News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 91 
 on: July 06, 2014, 05:56:27  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'Exceeded Storage Limit' Phish ...
- http://www.hoax-slayer.com/email-exceeded-storage-limit-scam.shtml
Last updated: July 5, 2014 - "Email claims that the user's email account has exceeded its storage limit and instructs him or her to reply with the account username and password in order to restore full functionality. Some versions ask users to click a link in the message... The message is -not- from any system administrator or support team nor is it from Outlook, Hotmail, or any other email service provider. The email is a phishing scam designed to trick users into divulging their email account login details to Internet criminals...

Screenshot: http://www.hoax-slayer.com/images/email-exceeded-storage-limit-scam-pin.jpg

This message, which purports to be from the "System Administrator", claims that the recipient's email account has exceeded its storage limit and the sending and receiving of email may therefore be disrupted. The message instructs the recipient to reply to the email with his or her username and password so that the "System Administrator" can reset the account and increase the size of the database storage limit. A later version of the scam asks users to reply with account details to "confirm" the mailbox. In some variants, users are asked to click a link to supply their username and password. However, the message is not from the "System Administrator" or anyone else at the account holder's email service provider. Instead, the message is a phishing scam designed to trick recipients into handing over their webmail login details to Internet criminals. Those who reply to the message with their login details as instructed will in fact be handing over access to their webmail account to scammers who can then use it as they see fit. Once in their victim's email account, these criminals can then use the account to send spam messages, or in many cases, send other kinds of scam emails... Be wary of -any- unsolicited message that asks you to supply your webmail login details by replying to an email. All such requests are likely to be scams."
___

Attack on Dailymotion - redirected visitors to exploits
- https://www.computerworld.com/s/article/9249565/Attack_on_Dailymotion_redirected_visitors_to_exploits
July 4, 2014 - "Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post*. The iframe redirected browsers to a different website hosting an installation of the Sweet Orange Exploit Kit, an attack tool that uses exploits for Java, Internet Explorer and Flash Player. The flaws that Sweet Orange attempted to exploit are: CVE-2013-2551, patched by Microsoft in Internet Explorer in May 2013; CVE-2013-2460, patched by Oracle in Java in June 2013; and CVE-2014-0515, patched by Adobe in Flash Player in April..."
* http://www.symantec.com/connect/blogs/dailymotion-compromised-send-users-exploit-kit
3 Jul 2014 - "On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the vulnerabilities were successfully exploited during the campaign, pay-per-click malware was then downloaded on the victim’s computer. This week, Dailymotion is no longer compromised, as users are currently not being redirected to the exploit kit..."
___

4th of July SPAM...
- http://www.symantec.com/connect/blogs/spammers-ready-their-arsenal-us-independence-day
4 July 2014 - "... like every other year, spammers are sending people a barrage of cleverly crafted spam aimed at exploiting this mood of celebration. This year, Symantec has observed a variety of spam, ranging from fake Internet offers to pharmacy deals, which take advantage of the US Independence Day.
Travel promotion spam - Subject: 4th of July Private Jets
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/independencedayspam_figure1.png
Online casino spam
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/independencedayspam_figure2.png
Fake pharmacy website exploiting July 4
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/independencedayspam_figure3.png
Clearance sale product spam exploiting July 4
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/independencedayspam_figure4.png
... Keep your antispam product updated frequently to get the best protection against these threats..."

- http://www.bbb.org/blog/2014/07/customer-survey-scam-lures-victims-with-gift-card/
July 4, 2014


 92 
 on: July 06, 2014, 05:36:05  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

6445 domains removed
- http://www.malwaredomains.com/?p=3626
July 6th, 2014 - "List recertification – 6445 domains removed (this may be why some of the files were out-of-sync). Please update your blocklists..."


 93 
 on: July 04, 2014, 09:43:59  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake: RAS Cargo (rascargointernational .com)
- http://blog.dynamoo.com/2014/07/fake-ras-cargo-rascargointernationalcom.html
4 July 2014 - "There is -no- company in the UK with the name RAS Cargo according to Companies House*. So why are they spamming me?

Screenshot: https://4.bp.blogspot.com/-LjIlxFGiomU/U7bDb7BIjUI/AAAAAAAADTE/l0krv_4h3Pc/s1600/ras-cargo.png

The site is professional-looking enough, quoting... contact details... there is no multinational freight business going on here. Also, the telephone numbers quoted appear in no trade directories or other web sites, indicating that they are -fake-"
* http://wck2.companieshouse.gov.uk/
___

advocatesforyouths.org, Eem Moura, Tee Bello and other FAKE sites
- http://blog.dynamoo.com/2014/07/advocatesforyouthsorg-eem-moura-tee.html
4 July 2014 - "Advocates for Youth is a -legitimate- campaign organisation that says that it "champions efforts to help young people make informed and responsible decisions about their reproductive and sexual health." It has a website at www.advocatesforyouth.org which was registered in 1996. However, the domain advocatesforyouths .org is a completely -fake- rip-off of the legitimate advocatesforyouth.org site (note the extra "s") which is advertising itself through spam:
    From:     Advocates for Youth [inboxteam6@ gmail .com]
    Reply-To:     Advocates for Youth [ljdavidson@ advocatesforyouths .org]
    Date:     2 July 2014 21:52
    Subject:     Say No to FORCED MARRIAGE and HIV/AIDS
    Mailing list:     xkukllsbhgeel of 668
    Signed by:     gmail.com
    Invitation Ref No: OB-22-52-30-J ...


In this case the email originates from 217.120.44.73 (Ziggo / Groningen, Netherlands) and was sent to a spam trap. The -fake- site is almost a bit-for-bit copy... but things like the Contact Details page are slightly different:
> https://2.bp.blogspot.com/-XNiARcuRFpY/U7axxRUtv-I/AAAAAAAADRs/ucYCSRZeLdQ/s1600/fake-afy.png
... The fax number is in California, but the "202" telephone number appears to be Washington... but on closer examination it looks like a VOIP (internet phone) number which could possibly be anywhere in the world.
> https://3.bp.blogspot.com/-WiDHq8Lh6eY/U7ay8JIAL8I/AAAAAAAADR4/JPDqVWEgcU8/s1600/fake-afy2.png
... the fake site looks utterly convincing. Mostly because it is cloned directly from the legitimate site (See screenshot above). The domain advocatesforyouths .org was registered on 24th May 2014 with anonymous details, and the mail handler is mailhostbox.com who are a legitimate commercial provider. But what most visitors to advocatesforyouths.org will not spot is that the domain just does a framed forward to another site googleones .in/advocates4youth/ which is where things get more complicated. googleones .in is hosted on 74.122.193.45  a Continuum Data Centers IP -reallocated- ...
 Al-zaida Emirates: "alz" is a site called "Al-zaida Emirates" which is a -ripoff- of the legitimate Zamil Group Holding Company. Probably the obvious difference is that the "Al-zaida" site has an "Apply For Loan" button which marks it out as some sort of finance scam.
> https://3.bp.blogspot.com/-MhFaa-Ntevk/U7a4SsSV08I/AAAAAAAADSQ/6DFmTVc5xIY/s1600/al-zaida.png
 EEM Moura and TEE Bello (part 1): The next -fake- site is under "eem" which advertises itself as "EEM MOURA & TEE BELLO Group of Companies". This site is a slightly-altered copy of the legitimate Alpha Group.
> https://2.bp.blogspot.com/-Gyz5h5nob7w/U7a5XRxf-FI/AAAAAAAADSc/Q0880VOsyiU/s1600/eem-moura-tee-bello.png
...  perhaps a clue here under "Shipping" which could be advertising for a Parcel Mule job (i.e. laundering stolen goods).
 EEM MOURA & TEE BELLO (part 2) [eemthollandbv .nl] There is another -fake- "EEM MOURA & TEE BELLO" site in the folder "eemtholland" (and using the forwarder domain eemthollandbv .nl). This is different from the other site being a fake shopping site, a poor copy of the legitimate HollandForYou .com site.
> https://4.bp.blogspot.com/-7p7DDw5M4aM/U7a7fkZiMLI/AAAAAAAADSo/abqt76pMEy0/s1600/eem-moura-tee-bello2.png
This -fake- site is also likely to be recruiting people for a parcel reshipping scam.
 Hotel T. Bello: The final -fake- site is filed under "tbello" (sounds familiar?) and is supposedly the "Hotel T. Bello" in Den Haag (The Hague). It is a poor copy of the InterContinental Amstel Amsterdam.
> https://3.bp.blogspot.com/-tZ-lsphlTiA/U7a9fdKnlsI/AAAAAAAADS0/mRN3IBwxnuM/s1600/hotel-t-bello.png
Perhaps the "Hotel T Bello" is a -fake- hotel for the delegates to the -fake- "Advocates for Youth" conference that was advertised in the original spam.. that is certainly one way that these conference scams work.
There is not a single legitimate site on this server. Avoid."


 94 
 on: July 04, 2014, 07:21:19  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Recent Updates
- http://www.malwaredomains.com/?p=3617
July 1st, 2014 - "Added 295 domains on 6/24 and 320 domains on 6/27. Please update your blocklists..."
___

mirror2 down for maintenance
- http://www.malwaredomains.com/?p=3624
July 5th, 2014 - "mirror2 is down for maintenance. Please use one of our other mirrors..."


 95 
 on: July 04, 2014, 03:40:12  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Gmail is down for some ...
- http://www.theinquirer.net/inquirer/news/2353526/gmail-is-down-for-some-in-the-uk
Jul 03 2014

- http://www.theinquirer.net/inquirer/news/2353727/google-goes-down-as-search-throws-up-server-error
Jul 04 2014 - "... The outage has seen Google's search engine throwing up a 500 error message, which suggests that the firm has been suffering from an intermittent server error. This message reads, "500. That's an error. The server encountered an error and could not complete your request. If the problem persists, please report your problem and mention this error message and the query that caused it. That's all we know." It's unclear what was causing the error, nor is it known to what extent the outage reached..."

Gmail status graph: http://downrightnow.com/gmail

Gmail - Service Details - Apps Status Dashboard
- https://www.google.com/appsstatus#hl=en&v=issue&sid=1&iid=8c7aa0905b573df087dbae0a52e8d90c
7/3/14 5:34 PM - "The problem with Gmail should be resolved. We apologize... Affected users received an error 500 message when attempting to access the Gmail web service."


 96 
 on: July 03, 2014, 10:33:55  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

RealPlayer 17.0.10.8 released
- http://service.real.com/realplayer/security/06272014_player/en/
June 27, 2014 - "... product upgrades that contain security bug fixes... summary of which previous and current versions of the RealPlayer software are susceptible to these vulnerabilities... Affected software: Windows RealPlayer 17.0.8.22 and prior..."

- http://www.securitytracker.com/id/1030524
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3113 - 9.3 (HIGH)
Jul 4 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 17.0.8.22 and prior...
Solution: The vendor has issued a fix (17.0.10.8)...


 97 
 on: July 03, 2014, 06:07:17  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Javascript Extortion advertised via Bing ...
- https://isc.sans.edu/diary.html?storyid=18337
Last Updated: 2014-07-02 20:49:25 UTC - "... a search for "Katie Matusik" on Bing will include the following result. The rank has been slowly rising during the day, and as of right now, it is the first link after the link to "Videos"...
Screenshot: https://isc.sans.edu/diaryimages/images/Screen%20Shot%202014-07-02%20at%202_13_48%20PM.png
... Once a user clicks on the link, the user is redirected to http ://system-check-yueedfms .in/js which loads a page claiming that the user's browser is locked, and the user is asked to pay a fine via "Moneypak", a Western-Union like payment system. Overall, the page is done pretty badly and I find it actually a bit difficult to figure out how much money they are asking for ($300??).
> https://isc.sans.edu/diaryimages/images/2_14_44_x.png
The user is not able to close the browser or change to a different site. However, just rebooting the system will clear things up again, or you have to be persistent enough in clicking "Leave this Page" as there are a large number of -iframes- that each insert a message if closed. The link was reported to Bing this morning but the result has been rising in Bing's search since then. Respective hosting providers for the likely -compromised- WordPress blog have been notified.
> Quick update: For "katie matysik" (replace 'u' with 'y', the correct spelling of the ), Bing now returns the malicious site as #1 link. Both spellings are valid last names, so either may be the original target of the SEO operation."

46.4.127.172: https://www.virustotal.com/en/ip-address/46.4.127.172/information/
___

Chain Letter migrates from mail to Social Networking
- http://blog.malwarebytes.org/fraud-scam/2014/07/ancient-chain-letter-migrates-from-mail-to-social-networking/
July 3, 2014 - "...  guaranteed to see a chain letter of one form or another bouncing around on a social network or in a mailbox, and here’s one such missive currently in circulation. It claims Microsoft and AOL are running a form of email beta test with big cash rewards for anybody forwarding on the email – $245 every time you send it on, $243 every time a contact resends it and $241 for every third person that receives it. The catch here is that the text – which is clearly supposed to be sent to email addresses – has been posted to a social network comment box on a profile page instead.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/microspam1.jpg
... nonsense then, and it’s nonsense now. Amazingly, the mail from 2005 even sports the same phone numbers as the social network post from a few days ago... it’s extremely likely that they’re long since abandoned. Even so, you can’t keep a good scam down and so -eight- years after it rolled into town the -fake- Microsoft / AOL beta payout bonanza continues to find new life, as it moves from mailboxes to social network comment boxes in a desperate attempt to live on for a few more years. Think twice before forwarding chain letters..."
___

Accidental leak reveals identity numbers of 900,000 Danes
- http://www.reuters.com/article/2014/07/03/us-denmark-identity-idUSKBN0F822Y20140703
Jul 3, 2014 - "The identity numbers of around 900,000 Danes, widely used as a means of identification in telephone transactions with banks or medical services, were mistakenly made available on the internet for almost an hour on Wednesday, the Danish government said. The numbers were mistakenly included by an outside contractor in a database of people who have asked -not- to receive marketing mail or calls that is made available to Danish firms, according to the daily Borsen. It is common for Danish financial institutions, hospitals and government agencies to ask for the civil registration number as a proof of identity in telephone inquiries, raising the possibility of widespread abuse. The government said the list had been downloaded 18 times in the 51 minutes that it was accessible..."
___

Brazil Boleto Fraud Ring ...
- https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/
July 2, 2014 - "... Through a coordinated investigation spanning three continents, RSA Research has uncovered details of a substantial malware-based fraud ring that is operating with significant effectiveness to infiltrate one of Brazil’s most popular payment methods – the Boleto. Based on evidence gleaned from this fraud investigation, RSA Research discovered a Boleto malware or “Bolware” fraud ring that may have compromised 495,753 Boletos transactions over a two-year period. While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to $3.75 Billion USD (R$ 8.57 Billion). Boleto Bancário, or simply Boleto, is a financial instrument that enables a customer (“sacado”) to pay an exact amount to a merchant (“cedente”). Any merchant with a bank account can issue a Boleto associated with their bank; that Boleto is then sent to the consumer to pay anything from their mortgage, energy bills, taxes or doctor’s bills via electronic transfer... Their popularity has risen because of the convenience for consumers who don’t require a personal bank account to make payments using Boletos. The Boleto system is regulated by Banco Central do Brasil (Brazilian Central Bank) and has become the second most popular payment method (behind credit cards) in Brazil. E-bit, an e-commerce market research firm in Latin America estimates that 18% of all purchases in Brazil during 2012 were transacted via Boletos...
Boleto malware – how it works:
> https://blogs.rsa.com/wp-content/uploads/2014/06/BoletoMalware.png
...  While the fraudsters behind this operation may have had the potential to cash out these modified Boletos, it is not known exactly how many of these Boletos were actually paid by the victims and whether all the funds were successfully redirected to fraudster-controlled bank accounts... RSA has turned over its research along with a significant number of fraudulent Boleto ID numbers and IOCs (indicators of compromise) to both U.S. (FBI) and Brazilian law enforcement (Federal Police) and have been in direct contact with a number of Brazilian banks. RSA is working together with these entities in the investigation... to help with shutting down infection points in the wild and blacklisting fraudulent Boleto IDs... RSA urges consumers to be vigilant when handling Boleto payments and to verify that all the details, specifically the Boleto ID are genuine prior to confirming payments. Because the Bolware gang has been spreading their malware mainly through phishing and spam, consumers in Brazil are also urged to take care when clicking on links or opening attachments in emails or social media messages from -unknown- senders and to use updated anti-virus software to help protect their PCs from infection..."

- http://www.reuters.com/article/2014/07/02/brazil-cybercrime-boleto-idUSL2N0PB0UQ20140702
Jul 2, 2014


 98 
 on: July 02, 2014, 10:10:27  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Cisco Unified Communications Domain Manager - multiple vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm
2014 July 2 - "Summary: Cisco Unified Communications Domain Manager (Cisco Unified CDM) is affected by the following vulnerabilities:
> Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability
> Cisco Unified Communications Domain Manager Default SSH Key Vulnerability
> Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability
Successful exploitation of the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability or of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system. Successful exploitation of the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may allow an attacker to access and modify BVSMWeb portal user information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings. Cisco has released free software updates that address the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability and the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.
Cisco will provide a free software update for the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability as soon as the fix is available. Workarounds that mitigate these vulnerabilities are not available. Customers that are concerned about the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may apply the mitigation detailed in the "Workarounds" section of this advisory..."
Rev 2.0 - 2014-July-08 - Added information regarding fixed versions of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability

- http://www.securitytracker.com/id/1030515
CVE Reference: CVE-2014-2197, CVE-2014-2198, CVE-2014-3300
Jul 2 2014


 99 
 on: July 02, 2014, 06:58:13  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Restaurants hit by New Payment Card Hacks
- http://www.databreaches.net/dozens-of-restaurants-hit-by-new-payment-card-hacks/
July 2, 2014 - "Phishing emails, lax security -or- a previously unknown software flaw could turn out to be the cause of the latest eatery data breach. This one hit a number of prominent restaurants in the Pacific Northwest after hackers gained access to a Point Of Sale (POS) system created by Information Systems & Supplies (ISS) of Vancouver, Washington.
    'We recently discovered that our Log-Me-In account was breached on February 28, March 5 and April 18, 2014. We have reason to believe that the data accessed could include credit card information from any cards used by your customers between these dates', a letter signed by ISS president Thomas Potter obtained by BankInfoSecurity stated. That letter was dated June 12** but not mailed until a week later... More here:
- https://www.idradar.com/news-stories/identity-protection/Dozens-Of-Restaurants-Hit-By-New-Payment-Card-Breach
If the LogMeIn reference in the story seems familiar, it’s because we also saw it misused in a breach involving a number of Subway restaurants*."
* http://www.computerworld.com/s/article/9248359/Former_Subway_franchise_owner_admits_to_POS_hacking
May 15, 2014

** http://docs.ismgcorp.com/files/external/iss_vancouver_breach.pdf

- https://www.computerworld.com/s/article/9249516/Hackers_hit_more_businesses_through_remote_access_accounts
July 2, 2014
___

Breaches exposed 1 in 7 US -debit- cards in 2013
- http://www.networkworld.com/article/2450441/breaches-exposed-1-in-7-us-debit-cards-in-2013.html
July 2, 2014 - "Data breaches at retailers and financial services companies exposed 14 percent of all U.S. debit cards in 2013, according to a nationwide survey by a major ATM network operator. The figure is three times that of 2012... The survey, conducted by Discover Financial Services’ Pulse ATM network, found that the majority of affected cards were exposed in a single event: the Target data breach that compromised some 70 million customer records in late 2013. Around 10 percent of all U.S. debit cards were affected in the Target incident, and the majority of financial institutions affected were pushed to reissue cards... The Pulse survey covered large banks, credit unions and community banks that together account for 45 percent of all debit card transactions in the U.S."


 100 
 on: July 02, 2014, 04:48:42  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Amazon Local SPAM / order_id.zip
- http://blog.dynamoo.com/2014/07/amazon-local-order-details-spam.html
2 July 2014 - "This fake Amazon spam has a malicious attachment:

Screenshot: http://3.bp.blogspot.com/-f3_3Es0R48o/U7QIrhGlRtI/AAAAAAAADRU/wJmr5sph8OM/s1600/amazon-local.png

Attached is a file order_id.zip which in turn contains the malicious executable order_id_467832647826378462387462837.exe which is detected as malicious by 5/54 engines of VirusTotal*. Automated analysis tools are inconclusive about what this malware does..."
* https://www.virustotal.com/en-gb/file/2174b3f0b1204b741b380daaeb30bcb0e847de415078ecc11128f3cef3dc6038/analysis/1404306154/
___

Fake email "Failed delivery for package #0231764" from Canada Post - contains URLs to malicious file
- http://blog.mxlab.eu/2014/07/02/fake-email-failed-delivery-for-package-0231764-from-canada-post-contains-urls-to-malicious-file/
July 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subject "Failed delivery for package #0231764" from Canada Post regarding a failed attempt to deliver an item. This email is sent from the spoofed address "Canada Post <tracking@ canadapost .com>" and has the following body:
Dear customer,
We attempted to deliver your item on Jul 2nd, 2014 , 05:44 AM.
The delivery attempt failed because no person was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the nearest Canada Post office with the printed shipping inboice mentioned below.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
TRACKING Number: RT000961269SG
Expected Delivery Date: JUL 2nd, 2014
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
The shipping invoice can be viewed online, by visiting ...


The first embedded URL hxxp ://documents-signature .com/pdf_canpost_RT000961269SG.pdf leads to a website that shows a PDF file... The second embedded URL hxxp ://documents-signature .com/pdf_canpost_RT000961269SG.zip leads to a malicious file pdf_canpost_RT000961269SG.zip that contains the file pdf_canpost_RT000961269SG.pif. The trojan is known as Backdoor.Bot or HEUR/Malware.QVM07.Gen. At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
* https://www.virustotal.com/en/file/e0b8d24becb65d040b9e617c31acf6926d44343807bbac2423b28beab855ba75/analysis/1404326965/

** https://malwr.com/analysis/ZTE0ZGRjOTdkYTQyNDRmZTk2ZTM0YzgxYjA1MjlhMjE/

23.62.98.234: https://www.virustotal.com/en/ip-address/23.62.98.234/information/

87.121.52.82: https://www.virustotal.com/en/ip-address/87.121.52.82/information/
___

WordPress plugin puts sites at risk...
- http://arstechnica.com/security/2014/07/wordpress-plugin-with-1-7-million-downloads-puts-sites-at-risk-of-takeover/
July 1 2014 - "Websites that run WordPress and MailPoet, a plugin with more than 1.7 million downloads, are susceptible to hacks that give attackers almost complete control, researchers have warned. "If you have this plugin activated on your website, the odds are not in your favor," Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Tuesday*. "An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable." The bug allows attackers to remotely upload any file of their choice to vulnerable servers. Cid declined to provide specifics about the flaw other than to say it's the result of the mistaken assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. In fact, "any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated." The behavior makes it possible for anyone to upload files on vulnerable sites. The only safe version is the just released 2.6.7**, which should be installed immediately on all vulnerable websites. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses..."
* http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

** http://downloads.wordpress.org/plugin/wysija-newsletters.2.6.7.zip
___

New Cridex Version Combines Data Stealer and Email Worm
- http://www.seculert.com/blog/2014/07/geodo-new-cridex-version-combines-data-stealer-and-email-worm.html
July 1, 2014 - "... Cridex is a data stealer also referred to as Feodo, and Bugat. The new Cridex version we are seeing now, aka Geodo, combines a self-spreading infection method – effectively turning each bot in the botnet into a vehicle for infecting new targets... Through further analysis of this attack, we were able to determine that the second piece of malware (the worm) is provided with approximately 50,000 stolen SMTP account credentials including the related SMTP servers to connect to. The bot then uses these credentials to target mostly German accounts by impersonating legitimate email.
Stolen SMTPs Country of Origin:
> http://www.seculert.com/blog/wp-content/uploads/2014/07/country-pie-chart-updated-numbers.png
The C&C provides the malware with a batch of 20 targeted email addresses. The malware is also given a from address, subject line, and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails. And with each new batch of emails the C&C also sends a new from address, subject line, and body... The emails we have seen, written in German, contain a link prompting the recipient to download a zip file which contains an executable disguised as a PDF document... There is no definitive information on where the 50,000 stolen credentials came from, but Cridex is the suspected culprit. And as a data stealer, Geodo can compromise the intellectual property of a corporation, putting its business and reputation at risk..."
___

Fake “Google Service Framework” Android malware ...
- http://www.fireeye.com/blog/technical/malware-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html
July 1, 2014 - "... a malicious Android class running in the background and controlled by a remote access tool (RAT). Recently, FireEye mobile security researchers have discovered such malware that pretends to be a "Google Service Framework" and -kills- an anti-virus application as well as takes other malicious actions. In the past, we've seen Android malware that execute privacy leakage, banking credential theft, or remote access separately, but this sample takes Android malware to a new level by combining all of those activities into one app. In addition, we found the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal. We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognized by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work...
The structure of the HijackRAT malware:
> http://www.fireeye.com/blog/wp-content/uploads/2014/06/structure.png
... Virus Total detection of the malware sample:
> http://www.fireeye.com/blog/wp-content/uploads/2014/06/VT5.png
... fake “Google Service Framework” icon in home screen:
> http://www.fireeye.com/blog/wp-content/uploads/2014/06/removeicon.png
A few seconds after the malicious app is installed, the “Google Services” icon appears on the home screen. When the icon is clicked, the app asks for administrative privilege. Once activated, the uninstallation option is disabled and a new service named “GS” is started as shown below. The icon will show “App isn’t installed.” when the user tries to click it again and removes itself from the home screen... The malware has plenty of malicious actions, which the RAT can command... The server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL is named after the device ID and the UUID generated by the CNC server...  the malware app parses the banking apps that the user has installed on the Android device and stores them in the database under /data/data/com.ll/database/simple_pref... the hacker has designed and prepared for the framework of a more malicious command from the CNC server once the hijack methods are finished. Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon."

- http://atlas.arbor.net/briefs/index#322328699
July 3, 2014
___

Win8 usage declined in June - XP usage increased
- http://www.infoworld.com/t/microsoft-windows/windows-8-usage-declined-in-june-while-xp-usage-increased-245339
July 1, 2014
> http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
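The two malware-by-attachment campaigns reported above (the fake Amazon Local order_id.zip containing an .exe, and the fake Canada Post zip containing a .pif named to look like a PDF) share one shape: an archive whose only payload is a Windows executable with a decoy name. The following is an added example, not code from Dynamoo, MX Lab or any product they mention, of a gateway-side check that opens a ZIP attachment and reports why it should be quarantined. It goes a little beyond the two posts by also sniffing the "MZ" header so a renamed executable is caught regardless of extension. The extension list, the decoy-name pattern and the sample archive (built in a temp file from a constructed fake payload) are assumptions for illustration.

```php
<?php
// Added example (not from the original posts): inspect a ZIP attachment the
// way a mail gateway might, and return the reasons it should be quarantined.

// Assumed list of extensions that Windows will execute when double-clicked.
const EXECUTABLE_EXTENSIONS = [
    'exe', 'pif', 'scr', 'com', 'bat', 'cmd', 'js', 'jse',
    'vbs', 'vbe', 'wsf', 'jar', 'msi', 'hta', 'cpl',
];
const DOCUMENT_EXTENSIONS = ['pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt'];

/**
 * Open the archive at $path and return a list of findings.
 * An empty list means nothing suspicious was seen.
 */
function inspect_zip_attachment(string $path): array
{
    $findings = [];
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return ['archive could not be opened (corrupt, encrypted or not a ZIP)'];
    }

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));

        // 1. Executable file type inside an e-mail attachment.
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            $findings[] = "$name: executable type .$ext inside archive";
        }

        // 2. Decoy naming: a document-looking stem ("pdf_...") or a fake inner
        //    extension ("invoice.pdf.exe") on something that is not a document.
        $looksLikeDocument = preg_match('/(^pdf_|\.(pdf|doc|docx|xls)\.)/i', $name) === 1;
        if ($looksLikeDocument && !in_array($ext, DOCUMENT_EXTENSIONS, true)) {
            $findings[] = "$name: document-style name on a non-document (.$ext)";
        }

        // 3. Content check: a PE image begins with "MZ" whatever its extension.
        if ($zip->getFromIndex($i, 2) === 'MZ') {
            $findings[] = "$name: MZ header, Windows executable regardless of extension";
        }
    }
    $zip->close();
    return $findings;
}

// Constructed sample archive shaped like the Canada Post campaign's zip.
// The payload bytes are fake: just an MZ header followed by filler.
$tmp = tempnam(sys_get_temp_dir(), 'att');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('pdf_canpost_RT000961269SG.pif', "MZ\x90\x00 constructed, not a real binary");
$zip->close();

foreach (inspect_zip_attachment($tmp) as $finding) {
    echo $finding, PHP_EOL;
}
unlink($tmp);
```

Run as a plain script; on the constructed archive all three checks fire. In a real gateway the decision should be quarantine-on-any-finding rather than "executable only", because extension lists lag behind whatever the next campaign uses (.pif was a deliberate choice here precisely because few users recognise it).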

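The MailPoet bug above comes from one assumption: that a callback hooked to admin_init only runs for an administrator inside /wp-admin. In fact any request to /wp-admin/admin-post.php (or admin-ajax.php) fires admin_init, logged in or not, so the hook is not an authorization check. The following is an added example, not MailPoet's code and not Sucuri's, of a hypothetical plugin upload handler written with that assumption, beside the same handler gated properly. Function, nonce and form-field names (example_*, theme_zip) are made up for illustration; the WordPress API calls are real.

```php
<?php
// Added example (not MailPoet's code): why admin_init is not an auth check.
// WordPress runs admin_init on every request to /wp-admin/admin-post.php,
// including anonymous ones, so anything hooked there must authorize itself.

// VULNERABLE: trusts the hook as proof of an administrator session.
function example_vulnerable_upload_handler() {
    if ( empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // No capability check, no nonce, no file vetting: an anonymous
    // multipart POST to /wp-admin/admin-post.php reaches this line.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['theme_zip']['name'] );
    move_uploaded_file( $_FILES['theme_zip']['tmp_name'], $dest );
}
// add_action( 'admin_init', 'example_vulnerable_upload_handler' ); // do not do this

// HARDENED: authenticate, authorize, verify intent, then let core vet the file.
function example_hardened_upload_handler() {
    if ( empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // 1. Authorization: a capability, not merely "this hook fired".
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the submitting form must carry a nonce bound to this action
    //    (emitted with wp_nonce_field( 'example_upload_theme', 'example_nonce' )).
    check_admin_referer( 'example_upload_theme', 'example_nonce' );

    // 3. File vetting: core checks the extension/MIME allow-list and picks a
    //    safe unique name, so the caller never trusts the client-supplied one.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['theme_zip'],
        array(
            'test_form' => false,
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
}
add_action( 'admin_init', 'example_hardened_upload_handler' );
```

A further design choice: rather than listening on admin_init at all, hook the action-specific `admin_post_example_upload_theme`, which WordPress only dispatches for logged-in users (the anonymous counterpart is `admin_post_nopriv_*`, which such a handler should simply never register). The capability and nonce checks stay in either case; the narrower hook just removes one class of request before it reaches the code.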
