inline_n8wv8en8BS1r6pupn.png

Tagged: Law firm, Kuluoz
___

Hotel Business Center Machines - targeted by keyloggers
- https://atlas.arbor.net/briefs/index#802927307
Elevated Severity
July 17, 2014 - "The U.S. Secret Service has issued an advisory warning users to avoid using hotel business center computers, as cybercriminals frequently target these machines to install keylogging malware.
Analysis: Any publicly accessible computer, even those perceived to be in secure locations, should not be used to access personal or company data. If printing services are needed, users should consider forwarding the information to a throw-away email address, which is then accessed from the public computer.
- http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers



10 - on: July 18, 2014, 04:47:28
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Gameover Zeus Variant Resumes Activity
- https://atlas.arbor.net/briefs/index#170748218
17 Jul 2014
A new variant based on the GameOver Zeus Trojan has been identified distributing spam.
Analysis: While the original GameOver Zeus was taken down by law enforcement last month, this new variant suggests that cyber criminals will continue to leverage this malware. Past law enforcement operations on active botnets, while temporarily successful, have done little to fully disrupt malicious activity, as criminals frequently find new available malware and tools. [ http://blog.malcovery.com/blog/breaking-gameover-zeus-returns , http://nakedsecurity.sophos.com/2014/07/13/gameover-malware-returns-from-the-dead/ ]

- http://www.secureworks.com/resources/blog/research/gameover-zeus-re-emerges-without-peer-to-peer-capability/
July 11, 2014

- https://www.virustotal.com/en-gb/file/3ff49706e78067613aa1dcf0174968963b17f15e9a6bc54396a9f233d382d0e6/analysis/#comments


Powered by SMF 1.1.19 | SMF © 2013, Simple Machines