News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
July 23, 2014, 22:25:25
91 - on: June 11, 2014, 02:00:00
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Invoice/Billing SPAM - PDF malware
- http://myonlinesecurity.co.uk/focus-accounts-electronic-invoice-billing-information-fc4800-fake-pdf-malware/
11 June 2014 - "Focus Accounts Electronic Invoice and Billing Information for FC4800 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:

Please find attached your May Invoice and, if you have requested them, additional reports relating to the call and line charges on this bill.
Don’t Forget – We provide a host of other products and services including:
Telephone Systems & Maintenance (both traditional and VoIP)
Office Cabling (Cat5)
IT Support & Maintenance, IT Equipment & Installation
Cloud Computing, Hosted Solutions, Data Backup & Antivirus
Broadband, FTTC, EFM, MPLS & Leased Lines
Mobile Phones & Mobile Broadband
Non-Geographic Numbers (0800, 0845, 0844, 0871)
Inbound and Call Centre Solutions
Web Design & Hosting, Search Engine Optimisation (SEO)
Gas & Electricity Procurement
If you have any problems opening the file(s), or would like to discuss your bill, please call us or reply to this email.
Kind Regards,
Focus Billing.


11 June 2014 : 211852.zip ( 57kb) : Extracts to report_92da3ec16736842.pdf.exe:
Current Virus total detections: 2/53* . This Focus Accounts is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/25e438be8daffc316e5d48e0efdf325ce194db90608182ebc122d77590520110/analysis/
___

Fake RBS SPAM spreads malware via Cubby .com
- http://blog.dynamoo.com/2014/06/fake-rbs-spam-spreads-malware-via.html
11 June 2014 - "This -fake- bank spam downloads malware from file sharing site cubby .com:
   From:     Sammie Aaron [Sammie@ rbs .com]
    Date:     11 June 2014 12:20
    Subject:     Important Docs
    Please review attached documents regarding your account.
    To view/download your documents please click here
    Tel:  01322 215660
    Fax: 01322 796957
    email: Sammie@ rbs .com
    This information is classified as Confidential unless otherwise stated.  



The download location is [donotclick]www .cubby .com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54*. Automated analysis... show that it creates a file with the disincentive name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)
(Plain list)
85.25.148.6
192.99.6.61
217.12.207.151
"
* https://www.virustotal.com/en-gb/file/523b9e8057ef0905e2c7d51b742d4be9374cf2eee5a810f05d987604847c549d/analysis/1402490061/
___

Fake Booking .com email - attached ZIP file contains trojan
- http://blog.mxlab.eu/2014/06/11/booking-com-reservation-confirmation-with-attached-zip-file-contains-trojan/
June 11, 2014 - "... new trojan distribution campaign by email with the subject 'Reservation for Thursday, June 12, 2014 BN_4914940'...

Screenshot: http://img.blog.mxlab.eu/2014/20140611_booking_com_virus.gif

The attached ZIP file has the name BN_4914940.zip and contains the 95 kB large file report_92da3ec16736842.pdf.exe. Please note that the numbers in the subject, message or attachment may vary with each email. The trojan is known as PWSZbot-FXE!3B53E958ECF1  or TrojanSpy.Zbot.herw. At the time of writing, 2 of the 51* AV engines did detect the trojan at Virus Total... Remove the email immediately from your computer. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustotal.com/en/file/25e438be8daffc316e5d48e0efdf325ce194db90608182ebc122d77590520110/analysis/1402480105/

** https://malwr.com/analysis/Y2NmMGJlNzA1MGRkNGE1MTljMGI0MjQ4MmVlOWMzOWY/

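The two malware items above rely on the same trick: an executable inside a ZIP attachment (report_92da3ec16736842.pdf.exe, Document-772976_829712.scr) that Explorer shows with a PDF icon and, with known extensions hidden, without its real extension. The following mail-gateway style triage is an added example, not code from the original post or from the blogs it quotes. It builds small constructed ZIPs in memory (a fake "MZ" header standing in for the real samples, which are not included) and flags members by name and by content, so a renamed executable is caught even when its name looks harmless.

```python
import io
import zipfile

# Extensions Windows will execute directly. The samples above hide one of these
# behind a document-looking name (report_....pdf.exe) and a PDF icon, which
# Explorer shows as "report_....pdf" unless known extensions are displayed.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Extensions a user expects to be harmless documents or media.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "wav", "jpg", "png"}


def classify_name(member_name: str) -> dict:
    """Judge one archive member by its name alone."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    inner_exts = set(parts[1:-1])          # e.g. {"pdf"} for report.pdf.exe
    executable = final_ext in EXECUTABLE_EXTS
    return {
        "name": member_name,
        "executable": executable,
        # Double extension: an executable dressed up as a document.
        "disguised": executable and bool(inner_exts & DOCUMENT_EXTS),
        "pe_header": False,                # filled in once the content is read
    }


def triage_zip(zip_bytes: bytes) -> list:
    """Return the members of a ZIP attachment that should block delivery.

    A member is reported if its name ends in an executable extension, or if
    its content starts with the 'MZ' signature of a Windows PE file regardless
    of what the name claims (a renamed executable still gets caught).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            with archive.open(info) as member:
                verdict["pe_header"] = member.read(2) == b"MZ"
            if verdict["executable"] or verdict["pe_header"]:
                findings.append(verdict)
    return findings


def build_sample(member_name: str, content: bytes) -> bytes:
    """Build a one-member ZIP in memory (constructed test data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins: a fake PE header plus padding, not the real samples.
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_PDF = b"%PDF-1.4\n%% harmless placeholder document\n"
SAMPLE_INVOICE = build_sample("report_92da3ec16736842.pdf.exe", FAKE_PE)  # 211852.zip member
SAMPLE_RBS = build_sample("Document-772976_829712.scr", FAKE_PE)         # cubby download member
SAMPLE_RENAMED = build_sample("statement.pdf", FAKE_PE)                  # PE hiding behind a .pdf name
SAMPLE_BENIGN = build_sample("invoice_may.pdf", FAKE_PDF)                # a real document

if __name__ == "__main__":
    for label, sample in [("211852.zip", SAMPLE_INVOICE), ("RBS", SAMPLE_RBS),
                          ("renamed", SAMPLE_RENAMED), ("benign", SAMPLE_BENIGN)]:
        print(label, triage_zip(sample) or "clean")
```

The name check alone would pass "statement.pdf"; the two-byte content check is what makes the third sample a finding, which is why a gateway should look at both.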

92 - on: June 11, 2014, 00:52:42
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Thunderbird 24.6 released
- http://www.securitytracker.com/id/1030386
CVE Reference: CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2014-1541
Jun 11 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): prior to 24.6 ...
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (24.6)...

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/24.6.0/releasenotes/
v.24.6.0, released: June 10, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.6
Fixed in Thunderbird 24.6
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html


93 - on: June 10, 2014, 17:03:41
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Chrome 35.0.1916.153 released
- https://secunia.com/advisories/58585/
Release Date: 2014-06-10
Criticality: Highly Critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting, System access
Solution Status: Vendor Patch
CVE Reference(s): CVE-2014-0531, CVE-2014-0532, CVE-2014-0533, CVE-2014-0534, CVE-2014-0535,
CVE-2014-0536, CVE-2014-3154, CVE-2014-3155, CVE-2014-3156, CVE-2014-3157
... vulnerabilities are reported in versions prior to 35.0.1916.153.
Solution: Update to version 35.0.1916.153.
Original Advisory:
- http://googlechromereleases.blogspot.com/2014/06/stable-channel-update.html
June 10, 2014 - "... This update includes 4 security fixes..."
___

- http://googlechromereleases.blogspot.com/2014/07/flash-player-update.html
July 8, 2014 - "We are updating Flash Player to version 14.0.0.145 on Windows and Mac via our component update system (i.e. there will not be a Chrome update)..."


94 - on: June 10, 2014, 14:32:19
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Credit Card Breach at P.F. Chang
- http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/
June 10, 2014 - "Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide. On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014... Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source”... Banks contacted for this story reported cards apparently stolen from PFC locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina. The new batch of stolen cards, dubbed “Ronald Reagan” by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty. The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example). The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. 
The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems..."
___

- http://pfchangs.com/security/
June 12, 2014 - "On Tuesday, June 10, P.F. Chang's learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised. At P.F. Chang's, the safety and security of our guests' payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang's China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues. We have also established a dedicated public website, pfchangs.com/security, for guests to receive updates and answers to their questions. Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company. We sincerely regret the inconvenience and concern this may cause for our guests."


95 - on: June 10, 2014, 12:38:10
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Advisory 2962824
Update Rollup of Revoked Non-Compliant UEFI Modules
- https://technet.microsoft.com/en-us/library/security/2962824
Updated: June 10, 2014 - Ver: 1.1 - "With this advisory, Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot. These UEFI (Unified Extensible Firmware Interface) modules are partner modules distributed in backup and recovery software. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are not in compliance with our certification program and are being revoked at the request of the author.  Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules in coordination with their author as part of ongoing efforts to protect customers. This action only affects systems running Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. There is no action on systems that do not support UEFI Secure Boot or where it is disabled...
Known Issues. Microsoft Knowledge Base Article 2962824* documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues."
* https://support.microsoft.com/kb/2962824

Microsoft Security Advisory 2755801
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- https://technet.microsoft.com/en-us/library/security/2755801
Updated: June 10, 2014 - Ver: 25.0 - "... Microsoft recommends that customers apply the current update immediately using update management software, or by checking for updates using the Microsoft Update service. Since the update is cumulative, only the current update will be offered. Customers do not need to install previous updates as a prerequisite for installing the current update. On June 10, 2014, Microsoft released an update (2966072) for Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-16*..."
* http://helpx.adobe.com/security/products/flash-player/apsb14-16.html

Microsoft Security Advisory 2862973
Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program
- https://technet.microsoft.com/en-us/library/security/2862973
Updated: June 10, 2014 - Ver: 3.0 - "Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Recommendation: Microsoft recommends that customers apply the update at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information..."
- https://support.microsoft.com/kb/2862966

- https://support.microsoft.com/kb/2862973


96 - on: June 10, 2014, 09:38:36
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- https://technet.microsoft.com/library/security/ms14-jun
June 10, 2014 - "This bulletin summary lists security bulletins released for June 2014...
(Total of -7-)

Microsoft Security Bulletin MS14-035 - Critical
Cumulative Security Update for Internet Explorer (2969262)
- https://technet.microsoft.com/library/security/ms14-035
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
"... resolves -59- items..." *

Microsoft Security Bulletin MS14-036 - Critical
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)
- https://technet.microsoft.com/library/security/ms14-036
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Microsoft Office, Microsoft Lync

Microsoft Security Bulletin MS14-034 - Important
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)
- https://technet.microsoft.com/library/security/ms14-034
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS14-033 - Important
Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)
- https://technet.microsoft.com/en-us/library/security/ms14-033
Important - Information Disclosure - May require restart - Microsoft Windows

Microsoft Security Bulletin MS14-032 - Important
Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258)
- https://technet.microsoft.com/library/security/ms14-032
Important - Information Disclosure - May require restart - Microsoft Lync Server

Microsoft Security Bulletin MS14-031 - Important
Vulnerability in TCP Protocol Could Allow Denial of Service (2962478)
- https://technet.microsoft.com/library/security/ms14-031
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS14-030 - Important
Vulnerability in Remote Desktop Could Allow Tampering (2969259)
- https://technet.microsoft.com/library/security/ms14-030
Important - Tampering - May require restart - Microsoft Windows
___

*  http://blogs.technet.com/b/msrc/archive/2014/06/10/theoretical-thinking-and-the-june-2014-bulletin-release.aspx
10 Jun 2014

Deployment Priority, Severity, and Exploit Index
- http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2860.Deployment.jpg
___

June 2014 Office Updates
- http://blogs.technet.com/b/office_sustained_engineering/archive/2014/06/10/june-2014-office-update-release.aspx
10 Jun 2014 - "... There are 7 security updates (2 bulletins*) and 20 non-security updates..."
* MS14-034, MS14-036
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=18233
2014-06-10


97 - on: June 10, 2014, 07:38:45
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Flash 14.0.0.125 released
- https://helpx.adobe.com/security/products/flash-player/apsb14-16.html
June 10, 2014
CVE numbers: CVE-2014-0531, CVE-2014-0532, CVE-2014-0533, CVE-2014-0534, CVE-2014-0535, CVE-2014-0536
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 14.0.0.125.
- Users of Adobe Flash Player 11.2.202.359 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.378.
- Adobe Flash Player 13.0.0.214 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.125 for Windows, Macintosh and Linux.
- Adobe Flash Player 13.0.0.214 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 14.0.0.125 for Windows 8.0.
- Adobe Flash Player 13.0.0.214 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 14.0.0.125 for Windows 8.1.
- Users of the Adobe AIR 13.0.0.111 SDK and earlier versions should update to the Adobe AIR 14.0.0.110 SDK.
- Users of the Adobe AIR 13.0.0.111 SDK & Compiler and earlier versions should update to the Adobe AIR 14.0.0.110 SDK & Compiler.
- Users of Adobe AIR 13.0.0.111 and earlier versions for Android should update to Adobe AIR 14.0.0.110.
- Users of Adobe AIR 13.0.0.111 and earlier versions for Windows and Macintosh should update to Adobe 14.0.0.110.
___

- https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site:
- http://www.adobe.com/software/flash/about/

- http://helpx.adobe.com/flash-player.html

AIR download:
- http://get.adobe.com/air/
___

- http://www.securitytracker.com/id/1030368
CVE Reference: CVE-2014-0531, CVE-2014-0532, CVE-2014-0533, CVE-2014-0534, CVE-2014-0535, CVE-2014-0536
Jun 10 2014
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 13.0.0.214 and prior (Windows/Mac); 11.2.202.359 and prior (Linux)...
Solution: The vendor has issued a fix (14.0.0.125 for Windows/Mac, 11.2.202.378 for Linux).
The vendor's advisory is available at:
- http://helpx.adobe.com/security/products/flash-player/apsb14-16.html


98 - on: June 10, 2014, 07:21:17
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 30.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 30.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox30
Fixed in Firefox 30
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-50 Clickjacking through cursor invisibility after Flash interaction
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

Release notes
- https://www.mozilla.org/en-US/firefox/30.0/releasenotes/
June 10, 2014

... complete list of changes in this release... 3622 bugs found.
___

- http://www.securitytracker.com/id/1030388
CVE Reference: CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2014-1539, CVE-2014-1540, CVE-2014-1541, CVE-2014-1542, CVE-2014-1543
Jun 11 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): prior to 30.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system. A remote user can conduct clickjacking attacks.
Solution: The vendor has issued a fix (30.0)...


99 - on: June 10, 2014, 02:39:03
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Unique Gameover Zeus Infected IPs per day...
- https://goz.shadowserver.org/stats/

- http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/
June 8, 2014

[Added June 13, 2014]
... You can check if your computer is infected with Gameover Zeus by visiting this page:
- https://goz.shadowserver.org/gozcheck/


100 - on: June 10, 2014, 02:04:51
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Company Tax Return – PDF malware
- http://myonlinesecurity.co.uk/company-tax-return-ct600_4938297-june-fake-pdf-malware/
10 June 2014 - "Company Tax Return – CT600_4938297 June is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:

   This email contains an Company Tax Return form file attachment

10 June 2014: invoice_4938297.zip (55kb): Extracts to CT600_june_4323432432.pdf.exe
Current Virus total detections: 1/52* . This Company Tax Return – CT600_4938297 June is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6174c4d6b613cea4fe90b42a353b21acbe1b4edfc261435d9c40de1caa2ce389/analysis/
___

Fake Voice mail SPAM - downloads malware from Dropbox
- http://blog.dynamoo.com/2014/06/you-have-received-voice-mail-spam.html
10 June 2014 - "Another -fake- voice message spam, and another malware attack downloading from Dropbox.
   From:     Microsoft Outlook [no-reply@ victimdomain]
    Date:     10 June 2014 15:05
    Subject:     You have received a voice mail
    You received a voice mail : VOICE437-349-3989.wav (29 KB)
    Caller-Id: 437-349-3989
    Message-Id: U7C7CI
    Email-Id: [redacted]
    Download and extract the attachment to listen the message.
    We have uploaded fax report on dropbox, please use the following link to download your file:
    https ://www.dropbox .com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
    Sent by Microsoft Exchange Server


The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52*. Automated analysis... indicates that it downloads files from the following domains:
newsbrontima .com
yaroshwelcome .com
granatebit .com
teromasla .com
rearbeab .com
"
* https://www.virustotal.com/en-gb/file/fc5e57f70bdce3af0e8c43d124eacd1ead0be79bf369284f85a5f81c629f345e/analysis/1402407401/

Dropbox phishing: Cryptowall, Bitcoins, and You
- http://phishme.com/inside-look-dropbox-phishing-cryptowall-bitcoins/#update
Updated June 10 - "... the attackers have changed their tactics... the email is disguised as a voicemail notification..."
- http://phishme.com/beware-phishing-emails-using-dropbox-links/
June 2, 2014
___

News Headlines for KULUOZ SPAM ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-steal-news-headlines-for-kuluoz-spam-campaigns/
June 10, 2014 - "Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy... a malware that is distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system, as well as have the potential to turn that system into a part of the Asprox botnet itself... Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets...How they leverage the headlines themselves is relatively simple, and typical of a spam attack: they copy the headline and part of the news article from the news website and implement it into the mail itself, in order to make itself look legitimate to the user as well as bypass spam filters. It seems that this malware also used CNN and BBC News as sources of news clip snippets, incorporated in their spam runs.
KULUOZ spam sample with “Knife attack at South China Station”
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/06/140609comment01.jpg
... we found that the spam email itself retains the previous template of shipping notifications, including that of Fedex and United States Postal Service.
KULUOZ spam sample with “Thai Coup news item”
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/06/140609comment02.jpg
... this may seem like a typical spam run that takes news headlines in order to bypass spam filters (as well as trick users into reading them), it’s to note that the malware being used can compromise the security of unsecured systems should it be allowed to take root. The continued use of news headlines is also something to bear in mind, in that it is proof that as long as there is news to talk about, there will be threats that take advantage of them..."
___

Corporate cyber-espionage ...
Internet postings link a Chinese hacking group to a military unit
- https://www.computerworld.com/s/article/9248970/Second_Chinese_army_unit_linked_to_corporate_cyber_espionage
June 9, 2014

- http://resources.crowdstrike.com/putterpanda/
June 9, 2014 - "Putter Panda is a cyber espionage actor that conducts operations from Shanghai, China, likely on behalf of the Chinese People’s Liberation Army (PLA) 3rd Department 12th Bureau Unit 61486. The PLA’s General Staff Division (GSD) Third Department appears to be China’s primary SIGINT collection and analysis agency. The 12th Bureau, Unit 61486, headquartered in Shanghai’s Chabei District, supports China’s space surveillance network. They are a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications. The group has been operating since at least 2007 and has been observed heavily targeting the US Defense and European satellite and aerospace industries. They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks. CrowdStrike identified Chen Ping, aka cpyy, a suspected member of the PLA responsible for procurement of the domains associated with operations conducted by Putter Panda."

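Both the RBS item in post 91 (three callback IPs) and the voice-mail item above (five download domains) publish their indicators defanged, with a space before each dot. The script below is an added example, not part of this post or of the quoted blogs: it refangs those indicators and then matches them against proxy and firewall log lines. The log lines are constructed for the example, and subdomain matching (cdn.newsbrontima.com against newsbrontima.com) is an assumption about how a defender would want to match.

```python
import re

# Indicators quoted in the items above (the RBS spam's callback IPs and the
# voice-mail spam's download domains), copied as the source blogs defang them.
RAW_IOCS = [
    "85.25.148.6",
    "192.99.6.61",
    "217.12.207.151",
    "newsbrontima .com",
    "yaroshwelcome .com",
    "granatebit .com",
    "teromasla .com",
    "rearbeab .com",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be compared with live data.

    Handles 'example .com' (space before the dot, as used above),
    'example[.]com', 'example(.)com' and an 'hxxp://' scheme prefix.
    """
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"\s*(?:\[\.\]|\(\.\)|\s\.)\s*", ".", s)
    return s.rstrip("/")


def load_iocs(raw):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for item in raw:
        value = refang(item)
        (ips if IP_RE.fullmatch(value) else domains).add(value)
    return ips, domains


def domain_hit(host: str, domains: set) -> bool:
    """True if host equals an indicator or is a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_logs(text: str, raw=RAW_IOCS) -> list:
    """Return (line_number, indicator_seen) for every IOC match in the log text."""
    ips, domains = load_iocs(raw)
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        for ip in IP_RE.findall(low):
            if ip in ips:
                hits.append((number, ip))
        for host in HOST_RE.findall(low):
            if domain_hit(host, domains):
                hits.append((number, host))
    return hits


# Constructed proxy/firewall log lines, not taken from any real incident.
SAMPLE_LOGS = """\
2014-06-11T12:31:07Z proxy CONNECT www.example.com:443 src=10.0.0.15
2014-06-11T12:31:09Z fw DENY tcp 10.0.0.15:49213 -> 85.25.148.6:80
2014-06-11T12:31:10Z proxy GET http://cdn.newsbrontima.com/upd.bin src=10.0.0.15
2014-06-11T12:31:11Z proxy GET http://www.example.com/ src=10.0.0.22
2014-06-11T12:31:12Z fw ALLOW tcp 10.0.0.22:49301 -> 192.99.6.61:443
"""

if __name__ == "__main__":
    for number, indicator in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: matched {indicator}")
```

A denied connection to a listed IP is still worth a ticket: the host that tried it (10.0.0.15 here) has likely already run the dropper, and the same host reaching a listed domain a second later is the kind of sequence that confirms it.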
