News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
81 - on: September 16, 2014, 02:02:44
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

MS14-055 revised - Vulnerabilities in Lync could allow denial of service ...
- https://technet.microsoft.com/library/security/MS14-055
V2.0 (September 15, 2014): Bulletin revised to remove* Download Center links for Microsoft security update 2982385 for Microsoft Lync Server 2010...
* Update FAQ
Why was this bulletin revised on September 15, 2014?
Microsoft revised this bulletin to address a known issue that prevented users from successfully installing security update 2982385 for Microsoft Lync Server 2010. Microsoft is investigating behavior associated with the installation of this update, and will update this bulletin when more information becomes available. As an added precaution, Microsoft has removed the download links to the 2982385 security update...

Related: https://support.microsoft.com/kb/2990928
Last Review: Sep 16, 2014 - Rev: 2.0


82 - on: September 16, 2014, 01:20:07
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'Payments' SPAM ...
- http://blog.mxlab.eu/2014/09/16/trojan-genvariant-graftor-155439-present-in-fake-emails-regarding-payments/
Sep 16, 2014 - "...  intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email comes with the subject “Re: today payment done” is sent from a spoofed address and has the following body:
   Dear sir,
    Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
    Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
    Cont. #42 EXSQI013/MAY/13 US$29,154.66
    Total Remittance: US$ 51,704.97
    Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
    Thank you very much.
    Best regards,
    Me


The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686/analysis/
The second email comes with the subject “Re: Balance payment” is sent from a spoofed address and has the following body:
   The attached TT copy is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully,
    Global Payments and Cash Management
    Bank of America (BOA)
    This is an auto-generated email, please DO NOT REPLY. Any replies to this
    email will be disregarded...


The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635/analysis/
___

Fake 'My new photo Wink' SPAM - malware attachment
- http://blog.mxlab.eu/2014/09/16/email-my-new-photo-contains-a-variant-of-trojan-win32-swizzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo Wink”. This email is sent from a spoofed address and has the following short body in very poor English:
   my new photo Wink
    if you like my photo to send me u photo


The attached ZIP file has the name photo.zip, once extracted a folder photo is available with that contains the 127 kB large file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/83d322707828350ba51301b1a0d02ee0c831b88bb9722036ade2b7d8827817cb/analysis/
... Behavioural information
TCP connections:
___

Fake USPS SPAM - word doc malware
- http://myonlinesecurity.co.uk/usps-postal-notification-service-fake-word-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS  is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/usps-postal-notification-service.png

16 September 2014: Label.zip ( 82 kb): Extracts to: Label.exe
Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6678ff966e942e4bf669d8a240acbab79971c871152f3c16478a3ec0c3f5c805/analysis/1410841682/
___

Fake 'inovice' SPAM ...
- http://blog.dynamoo.com/2014/09/inovice-0293991-september-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment


The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series a DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block-  .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustotal.com/en-gb/file/ee43410ecaba583a03eb3cfbf1af1afb38a5f25cd8742b47372b853d83fc7089/analysis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustotal.com/en/ip-address/208.91.197.27/information/
___

Fake FAX SPAM... again
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From:     Fax
Date:     16 September 2014 11:05
Subject:     You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...


The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua
yerelyonetisim .org.tr
ngujungwap .mobi.ps
"
* https://www.virustotal.com/en-gb/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo.com/2014/09/kifilwe-shakong-copied-invoices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From:     Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date:     16 September 2014 12:17
Subject:     Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...


Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d/analysis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo.com/2014/09/unpaid-invoice-notification-spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
   From:     Christie Foley [christie.foley@ badinsky .sk]
    Reply-to:     Christie Foley [christie.foley@ badinsky .sk]
    Date:     16 September 2014 13:55
    Subject:     Unpaid invoice notification ...


Screenshot: https://1.bp.blogspot.com/-4dVURai9zaE/VBg551t4f-I/AAAAAAAAFoA/l2blM5UgsbU/s1600/invoice.png

The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/report.php?id=1410873578924

- http://myonlinesecurity.co.uk/notification-amount-overdue-recent-invoice-java-exploit-malware/
16 Sep 2014
___

Fake 'PAYMENT SCHEDULE' email -  419 SCAM
- http://myonlinesecurity.co.uk/reyour-payment-schedule-pretending-come-dr-mrs-ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
   Attn:Beneficiary,
     My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
     Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that
    you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are
    therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not
    authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated
    Teller Machine System( ATM CARD).
     Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
     Reply also to : fminister88 @gmail .com
     Your faithfully.
     Dr Mrs Ngozi O. Iweala.
    Finance Of Minister.


[Arrgghh...]
___

Fake Nat West SPAM - PDF malware
- http://myonlinesecurity.co.uk/nat-west-bacs-transfer-remittance-jsag828gbp-fake-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We have arranged a BACS transfer to your bank for the following amount : 4933.00
    Please find details at our secure link below: ...


This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/natwest-new-secure-message-file-4430-fake-pdf-malware/

- https://www.virustotal.com/en/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu/2014/09/16/fake-email-fwd-dhl-delivery-attempt-contains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
    We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
    The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
    You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
    If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
    Airway Bill No: 7808130095
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    Print this label to get this package at our depot/office.
    Thank you
    © 2014 Copyright© 2013 DHL. All Rights Reserved...


The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44/analysis/1410870424/


83 - on: September 15, 2014, 02:15:43
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Termination SPAM – malware
- http://myonlinesecurity.co.uk/termination-due-policy-violation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday Morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted- . NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SHA1 or MD5#. Loads of slightly different subjects with this one, including
    Policy violation #59892665326
    Termination due to policy violation #33205939124
    Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
    Hello,
    We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
    - 0A4 44 12.09.2011
    - 0A4 46 12.09.2011
    - 0A4 85 12.09.2011
     You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
     Sincerely,
    Pauletta Stephens ...


15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to:  disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53* . This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/eb62d2fc255b934706b15eb5fa4f07fdf3a900810820ef60db62b77de1d4c4ef/analysis/
... Behavioural information
TCP connections:
187.45.193.139: https://www.virustotal.com/en/ip-address/187.45.193.139/information/
213.186.33.87: https://www.virustotal.com/en/ip-address/213.186.33.87/information/
23.62.99.33: https://www.virustotal.com/en/ip-address/23.62.99.33/information/
66.96.147.117: https://www.virustotal.com/en/ip-address/66.96.147.117/information/
UDP communications:
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

LinkedIn feature exposes Email Addresses
- http://krebsonsecurity.com/2014/09/linkedin-feature-exposes-email-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___

Fake Overdue invoice SPAM - malicious .arj attachment
- http://blog.dynamoo.com/2014/09/overdue-invoice-6767390-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
   From:     Mauro Reddin
    Date:     15 September 2014 10:32
    Subject:     Overdue invoice #6767390
    Morning,
    I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
    Best regards,
    Mauro Reddin ...


The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustotal.com/en-gb/file/c21b719a9cf4c5aa9d8927c185be4181d7c465b01fa85e38c7a3d459930e2203/analysis/1410773681/
___

Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:

Screenshot: http://4.bp.blogspot.com/-knPfcbJT0Q4/VBbJyysrTNI/AAAAAAAAFnI/YbEjR56dgRU/s1600/sage.png

... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel .us/upload/box/1509uk1.ltc
www .green-fuel .us/upload/box/1509uk1.ltc
Recommended blocklist:
"
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/
___

Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-natwest-fake-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...

   
15 September 2014: SecureMessage.zip ( 8kb) : Extracts to:   SecureMessage.scr
Current Virus total detections: 1/55* . This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/

- http://threattrack.tumblr.com/post/97567721558/natwest-secure-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/65aed37f33dcaf8e16e0b2e828d4f53e/tumblr_inline_nby6ovZu2c1r6pupn.png
___

Phish - LLoyds 'Secure' SPAM...
- http://myonlinesecurity.co.uk/lloyds-bank-new-secure-message-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
- Confirmation of Order
This one is 'LLoyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]
    (New users may need to verify their email address)
    If you do not see or cannot click “Read Message” / click here
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
    Mobile Users:
    Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/lloyds_bank_secure_message.png

This one wants your personal details and bank details..."
___

Fake Fax SPAM - malware attachment
- http://myonlinesecurity.co.uk/received-fax-fake-pdf-malware/
15 SEP 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   You have received a new fax. This fax was received by Fax Server.
    The fax has been downloaded to dropbox service (Google Inc).
    To view your fax message, please download from the link below. It’s
    operated by Dropbox and safety...
    Received Fax Details
    Received on:1 5/09/2014 10:14 AM
    Number of Pages: 1 ...


15 September 2014: Docs0972.zip ( 8kb): Extracts to:  Docs0972.scr
Current Virus total detections: 0/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bec0ac2711f99f90f27a29a9e021bedfede02c139f26dcfae36e2d8895babf52/analysis/1410804563/
___

Twitch users shook by money spending malware
- http://www.theinquirer.net/inquirer/news/2367489/twitch-users-shook-by-money-spending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure.com/weblog/archives/00002742.html

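A mail-perimeter attachment check covering the lures in the two posts above (ZIP archives wrapping a .scr/.exe, bare executables hiding behind a PDF or Word icon, and .arj attachments), as an added example that is not code from the forum or from the blogs it quotes. The block-list policy, the helper names and the sample messages are my own constructed assumptions; only the ARJ (0x60 0xEA) and PE ("MZ") magic bytes are standard.

```python
"""Flag mail attachments matching the Upatre/Zbot lures quoted above.

Added example, not code from the thread. Policy and samples are constructed;
no real malware is embedded, the payload stubs only carry the PE magic bytes.
"""
from __future__ import annotations

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows Explorer hides when "show known file extensions" is off,
# so the spoofed PDF/Word icon is all the user sees.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ARJ_MAGIC = b"\x60\xea"  # first two bytes of every ARJ archive
PE_MAGIC = b"MZ"         # DOS/PE header of a Windows executable


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name ("" if it has none)."""
    name = name.lower().rstrip()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return the policy violations for one attachment (empty list = clean)."""
    findings: list[str] = []
    ext = _ext(filename)
    # Policy 1 (per the posts): ARJ is never legitimate business mail, block it.
    if ext == ".arj" or data[:2] == ARJ_MAGIC:
        findings.append(f"{filename}: ARJ archive (blocked outright)")
    # Policy 2: a directly attached executable, by name or by content.
    if ext in EXECUTABLE_EXTS or data[:2] == PE_MAGIC:
        findings.append(f"{filename}: executable attached directly")
    # Policy 3: ZIP container, judge each member by extension AND magic bytes,
    # so "original copy.pdf" that really starts with MZ is still caught.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    head = zf.open(info).read(2)
                    if _ext(info.filename) in EXECUTABLE_EXTS or head == PE_MAGIC:
                        findings.append(f"{filename} -> {info.filename}: executable inside ZIP")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: corrupt ZIP (unreadable archive)")
    return findings


def check_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and inspect every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(inspect_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample(subject: str, attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed message mimicking the lures quoted above (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Attached is the TT copy, check with your bank.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return bytes(msg)


def zip_with(member: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed samples: FAKE_PE is a stub that merely starts with the PE magic.
FAKE_PE = PE_MAGIC + b"\x00" * 62
SAMPLE_SWIFT = build_sample("Re: today payment done", "swift copy.zip",
                            zip_with("swift copy.scr", FAKE_PE))
SAMPLE_ARJ = build_sample("inovice 8958508 September", "invoice_8958508.arj",
                          ARJ_MAGIC + b"\x00" * 30)
SAMPLE_SPOOFED = build_sample("Re: Balance payment", "original copy.zip",
                              zip_with("original copy.pdf", FAKE_PE))
SAMPLE_CLEAN = build_sample("Invoice", "invoice.zip", zip_with("invoice.txt", b"plain text"))

if __name__ == "__main__":
    for label, sample in [("swift", SAMPLE_SWIFT), ("arj", SAMPLE_ARJ),
                          ("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)]:
        print(label, check_message(sample) or "clean")
```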

84 - on: September 14, 2014, 17:28:19
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

9/8 and 9/12 Updates
- http://www.malwaredomains.com/?p=3655
September 13th, 2014 - "Added -258- domains on 9/8 and -348- on 9/12 (malvertising, zeus, phishing etc). Sources include mwsl.org.cn, blog.dynamoo.com and others..."


85 - on: September 14, 2014, 16:47:10
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Phish - Paypal ...
- http://myonlinesecurity.co.uk/paypal-account-will-limited-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from  PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rangeview_paypal_phishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."


86 - on: September 13, 2014, 05:37:57
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

JPMorgan still seeks to determine extent of Attack
- http://www.nytimes.com/2014/09/13/technology/after-breach-jpmorgan-still-seeks-to-determine-extent-of-attack.html
Sep 12, 2014 - "The headache caused by the attack on JPMorgan Chase’s computer network this summer may not go away anytime soon. Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work. They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack. The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than -90- of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems. Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access. A fourth person with knowledge of the matter, also speaking on condition of anonymity, said hackers had not gained access to account holders’ financial information or Social Security numbers, and may have reviewed only names, addresses and phone numbers. The hack began in June and was not detected until late July. JPMorgan briefed financial regulators on the extent of the damage last week. Investigators say they believe that at least four other banks or financial institutions were also affected..."


 87 
 on: September 12, 2014, 16:38:19  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 32.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.1/releasenotes/
Sep 12, 2014
Fixed: 32.0.1 - Stability issues for computers with multiple graphics cards
Fixed: 32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...

Mobile:
- https://www.mozilla.org/en-US/mobile/32.0.1/releasenotes/
Fixed: 32.0.1 - Link tap selection is offset on some Android devices
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...


 88 
 on: September 12, 2014, 04:22:05  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Update for OneDrive for Business (KB2889866)
- https://support.microsoft.com/kb/2889866
Last Review: Sep 10, 2014 - Rev: 2.0
"Notice: We are investigating an issue that is affecting the September 2014 update for Microsoft OneDrive for Business. Therefore, we have removed the update from availability for now..."

- http://blogs.technet.com/b/office_sustained_engineering/archive/2014/09/10/september-2014-office-update-release.aspx
10 Sep 2014 - "UPDATE - We have discovered an issue with update KB 2889866. We have removed the update from availability while we investigate."
___

- http://www.infoworld.com/t/microsoft-windows/microsofts-new-update-tuesday-looks-whole-lot-the-old-black-tuesday-250304
Sep 11, 2014
___

September 2014 Security Bulletin Webcast Q&A
- http://blogs.technet.com/b/msrc/archive/2014/09/12/september_2d00_2014_2d00_security_2d00_bulletin_2d00_release_2d00_webcast_2d00_q_2d00_a.aspx
12 Sep 2014 - "Today we’re publishing the September 2014 Security Bulletin Webcast Questions & Answers page*..."
* http://blogs.technet.com/b/msrc/p/september-2014-security-bulletin-release-webcast-q-a.aspx


 89 
 on: September 12, 2014, 02:41:40  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

VMSA-2014-0009 - VMware NSX and vCNS product updates ...
- http://www.vmware.com/security/advisories/VMSA-2014-0009.html
2014-09-11
Summary: VMware NSX and vCloud Networking and Security (vCNS) product updates address a vulnerability that could lead to critical information disclosure.
Relevant releases:
NSX 6.0 prior to 6.0.6
vCNS 5.5 prior to 5.5.3
vCNS 5.1.4 prior to 5.1.4.2
Problem Description:
a. VMware NSX and vCNS information disclosure vulnerability
VMware NSX and vCNS contain an input validation vulnerability. This issue may allow for critical information disclosure...
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3796 - 5.0

- http://www.securitytracker.com/id/1030835
CVE Reference: CVE-2014-3796
Sep 11 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCNS 5.1.4 prior to 5.1.4.2, 5.5 prior to 5.5.3 ...
Solution: The vendor has issued a fix (5.1.4.2, 5.5.3)...


 90 
 on: September 12, 2014, 01:11:22  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Invoice SPAM - contains malicious VBS script
- http://blog.mxlab.eu/2014/09/12/fake-email-copie-facture-societe-lws-fc-contains-malicvious-vbs-script/
Sep 12, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “[COPIE FACTURE SOCIETE LWS FC-408185] – [LWS INVOICE] 10/09/2014”. This email is sent from the spoofed address “Service clients LWS <noreply@ lws .com>” and has the following body (translated from French):
S.A.R.L LWS
4, rue galvani
75838 PARIS Cedex 17
Paris, 10/09/2014
Please find attached your invoice with reference: invoice FC-408185 (File: facture-408185) in ZIP format.
If you do not have WinRar (software for reading ZIP files) you can download it here:
http ://www .rarlab .com/download.htm
Thank you for the trust you place in us,
The LWS accounting department ...


The attached ZIP file has the name FACTURE_45871147.zip and contains the 4 kB file FACTURE_45871147.vbs. The VBS script is in fact encoded to hide its real purpose, but it seems that this script will download other malicious files and install them on the system in order to infect the computer. The trojan is known as Trojan.Script.Crypt.deehcf or VBS/Dloadr-DVY. At the time of writing, 2 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/adf506eebd74dbdd2e23ab2a0918912a95105745226302cca32c760c34d196a5/analysis/
___

Fake Household Improvement SPAM - Zbot Malware
- https://blog.malwarebytes.org/fraud-scam/2014/09/household-improvement-emails-come-with-zbot-malware/
Sep 12, 2014 - "... malicious email in circulation at the moment which claims to contain an invoice from a Kitchen Appliance company. According to another recipient of the mail*, the named company is actually a real business entity although there’s no suggestion that they’ve been hacked or otherwise compromised – it seems the scammers just opened up a directory, said “That one” and just started pretending to be them. The mail reads as follows:
Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2014/09/kitchens1.jpg
... The email comes with a .zip attachment, which contains a piece of Malware known as Zbot.  Zeus (aka Zbot) is something to be avoided, as it can lead to banking password theft, form grabbing, keystroke logging and also Ransomware. The zip contains an executable made to look like a Word .doc file, which is a trick as old as the hills yet extremely effective where catching people out is concerned. Telling Windows to display known file extensions will help to avoid this particular pitfall... we detect this as Trojan.Spy.Zbot, and the current Virus Total scores currently clock in at 29/54**...  there’s another mail*** doing the rounds which spoofs the same email address mentioned above, yet claims to be sent from a toiletries company. If you’ve bought any form of kitchen / household upgrade or addition recently and receive mails with zipped invoices, you may not recall exactly who you bought all of your items from. With that in mind, you may wish to have a look at your receipts and bank statements, and – on the off chance the randomly selected company named in the spam mails matches up – give them a call directly to confirm they really did send you something. There’s a good chance they probably didn’t..."
* http://myonlinesecurity.co.uk/m-m-kitchen-appliances-inv211457-fake-word-doc-malware/

** https://www.virustotal.com/en/file/941434a32431048380956c6bb7c6be5fd4105ac397eb8c46011d27e827014f73/analysis/

*** http://blog.mxlab.eu/2014/09/12/fake-email-with-attached-invoice-from-broad-oak-toiletries-ltd-contains-trojan/
___

Data Breaches and PoS RAM Scrapers
- http://blog.trendmicro.com/trendlabs-security-intelligence/2014-an-explosion-of-data-breaches-and-pos-ram-scrapers/
Sep 11, 2014 - "... Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen. In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows:
Evolution of the PoS RAM scraper family
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Figure-3-01.png
... Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June and is a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Tracks 1 and 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API, and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July and appears to have borrowed functionality from a BlackPOS variant. It attempts to exploit PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS will brute-force the login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A..."
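Added example (editor's code, not from the original post nor from the mxlab or Malwarebytes write-ups it quotes): a small attachment-triage routine that opens a ZIP in memory and flags the two tricks both reports describe, a script attachment that carries the COM objects a VBS downloader needs, and an executable named like a Word document (invoice.doc.exe) that displays as "invoice.doc" when Windows hides known extensions. The extension lists, the marker strings and the sample archive are assumptions constructed for the demo; only the file names borrow from the reports above, the contents are harmless stand-ins.

```python
import io
import zipfile

# Extensions Windows runs on double-click. Illustrative list, not exhaustive (assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "ps1"}
# Extensions a recipient expects on an invoice or document (assumption).
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
# COM objects and calls a VBS dropper needs to fetch, write and run a payload (assumption).
SCRIPT_MARKERS = (b"wscript.shell", b"msxml2.xmlhttp", b"adodb.stream",
                  b"execute(", b"chr(")
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "hta"}

def classify_member(name, head):
    """Return the reasons one archive member looks like a disguised payload.

    name: member file name inside the ZIP
    head: the first few hundred bytes of its content
    """
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + last)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        # 'invoice.doc.exe' is shown as 'invoice.doc' when known extensions are hidden
        reasons.append("double extension masquerading as ." + exts[-2])
    if head.startswith(b"MZ"):
        # DOS/PE header: a Windows executable whatever the name says
        reasons.append("PE header (MZ) in content")
    if last in SCRIPT_EXTS:
        low = head.lower()
        hits = [m.decode() for m in SCRIPT_MARKERS if m in low]
        if hits:
            reasons.append("downloader markers: " + ", ".join(hits))
    return reasons

def triage_zip(data):
    """Map every member of a ZIP (given as bytes) to its reasons; an empty list means nothing found."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(512)
            report[info.filename] = classify_member(info.filename, head)
    return report

def build_sample_zip():
    """Constructed sample archive mimicking the attachments in the two reports (no real malware)."""
    vbs = (b'Set o = CreateObject("MSXML2.XMLHTTP")\r\n'
           b'Set s = CreateObject("ADODB.Stream")\r\n'
           b'Execute(Chr(87) & Chr(83))\r\n')
    pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FACTURE_45871147.vbs", vbs)
        zf.writestr("INV211457.doc.exe", pe)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons) or "clean")
```

Checking the content header rather than trusting the name is the point: a renamed executable still starts with "MZ", and a .vbs that builds strings with Chr() and pulls in MSXML2.XMLHTTP plus ADODB.Stream is a downloader regardless of how the rest is encoded.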

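Added example (editor's code, not from the original post nor from the Trend Micro article it quotes): what "scraping RAM for credit card Track 1 and 2 data" amounts to in practice, and equally what a responder can run over a memory dump from a suspect PoS host to confirm whether card data was sitting in cleartext. It walks a byte buffer with the magnetic-stripe track layouts (ISO/IEC 7813: Track 2 is ";PAN=YYMM...?", Track 1 format B is "%BPAN^NAME^YYMM...?") and drops PANs that fail the Luhn check so random digit runs are not reported. The buffer, the offsets and the card numbers are constructed test values (the well-known 4111... and 5555... test PANs); the regexes are the editor's assumptions about the layouts, not code from any scraper family.

```python
import re

# Track 2 (ISO/IEC 7813): ';' PAN(13-19 digits) '=' YYMM service-code(3) discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]{0,20}\?")
# Track 1 format B: '%B' PAN '^' name '^' YYMM service-code(3) discretionary '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d{3}[^?]{0,50}\?")

def luhn_ok(pan):
    """Luhn mod-10 check: every issued PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep BIN and last four only, so the scan output is not itself card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(buf):
    """Return [(track, masked_pan, expiry_yymm, offset)] for each Luhn-valid track record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track2", mask_pan(pan), m.group(2).decode(), m.start()))
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track1", mask_pan(pan), m.group(3).decode(), m.start()))
    return sorted(hits, key=lambda h: h[3])

def sample_dump():
    """Constructed stand-in for a PoS process memory region (test PANs, no real card data)."""
    return (b"\x00" * 32 + b"POSAPP v2.1 txn=000123 "
            + b";4111111111111111=25121011234567890?"               # Luhn-valid track 2
            + b"\x00" * 16
            + b"%B5555555555554444^DOE/JOHN^25121011000000000?"    # Luhn-valid track 1
            + b"\x00" * 8
            + b";4111111111111112=2512101000?"                      # fails Luhn, must be dropped
            + b"\x00" * 32)

if __name__ == "__main__":
    for track, pan, exp, off in find_track_data(sample_dump()):
        print(f"{off:#06x} {track} {pan} exp {exp[2:]}/{exp[:2]}")
```

On a real dump, run it over the memory of the payment application process only, and treat any hit as evidence that card data exists unencrypted at that point in the flow; the same pattern scan is the search function the article's scraper families implement, so finding data this way means they could too.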
