News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
September 30, 2014, 05:49:32
Pages: 1 ... 7 8 [9] 10
 81 
 on: August 26, 2014, 00:48:29  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Netis routers - backdoor open ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
Aug 25, 2014 - "Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device. What is this backdoor? Simply put, it is an open UDP port listening at port 53413. This port is accessible from the WAN side of the router. This means that if the router in question has an externally accessible IP address (i.e., almost all residential and SMB users), an attacker from anywhere on the Internet can access this backdoor... This backdoor is “protected” by a single, -hardcoded- password located in the router’s firmware. Netcore/Netis routers appear to all have the -same- password. This “protection” is essentially -ineffective- as attackers can easily log into these routers and users cannot modify or disable this backdoor... In order to determine if their router is vulnerable, users can use an online port scanner... probe at port 53413:
> https://www.grc.com/port_53413.htm
... Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to -replace- these devices."
___

- http://blog.trendmicro.com/trendlabs-security-intelligence/shadowserver-scans-confirm-scale-of-netis-threat/
Sep 2, 2014
___

- http://atlas.arbor.net/briefs/
High Severity
28 Aug 2014


 82 
 on: August 25, 2014, 03:54:08  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Invoice SPAM - PDF Malware
- http://myonlinesecurity.co.uk/please-find-attached-invoice-fake-pdf-malware/
25 Aug 2014 - "'Please find attached Invoice No.' < random number> pretending to come from portadown.372@eel .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails are -not- being sent from eel .co.uk or edmundson-electrical .co.uk, As far as we can determine they have not been hacked or their website or email system compromised. The bad guys have just decided to use Edmundson Electrical Ltd as a way to persuade you to open the attachment and become infected. It is a follow on campaign from this Broadoak toiletries attack:
> http://myonlinesecurity.co.uk/invoice-951266-fake-pdf-malware/
Once again this email template has several different sized malwares attached to it and it appears random which version you get... Email looks like:
   WALSALL
    MAHON RD IND EST. PORTADOWN
    CO. ARMAGH BT62 3EH
    T:028 3833 5316
    F:028 3833 8453
    Please find attached Invoice No. 3036 – 8340637
    Best
    Branch Manager
    Registered Office: PO Box 1 Knutsford Cheshire WA16 6AY ...


25 August 2014: 3036 – 8340637.zip (44kb): Extracts to Invoice 372 – 667911.exe
Current Virus total detections: 2/55*  
25 August 2014: 0463 – 485325.zip (47kb): Extracts to Invoice 829 – 991882.exe
Current Virus total detections: 2/51**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9b4e4ffb3943a08bc1c7b7bc7548aa5ce6e53375514081caf8d8973eadf5c87/analysis/1408955315/

** https://www.virustotal.com/en/file/cbd0a0fe8caa5e02e05ae196b89d3d1d1f6f680b00403add549b12356e2d8013/analysis/1408955404/
___

Fake Fax SPAM - pdf malware
- http://myonlinesecurity.co.uk/fax-arrived-remote-id-866-905-0884-fake-pdf-malware/
25 Aug 2014 - "'A fax has arrived from remote ID ’866-905-0884' pretending to come from RFaxSMTP MTGm <RIGHTFAX@ mtgmfaxmail .bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
   A fax has arrived from remote ID ’866-905-0884′.
    ————————————————————
    Transmission Record
    Received from remote ID: ’866-905-0884′
    Inbound user ID derek, routing code 669164574
    Result: (0/352;0/0) Successful Send
    Page record: 1 – 2
    Elapsed time: 00:39 on channel 34 ...


25 August 2014: Fax_Remote_ID.zip (13kb): Extracts to Fax_Remote_ID.scr
Current Virus total detections: 0/55* . This 'A fax has arrived from remote ID 866-905-0884' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6/analysis/1408971894/
___

Bank of America Activity Alert Spam
- http://threattrack.tumblr.com/post/95740068388/bank-of-america-activity-alert-spam
Aug 25, 2014 - "Subjects Seen:
   Bank of America Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
   Activity Alert
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/4bf4d24ed5d86a6ec8c689e611edac36/tumblr_inline_navd12Tu861r6pupn.png

Malicious File Name and MD5:
    report08252014_6897454147412.vcr (7ED898AA2A8B247F7C7A46D71B125EA8)
    report08252014_6897454147412.zip (FF4C74D80D3C7125962D7316F570A7FF)


Tagged: Bank of America, Upatre
___

Facebook Work From Home SCAM
- http://www.hoax-slayer.com/facebook-work-from-home-program-scam.shtml
Aug 25, 2014 - "Message claims that Facebook has launched a new 'Work From Home' program that will allow users to make money from the comfort of their own homes... The message is a scam. Facebook has not launched such a program and has no connection to the scheme. The link in the message takes you to a fake Facebook Page that tries to trick you into paying four dollars for a dodgy 'Facebook Millionaire' kit. Fine print on the signup form indicates that your credit card will be charged $94 per month for continued access. Do -not- be tempted to participate in this -bogus- program.
> http://www.hoax-slayer.com/images/facebook-work-from-home-program-scam-1.jpg
... It claims that people can potentially make thousands of dollars per month but warns that only a limited number of 'positions' are available... If this message comes your way, do -not- click any links it contains..."
___

Fake ADP SPAM - PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-week-ending-08222014-invoice-447589545-fake-pdf-malware/
25 Aug 2014 - "'ADP Invoice for week ending 08/22/2014 Invoice: 447589545' pretending to come from Billing.Address.Updates@ ADP .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
   Your most recent ADP invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number or e-mail address provided on the invoice for assistance.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It is generated from an unattended mailbox.


25 August 2014: invoice_447589545.zip (10kb): Extracts to invoice_447589545.exe
Current Virus total detections: 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/511aae72f63fd0256b7210d8a20afc75df7d1225ac054ec732a7fee43d11657b/analysis/1408992097/
___

BoA Merrill Lynch CashPro Spam
- http://threattrack.tumblr.com/post/95756978548/bank-of-america-merrill-lynch-cashpro-spam
Aug 25, 2014 - "Subjects Seen:
   Bank of America Merrill Lynch: Completion of request for ACH CashPro
Typical e-mail details:
   You have received a secure message from Bank of America Merrill Lynch
    Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
    If you have concerns about the validity of this message, contact the sender directly.
    First time users - will need to register after opening the attachment.


Malicious URLs:
    161.58.101.183/handler/jxpiinstall.exe

Malicious File Name and MD5:
    securedoc.html (D6E1DD6973F8FAA730941A19770C97F2)
    jxpiinstall.exe (C3110BFDD8536DC627336D7F7A6CC2E7)


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f63cc48713e65cd81bd3d292795f917a/tumblr_inline_navorjRagN1r6pupn.png

Tagged: Bank of America, Merrill Lynch, tuscas

161.58.101.183: https://www.virustotal.com/en/ip-address/161.58.101.183/information/


 83 
 on: August 24, 2014, 02:12:04  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

My Photos SPAM - malware
- http://myonlinesecurity.co.uk/photos-malware/
23 Aug 2014 - "'My Photos' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Very simple email with content just saying 'Please find attached photos of my birthday party.' This one is particularly nasty and dangerous because it doesn’t give any outward signs of infection. It downloads an auto-configure script from http ://construtoralondres.zip .net/JScript32.log which then attempts to send all traffic through a proxy server http ://supermercadorleves.ddns .net which then filters out UK banking traffic to another proxy where they can steal all your banking log on and account information. Each UK bank is sent to a -different- proxy where the sites are set up to intercept traffic to the genuine UK bank site. That way, you think that you are on the genuine UK bank site and you actually are, but the proxy between you and the bank can read -everything- you type or do on the bank site. You have absolutely no idea that this is happening & you still get a padlock in the address bar to say that you are on a safe site.

23 August 2014: My Photos.zip (8kb): Extracts to My Photos.exe
Current Virus total detections: 10/50* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/8ef000f729f060a55aabaae7f16dc0e4da1108cdb8fef189dbafaa5b220b5ff0/analysis/1408799346/

zip .net / 200.147.99.195: https://www.virustotal.com/en/ip-address/200.147.99.195/information/
- http://quttera.com/detailed_report/zip.net
Submission date: Aug 24 16:53:51 2014
Server IP address: 200.147.99.195
"Warning: This Website Is Blacklisted!..."

ddns .net / 8.23.224.108: https://www.virustotal.com/en/ip-address/8.23.224.108/information/
- http://quttera.com/detailed_report/ddns.net
Submission date: Aug 24 16:46:40 2014
Server IP address: 8.23.224.108
"Alert: Suspicious Content Detected On This Website!..."
___

Sony PlayStation Network taken down by attack
- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 24, 2014 - "Sony Corp said on Sunday its PlayStation Network was taken down by a denial of service-style attack and the FBI was investigating the diversion of a flight carrying a top Sony executive amid reports of a claim that explosives were on board. The company said in a posting on its PlayStation blog that no personal information of the network was accessed in the attack, which overwhelmed the system with heavy traffic... Sony is hoping its PlayStation network, with 52 million active users, can serve as a centerpiece of its plans to rebuild its business after years of losses in its flagship electronics operations..."

- http://www.reuters.com/article/2014/08/25/us-sony-network-idUSKBN0GP02620140825
Aug 25, 2014 - "Sony Corp's PlayStation Network was back online on Monday following a cyber attack that took it down over the weekend, which coincided with a bomb scare on a commercial flight carrying a top Sony executive in the United States. Sony said on its PlayStation blog that its PlayStation network had been taken down by a denial of service-style attack, which overwhelmed the system with traffic, but did not intrude onto the network or access any of its 53 million users' information..."

> http://support.xbox.com/en-US/xbox-live-status


 84 
 on: August 24, 2014, 01:50:26  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

3500 Domains Removed
- http://www.malwaredomains.com/?p=3642
August 23rd, 2014 - "3500 domains have been removed. Please update your files."


 85 
 on: August 22, 2014, 13:39:22  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

OpenOffice 4.1.1 released
- http://www.openoffice.org/download/
Released 2014-08-21

Release Notes
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.1+Release+Notes
"Apache OpenOffice 4.1.1 is a micro release intended to fix critical issues. All users of Apache OpenOffice 4.1.0 or earlier are advised to upgrade. You can download Apache OpenOffice 4.1.1 here*. Please review these Release Notes to learn what is new in this version as well as important remarks concerning known issues and their workarounds. Our Bugzilla issue tracking database provides a detailed list of solved issues**..."
* http://www.openoffice.org/download/

** http://s.apache.org/AOO411-solved

- https://www.openoffice.org/security/cves/CVE-2014-3524.html

- https://www.openoffice.org/security/cves/CVE-2014-3575.html

Known Issues
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.1+Release+Notes#AOO4.1.1ReleaseNotes-KnownIssues
___

- http://www.securitytracker.com/id/1030754
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3575 - 4.3
Aug 22 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.1.1
Impact: A remote user can obtain potentially sensitive file information.
Solution: The vendor has issued a fix (4.1.1)...

- http://www.securitytracker.com/id/1030755
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3524 - 9.3 (HIGH)
Aug 22 2014
Impact: Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.1.0 and prior...
Solution: The vendor has issued a fix (4.1.1)...


 86 
 on: August 22, 2014, 10:35:30  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.5.16 released
- http://php.net/
22 Aug 2014 - "... immediate availability of PHP 5.5.16. This release fixes several bugs against PHP 5.5.15 and resolves CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120 and CVE-2014-3597. All PHP users are encouraged to upgrade to this new version..."

Change Log
- http://www.php.net/ChangeLog-5.php#5.5.16

Download
- http://www.php.net/downloads.php

- http://windows.php.net/download/

___

PHP 5.4.32 released
- http://php.net/
21 Aug 2014 - "... immediate availability of PHP 5.4.32. -16- bugs were fixed in this release, including the following security-related issues: CVE-2014-2497, CVE-2014-3538, CVE-2014-3587, CVE-2014-3597, CVE-2014-4670, CVE-2014-4698, CVE-2014-5120. All PHP 5.4 users are encouraged to upgrade to this version..."

Change Log
- http://php.net/ChangeLog-5.php#5.4.32

Download
- http://www.php.net/downloads.php

- http://windows.php.net/download/


 87 
 on: August 22, 2014, 04:51:40  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

WordPress attacks exploiting XMLRPC
- http://myonlinesecurity.co.uk/ongoing-wordpress-attacks-exploiting-xmlrpc/
Aug 22, 2014 - "We are experiencing Ongoing WordPress attacks exploiting XMLRPC. There appears to be a massive attack on WordPress sites today. So far I have had almost -1600- blocked attacks against ONE of my WordPress sites... Anybody using WordPress should make sure that they are plugged and use a good security system to prevent or -block- these attacks. It appears to be using the attack mentioned in this post:
> http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
... -None- of the current wordpress security plugins will -block- this and you need to make sure that you have a strong random password on your admin account. The -only- way to block them is on the perimeter, that is use a firewall that blocks the offending IP numbers that are responsible for the attacks. They are all coming from other compromised servers or hacked users computers..."
(More detail at the URLs above.)
___

Fake ADP 'Anti-Fraud Secure Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-august-22-2014-anti-fraud-secure-update-fake-pdf-malware/
22 Aug 2014 - "'ADP: August 22, 2014 Anti-Fraud Secure Update' pretending to come from ADP_Netsecure@ adp .com  is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
    The certificate will be attached to the computer of the account holder, which disables any fraud activity
    Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have...


22 August 2014: 2014 Anti-Fraud Secure Update_08222014.zip (9kb)
Extracts to 2014 Anti-Fraud Secure Update_08222014.exe
Current Virus total detections: 3/54* . This 'ADP: August 22, 2014 Anti-Fraud Secure Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/81e695f628436a4850bec46b3f90906433a0d11ae163f298f48fae788362d29a/analysis/1408710186/

- http://threattrack.tumblr.com/post/95457720908/adp-anti-fraud-update-spam
22 Aug 2014 - "Subjects Seen:
   ADP: August 22, 2014 Anti-Fraud Secure Update
Typical e-mail details:

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/0ce8b26a9ef99d5ebbb8f37a1f29e47d/tumblr_inline_napm4cGa8i1r6pupn.png

Malicious File Name and MD5:
    2014 Anti-Fraud Secure Update_08222014.scr (840B3B6A714F7330706F0C19F99D5EB8)
    2014 Anti-Fraud Secure Update_08222014.zip (AB0D93E0952BDCE45D6E6494DF4D94AD)


Tagged: ADP, Upatre
___

Backoff Point-of-Sale Malware Campaign
- https://www.us-cert.gov/ncas/current-activity/2014/08/22/Backoff-Point-Sale-Malware-Campaign
August 22, 2014 - "US-CERT is aware of Backoff malware compromising a significant number of -major-  enterprise networks as well as small and medium businesses. US-CERT encourages administrators and operators of Point-of-Sale systems to review the Backoff malware alert* to help determine if your network may be affected. Organizations that believe they have been infected with Backoff are also encouraged to contact their local US Secret Service Field Office."
* https://www.us-cert.gov/ncas/alerts/TA14-212A
Last revised: Aug 22, 2014 - "... the Secret Service currently estimates that over 1,000 U.S. businesses are affected..."

Backoff malware Q&A
- https://www.trustwave.com/Resources/Trustwave-Blog/Behind-the-scenes-of-Backoff--A-Q-A-on-the-latest-malware-danger/
"In light of a recent string of breaches involving a new point-of-sale malware family that our Trustwave researchers identified and named "Backoff," we have received many questions about the threat and how businesses can protect themselves..."
- https://gsr.trustwave.com/topics/backoff-pos-malware/backoff-malware-overview/
___

"FlashPack" - add-on targets Japanese users, leads To exploit kit
- http://blog.trendmicro.com/trendlabs-security-intelligence/website-add-on-targets-japanese-users-leads-to-exploit-kit/
Aug 21, 2014 - "... In order to affect users, this particular exploit kit does -not- rely on spammed messages or compromised websites: instead, it uses a compromised website add-on. This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on. The added script adds an overlay like this to the site’s pages:
Added share buttons:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/toolbar.png
To do this, a JavaScript file on the home page of the add-on is loaded. This alone should raise red flags: it means that the site owner is loading scripts from an external server -not- under their control. It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect. As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack... loading the s.js file directly will simply load the “correct” script for the add-on. One site which, if found in the Referer header, will trigger the exploit kit is a well-known free blogging site in Japan. The exploit kit delivers various Flash -exploits- to -targeted- users... At least approximately 58,000 users have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted in servers in the Czech Republic, the Netherlands, and Russia.
Number of hits by country from August 1 to 17
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/08/Number-of-Hits-by-Country-01.jpg
How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable. This incident illustrates for end users the importance of keeping-software-patched. The vulnerability we mentioned above has been fixed for half-a-year. Various auto-update mechanisms exist which can keep Flash up-to-date..."

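One defensive check for the XML-RPC brute-force traffic described in the first item of this post, as an added example that is not from the original post, myonlinesecurity or Sucuri: it parses Apache/nginx combined-format access log lines, counts POSTs to xmlrpc.php per source IP inside a sliding window, and renders the perimeter block rules the post recommends. The log lines, the 20-requests-in-5-minutes threshold and the iptables rule syntax are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format:
#   ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_xmlrpc_post(rec):
    """True for POST requests to xmlrpc.php (any query string is ignored)."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php")


def find_xmlrpc_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for every IP that POSTs to xmlrpc.php at least
    `threshold` times inside any sliding `window`. Legitimate pingback or
    Jetpack traffic is a handful of POSTs; a brute-force run is hundreds."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_xmlrpc_post(rec):
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def iptables_drop_rules(offenders):
    """Render one perimeter DROP rule per offending IP (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def build_sample_log():
    """Constructed sample log: one IP hammering xmlrpc.php, plus normal traffic."""
    base = datetime(2014, 8, 22, 4, 10, 0, tzinfo=timezone.utc)

    def stamp(secs):
        return (base + timedelta(seconds=secs)).strftime(TS_FMT)

    lines = [
        f'203.0.113.5 - - [{stamp(2 * i)}] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"'
        for i in range(30)
    ]
    lines += [
        f'198.51.100.9 - - [{stamp(5)}] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
        f'192.0.2.77 - - [{stamp(150)}] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack by WordPress.com"',
        f'192.0.2.77 - - [{stamp(151)}] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack by WordPress.com"',
        "this line is not in combined format and is skipped",
    ]
    return lines


if __name__ == "__main__":
    found = find_xmlrpc_bruteforce(build_sample_log())
    for rule in iptables_drop_rules(found):
        print(rule)
```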

 88 
 on: August 21, 2014, 05:34:24  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Tech Support SCAMS rip big brand security software with fake warnings
- https://blog.malwarebytes.org/fraud-scam/2014/08/tech-support-scammers-rip-big-brand-security-software-with-fake-warnings/
Aug 21 2014 - "... bogus tech support. If you are looking to download one of the popular antivirus or anti-malware product on the market, watch out before you click.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/listAVs-965x395.png
Lookalike pages: Fraudsters have set up -fake- download pages that look incredibly like the authentic ones... Hijacked software: Each page links to a download, which of course is -not- the actual software...
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/software.png
The purpose of these fake programs is to trick people into thinking something is wrong with their computers:
> https://blog.malwarebytes.org/wp-content/uploads/2014/07/error.png
The fake pages are hosted here:
hzzzp ://onlineinstanthelp .com/antivirus-download.html
hzzzp ://onlineinstanthelp .com/norton-us/download.html
hzzzp ://onlineinstanthelp .com/mcafee-us/download.html
hzzzp ://onlineinstanthelp .com/avg-us/download.html
hzzzp ://onlineinstanthelp .com/malwarebytes-us/download.html
hzzzp ://onlineinstanthelp .com/winzip-us/download.html
hzzzp ://onlineinstanthelp .com/lavasoft-us/download.html
The company providing ‘support’ is: wefixbrowsers .com ... We are reporting the sites to the registrar and passing on the LogMeIn codes so that interested parties can take appropriate actions. To avoid these -fake- installers, users should always go to the company’s official website..."
(More detail at the malwarebytes URL at the top.)

wefixbrowsers .com / 23.91.123.204: https://www.virustotal.com/en/ip-address/23.91.123.204/information/

onlineinstanthelp .com / 118.139.186.35: https://www.virustotal.com/en/ip-address/118.139.186.35/information/
___

Fake HMRC SPAM - malware
- http://myonlinesecurity.co.uk/helping-business-onile-malware/
21 Aug 2014 - "'Helping your Business onile' pretending to come from 'HMRC Business Help and Education Emails' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/08/Helping-your-Business-onile.png

21 August 2014: Credit_file_961529461.zip (50kb)... Current Virus total detections: 1/51*
...  targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustotal.com/en/file/050eae9a0470d35275c74159872ddf4232430ec6890b3d411769e2622c0183f8/analysis/1408620337/
___

Fake Credit reference SPAM - word Doc malware
- http://myonlinesecurity.co.uk/re-credit-reference-file-request-108278994-fake-word-doc-malware/
21 Aug 2014 - "'RE: Credit reference file request.(108278994)' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
   Dear <REDACTED>
    You have obtain a copy of your credit reference file.
    We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 .
    Lynn Buck.


21 August 2014: Credit_file_108278994.zip (52 kb): Extracts to Credit reference file.doc.scr
Current Virus total detections: 2/52*
21 August 2014: Credit_file_642094175.zip (85kb): Extracts to credit_reference_file.xls.scr
Current Virus total detections: 2/52*
This 'RE: Credit reference file request.(108278994)' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .scr executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4326821ac04b6e7d4c36093065b01e7d2ea6931818532c01a5988d2782110aaf/analysis/1408613742/
___

JPMorgan customers targeted in phishing campaign
- http://www.reuters.com/article/2014/08/21/us-cybercrime-jpmorgan-spam-idUSKBN0GL20R20140821
Aug 21, 2014 - "Fraudsters are targeting JPMorgan Chase & Co customers in an email "phishing" campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from -other- institutions. The campaign, dubbed "Smash and Grab," was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc. JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers... the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank. Users who click on a malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they did not comply, the site attempted to automatically install the Dyre banking Trojan* on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme."
* http://blog.malcovery.com/blog/dyre-banking-trojan-what-you-need-to-know

> https://www.brainyquote.com/quotes/quotes/b/benjaminfr122731.html
"Distrust and caution are the parents of security" - Ben Franklin

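The fake invoice, fax, ADP and credit-reference runs in the posts above all rely on a zipped attachment whose name or icon disguises an .exe or .scr. The following added example, which is not from the original posts or from myonlinesecurity, inspects a zip archive's members for executable and double extensions (such as .doc.scr) and also checks the first bytes of each member for a PE "MZ" header, so a renamed executable is flagged even when its name looks like a document. The archive, its member names and the stub contents are constructed here.

```python
import io
import zipfile

# Extensions Windows will run when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Document/image extensions the spam runs on this page imitate.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_name(member_name):
    """Classify a zip member by its name alone:
    'double-extension' = a document extension right before an executable one ('x.doc.scr'),
    'executable'       = a plain .exe/.scr/... name,
    'other'            = anything else."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return "other"
    if "." + parts[-1] not in EXEC_EXTS:
        return "other"
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
        return "double-extension"
    return "executable"


def sniff_format(head):
    """Identify the real container format from the first bytes of the member."""
    if head.startswith(b"MZ"):
        return "pe"        # Windows executable (.exe/.scr/.dll)
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        return "zip"       # also .docx/.xlsx
    if head.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"       # legacy .doc/.xls
    return "unknown"


def scan_archive(zip_bytes):
    """Return {member_name: [reasons]} for every member worth quarantining."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            kind = classify_name(info.filename)
            fmt = sniff_format(head)
            reasons = []
            if kind == "double-extension":
                reasons.append("document extension hides an executable extension")
            elif kind == "executable":
                reasons.append("executable attachment")
            if fmt == "pe" and kind == "other":
                reasons.append("PE header (MZ) under a non-executable name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed archive modelled on the runs above; members are stub bytes, not malware."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60      # only the DOS header magic
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice 372 - 667911.exe", fake_pe)
        zf.writestr("Credit reference file.doc.scr", fake_pe)
        zf.writestr("statement.pdf", fake_pe)          # executable renamed to look like a PDF
        zf.writestr("report.pdf", b"%PDF-1.4\n%stub\n")
        zf.writestr("readme.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_archive(build_sample_archive()).items():
        print(f"{name}: {'; '.join(why)}")
```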

 89 
 on: August 21, 2014, 01:19:20  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

UPS - data breach at 51 locations
- http://www.reuters.com/article/2014/08/20/united-parcel-cybercrime-idUSL4N0QQ5CF20140820
Aug 20 2014 - "UPS Store Inc, a unit of United Parcel Service Inc, warned of a potential data breach at about 51 of its franchised center locations in 24 states across the United States. There was no evidence of fraud arising from the incident, the company said. UPS Store said customers who used a credit or debit card at the stores between Jan. 20 and Aug. 11 may have been exposed to a malware identified in the company's systems at the locations. The company said the customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. The UPS Store network is a franchise system of retail shipping, postal, print and business service centers in the United States. UPS Store has about 4,470 franchised center locations in the United States. UPS Store said the period of exposure to the malware began after March 26 at most of the locations. The malware was eliminated as of Aug. 11 and customers can shop securely at the company's locations, UPS Store said. The malware intrusion was notified by the U.S. government, the company said, adding it was among many other retailers alerted by the government. The malware was not present on the computing systems of any other UPS business entities, UPS Store said..."

- http://www.theupsstore.com/security/Pages/default.aspx
"... impacted center locations, along with the timeframe for potential exposure to this malware at each location..."

> https://www.us-cert.gov/ncas/alerts/TA14-212A
Last revised: Aug 18, 2014
___

- http://atlas.arbor.net/briefs/index#-966807597
High Severity
21 Aug 2014


 90 
 on: August 20, 2014, 06:31:01  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Apache OFBiz 12.04.04 released
- http://www.securitytracker.com/id/1030739
CVE-2014-0232
Aug 19 2014
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): 12.04.* prior to 12.04.04, 11.04.* prior to 12.04.04 ...

> https://ofbiz.apache.org/download.html


Powered by SMF 1.1.19 | SMF © 2013, Simple Machines