News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
September 22, 2014, 12:15:47
 91 
 on: August 12, 2014, 01:55:21  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Netflix email / Phish
- http://myonlinesecurity.co.uk/netflix-account-requires-validation-nvf-837-phishing/
12 Aug 2014 - "Your Netflix Account Requires Validation [NVF-837] is an attempt to get access to your Netflix Account... The phishing website in this example is so closely named to the genuine Netflix site, that almost anybody could be fooled by it http ://netflix-validate .com
Email looks like:
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your account
Failure to complete the validation process will result in a suspension of your netflix membership. We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team ...


Following the link in this Your Netflix Account Requires Validation email or other spoofed emails takes you to a website that looks exactly like the real Netflix site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details. Not only will this information enable them to use your Netflix account, but also your Bank Account, credit card details, Email details, webspace..."

192.99.188.111: https://www.virustotal.com/en/ip-address/192.99.188.111/information/

Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 2638 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-08-11, and the last time suspicious content was found was on 2014-08-11... we found 373 site(s) on this network.. that appeared to function as intermediaries for the infection of 821 other site(s)... We found 745 site(s)... that infected 65282 other site(s)..."
___

Fake Order SPAM
- http://myonlinesecurity.co.uk/order-take-8753884-fake-pdf-malware/
12 Aug 2014 - "Order take 8753884 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email with subject of Order take < random numbers> arrives with just a subject and no email content except an attachment. It appears to come from various random names at various random companies.

12 August 2014: order 1530875.zip (37 kb) : Extracts to Order-8991617.exe
Current Virus total detections: 1/54* . This Order take 8753884 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/359fedd007085b035873f7f777c820d2055576dff126f9921d3c003644eb5eb2/analysis/1407832220/
___

Fake new picture or video SPAM – PDF malware
- http://myonlinesecurity.co.uk/new-picture-video-message-fake-pdf-malware/
12 Aug 2014 - "A new picture or video message pretending to come from getmyphoto@ vodafone .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one wants you to download the -malware- via a tiny URL link in the email, there is no actual attachment. Email looks like:
You have received a picture message from mobile phone number +447584905118
GET MY FOTO
Please note, the free reply expires three days after the original message is sent from the Vodafone network.
Vodafone Service


12 August 2014: f679RqP75G.exe - Current Virus total detections: 0/53*
This 'A new picture or video message' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2f35448f468647e2d4bd66bbd4cd5b8ac53b1ea06007a286d95c24cd4700bd40/analysis/1407835450/
___

Fake IRS phish...
- http://myonlinesecurity.co.uk/irs-get-refund-card/
12 Aug 2014 - "IRS Get Refund On Your Card pretending to come from IRS <refund@ irs .gov> is one of the phishing attempts to get your bank and credit card information. Email looks like:
We are writing to you because your federal Tax payment (ID: 66116572), recently sent is available for refund.
For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.
For more information, please visit the following link
– https ://sa.www4.irs .gov/irfof/lang/en/irfofgetstatus.jsp?reenter=true
Your prompt response regarding this matter is appreciated.
Sincerely,
IRS Refund Team


Following the link in this 'IRS Get Refund On Your Card' email or -other- spoofed emails takes you to a website that looks exactly like the real IRS site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."

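A triage check for the attachment pattern these posts keep describing (an .exe or .scr whose icon or double extension makes it look like a PDF or spreadsheet), added here as an example; it is not code from the forum or from myonlinesecurity.co.uk. The archive it inspects is constructed inline, with member names modelled on the ones quoted in the posts, so it runs offline.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will run on double-click. The spam runs quoted in this
# thread deliver .exe/.scr payloads whose icon mimics a PDF or spreadsheet.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


@dataclass
class Finding:
    name: str
    reasons: tuple


def _extensions(member_name):
    """All dotted suffixes of the file name, e.g. 'a.xls.scr' -> ['.xls', '.scr']."""
    base = member_name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def inspect_attachment(zip_bytes):
    """Flag archive members that look like executables dressed up as documents.

    Three independent signals are combined: an executable extension, a
    document-looking double extension, and PE ('MZ') content regardless of name.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXT:
                reasons.append("executable extension " + exts[-1])
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and exts[-1] in EXECUTABLE_EXT:
                reasons.append("document-looking double extension " + "".join(exts[-2:]))
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("PE (MZ) header")
                if not exts or exts[-1] not in EXECUTABLE_EXT:
                    reasons.append("PE content behind a non-executable extension")
            if reasons:
                findings.append(Finding(info.filename, tuple(reasons)))
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real sample): names follow the posts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # .exe with a spoofed PDF icon, as in the 'Order take' run
        zf.writestr("Order-8991617.exe", b"MZ" + b"\x00" * 62)
        # folder named like a spreadsheet holding an .xls.scr, as in the CDS invoice run
        zf.writestr("invoice_cdsgroup_799543.xls/invoice_cdsgroup_799543.xls.scr", b"MZ" + b"\x90" * 30)
        # PE content hiding behind a .pdf name: caught by the content check alone
        zf.writestr("Invoice.pdf", b"MZ" + b"\x00" * 30)
        # genuinely benign document: no finding
        zf.writestr("statement.pdf", b"%PDF-1.4\n% constructed benign sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_attachment(build_sample_zip()):
        print(f.name, "->", "; ".join(f.reasons))
```

The content check matters because "show known file extensions" only helps a user who looks; a mail gateway can apply the same three signals before the message is delivered.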

 92 
 on: August 11, 2014, 10:08:04  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake BoA SPAM - PDF malware
- http://myonlinesecurity.co.uk/bank-america-alert-check-exceeded-requested-alert-limit-fake-pdf-malware/
11 Aug 2014 - "Bank of America Alert: A Check Exceeded Your Requested Alert Limit pretending to come from Bank of America Alert <onlinebanking@ ealerts.bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Amount:    $32,095.35
Check number:    00000006756
Transaction date:    08/11/2014
You can sign in to Online or Mobile Banking to review this activity...
Security Checkpoint
To confirm the authenticity of messages from us, always look for this Security Checkpoint.
Remember: Always look for your SiteKey® before entering your Passcode. We’ll ask you for your Online ID and Passcode when you sign in.
This is a service email from Bank of America. Please note that you may receive service emails in accordance with your Bank of America service agreements..


11 August 2014: report081114_6897454147412.zip (10kb) : Extracts to report081114_6897454147412.exe
Current Virus total detections: 2/54* ... This Bank of America Alert: A Check Exceeded Your Requested Alert Limit is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/62ee6e794f27fe414f8071688fb3cb8ab99a7294a58c95ac7ebd23e69a15a93a/analysis/1407773230/
___

Citi Corp Spam
- http://threattrack.tumblr.com/post/94443758323/citi-corp-application-approved-spam
Aug 11, 2014 - "Subjects Seen:
    RE: Application Approved
Typical e-mail details:
    Your documents are ready , please sign them and email them back.
    Thank you
    Henri Foley
    Level III Account Management


Malicious File Name and MD5:
    application _apprd_93447836734346.exe  (CAD7B09903F7646EC37E4014DD6E70E4)
    application _apprd_93447836734346.zip (0B4A28D6737B9E27E7BF5B98DBBE6B84)


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/5c75ed11ffc86d3b1c4337bc2ef4bb0e/tumblr_inline_na5hr0GBaE1r6pupn.png

Tagged: Citi, Upatre
___

Public Wi-Fi is safe?? ...
- http://nakedsecurity.sophos.com/2014/08/11/most-people-think-public-wi-fi-is-safe-seriously/
11 Aug 2014 - "... most people still don't understand the potential dangers of public and/or free Wi-Fi, despite doom and gloom headlines about the dangers, which include these:
- A US trio who attacked companies by wardriving - i.e., driving around, scanning for poorly protected wireless networks. Between that and breaking in to install keyloggers, they bilked companies of a total of $3 million (£1.8 million).
- An unsecured Wi-Fi home connection that led to a heavily-armed police SWAT team raiding the wrong home, including breaking down the door of a house, smashing windows and tossing a flashbang stun grenade into a living room.
- Facebook accounts of five US politicians being hijacked after they accessed a free, open, wireless Wi-Fi network.
And those are just a tiny selection of the cherries on that bountiful Wi-Fi tree. Of course, there is also the problem of protecting privacy on public Wi-Fi. In just the past year, we learned that businesses are using Wi-Fi to build shopper profiles on us, and in-flight WiFi providers have been helping feds spy on us..."
(More detail at the sophos URL above.)
Sophos - wireless security myths Video 4:26: https://www.youtube.com/watch?v=W-NNq9qoORw


 93 
 on: August 08, 2014, 03:03:21  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake RBS SPAM
- http://blog.dynamoo.com/2014/08/rbs-re-incident-im03393549-spam.html
8 Aug 2014 - "This fake RBS spam has a malicious attachment:
    Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
    From:      Annie Wallace[Annie.Wallace@ rbs .co.uk]
    Subject:      RE: Incident IM03393549
    Good Afternoon ,
    Attached are more details regarding your account incident. Please extract the attached
    content and check the details.
    Please be advised we have raised this as a high priority incident and will endeavour to
    resolve it as soon as possible. The incident reference for this is IM03393549.
    We would let you know once this issue has been resolved, but with any further questions
    or issues, please let me know.
    Kind Regards, ...


The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42*. The CAMAS report** shows that the malware connects to the following locations to download additional components:
94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia .com/Scripts/n0808uk.zip
energysavingproductsinfo .com/wp-content/uploads/2014/08/n0808uk.zip
The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.
Recommended blocklist:
94.23.247.202
quesoslaespecialdechia .com
energysavingproductsinfo .com
"
* https://www.virustotal.com/en-gb/file/ec7164010ab974cad9a7d06b884947331ca263fe9b01b426a4663b54ab14b0a3/analysis/1407490764/

** http://camas.comodo.com/cgi-bin/submit?file=ec7164010ab974cad9a7d06b884947331ca263fe9b01b426a4663b54ab14b0a3
___

Fake Resume SPAM - malicious attachment
- http://blog.dynamoo.com/2014/08/fw-resume-spam-has-malicious-attachment.html
8 Aug 2014 - "This terse spam is malicious:
    Date:      Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
    From:      Janette Sheehan [Janette.Sheehan@ linkedin .com]
    Subject:      FW: Resume
    Attached is my resume, let me know if its ok.
    Thanks,
    Janette Sheehan


Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54*. The CAMAS report** shows that the malware attempts to phone home to the following locations:
94.23.247.202 /0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202 /0708stat/SANDBOXA/1/0/0/
hngdecor .com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind .com/underconst/css/cw2800.zip
Recommended blocklist:
94.23.247.202
hngdecor .com
welfareofmankind .com
"
* https://www.virustotal.com/en-gb/file/85ed10fe703b234482d6a4eb81224dad93d7129bcd75b93e858b27ebf5a55d5b/analysis/1407493005/

** http://camas.comodo.com/cgi-bin/submit?file=85ed10fe703b234482d6a4eb81224dad93d7129bcd75b93e858b27ebf5a55d5b

94.23.247.202: https://www.virustotal.com/en-gb/ip-address/94.23.247.202/information/
___

Fake HMRC tax SPAM - PDF malware
- http://myonlinesecurity.co.uk/hmrc-taxes-application-reference-4dew-nasm-cbcg-rc6-received-fake-pdf-malware/
7 Aug 2014 - "HMRC taxes application with reference 4DEW NASM CBCG RC6 received pretending to come from noreply@ taxreg .hmrc .gov .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    The application with reference number 4DEW NASM CBCG RC6 submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
    The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


7 August 2014: 4DEW NASM CBCG RC6.zip (8kb) Extracts to 4DEW NASM CBCG RC6.scr
Current Virus total detections: 0/54* . This HMRC taxes application with reference 4DEW NASM CBCG RC6 received is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ec7164010ab974cad9a7d06b884947331ca263fe9b01b426a4663b54ab14b0a3/analysis/1407447014/
___

AmericanExpress - PHISH
- http://blog.dynamoo.com/2014/08/security-concern-on-your.html
8 Aug 2014 - "This -fake- AmEx spam appears to lead to a phishing site on multiple URLs:

Screenshot: https://3.bp.blogspot.com/-bC41J5WRhtM/U-TX8pXaqxI/AAAAAAAADig/pMBuwt4hrfk/s1600/amex-phish.png

In this case the link goes to a phishing site... but there seem to be a bunch of them at the moment... IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)
I recommend blocking these IPs:
91.219.29.35
188.240.32.75
"

91.219.29.35: https://www.virustotal.com/en/ip-address/91.219.29.35/information/

188.240.32.75: https://www.virustotal.com/en/ip-address/188.240.32.75/information/

- http://myonlinesecurity.co.uk/american-express-safe-key-phishing/
8 Aug 2014
___

Fake e-on energy SPAM - PDF malware
- http://myonlinesecurity.co.uk/e-energy-unable-process-recent-bill-payment-fake-pdf-malware/
8 Aug 2014 - "e-on energy Unable to process your most recent bill payment pretending to come from E ON Energy <noreply@ eonenergy .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.


8 August 2014: e-ON-Energy-Bill.zip (15kb) : Extracts to e-ON-Energy-Bill.exe
Current Virus total detections: 7/54* . This e-on energy Unable to process your most recent bill payment is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/46ef87f1b657c49465d9975cac71c4768e45173ebcf95522629c49104dbcd87f/analysis/1407509103/


 94 
 on: August 07, 2014, 07:53:33  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

cPanel TSR-2014-0006
- http://cpanel.net/cpanel-tsr-2014-0006/
Aug 4, 2014 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels of Moderate.
Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
* 11.44.1.11 & Greater
* 11.42.1.25 & Greater
* 11.40.1.20 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at
- http://httpupdate.cpanel.net
___

cPanel TSR-2014-0006 Full Disclosure
- http://cpanel.net/cpanel-tsr-2014-0006-full-disclosure/
Aug 11, 2014 - "Summary: Bypass of account suspension via mod_userdir.
Security Rating: cPanel has assigned a Security Level of Moderate to this vulnerability.
Description: The fix for case 101677 in TSR-2014-0005 introduced a regression in account suspensions that allowed the web content of a suspended account to be viewed normally via Apache userdir style URLs. This has been corrected so that both NameVirtualHost and userdir access to the suspended account’s web content is blocked...
This issue is resolved in the following builds:
11.44.1.11
11.42.1.25
11.40.1.20 ..."


 95 
 on: August 07, 2014, 03:50:28  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake CDS invoice SPAM
- http://blog.dynamoo.com/2014/08/cds-group-cdsgroupcouk-fake-invoice-spam.html
7 Aug 2014 - "This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted... CDS have a notice about these emails on their site*. This is a sample email:

Screenshot: https://3.bp.blogspot.com/-aOVkMDDBd-M/U-NbqEXZXDI/AAAAAAAADiM/hTwhU4I-cL0/s1600/cds.png

Attached is an archive file CDS_241-28195.zip which contains a folder invoice_cdsgroup_799543.xls which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr which has a very low detection rate at VirusTotal of 3/54**. Automated analysis tools are inconclusive at the moment..."
* http://www.cdsgroup.co.uk/cyber-crime.html

** https://www.virustotal.com/en-gb/file/0454a62e60cbe71dcfe77b929bfc5c1107211957da6c033e462c589a6af39342/analysis/1407408295/

- http://threattrack.tumblr.com/post/94065865938/cds-invoice-spam
Aug 7 2014
- https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/efb82cce6f0a42001cfd184814022e18/tumblr_inline_n9xwd605XI1r6pupn.png
Tagged: cds, Lerspeng
___

Vawtrak sites to block
- http://blog.dynamoo.com/2014/08/vawtrak-sites-to-block.html
7 Aug 2014 - "I found these domains and IPs today while investigating a machine apparently infected with Vawtrak* (aka Tepfer), most of them seem to be active:
http ://80.243.184.239 /posting.php
http ://80.243.184.239 /viewforum.php
http ://146.185.233.97 /posting.php
http ://146.185.233.97 /viewforum.php
http ://ipubling .com/posting.php
http ://ipubling .com/viewforum.php
http ://magroxis .com/posting.php
http ://magroxis .com/viewforum.php
http ://maxigolon .com/viewforum.php
http ://terekilpane .com/viewforum.php
Some of these domains are associated with the email address ctouma2@ gmail .com. You could block the sites individually, but because the sites are not isolated, I would personally recommend using the following blocklist:
146.185.233.0/24
80.243.184.224/27

The 146.185.233.0/24 range is allocated to "Cherepanova" in Russia. 80.243.184.224/27 is Redstation in the UK."
* http://about-threats.trendmicro.com/malware.aspx?language=au&name=BKDR_VAWTRAK.YZY

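The blocklists the dynamoo posts recommend (single IPs and domains in the RBS, Resume and Companies House posts, CIDR ranges in the Vawtrak post) are only useful once something checks traffic against them. The following is an added example, not code from the forum or from dynamoo.com: it compiles the defanged entries quoted above and runs them over a few constructed proxy log lines. The log lines and the log format (timestamp, client, method, URL, status) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Entries copied from the blocklists quoted in this thread, kept in the posts'
# own defanged form ("name .com"); compile_blocklist() removes the spaces.
BLOCKLIST = [
    "146.185.233.0/24",          # Vawtrak post: "Cherepanova" range
    "80.243.184.224/27",         # Vawtrak post: Redstation range
    "94.23.247.202",             # RBS / Resume / Companies House callback host
    "quesoslaespecialdechia .com",
    "energysavingproductsinfo .com",
    "ipubling .com",
    "magroxis .com",
]


def compile_blocklist(entries):
    """Split entries into IP networks (a single IP becomes a /32) and domain names."""
    nets, domains = [], set()
    for entry in entries:
        entry = entry.strip().replace(" ", "")
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return nets, domains


def host_is_blocked(host, nets, domains):
    """True if host is an IP inside a blocked network, or a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        # check 'cdn.magroxis.com', then 'magroxis.com'; never the bare TLD
        return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))
    return any(ip in net for net in nets)


def url_host(url):
    """Host part of a URL; a bare 'host/path' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


# Constructed proxy log lines (assumed format: timestamp client method URL status).
SAMPLE_LOG = """\
2014-08-07T10:01:02Z 10.0.0.15 GET http://80.243.184.239/posting.php 200
2014-08-07T10:01:05Z 10.0.0.15 GET http://ipubling.com/viewforum.php 200
2014-08-07T10:02:11Z 10.0.0.22 GET http://www.example.com/index.html 200
2014-08-07T10:03:40Z 10.0.0.31 GET http://cdn.magroxis.com/posting.php 404
2014-08-07T10:04:00Z 10.0.0.31 GET http://94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/ 200
2014-08-07T10:05:00Z 10.0.0.40 GET http://80.243.184.100/index.html 200
"""


def scan_log(text, entries=BLOCKLIST):
    """Return (client, host) pairs for requests whose host matches the blocklist."""
    nets, domains = compile_blocklist(entries)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = url_host(fields[3])
        if host and host_is_blocked(host, nets, domains):
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    for client, host in scan_log(SAMPLE_LOG):
        print(client, "contacted blocked host", host)
```

Note that 80.243.184.239 is caught only because the /27 is used rather than the single address listed in the URLs, which is the point dynamoo makes about the sites not being isolated; 80.243.184.100 lies outside the /27 and is left alone.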

 96 
 on: August 07, 2014, 01:17:45  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

WordPress 3.9.2 released
- https://wordpress.org/download/
Aug 6, 2014 - "The latest stable release of WordPress (Version 3.9.2) ..."

- http://wordpress.org/news/2014/08/wordpress-3-9-2/
Aug 6, 2014 - "WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately..."

Release notes
- http://codex.wordpress.org/Version_3.9.2

- https://core.trac.wordpress.org/log/branches/3.9?stop_rev=29383&rev=29411
___

- http://www.securitytracker.com/id/1030684
Aug 7 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.9.2 ...

- http://atlas.arbor.net/briefs/index#918586250
Elevated Severity
7 Aug 2014


 97 
 on: August 06, 2014, 16:30:27  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

OpenSSL Security Advisory
- https://www.openssl.org/news/secadv_20140806.txt
Aug 6 2014 - "Information leak in pretty printing functions (CVE-2014-3508)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from the
stack. Applications may be affected if they echo pretty printing output to the
attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.
OpenSSL 0.9.8 users should upgrade to 0.9.8zb
OpenSSL 1.0.0 users should upgrade to 1.0.0n.
OpenSSL 1.0.1 users should upgrade to 1.0.1i.

... The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This can
be exploited through a Denial of Service attack.
OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i ..."
___

- http://www.securitytracker.com/id/1030693
CVE Reference: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
Aug 7 2014
Impact: Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): prior to versions 0.9.8zb, 1.0.0n, 1.0.1i ...


 98 
 on: August 06, 2014, 14:16:41  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

FireEye and Fox-IT - free keys designed to unlock systems infected by CryptoLocker
>> https://www.decryptcryptolocker.com/
Aug 6, 2014 - "Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system.
- Please note that each infected system will require its own unique master decryption key. So in case you have multiple systems compromised by CryptoLocker, you will need to repeat this procedure per compromised system.
- Notes:
[1] Email addresses will not be used for marketing purposes, nor will they be in any way stored by FireEye or Fox‑IT.
[2] You should only upload encrypted files that do not contain any sensitive or personally identifiable information..."

- http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
Aug 6, 2014
- http://www.fireeye.com/blog/wp-content/uploads/2014/08/crypto2.png

- https://www.fox-it.com/en/press-releases/fireeye-fox-announce-new-service-help-cryptolocker-victims/
6 Aug 2014


 99 
 on: August 06, 2014, 05:05:03  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- http://tools.cisco.com/security/center/publicationListing.x

Cisco IOS, IOS XE Software EnergyWise DoS vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise
2014 Aug 6 - "Summary: A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device. The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability..."
Rev 1.1 - 2014-Aug-15 - Added 3.6E to the list of vulnerable releases.
Rev 1.2 - 2014-Aug-20 - Added 3.3xXO to the list of vulnerable IOS XE releases. Marked 15.0EX, 15.0EZ, 15.2S, and 15.4S not vulnerable and removed from affected IOS releases.
- http://www.securitytracker.com/id/1030682
CVE Reference: CVE-2014-3327
Aug 6 2014
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  ...
Solution: The vendor has issued a fix...

OpenSSL affecting Cisco Products - multiple vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl
Rev 1.21  2014 Aug 6 - "Updated the Affected Products and Vulnerable Products sections. Linked bug IDs of currently known affected products..."

Cisco - OSPF LSA Manipulation vuln ...
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf
For Public Release 2013 Aug 1 Rev 1.3 - "Summary: Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic. The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain. To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability. OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available..."
Rev 1.3 - 2014-July-31   - Included NX-OS Software tables
Rev 1.2 - 2013-August-17 - Included OVAL definitions
Rev 1.1 - 2013-August-05 - Fixed broken links
Rev 1.0 - 2013-August-01 - Initial public release


 100 
 on: August 06, 2014, 04:45:25  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake email SPAM - Word Doc attachment malware
- http://myonlinesecurity.co.uk/change-percent-word-doc-malware/
6 Aug 2014 - "'Change in percent' pretending to come from mnmorgan@ tribune .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email addresses are either faked or belong to users with infected computers or servers, that various bots have compromised. Since posting this, I have received several other copies of the -malware- email from different senders and all with different names and phone numbers in the body... once again a genuine word doc with an embedded macro that acts as a downloader to download a full blown zbot from http ://bernisuperfilm .ru/uupdate2.exe*  which has a current virus total detection rate of 3/54** ... Office 2010 and Office 2013 have macros disabled by default and are set to display in read only mode by default. That -stops- any -macros- or embedded programs from running... Email reads:
    Hi [redacted]
    Yield reduced. We ask you for information to the attached document to pass to your superiors.
    Riojas Imelda
    Tel./Fax.: +44 171 6825484


6 August 2014: Information.zip : Extracts to  Information.doc
Current Virus total detections: 2/44*** ... accidentally open it and be infected...."
* 77.28.100.73: https://www.virustotal.com/en-gb/ip-address/77.28.100.73/information/

** https://www.virustotal.com/en/file/8e7b1718836e0aa1c1529bfffadb10e2d93eba4086ddcea96aed45063af976ab/analysis/1407273243/

*** https://www.virustotal.com/en-gb/file/f9b14a5dc394294a7ad6ae836dc8f18cd78ae268bd780c24fffe4e4ad3bbb7ab/analysis/1407295528/
___

Fake 'Benefit Elections' SPAM – PDF malware
- http://myonlinesecurity.co.uk/benefit-elections-fake-pdf-malware/
6 Aug 2014 - "'Benefit Elections' pretending to come from Landon.Carter@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
    Please sign and send it back.
    Regards,
    ADP TotalSource Benefits Team


6 August 2014 : CBEform.zip (8kb) : Extracts to CBEform.exe
Current Virus total detections: 0/54* ... This 'Benefit Elections' is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1cee5d8cf6c8aab16463329f15e0289534ad45b8148e689bfb8356db6ed97e52/analysis/1407339197/
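The 'Benefit Elections' and Companies House items above both rely on the same trick: an archive member with an executable extension (.exe, .scr) that carries a document icon, or a document-looking name with a second, executable extension. The following Python script is an added example (not code from the original post or from the blogs it quotes) showing how a mail gateway or helpdesk tool could flag such members before a user sees them. The ZIP it inspects is constructed in memory; the member names and the 64-byte "MZ" stubs are made up for the demonstration, and the extension lists are assumptions, not an exhaustive policy.

```python
"""Flag archive members that are really executables dressed up as documents.

Added example, not from the original post or the blogs it quotes. It models
the 'Benefit Elections' case: a ZIP whose member is an .exe that shows a
PDF-style icon. The sample archive below is constructed in memory.
"""
import io
import zipfile

# Extensions Windows will execute when double-clicked (constructed list,
# not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects to be harmless documents (constructed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a member looks like a disguised executable."""
    reasons = []
    lowered = name.lower()
    parts = lowered.rsplit(".", 2)  # keep up to two trailing extensions
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension (document name, executable type)")
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE header but extension {ext or '(none)'}")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive: PE stubs under document-like names."""
    stub = PE_MAGIC + b"\x00" * 62  # made-up executable content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CBEform.exe", stub)            # exe that showed a PDF icon
        zf.writestr("Statement.pdf.scr", stub)      # double extension
        zf.writestr("readme.txt", b"plain text, nothing to see")  # benign
        zf.writestr("invoice.pdf", stub)            # PE bytes under a document name
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(why))
```

The magic-byte check matters because renaming the file does not change its contents: "invoice.pdf" with an "MZ" header is still a program, and Windows will happily run it if anything later renames it back. A real gateway would also look inside nested archives and apply the same test to the .scr member of Case_4620571.zip in the next item.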
___

Fake Companies House SPAM
- http://blog.dynamoo.com/2014/08/companies-house-case-4620571-spam.html
6 Aug 2014 - "This -fake- Companies House spam has a malicious attachment:
   Date:      Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
    From:      Companies House [WebFiling@ companieshouse .gov .uk]
    Subject:      RE: Case 4620571
    The submission number is: 4620571
    For more details please check attached file.
    Please quote this number in any communications with Companies House.
    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.
    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds...


Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr which has a VirusTotal detection rate of 11/53*. Automated analysis tools... show that the malware reaches out to... locations which are good candidates for blocking:
64.191.43.150
94.23.247.202
feelgoodframesstore .com
beeprana .com
upscalebeauty .com"
* https://www.virustotal.com/en-gb/file/ea8d8072b8cbb86952479547e5052596c944dba17e660dce2660039cd0151644/analysis/1407338507/

94.23.247.202: https://www.virustotal.com/en-gb/ip-address/94.23.247.202/information/
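The Dynamoo write-up lists the callback addresses as "good candidates for blocking". Published indicators are defanged (a space or brackets before the dot) so they cannot be clicked, so the first step in using them is to refang them and then match them against outbound proxy or DNS logs. The script below is an added example, not part of the original post or the blog it quotes: it refangs the five indicators from the item above and checks them against a handful of constructed proxy log lines (the log layout and the 10.0.0.x client addresses are made up). Domains match themselves and their subdomains; IPs must match exactly.

```python
"""Refang defanged indicators and check outbound proxy logs against them.

Added example, not part of the original post or the Dynamoo write-up it
quotes. The indicators are the ones the post lists; the log lines and
client addresses are constructed.
"""
import ipaddress
import re

# Indicators as they appear in the post, with the defanging spaces.
DEFANGED_IOCS = [
    "64.191.43.150",
    "94.23.247.202",
    "feelgoodframesstore .com",
    "beeprana .com",
    "upscalebeauty .com",
]

# Constructed proxy log lines: timestamp, client, method, target.
SAMPLE_LOG = """\
1407338507.101 10.0.0.12 GET http://www.example.org/index.html
1407338509.550 10.0.0.17 GET http://feelgoodframesstore.com/gate.php
1407338511.004 10.0.0.17 CONNECT 94.23.247.202:443
1407338512.220 10.0.0.31 GET http://cdn.beeprana.com/update.bin
1407338513.900 10.0.0.12 GET http://notupscalebeauty.com/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+)$")


def refang(ioc: str) -> str:
    """Undo the ' .', '[.]', '(.)' and 'hxxp' defanging used in write-ups."""
    ioc = ioc.replace(" .", ".").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxps?://", "", ioc, flags=re.IGNORECASE).lower()


def host_of(target: str) -> str:
    """Extract the host from a URL or from a host:port CONNECT target (IPv4 only here)."""
    target = re.sub(r"^[a-z]+://", "", target, flags=re.IGNORECASE)
    host = target.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def matches(host: str, ioc: str) -> bool:
    """An IP must match exactly; a domain matches itself and any subdomain."""
    try:
        ipaddress.ip_address(ioc)
        return host == ioc
    except ValueError:
        return host == ioc or host.endswith("." + ioc)


def scan_log(log_text: str, defanged: list[str]) -> list[tuple[str, str, str]]:
    """Return (client, host, matched_ioc) for each log line that hit an indicator."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these
        host = host_of(m["target"]).lower()
        for ioc in iocs:
            if matches(host, ioc):
                hits.append((m["client"], host, ioc))
                break
    return hits


if __name__ == "__main__":
    for client, host, ioc in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{client} contacted {host} (matches {ioc})")
```

The last sample line is there on purpose: a naive substring test would flag notupscalebeauty.com as a hit on upscalebeauty.com, while the suffix test with a leading dot does not. Any client that appears in the hits list is a candidate for the same cleanup the post describes.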
___

US-based Tech Support SCAMS ...
- http://blog.malwarebytes.org/fraud-scam/2014/08/beware-of-us-based-tech-support-scams/
Aug 6, 2014 - "... last month, we stumbled upon -fake- warning pages urging users to call a number for 'emergency tech support'. When we rang the number, we were surprised to hear that the technician sounded American. It turned out that their company was based in 'the sunshine state' of Florida, USA... The following are fraudulent sites that display a warning message and play -sound- effects with the goal of scaring the user and making them believe that their computer is infected:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/aredwarning.png
...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/othererror.png
... There is an ongoing and strong affiliate campaign pushing these warnings. You may come across them as you are browsing the net...
A -bogus- sales pitch: Upon seeing the warning message, many people may feel as though there is really something wrong with their machine. In fact, the pages themselves are designed in such a way that you cannot close them by clicking the 'X'. Instead you need to forcefully 'kill' the browser either via TaskManager or other Windows utilities. Those who take the bait will call the 1-800 number to speak with a technician and this is where their real troubles begin. The warning page is essentially a launchpad for the technician to talk about online threats, giving examples of recent attacks and eventually scare the user... This is -not- true of course. Microsoft has stated many times that "You will -never- receive a legitimate call from Microsoft or our partners to charge you for computer fixes*".
* http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx
... US-based companies are much less likely to cold-call people because of the risks of getting caught, not to mention the fact that this practice has such a bad reputation...
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/flag.png
... The technician was friendly, spoke proper English and the work was done in a timely and efficient manner. But, what these victims may not see and what we decided to expose here, is how some dishonest tech support companies have trained their staff to fabricate lies in order to -scare- their prospective customers into paying a lot of money for a service they may actually -not- need. At the end of the day, this is a tough issue because there are a lot of people out there (especially the elderly) that do need some assistance with their computers and often don't have many options to get it. If they look for it online, chances are that they will get ripped off..."
(More detail at the malwarebytes URL at the top.)
___

Revenue and Customs Notice Spam
- http://threattrack.tumblr.com/post/93966679578/hm-revenue-and-customs-notice-of-underreported-income
Aug 6, 2014 - "Subjects Seen:
    Notice of Underreported Income
Typical e-mail details:
    Taxpayer ID: ufwsd-000005925000UK
    Tax Type: Income Tax
    Issue: Unreported/Underreported Income (Fraud Application)
    Please review your tax income statement on HM Revenue and Customs ( HMRC )
    Please complete the attached form
    HM Revenue and Customs


Malicious File Name and MD5:
    ufwsd-000004421455UK.scr (A888BD28BE24D6A59D132B66E5E1AEBB)
    ufwsd-000005925000UK.zip (33809621F99D44BEBC07E7D9B2D092C9)


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/1c0d4cae4d18dce971ad483dd6293087/tumblr_inline_n9vy9kTNKT1r6pupn.png

Tagged: HMRC, Upatre
___

Hacks amass over a Billion internet passwords
- http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html
Aug 5, 2014 - "A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses..."
- https://isc.sans.edu/diary.html?storyid=18487
2014-08-06 - "Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost... given all the password leaks we had over the last couple years it is pretty fair to assume that at least -one- of your passwords has been compromised at some point..."
- http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
6 Aug 2014 - "... Q: Should I be concerned about this? A: ... If you are the type of person who re-uses passwords at multiple sites — including email accounts — then the answer is yes. If you re-use your email password at another site and that other site gets -hacked- there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain... Your email account may be worth far more than you imagine:
> http://krebsonsecurity.com/wp-content/uploads/2013/06/HE-1-600x333.jpg
