FYI...Fake Vodafone MMS SPAM - malicious attachment
30 Jan 2014 - "This -fake- Vodafone MMS spam comes with a nasty payload:
Date: Thu, 30 Jan 2014 03:55:04 -0500 [03:55:04 EST]
From: mms.service6885@ mms .Vodafone .co .uk
Subject: image Id 312109638-PicOS97F TYPE==MMS
Received from: 447219637920 | TYPE=MMS
Despite the Vodafone references in the header, this message comes from a random -infected- PC somewhere and not the Vodafone network. The email doesn't quite render properly in my sample:
The spam is probably preying on the fact that most people have heard of MMS but very rarely use it. Attached is a file IMG0000008849902.zip which in turn contains a malicious executable IMG0000008849902.exe, which has a VirusTotal detection rate of just 2/50*. Automated analysis tools are inconclusive... as the sample appears to time out."
___Twitter Follower Scam
Jan 30 2014 - "... This -scam- tries to attract potential victims by using tweets with the phrase “GET MORE F0LL0WERS” and a URL that is apparently from Google. (In this particular case, Google is just used as a -redirector- to the scammer’s site.) It also uses Twitter’s Discover feature and trending topics to boost its visibility. It also uses tweets that mention random Twitter users. Sample tweets promoting the site:
When users click the link in the post, they will be redirected to a “get free followers” site. The site offers two options—a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers; this will grant them access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site will show a “processing” page. The user will gain random Twitter followers, including those with private accounts. The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.
What’s the catch? Yes, they get new followers, but these followers are other users who signed up for this service as well. By agreeing to the service, their accounts will also be used to follow other accounts. In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle... Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus revenue for the owners of the ads. We’ve seen -35- separate domains in this attack... Users are encouraged to -avoid- clicking links on social media posts unless the source can be verified. Users should also avoid giving access to their social media accounts unless the sites are established and well-known. Lastly, they should always remember that “free” services often aren’t. They may ask for something in exchange, be it information or access to accounts..."
___Google Safe Browsing diagnostic: s15443877.onlinehome-server .info
30 Jan 2014 - "Something that caught my eye was this Google Safe Browsing diagnostic for [donotclick]s15443877.onlinehome-server .info * ... Not only are (exactly) one third of the pages crawled hosting -malware- but there are a staggering -198- domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen. VirusTotal also shows some historical evil** going on with the IP of 22.214.171.124 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish. It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and -blocking- s15443877.onlinehome-server .info or 126.96.36.199 might be prudent."
"... over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29. Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine. Malicious software is hosted on 198 domain(s)... 155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site..."
___Fake "Last Month Remit" SPAM
30 Jan 2014 - "This -fake- "Last Month Remit" spam does a pretty good job of looking like it comes from your own organisation.
Date: Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
From: Administrator [victimdomain]
Subject: FW: Last Month Remit
File Validity: Thu, 30 Jan 2014 12:22:05 +0000
Company : http ://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls ...
Going to the bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realise that the attached ZIP file with an EXE in it was probably bad news. In this case, the attachment is called Remit_[victimdomain].zip which in turn contains a malicious executable called Remit.exe which has an icon that makes it look like a PDF file.
This file has a VirusTotal detection rate of 10/49*. Automated analysis tools... show an attempted connection to poragdas .com on 188.8.131.52 (Pioneer Elabs, India), which is a server that has been seen before, and excelbizsolutions .com on 184.108.40.206 (CtrlS Private, India).
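Both the Vodafone MMS sample and the "Last Month Remit" sample above share the same two tricks: a sender header that does not match where the mail actually came from, and a ZIP attachment wrapping a Windows executable (in the Remit case dressed up with a PDF icon). The following is an added example, not code from either quoted blog post, of how a mail gateway can catch both without relying on antivirus signatures. It parses the topmost Received: header (the one our own edge MTA wrote, which the sender cannot forge) and compares the connecting IP against a list of our own mail servers, and it opens ZIP attachments and flags any member that is executable either by extension or by the "MZ" magic bytes, so renaming the file or changing its icon does not help the attacker. The domain victimdomain.example, the MTA netblock 203.0.113.0/24, the sample messages, and the MZ stub are all constructed for this example (TEST-NET addresses, nothing from the page).

```python
import email
import email.utils
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Hypothetical gateway configuration (assumptions for this example, not from the page).
OUR_DOMAIN = "victimdomain.example"                    # the domain the lure impersonates
OUR_MTAS = [ipaddress.ip_network("203.0.113.0/24")]    # our own outbound mail servers (TEST-NET-3)

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop_ip(msg):
    """IP of the host that connected to our edge MTA.

    Received: headers are prepended hop by hop, so the topmost one was written by
    our own server and is the only one the sender could not have forged.
    """
    received = msg.get_all("Received") or []
    m = BRACKETED_IP.search(str(received[0])) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None


def spoofed_internal_sender(msg):
    """True when From: claims our domain but the message did not arrive from our MTAs."""
    domain = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != OUR_DOMAIN:
        return False
    ip = first_hop_ip(msg)
    return ip is None or not any(ip in net for net in OUR_MTAS)


def executable_members(zip_bytes):
    """Names of archive members that are executables by extension or by MZ magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                magic = fh.read(2)
            if PurePosixPath(info.filename).suffix.lower() in EXEC_EXTENSIONS or magic == PE_MAGIC:
                hits.append(info.filename)
    return hits


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if spoofed_internal_sender(msg):
        findings.append(f"From: claims {OUR_DOMAIN} but first hop {first_hop_ip(msg)} is not one of our MTAs")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_MAGIC):
            for member in executable_members(data):
                findings.append(f"attachment {name} contains executable {member}")
        elif data.startswith(PE_MAGIC):
            findings.append(f"attachment {name} is itself a PE executable")
    return findings


# --- constructed samples (not real captures) ---------------------------------

def make_zip(member, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_sample(sender, hop_ip, filename, payload, subtype):
    """Assemble a message the way our edge MTA would have recorded it on receipt."""
    msg = EmailMessage()
    msg["Received"] = (f"from mail.{OUR_DOMAIN} (unknown [{hop_ip}]) by mx1.{OUR_DOMAIN} "
                       f"with ESMTP; Thu, 30 Jan 2014 12:22:05 +0000")
    msg["From"] = sender
    msg["To"] = f"user@{OUR_DOMAIN}"
    msg["Subject"] = "FW: Last Month Remit"
    msg.set_content("Please see the attached remit file.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# Minimal MZ stub with an e_lfanew pointing at a "PE\0\0" signature; not a runnable program.
FAKE_PE = PE_MAGIC + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 64

# Modelled on the "Last Month Remit" lure: internal-looking From:, external first hop, Remit.exe in the ZIP.
REMIT_LURE = build_sample(f"Administrator <administrator@{OUR_DOMAIN}>", "198.51.100.7",
                          f"Remit_{OUR_DOMAIN}.zip", make_zip("Remit.exe", FAKE_PE), "zip")
# Legitimate internal mail: From: our domain, first hop is one of our MTAs, plain data inside the ZIP.
INTERNAL_OK = build_sample(f"Finance <finance@{OUR_DOMAIN}>", "203.0.113.5",
                           "remit.zip", make_zip("remit.csv", b"date,amount\n2014-01-30,100\n"), "zip")
# External sender with a (truncated) PDF: nothing to flag.
EXTERNAL_OK = build_sample("supplier@example.net", "198.51.100.7",
                           "invoice.pdf", b"%PDF-1.4\n%constructed\n", "pdf")

if __name__ == "__main__":
    for label, raw in [("remit lure", REMIT_LURE), ("internal ok", INTERNAL_OK), ("external ok", EXTERNAL_OK)]:
        print(label, triage(raw) or ["clean"])
```

Two points are worth noting. The Received: check deliberately ignores every header below the topmost one, because those travel with the message and are exactly what the Remit spammer faked; only the line your own MTA stamps on arrival is trustworthy. And the attachment check keys on the MZ bytes rather than the file name or icon, so a payload renamed to .jpg inside the archive is still reported; the PDF icon the Remit.exe carries is a resource inside the PE and never enters into the decision.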