FYI...Fake Customer Daily Statement - XLS malware
18 June 2014 - "Customer Daily Statement pretending to come from Berkeley Futures Limited [trade@ bfl .co.uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... This email has a zip attachment that requires you to use the password in the body of the email to open the zip file ( hopefully this will slow down & make you think and help protect you). The zip contains 2 files: what appears to be a genuine PDF statement and a file suggesting it is a Microsoft XLS (Excel) file which is in fact a renamed .exe malware. Email reads: Attached is your daily statement and payment request form for May 2014.
Please fulfill payment request form and send it back. The attached zip archive is secured with personal password.
Berkeley On-line and Berkeley Equities are trading names of Berkeley Futures Limited. Berkeley Futures Limited is authorised and regulated by the Financial Conduct Authority (Registered no. 114159) © 2012 Berkeley Futures Limited
18 June 2014: XCU01.zip : Extracts to request_form_8943540512.xls.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___Pinterest and Tumblr Accounts Compromised to Spread Diet Pill Spam
Updated: 18 Jun 2014 - "Over the weekend, a large number of Pinterest accounts were compromised and used to pin links to a miracle diet pill spam called Garcinia Cambogia Extract. Since most of the compromised accounts were linked to Twitter, these spam “pins” on Pinterest were also cross-posted to Twitter... The main reason spammers go through all of these hoops is to evade spam filters on social networks. On Pinterest, plenty of users pin posts from Tumblr blogs. On Tumblr, a redirect script called 'tumblr-redirect.js' hosted on Dropbox is inserted into each Tumblr page.
Are Twitter accounts compromised?
It does not appear so. Most of the tweets we have seen show they were shared through Pinterest and not Twitter. Symantec Security Response recommends the following tips for Pinterest, Tumblr, and Twitter users:
- Make sure your passwords on all these services are strong and unique*
- Tumblr users should enable two-factor authentication**
- Twitter users should revoke and reauthorize access to the Pinterest application "
___Fake Wells Fargo SPAM - malicious PDF file
17 June 2014 - "This -fake- Wells Fargo spam comes with a malicious PDF attachment:
From: Raul.Kelly@ wellsfargo .com
Date: 17 June 2014 18:50
Subject: Important docs
We have received this documents from your bank, please review attached documents.
Wells Fargo Accounting
817-306-0627 cell Raul.Kelly@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...
The attachment is account_doc~9345845757.pdf which has a VirusTotal detection rate of 5/51*. The Malwr report doesn't say much but can be found here**."
___Fake Payment Overdue SPAM - PDF malware
18 June 2014 - "Payment Overdue - Please respond pretending to come from Payroll Invoice [firstname.lastname@example.org] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads: We have uploaded previous month reports on dropbox, please use the
following link to download your file:
https ://www.cubby .com/pl/Document_772-998.zip/_666f6271a7a8418a9881644fdcae6e1f
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...
18 June 2014: Document_772-998.zip (8kb) : Extracts to Document_772-998.scr
Current Virus total detections: 2/54* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___Fake Lloyds Bank SPAM
18 June 2014 - "Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:
From: Lloyds Bank Commercial Finance [customermail@ lloydsbankcf .co.uk]
Date: 18 June 2014 12:48
Subject: Customer Account Correspondence
This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please contact the individual or customer care team whose details appear on the statement.
This email message and its attachment has been swept for the presence of computer viruses.
Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance .co.uk
Ensuring that your PDF reader is up-to-date may help to mitigate against this attack."
___Fake Xerox WorkCentre Spam...
18 June 2014 - "The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam. From: Xerox WorkCentre
Date: 18 June 2014 13:41
Subject: Scanned Image from a Xerox WorkCentre
It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: [redacted]
Number of Images: 0
Attachment File Type: PDF
WorkCentre Pro Location: Machine location not set
Device Name: [redacted]
Attached file is scanned image in PDF format...
The payload is a malicious PDF that is identical to the HSBC and Lloyds spams."
___Fake Electro Care SPAM - XLS malware
18 June 2014 - "Invoice from Electro Care Electrical Services Ltd is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like : This invoice is the oldest and we did receive a cheque if £4900.00 On the 16/04/14
Please not that they have deducted CIS at 20% on the above payment so the total amount applied to this invoice is £5400.00.
Any question then please call me.
This message contains Invoice #03974 from Electro Care Electrical Services Ltd. If you have questions about the contents of this message or Invoice, please contact Electro Care Electrical Services Ltd.
Electro Care Electrical Services Ltd
Lenton Business Centre
T: 01159699638 F: 01159787862 ...
18 June 2014: ECE03974.zip (57kb) : Extracts to Electro Care Electrical Services Ltd invoice.scr
Current Virus total detections: 3/54* . Invoice from Electro Care Electrical Services Ltd is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___Fake HSBC SPAM...
18 June 2014 - "This convincing looking bank spam comes with a malicious PDF attachment:
From: HSBC.co.uk [service@ hsbc .co.uk]
Date: 18 June 2014 12:33
Subject: Unable to process your most recent Payment
You have a new e-Message from HSBC .co.uk
This e-mail has been sent to you to inform you that we were unable to process your most recent payment.
Please check attached file for more detailed information on this transaction.
Pay To Account Number: **********91
Due Date: 18/06/2014
Amount Due: £ 876.69 ...
Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53*. The Malwr report does not add much but can be found here**."
___Android ransomware uses TOR
June 17, 2014 - "... samples we now detect as AndroidOS_Locker.HBT, we found that this malware shows a user interface that notifies the user that their device has been locked down, and that they need to pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay would result in the destruction of all data in the mobile device. Examples of apps we’ve seen display this routine are found in third-party app stores, bearing names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores... The user will be asked to pay to account 79660624806/79151611239/79295382310 by QIWI or 380982049193 by Monexy within 48 hours. This UI will also keep popping up, thus preventing the user from being able to use their device properly... we found that it communicates to its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store in their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware... How to Remove this Ransomware: For users whose devices are infected with this ransomware, the malicious app can be manually removed through the Android Debug Bridge. The adb is part of the Android SDK*, which can be freely downloaded from the Android website..."