News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
91 - on: September 24, 2014, 03:20:28 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

249 domains (goz, luxnet, poisonivy, blackshades) added
- http://www.malwaredomains.com/?p=3661
September 23rd, 2014 - "Added -249- domains (goz, luxnet, poisonivy, blackshades, etc). Sources include osint.bambenekconsulting.com, mwsl.org.cn, malwareconfig.com and others..."


92 - on: September 24, 2014, 02:27:26 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake BankLine SPAM
- http://blog.dynamoo.com/2014/09/you-have-received-new-secure-message.html
24 Sep 2014 - "This -fake- BankLine email leads to malware that is not currently detected by any anti-virus engine:
    From: Bankline [secure.message@ bankline .com]
    Date: 24 September 2014 09:59
    Subject: You have received a new secure message from BankLine
    You have received a secure message.
    Read your secure message by following the link bellow ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk ...
    First time users - will need to register after opening the attachment...


The link in the email goes to ismashahalam .net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam .net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50*. The Anubis report** shows that the malware phones home to very-english .co.uk which is worth blocking or monitoring."
* https://www.virustotal.com/en-gb/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411546325/

** https://anubis.iseclab.org/?action=result&task_id=1d5af02378c37a5b47d2e9524c46863ef&format=html

- http://myonlinesecurity.co.uk/received-new-secure-message-bankline-fake-pdf-malware/
24 Sep 2014 - "... 24 Sep 2014: SecureMessage.zip: Extracts to: SecureMessage.scr
Current Virus total detections: 7/54*..."
* https://www.virustotal.com/en/file/2ae91a34c322641a86239ab97ba8995e0e188d67ebd5e472825e53d7b53585eb/analysis/1411565004/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Voice mail SPAM
- http://myonlinesecurity.co.uk/inclarity-net-voice-message-attached-01636605058-name-unavailable-fake-wav-malware/
24 Sep 2014 - "'Voice Message Attached from 01636605058 – name unavailable' pretending to come from voicemail@ inclarity .net is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Time: Sep 23, 2014 10:50:00 AM
    Click attachment to listen to Voice Message


24 September 2014: 01636605058_20140919_105000.wav.zip: Extracts to:   01636605058_20140919_105000.wav.exe
Current Virus total detections: 12/53*
This 'Voice Message Attached from 01636605058 – name unavailable' is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/490f83b60921c80a4666ff9b546ce0a233199949d4a00a6035178fa685debbfb/analysis/1411568872/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'overdue invoice' SPAM – malware
- http://myonlinesecurity.co.uk/reminder-overdue-invoice-malware/
24 Sep 2014 - "'Reminder of overdue invoice' pretending to come from a random name at a random company and with a random named attachment is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... different subjects with this one having different numbers including:
    Reminder of overdue invoice: 708872110964932
    Overdue Payment: 122274492356288
    Due Date E-Mail Reminder: 417785972641224
    Payment reminder: 461929101577209
    Past Due Reminder Letter: 199488661953143
    Bills Reminder: 325332051074690
    Automatic reminder: 676901889653218
    Late payment: 475999033756578
    Reminder: 215728756825356

The email looks like:
    Hello,
    This is Rex from Olympus Industrial. After a review of our records, we have found your account is past due.
    Account ID: 5FCDMF9. This notice is a reminder your payment is due.
    Regards,
    Rex Gloeckler
    Olympus Industrial...


24 September 2014: application_708872110964932_5FCDMF9.rar:
Extracts to: application_708872110964932_5FCDMF9.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a file with a red £ sign instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/de2012097279e862bde5f4ffc8e649ede75400aa7c2afd6b343998c91657968f/analysis/1411570178/
... Behavioural information
TCP connections
157.56.96.53: https://www.virustotal.com/en/ip-address/157.56.96.53/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.97: https://www.virustotal.com/en/ip-address/95.101.0.97/information/
213.186.33.17: https://www.virustotal.com/en/ip-address/213.186.33.17/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
___

Fake AMEX Phish - 'Home Depot Security concern'
- http://myonlinesecurity.co.uk/american-express-security-concern-data-breach-home-depot-phishing/
24 Sep 2014 - "We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do -not- click -any- links in these emails... Today’s version is the 'American Express – Security concern on Data breach at Home Depot' which is a change to previous versions to attempt to make it more believable and attractive for you to click the link & give your details. They are using the recent Home Depot hack and consequent fraudulent transactions* that are being taken from many victims' accounts to scare you into ignoring the usual precautions and get you to give them your details:
* http://www.cnbc.com/id/102027452
Email looks like:
[ AMEX logo ]
Dear Customer: We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.
To ensure the safety of your account, please log on to: ...
    Regularly monitor your transactions online at americanexpress .com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center
    Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.
    Switch to Paperless Statements that are accessible online through your password-protected account.
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team ...


Following the link in this 'American Express – Security concern on Data breach at Home Depot' or other -spoofed- emails takes you to a website that looks -exactly- like the real American Express site. You are then led through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. Please read our How to protect yourselves page** for simple, sensible advice on how to avoid being infected or having your details stolen by this sort of socially engineered malware..."
** http://myonlinesecurity.co.uk/how-to-protect-yourself-and-tighten-security/

- http://threattrack.tumblr.com/post/98321608223/american-express-home-depot-credentials-phish
Sep 24, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/094c409ba72f53cb124310343c3a213b/tumblr_inline_ncf48aKPiQ1r6pupn.png
Tagged: AMEX, American Express, Home Depot, Credentials Phish
___

Netcraft Sep 2014 Web Server Survey
- http://news.netcraft.com/archives/2014/09/24/september-2014-web-server-survey.html
24 Sep 2014 - "In the September 2014 survey we received responses from 1,022,954,603 sites — nearly 31 million more than last month. This is the first time the survey has exceeded a -billion- websites, a milestone achievement that was unimaginable two decades ago. Netcraft's first ever survey was carried out over 19 years ago in August 1995. That survey found only 18,957 sites, although the first significant milestone of one million sites was reached in less than two years, by April 1997..."
___

Viator(dot)com - Data Compromise ...
- https://blog.malwarebytes.org/online-security/2014/09/viator-com-data-compromise-are-you-affected/
Sep 23, 2014 - "You may well be seeing an email appearing in your inbox from Viator .com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach* and anything up to 1.4 million customers may have been potentially impacted by the compromise...
* http://www.viator.com/about/media-center/press-releases/pr33251
Sep 19, 2014

... the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it... there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise... we await more information on this latest high-profile attack."
___

Malvertising campaign - involving DoubleClick and Zedo
- https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/
Sep 18, 2014 - "Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary."

- http://arstechnica.com/security/2014/09/google-stops-malicious-advertising-campaign-that-could-have-reached-millions/
Sep 22 2014


93 - on: September 23, 2014, 16:27:36 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

IE10/IE11 in Win8/8.1 - Flash Player update
- https://technet.microsoft.com/en-us/library/security/2755801
Sep 23, 2014
V29.0 (Sep 23, 2014): Added the 2999249* update to the Current Update section.

Update for Adobe Flash Player in Internet Explorer
* https://support.microsoft.com/kb/2999249
Sep 23, 2014 - Rev: 1.0 - "An issue was found in which some videos may not play, or you may receive an error message, when you try to watch video from certain websites. Microsoft has released an update for this issue for IT professionals. This release contains a fix that will significantly reduce the prevalence of video playback failures on sites where this problem previously occurred.
Known issues with this update: Windows Update will not offer this update to Windows RT-based computers until update 2808380 is installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2808380** Windows RT-based device cannot download software updates or Windows Store apps."
** https://support.microsoft.com/kb/2808380
Mar 7, 2013 - Rev: 3.0
 
[ Hat tip to dvk01: http://myonlinesecurity.co.uk/microsoft-updates-adobe-flash-player-ie10-ie11in-windows-8-8-1/ ]


94 - on: September 23, 2014, 10:48:23 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Bulletin MS14-055 - Important
Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928)
- https://technet.microsoft.com/en-us/library/security/MS14-055
V3.0 (September 23, 2014): Bulletin rereleased to announce the re-offering of the 2982385 security update file (server.msp) for Microsoft Lync Server 2010...
Why was this bulletin revised on September 23, 2014?
Microsoft re-released this bulletin to announce the re-offering of the 2982385 security update file (server.msp) for Microsoft Lync Server 2010. The re-released update addresses an issue in the original offering that prevented users from successfully installing the server.msp file. Customers who attempted to install the original update will be re-offered the 2982385* update and are encouraged to apply it at the earliest opportunity...

* https://support.microsoft.com/kb/2982385
Sep 23, 2014 - Rev: 2.0


95 - on: September 23, 2014, 02:51:26 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'Voice Mail' SPAM
- http://blog.dynamoo.com/2014/09/according-to-this-spam-you-have-new.html
23 Sep 2014 - "This strangely titled spam leads to malware.
From:     Voice Mail
Date:     23 September 2014 10:17
Subject:     You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link ...
The link to this secure message will expire in 24 hours ...


The link in the email downloads a file from www .ezysoft .in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54*. According to this Anubis report** the malware attempts to phone home to very-english .co.uk which might be worth blocking."
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/

** http://anubis.iseclab.org/?action=result&task_id=1ac4290d6f92ed1044d41585aeff6b27a&format=html

- http://myonlinesecurity.co.uk/new-voice-fake-pdf-malware/
23 Sep 2014 - "... 23 Sep 2014: VoiceMail.zip (9kb): Extracts to: VoiceMail.scr Current Virus total detections: 2/54*
* https://www.virustotal.com/en-gb/file/2008078314022b0bf08cc1e2a23420ec4f7caab95e00e020ecf07b7c01dbfa35/analysis/1411464313/
___

jQuery.com compromised to serve malware via drive-by download
- http://www.net-security.org/malware_news.php?id=2869
23.09.2014 - "jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been -redirecting- visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users... The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain that was registered on the same day, it's more than likely that that was the day when the attack actually started. RiskIQ researchers* have immediately notified the jQuery Foundation about the compromise, and the site's administrators have -removed- the malicious script. The bad news is that they still don't know how the compromise happened, so it just might happen again. Users who have visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging of the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity has originated from it (data exfiltration, etc.). The only good news in all of this is that there is no indication that the jQuery library was affected."
* http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-risk

>> https://blog.malwarebytes.org/?s=RIG+exploit+kit

- https://isc.sans.edu/diary.html?storyid=18699
2014-09-23

46.182.31.77: https://www.virustotal.com/en/ip-address/46.182.31.77/information/
___

Nuclear Exploit Kit evolves, includes Silverlight Exploit
- http://blog.trendmicro.com/trendlabs-security-intelligence/nuclear-exploit-kit-evolves-includes-silverlight-exploit/
Sep 23, 2014 - "... We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074*) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit)... This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit... Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability... The number of exploits used by the kit has -doubled- since the start of 2014...
Timeline of exploits used by the Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/2-Nuclear-Exploit-Kit-Timeline-01.jpg
Vulnerabilities targeted by the current Nuclear Exploit Kit:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/nuclearexploit_fig4.png
... patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074 - 9.3 (HIGH)


96 - on: September 22, 2014, 04:07:45 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake gov't SPAM
- http://blog.dynamoo.com/2014/09/your-online-gatewaygovuk-submission-spam.html
22 Sep 2014 - "This -fake- spam from the UK Government Gateway leads to malware:

Screenshot: https://4.bp.blogspot.com/-O44byyBpvKE/VCACHn_z67I/AAAAAAAAFro/5VfC-5YRsOw/s1600/gateway.png

The link in the email does -not- go to gateway .gov.uk at all, but in this case the link goes to the following:
http ://maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://www .maedarchitettura .it/wfntvkppqi/wnazvamlzv.html ->
http ://maedarchitettura .it/wfntvkppqi/GatewaySubmission.zip
The ZIP file contains a malicious executable GatewaySubmission.exe which has a VirusTotal detection rate of 1/55*. The Anubis report** shows that it attempts to make a connection to ruralcostarica .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411383282/

184.168.152.32: https://www.virustotal.com/en-gb/ip-address/184.168.152.32/information/

** https://anubis.iseclab.org/?action=result&task_id=19b13cf14c76380345d98780f5ac50f82&format=html

- http://myonlinesecurity.co.uk/online-gateway-gov-uk-submission-fake-pdf-malware/
22 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Your-online-Gateway.gov_.uk-Submission.png
...
> https://www.virustotal.com/en-gb/file/146272b3c4119591adb7fd3f032a6f810a4bd8bd62109792eece587a0ac5c41d/analysis/1411381013/
___

Fake 'LogMeIn' SPAM – malware
- http://myonlinesecurity.co.uk/september-22-2014-logmein-security-update-malware/
22 Sep 2014 - "'September 22, 2014 LogMeIn Security Update' pretending to come from LogMeIn .com <auto-mailer@ logmein .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear client,
    We are pleased to announce that LogMeIn has released a new security certificate.
    It contains new features:
    • The certificate will be attached to the computer of the account holder, which will prevent any fraud activity
    • Any irregular activity on your account will be detected by our security department
    • This SSL security certificate patches the “Heartbleed” bug discovered earlier this year
    Download the attached certificate. Update will be automatically installed by double click.
    As always, your Logmein Support Team is happy to assist with any questions you may have.
    Feel free to contact us ...


22 September 2014: cert_client.zip (66 kb): Extracts to: cert.scr
Current Virus total detections: 2/54*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a large blue i instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/1411400614/
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205)
www .download .windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/

- https://isc.sans.edu/diary.html?storyid=18695
2014-09-22
Screenshot: https://isc.sans.edu/diaryimages/images/Screen%20Shot%202014-09-22%20at%2011_34_06%20AM.png
...
> https://www.virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/
File name: cert.scr.exe
Detection ratio: 3/51
... Behavioural information
DNS requests
icanhazip .com (23.253.218.205): https://www.virustotal.com/en/ip-address/23.253.218.205/information/
www .download.windowsupdate .com (95.101.0.104): https://www.virustotal.com/en/ip-address/95.101.0.104/information/
t54cjs4qc2r4bn63 .tor2web .org (65.112.221.20): https://www.virustotal.com/en/ip-address/65.112.221.20/information/
TCP connections
23.253.218.205: https://www.virustotal.com/en/ip-address/23.253.218.205/information/
95.101.0.83: https://www.virustotal.com/en/ip-address/95.101.0.83/information/
38.229.70.4: https://www.virustotal.com/en/ip-address/38.229.70.4/information/
___

Fake USAA SPAM - PDF malware
- http://myonlinesecurity.co.uk/usaa-policy-renewal-please-print-auto-id-cards-pdf-malware/
22 Sep 2014 - "'USAA Policy Renewal – Please Print Auto ID Cards' pretending to come from USAA <USAA.Web.Services@customermail.usaa.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/USAA-Policy-Renewal-Please-Print-Auto-ID-Cards.png

22 September 2014: id_card.pdf - Current Virus total detections: 11/54*
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411415107/

- http://threattrack.tumblr.com/post/98225075443/usaa-insurance-card-spam
23 Sep 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/37ba5ffb65ea0fbf4857f1d0fee84e0b/tumblr_inline_nccw5e1ERc1r6pupn.png
Tagged: USAA, CVE-2013-2729, Upatre, PDFExploit
___

Fake 'RBC Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/rbc-invoices-pdf-malware/
22 Sep 2014 - "'RBC Invoices' pretending to come from RBC Express <ISVAdmin@ rbc .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
    Thank you.


22 September 2014: invoice058342.pdf. Current Virus total detections: 10/54*. Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/644635d9cebfd696dd0e71eefce400ac744713b846ef3fb2df8268a1b48cd4cc/analysis/1411409482/
___

Fake 'Payment Advice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/hsbc-payment-advice-issued-fake-pdf-malware/
22 Sep 2014 - "'HSBC Payment Advice Issued' pretending to come from HSBC Bank UK <payment.advice@ hsbc .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email... The email looks like:
    Your payment advice is issued at the request of our customer. The advice is for your reference only.
    Please download your payment advice at ...
    Yours faithfully,
    Global Payments and Cash Management
    This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.


... this drops a slightly different malware paymentadvice .exe with a current VT detections 0/53*. This 'HSBC Payment Advice Issued' is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/844c016c9df09432f82f2a353151ca110c2474c7cb5f09c54ebc64952dd1174d/analysis/1411386112/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Invoice SPAM
- http://myonlinesecurity.co.uk/peter-hogarth-sons-ltd-invoice-642555-fake-pdf-malware/
22 Sep 2014 - "'PETER HOGARTH & SONS LTD Invoice 642555' pretending to come from john.williamson@ peterhogarth .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached your Invoice(s)/Credit(s)
    PETER HOGARTH & SONS LTD
    INDUSTRIAL HYGIENE and PROTECTION
    Tel: 01472 345726 | Fax: 01472 250272 | Web...
    Estate Road No. 5, South Humberside Industrial Estate, Grimsby, North East Lincolnshire, DN31 2UR
    Peter Hogarth & Sons Ltd is a company registered in England.
    Company Registration Number: 1143352...


22 September 2014: Attachment.zip (230 kb): Extracts to: Invoice 77261990001.PDF.exe
Current Virus total detections: 3/53*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3/analysis/1411380202/
___

European banks / Europol in cybercrime fightback
- http://www.reuters.com/article/2014/09/22/banks-cybersecurity-europe-idUSL6N0RN1WO20140922
Sep 22, 2014 - "Europe's banks have joined forces with Europol's cybercrime unit to try to combat the rising and increasingly sophisticated threat being posed by cyber criminals to financial firms. The European Banking Federation (EBF), which represents about 4,500 banks, and Europol's European Cybercrime Centre - known as EC3 - said on Monday they had signed a memorandum of understanding to intensify cooperation between law enforcement and the financial sector. Banks are facing frequent attacks from sophisticated hackers. Wall Street bank JP Morgan said last month it was working with U.S. law enforcement authorities to investigate a possible cyber attack, and Royal Bank of Scotland and its UK peers have suffered serious attacks by hackers that have disrupted systems... Cybercrime attacks faced by banks include coordinated attempts to disrupt websites, payment card fraud, and attempts to infiltrate systems to steal money. The agreement between the EBF, which is a federation of 32 national banking lobby groups, and EC3, which links cybercrime divisions of police forces in EU countries, will allow them to exchange know-how, statistics and strategic information. Banks are typically working closely with national police forces to fight cybercrime, and the new agreement should widen that across Europe..."
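Several of the runs quoted above use the same "spoofed icon" lure: a .exe or .scr inside a ZIP or RAR, named with a decoy .wav or .PDF extension so that a Windows box with known extensions hidden shows only the forged icon. The check below is an added example of how a mail gateway or triage script can flag such attachment names; it is not code from this forum post or from the quoted blogs. The sample names are constructed from the file names quoted in the posts, and the helper names (triage_name, triage_attachment, run_triage) are hypothetical.

```python
"""Attachment-name triage for the 'spoofed icon' lures quoted above.

Added example, not code from the forum post or the quoted blogs.
Flags names that depend on Windows hiding known extensions: a decoy
document/media extension followed by an executable one, and bare
executables delivered inside an archive."""

from dataclasses import dataclass

# Final extensions Windows will execute on double-click (common subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Extensions a lure uses as the visible 'decoy' part of the name.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "mp3",
              "jpg", "png", "txt", "htm", "html"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


@dataclass(frozen=True)
class Verdict:
    name: str
    flagged: bool
    reason: str


def split_exts(name):
    """Lower-cased extension chain, innermost first.
    'Invoice 77261990001.PDF.exe' -> ['pdf', 'exe']"""
    parts = name.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_name(name, from_archive=False):
    """Judge a single file name (optionally one found inside an archive)."""
    exts = split_exts(name)
    if not exts:
        return Verdict(name, False, "no extension")
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return Verdict(name, True,
                           f"decoy extension .{exts[-2]} hides executable .{final}")
        if from_archive:
            return Verdict(name, True,
                           f"bare executable .{final} delivered inside an archive")
        return Verdict(name, True, f"executable attachment .{final}")
    return Verdict(name, False, f"non-executable .{final}")


def triage_attachment(name, contents=None):
    """Judge an attachment; for an archive, 'contents' lists its member names
    (as a gateway that inspects archives would report them), so the archive
    is judged by its members."""
    exts = split_exts(name)
    if exts and exts[-1] in ARCHIVE_EXTS and contents:
        verdicts = [triage_name(m, from_archive=True) for m in contents]
        hit = next((v for v in verdicts if v.flagged), None)
        if hit:
            return Verdict(name, True, f"archive member {hit.name!r}: {hit.reason}")
        return Verdict(name, False, "archive members look non-executable")
    return triage_name(name)


# Constructed samples modelled on the attachment names quoted in the posts.
SAMPLES = [
    ("SecureMessage.zip", ["SecureMessage.scr"]),
    ("01636605058_20140919_105000.wav.zip", ["01636605058_20140919_105000.wav.exe"]),
    ("Attachment.zip", ["Invoice 77261990001.PDF.exe"]),
    ("cert_client.zip", ["cert.scr"]),
    ("id_card.pdf", None),               # a real PDF: name-based triage cannot judge it
    ("quarterly_report.docx", None),
    ("photos.zip", ["beach.jpg", "notes.txt"]),
]


def run_triage(samples=SAMPLES):
    """Return one Verdict per sample, in order."""
    return [triage_attachment(n, c) for n, c in samples]


if __name__ == "__main__":
    for v in run_triage():
        print("FLAG" if v.flagged else "ok  ", v.name, "-", v.reason)
```

Name-based triage only covers the icon trick. The id_card.pdf and invoice058342.pdf attachments reported in the same posts carry an exploit inside a genuine PDF and pass this check unchanged, which is why the quoted write-ups pair the extension check with detection-rate lookups and the rule of not opening unexpected attachments at all.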


97 - on: September 22, 2014, 01:58:24 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Recent Updates
- http://www.malwaredomains.com/?p=3659
September 20th, 2014 - "Added domains on 9/15 and 9/19 from blog.malwarebytes.org, safebrowsing.google.com, app.webinspector.com and others..."


98 - on: September 20, 2014, 04:54:51 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

MS14-046: Description of the security update for the .NET Framework 3.5
on Windows 8 and Windows Server 2012: Aug 12, 2014
* https://support.microsoft.com/kb/2966827
Last Review: Sep 19, 2014 - Rev: 3.0
 
Bulletin Information:
MS14-046 - Important
- https://technet.microsoft.com/library/security/ms14-046
  - Reason for Revision: V1.2 (Sep 19, 2014): Bulletin revised with a change to the 'Known Issues' entry in the Knowledge Base Article section from "None" to "Yes".
  - Originally posted: August 12, 2014
  - Updated: September 19, 2014
  - Bulletin Severity Rating: Important
  - Version: 1.2
___
 
Enabling the Microsoft .NET Framework 3.5 optional Windows feature on Windows 8
and Windows Server 2012 may -fail- after you install security update 2966827
- https://support.microsoft.com/kb/3002547
Last Review: Sep 19, 2014 - Rev: 2.0


 99 
 on: September 19, 2014, 09:10:47  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.5.17, 5.4.33 released

- http://php.net/archive/2014.php#id2014-09-18-1
18 Sep 2014 - "... immediate availability of PHP 5.5.17. Several bugs were fixed in this release. All PHP 5.5 users are encouraged to upgrade to this version..."

ChangeLog: http://www.php.net/ChangeLog-5.php#5.5.17
___

- http://php.net/archive/2014.php#id2014-09-18-2
18 Sep 2014 - "... immediate availability of PHP 5.4.33. -10- bugs were fixed in this release. All PHP 5.4 users are encouraged to upgrade to this version. This release is the -last- planned release that contains regular bugfixes. All the consequent releases will contain only security-relevant fixes, for the term of one year. PHP 5.4 users that need further bugfixes are encouraged to upgrade to PHP 5.6 or PHP 5.5..."

ChangeLog: http://www.php.net/ChangeLog-5.php#5.4.33

Downloads:
- http://php.net/downloads.php

- http://windows.php.net/download/


 100 
 on: September 19, 2014, 04:17:13  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'voice mail' SPAM ...
- http://blog.dynamoo.com/2014/09/this-fake-voice-mail-message-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
   From:     Microsoft Outlook [no-reply@ victimdomain .com]
    Date:     19 September 2014 11:59
    Subject:     You have received a voice mail
    You received a voice mail : VOICE976-588-6749.wav (25 KB)
    Caller-Id: 976-588-6749
    Message-Id: D566Y5
    Email-Id: <REDACTED>
    Download and extract to listen the message.
    We have uploaded voicemail report on dropbox, please use the following link to download your file...
    Sent by Microsoft Exchange Server


The link in the email message goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo.com/2014/09/natwest-statement-spam-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspot.com/-Oo5Lnrowt70/VBwJo-dVgRI/AAAAAAAAFpY/TzfWXXSEP88/s1600/natwest.png

192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/

- http://myonlinesecurity.co.uk/natwest-statement-fake-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/nat-west-statement.png
Current Virus total detections: 1/54*
* https://www.virustotal.com/en/file/a56ef62b4154849c04b28dd78ff2d4d383c98eb7e38785c10e9b58932f3dc0ca/analysis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecurity.co.uk/city-london-police-homicide-suspect-fake-pdf-malware
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: London City Police
    Sending Location: GB – London – London City Police
    Bulletin Case#: 14-62597
    Bulletin Author: BARILLAS #1169
    Sending User #: 92856
    APBnet Version: 684593
    The bulletin is a pdf attachment to this email.
    The Adobe Reader (from Adobe .com) will display and print the bulletin best.
    You can Not reply to the bulletin by clicking on the Reply button in your email software.


Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip : Extracts to:   Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55*. This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecurity.co.uk/tnt-courier-service-tnt-uk-limited-package-tracking-fake-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 460911612900
    Your package have been picked up and is ready for dispatch.
    Connote #           :               460911612900
    Service Type      :               Export Non Documents – Intl
    Shipped on         :               18 Sep 14 12:00
    Order No                    :       4240629
    Status          :       Driver’s Return
    Description     :      Wrong Address
    Service Options: You are required to select a service option below.
    The options, together with their associated conditions.
    Please check attachment to view information about the sender and package.


19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55*. This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Bitcoin Ponzi scheme ...
- http://www.reuters.com/article/2014/09/19/us-sec-bitcoin-fraud-idUSKBN0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___

Apple Phish ...
- https://isc.sans.edu/diary.html?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer.  If you need help, please visit the Apple Support.
Apple Client Support.


A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___

Hack the ad network like a boss...
- https://www.virusbtn.com/blog/2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn.com/images/news/general_malicious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn.com/images/news/youtube_malicious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."

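The 'Police Suspect' and 'Courier Svc' items above both describe the same lure: a zip whose member is named like a PDF ("..._pdf.exe") so that, with known extensions hidden, it shows as a document. The following is an added example, not code from the forum or from the blogs quoted; it scans a zip attachment in memory and flags members by executable extension and by the PE "MZ" header, so a renamed executable is caught even when its name looks harmless. All member names and contents are constructed.

```python
"""Flag zip attachments whose members masquerade as documents (added example)."""
import io
import re
import zipfile

# Extensions Windows will execute on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Name tokens that read as a document to a user whose extensions are hidden.
DOC_HINT = re.compile(r"[._-](pdf|doc|docx|xls|wav|txt)(?=[._-]|$)", re.IGNORECASE)


def classify_member(name, head):
    """Return the reasons a zip member looks like a disguised executable."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
        if DOC_HINT.search(lower[: -len(ext)]):
            reasons.append("document-like name before extension")
    if head[:2] == b"MZ":  # PE header: content check is independent of the name
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def scan_zip(data):
    """Scan zip bytes without extracting to disk; map suspicious members to reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample mirroring the lure naming pattern (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_GB1909201488725UK_pdf.exe", b"MZ" + b"\0" * 62)  # the lure
        zf.writestr("report.docx", b"MZ\x90\0" + b"\0" * 61)  # exe renamed to .docx
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed benign document")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```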

Powered by SMF 1.1.20 | SMF © 2013, Simple Machines Page created in 0.42 seconds with 16 queries.