Culture Jamming

[Fake UPS emails - client-side exploits and malware]

FYI...

Fake UPS emails - client-side exploits and malware ...
- http://blog.webroot.com/2012/07/18/cybercriminals-impersonate-ups-in-client-side-exploits-and-malware-serving-spam-campaign/
July 18, 2012 - "... cybercriminals systematically abuse popular brands and online services. Next to periodically rotating the brands, they also produce professional looking email templates, in an attempt to successfully brand-jack these companies, and trick their customers into interacting with the malicious emails... currently spamvertised client-side exploits and malware serving campaign impersonating UPS (United Parcel Service). Once users click on the links found in the malicious email, they’re automatically redirected to a Black Hole exploit kit landing page serving client-side exploits, and ultimately dropping malware on the exploited hosts... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8 on the exploited hosts. Detection rate: the sample is detected by 29 out of 41 antivirus scanners** as Trojan.Injector.AFR; Worm.Win32.Cridex.fb... This is the -third- UPS-themed malware serving campaign that we’ve intercepted over the past two months. Next to the malware serving campaigns impersonating DHL, we expect that we’re going to see more malicious activity abusing these highly popular courier service brands. UPS has acknowledged this threat and offered its perspective here*..."
*  http://www.ups.com/content/us/en/resources/ship/fraud_ups_recognize.html#Spam+and+Phishing+E-mails+Fraudulently+Using+the+UPS+Name+or+Brand

**  https://www.virustotal.com/file/dd529f7529692c2ebfe9da9eb7a83a7ac9d672782d93c6a82400aa3845cfb6b5/analysis/
File name: 20120710_221334_4462C5B3556C5CAB5D90955B3FAA19A8_CAE93.VIR
Detection ratio: 29/41
Analysis date: 2012-07-14
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake SpamCop E-mail Account Alert Notification E-mail Messages - New July 19, 2012
Fake FedEx Shipment Notification E-mail Messages- Updated July 19, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages- Updated July 19, 2012
Fake Product Order Notification E-mail Messages - New July 19, 2012
Fake Contract Notification E-mail Messages - Updated July 19, 2012
Fake DHL Express Tracking Notification E-mail Messages - Updated July 19, 2012
Fake USPS Package Delivery Notification E-mail Messages- Updated July 19, 2012
Fake Airline Ticket Confirmation Attachment E-mail Messages - Updated July 19, 2012 ...

   

[Fake Facebook email leads to malware]

FYI...

Fake Facebook email leads to malware ...
- http://nakedsecurity.sophos.com/2012/07/17/malware-facebook-photo-tag-notification/
July 17, 2012 - "Be wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph. Because it might be that you're the next potential victim of a malware attack. SophosLabs has intercepted a spammed-out email campaign, designed to infect recipients' computers with malware...
> https://sophosnews.files.wordpress.com/2012/07/facebook-malware-email.jpg
... (Did you notice what was odd about the email? The 'from' address misspells Facebook as "Faceboook" with three "o"s) If you click on the link in the email, you are -not- taken immediately to the real Facebook website. Instead, your browser is taken to a website hosting some malicious iFrame script (which takes advantage of the Blackhole exploit kit)..."
___

The Rise of the “Blackhole” Exploit Kit:
The Importance of Keeping All Software Up To Date
- https://blogs.technet.com/b/security/archive/2012/07/19/the-rise-of-the-black-hole-exploit-kit-the-importance-of-keeping-all-software-up-to-date.aspx?Redirected=true
19 Jul 2012

Top 10 locations with the most detections of Blacole - second half 2011 (2H11)
> https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-50-43/5127.5.jpg

   

[Olympic malware on the Web]

FYI...

Olympic malware on the Web ...
- http://community.websense.com/blogs/securitylabs/archive/2012/07/20/a-malware-very-social-and-ready-for-the-olympic-games.aspx
20 Jul 2012 - "... Websense... researchers are already seeing data-stealing malware that aims to capitalize on the Games. Malware piggybacks on the buzz surrounding current, high profile events like the Olympics in order to steal personal data. Olympics-themed content armed with malware is introduced mainly through social engineering-based attacks. The cyber criminals behind the themed attacks know that they have a better chance of enticing potential victims by appearing current and relevant to a hot topic. That gets clicks, and the chance to spread their data-stealing creations... the Polish Computing Emerging Response Team (CERT)... analyzed an interesting sample of data-stealing malware*. This malware, once executed, has the ability to interact with social channels like Facebook, Skype, and Microsoft Live Messenger. This particular variant spreads malicious URLs through those channels and the victim's contact list... it employs a socially engineered attack accompanied by a malicious URL that ultimately leads to a malware file that is part of a bot network... analysis is based on a sample (MD5:  3E50B76C0066C314D224F4FD4CBF14D5 ) of the same malware family reported by the CERT.PL advisory. It is also detected as Pushbot, which is known to be a data-stealing malware variant...  the malware looks in memory for these processes: opera.exe, firefox.exe, iexplore.exe, skype.exe, and msnmsgr.exe. When it uses a web browser, the malware changes the starting page to redirect user HTTP sessions to malicious websites. In the case of Skype or Microsoft Live Messenger, the malicious process is able to forge HTTP requests with malicious payloads to users in the victim's contacts list. We have also detected a Facebook URL forger used to build proper HTTP requests and send them to the Facebook server. In this way, if there is an active Facebook session, the malware can send malicious messages to the victim's Facebook friends list... The IP addresses so far are: 46.220.203.212, 89.63.178.149, and  39.54.215.205... The URL hxxp ://lokralbumsgens. com/pictures.php?pic=google is still active, and the domain was registered 20 days ago..."
* http://www.cert.pl/news/5587/langswitch_lang/en

  

[Fake Intuit emails lead to BlackHole exploit kit]

FYI...

Fake Intuit emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/07/20/spamvertised-intuit-themed-emails-lead-to-black-hole-exploit-kit/
July 20, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Intuit, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. The emails pretend to be coming from Intuit’s PaymentNetwork and acknowledge the arrival of an incoming payment. In reality though, they -redirect- users to Black Hole exploit kit landing URLs where client-side exploits are served, and ultimately malware is dropped on the infected hosts.
Screenshot of the spamvertised Intuit themed malicious email:
> https://webrootblog.files.wordpress.com/2012/07/intuit_spam_email_exploits_malware.png?w=592&h=175
... Upon clicking on the links found in the email, users are exposed to the following -bogus- “Page loading…” page:
> https://webrootblog.files.wordpress.com/2012/07/intuit_spam_email_exploits_malware_01.png
- Spamvertised URLs: hxxp ://sklep.kosmetyki-nel .pl/intpmt.html; hxxp ://kuzeybebe .com/o3whbp0G/index.html; hxxp ://senzor .rs/prolintu.html
- Client-side exploits serving URLs: hxxp ://69.194.194.238/view.php?s=2acc7093df3a2945;
hxxp ://proamd-inc .com/main.php?page=8cb1f95c85bce71b;
hxxp ://thaidescribed .com/main.php?page=8cb1f95c85bce71b
- Client-side exploits served:
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH)
... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8* on the exploited hosts.
*  https://www.virustotal.com/file/dd529f7529692c2ebfe9da9eb7a83a7ac9d672782d93c6a82400aa3845cfb6b5/analysis/
SHA256: dd529f7529692c2ebfe9da9eb7a83a7ac9d672782d93c6a82400aa3845cfb6b5
File name: file
Detection ratio: 33/42
Analysis date: 2012-07-20 10:47:57 UTC
... Worm.Win32.Cridex.fb; Worm:Win32/Cridex.B. Upon execution, the sample phones back to renderingoptimization .info – 87.255.51.229, Email: pauletta_carbonneau2120 @quiklinks .com on port 443. Here is information on Intuit’s Online Security Center about this threat:
> http://security.intuit.com/alert.php?a=49 ..."
___

The Rise of the “Blackhole” Exploit Kit:
... The Importance of Keeping All Software Up To Date
- https://blogs.technet.com/b/security/archive/2012/07/19/the-rise-of-the-black-hole-exploit-kit-the-importance-of-keeping-all-software-up-to-date.aspx?Redirected=true
19 Jul 2012

  

[Malware targets Facebook users with Children’s Charity SCAM]

FYI...

Malware targets Facebook users with Children’s Charity SCAM
- https://www.trusteer.com/blog/malware-targets-facebook-users-children%E2%80%99s-charity-scam
July 24, 2012 - "We recently discovered a configuration of the Citadel malware that targets Facebook users with a fake request for donations to children’s charities in order to steal credit card data. After users have logged into their Facebook account, the Citadel injection mechanism displays a pop up that encourages the victim to donate $1 to children who “desperately” need humanitarian aid. Then, it asks users to fill in their credit card details. The malware is configured to deliver the attack based on the user's country/language settings, with web-injection pages in five different languages: English, Italian, Spanish, German and Dutch. In an interesting twist, the criminals do not reuse the same text for every language. Instead, they have customized each attack based on the victim’s country and/or region... This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children’s charities as a scam makes this attack believable and effective. Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale."
(More detail at the URL above.)

 

[Malware served using bogus ‘Hotel Reservation Confirmation’ emails]

FYI...

Malware served using bogus ‘Hotel Reservation Confirmation’ emails...
- http://blog.webroot.com/2012/07/23/cybercriminals-impersonate-booking-com-serve-malware-using-bogus-hotel-reservation-confirmation-themed-emails/
July 23, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating Booking.com, in an attempt to trick end and corporate users into downloading and executing the malicious archive attached to the emails...
Screenshot of a sample spamvertised email:
> https://webrootblog.files.wordpress.com/2012/07/hotel_reservation_spam_malware.png
... The malicious Hotel-Reservation-Confirmation_from_Booking.exe (MD5: 7b60d5b4af4b1612cd2be56cfc4c1b92 ) executable is detected... as Backdoor.Win32.Androm.cp; Mal/Katusha-F ..."
* https://www.virustotal.com/file/c57f3f74ccc38913e094480aa09593d3f28f73c48d621fe5136d4bb9f249be80/analysis/
SHA256: c57f3f74ccc38913e094480aa09593d3f28f73c48d621fe5136d4bb9f249be80
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-24
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Airline Ticket Confirmation Attachment E-mail Message - Updated July 24, 2012
Fake FedEx Shipment Notification E-mail Messages - Updated July 24, 2012
Fake Product Details Attachment E-mail Messages - New July 24, 2012 ...

 

[Malware-laced traffic ticket SPAM coming to an Inbox near you]

FYI...

Malware-laced traffic ticket SPAM coming to an Inbox near you
- http://blog.webroot.com/2012/07/25/cybercriminals-impersonate-law-enforcement-spamvertise-malware-serving-speeding-ticket-themed-emails/
July 25, 2012 - "Not fearing prosecution, cybercriminals regularly impersonate law enforcement online in an attempt to socially engineer end users and corporate users into interacting with their malicious campaigns. From 419 scams, police ransomware, to law enforcement themed malware-serving email campaigns, cybercriminals continue abusing the international branches of various law enforcement agencies... a currently spamvertised malware-serving campaign, indicating that the user has “violated red light traffic signal” and that he should download the -fake- camera recording of his vehicle attached to the email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/07/traffic_police_violation_spam_malware.png
... The attached malware*... is detected... as Trojan:W32/Agent.DTYU; Backdoor.Win32.Androm.dc..."
* https://www.virustotal.com/file/bca3da4da68a5eb9177f4882bc1803d6885e9f487587e95ee8d69169cb65f549/analysis/
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-25

- http://www.hyphenet.com/blog/2012/07/25/malware-laced-traffic-ticket-spam-coming-to-an-email-inbox-near-you/
25 July 2012
___

‘Download your USPS Label’ emails serve malware
- http://blog.webroot.com/2012/07/26/spamvertised-download-your-usps-label-themed-emails-serve-malware/
July 26, 2012

 

[Twitter targeted to spread exploits/malware serving tweets]

FYI...

Twitter targeted to spread exploits/malware serving tweets
- http://blog.webroot.com/2012/07/27/cybercriminals-target-twitter-spread-thousands-of-exploits-and-malware-serving-tweets/
July 27, 2012 - "Over the past several days, cybercriminals have been persistently spamvertising thousands of exploits and malware serving links across the most popular micro blogging service. Upon clicking on the [links], users are exposed to the exploits served by the Black Hole web malware exploitation kit...
Screenshot of a sample automatically registered account spamvertising malicious links to thousands of Twitter users:
> https://webrootblog.files.wordpress.com/2012/07/twitter_exploits_malware_blackhole_exploit_kit.png
... an automatically generated subdomain is spamvertised with an .html link consisting of the name of the prospective victim. The cybercriminals behind the campaign are harvesting Twitter user names, then automatically generating the username.html files.  For the time being, they’re only relying on two static propagation messages, namely, “It’s about уou?” and “It’s уou оn photo?“... the redirection also takes place through the following domains
hxxp ://traffichouse .ru/?2 – 176.57.209.69
hxxp ://traffichouse .ru/?5 – 176.57.209.69
Responding to the same 176.57.209.69 IP are also the following domains:
forex-shop .com
abolyn.twmail .info
pclive .ru
ecoinstrument .ru
Client-side exploits serving domain: hxxp ://oomatsu.veta .su/main.php?page=afaf1d234c788e63
Upon successful client-side exploitation, the campaign drops MD5: 5d1e7ea86bee432ec1e5b3ad9ac43cfa*  on the affected hosts. Upon execution, the sample phones back to the following URLs, where it downloads additional malware on the affected hosts:
hxxp ://112.121.178.189 /api/urls/?ts=1f737428&affid=35000
hxxp ://thanosactpetitioned .cu.cc/f/notepad.exe?ts=1f737428&affid=35000 ..."
* https://www.virustotal.com/file/139d7cad16e51e3431015756492d09482fcb07ea0168eac532a83103a62485b5/analysis/
File name: 5d1e7ea86bee432ec1e5b3ad9ac43cfa.exe
Detection ratio: 16/41
Analysis date: 2012-07-27 19:21:48 UTC

- http://nakedsecurity.sophos.com/2012/07/27/outbreak-blackhole-malware-attack-spreading-on-twitter-using-its-you-on-photo-disguise/
July 27, 2012
Sample-look-alikes...
> https://sophosnews.files.wordpress.com/2012/07/malware-tweets.jpg?w=640
> https://sophosnews.files.wordpress.com/2012/07/its-about-you1.jpg?w=640

Blackhole malware attack spreading on Twitter ...
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
July 27, 2012
Another attack by the BlackHole exploit kit reminds us that patching is most important.
Analysis: If a user clicks on these links posted to various twitter feeds, they will be redirected to a Black Hole exploit kit website that will attempt to exploit vulnerabilities on their system that can be reached through the web browser. Unpatched Java is one of the most popular attack methods these days, however a batch of other issues in technologies such as Adobe Reader, Flash and various browsers are also part of the attack strategy. Robust patching for home and enterprise users will greatly reduce the pain of such exploit kits that are based on "drive-by" exploits. The enticement tactic is always going to change, but the intent is the same - to trick the user into clicking on something and getting infected.
Source: Outbreak: http://nakedsecurity.sophos.com/2012/07/27/outbreak-blackhole-malware-attack-spreading-on-twitter-using-its-you-on-photo-disguise/
___

> http://status.twitter.com/

> http://blog.twitter.com/

   

[Olympic malware]

FYI...

More Olympic malware ...

Relay Race To Ruin: Cybercrime in the Olympics
- http://blog.trendmicro.com/relay-race-to-ruin-cybercrime-in-the-olympics/
Illegal TV Cards Allowing Free Olympic Viewing Sold Online
- http://blog.trendmicro.com/illegal-tv-cards-allowing-free-olympic-viewing-sold-online/
Bogus London Olympics 2012 Ticket Site Spotted
- http://blog.trendmicro.com/bogus-london-olympics-2012-ticket-site-spotted/
Countdown to the Olympics: Are You Safe?
- http://blog.trendmicro.com/countdown-to-the-olympics-are-you-safe/
Spammed Messages* Attempt to Cash In on London 2012 Olympics
- http://blog.trendmicro.com/spammed-messages-cash-in-on-london-2012-olympics/

* http://blog.trendmicro.com/wp-content/uploads/2012/06/londonolympics_2012_1.jpg

* http://blog.trendmicro.com/wp-content/uploads/2012/06/Londonolympics_2012_2.jpg

* http://blog.trendmicro.com/wp-content/uploads/2012/06/londonolympics_2012_3.jpg

More Olympics-related threats - Blackhat Search Engine Optimization (BHSEO)
> http://blog.trendmicro.com/more-london-olympics-related-threats/
July 29, 2012

- http://research.zscaler.com/2012/07/london-olympics-stay-away-from-scams.html
July 28, 2012
___

> http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Roxy Palace Casino Promotional Code Notification E-mail Messages - Updated July 30, 2012
Fake UPS Payment Document Attachment E-mail Messages - Updated July 30, 2012
Fake Financial Transaction Scanned Document - New July 30, 2012
Fake Bank Transfer Receipt E-mail Messages - New July 30, 2012
Fake Picture Link E-mail Messages - Updated July 30, 2012
Fake Coupon Offer E-mail Messages - Updated July 30, 2012
Fake German E-mail Billing Requests - New July 30, 2012
Fake Blocked Credit Card Notification E-mail Messages - Updated July 30, 2012
Malicious Personal Pictures Attachment E-mail Messages - Updated July 30, 2012 ...

   

[Fake CPA/AICPA emails lead to BlackHole exploit kit]

FYI...

Fake CPA/AICPA emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/08/01/spamvertised-aicpa-themed-emails-lead-to-black-hole-exploit-kit/
August 1, 2012 - "Certified public accountants, beware... Cybercriminals are currently spamvertising millions of emails impersonating AICPA (American Institute of Certified Public Accountants) in an attempt to trick users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/07/aicpa_spam_exploits_black_hole_exploit_kit.png
... Spamvertised URL: hxxp://thewebloan .com/wp-includes/notice.html
Client-side exploits serving URLs parked on the same IP (221.131.129.200) - hxxp ://jeffknitwear .org/main.php?page=8614d3f3a69b5162;
hxxp ://lefttorightproductservice .org/main.php?page=4bf5d331b53d6f15
Client-side exploits serving domains responding to the same IP:
toeplunge .org; teloexpressions .org; historyalmostany .org
Client-side exploits served:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 9.3 (HIGH)
Detection rate for a sample redirection script with MD5: fa9daec70af9ae2f23403e3d2adb1484 *
... Trojan.Script!IK; JS/Iframe.W!tr
Upon successful client-side exploitation, the campaign drops
MD5: b00af54e5907d57c913c7b3d166e6a5a ** on the affected hosts...
Trojan.PWS.YWO; Trojan-Dropper.Win32.Dapato.bmtv ..."
* https://www.virustotal.com/file/21ac3ab9b204c532329e682d5919c60e2a84373de6021c302b30671937d6fcde/analysis/1342738075/
File name: AICPA.html
Detection ratio: 4/42
Analysis date: 2012-07-19
** https://www.virustotal.com/file/6db67c907bb779510d7d66b2eade06e09b2f975a20abe09a92a035ead7328a20/analysis/
File name: b00af54e5907d57c913c7b3d166e6a5a.exe
Detection ratio: 30/39
Analysis date: 2012-07-27

 

[Fake AT&T email installs malware]

FYI...

Fake AT&T email installs malware
- http://community.websense.com/blogs/securitylabs/archive/2012/08/02/fake-att-email-installs-malware.aspx
2 Aug 2012 - "Websense... detected a massive phishing campaign targeting AT&T customers... fake emails are masquerading as billing information... Each message claims that there is a bill of a few hundreds US dollars. In itself, the amount of money could be big enough to raise suspicion in most of us. Also, it is easy to see when the mouse cursor hovers over the link that the target Web address is different from the one displayed in the text of the message...
(Screenshot of phish/fake email):
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/5126.AT_2600_T_5F00_email_5F00_campaign.png
... the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware is downloaded onto the computer that is currently not detected by most antivirus products, according to VirusTotal*..."
* https://www.virustotal.com/file/a7e62a16c47fede2772d4f4bf980cdb58b5d110887e001ab632d7f40159dfa13/analysis/
File name: 1344018262.contacts.exe
Detection ratio: 17/41
Analysis date: 2012-08-04 06:46:37 UTC
___

Fake PayPal emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/08/02/spamvertised-paypal-has-sent-you-a-bank-transfer-themed-emails-lead-to-black-hole-exploit-kit/
August 2, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign. Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/07/paypal_spam_email_bank_transfer_exploits_malware_blackhole_exploit_kit.png
... Upon clicking on the link, users are exposed to a bogus “Page loading…” page:
> https://webrootblog.files.wordpress.com/2012/07/paypal_spam_email_bank_transfer_exploits_malware_blackhole_exploit_kit_01.png
... Client-side exploits served: CVE-2010-0188; CVE-2010-1885
Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23*
Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0** on the affected hosts... cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties. PayPal has information (1) on their website to help users identify legitimate emails..."
* https://www.virustotal.com/file/8f502c765382a0f468e3caa4274dcaaf7578fa15266c2f2f6d63f3af4f71f6c5/analysis/1343139059/
File name: PayPal.html
Detection ratio: 3/40
Analysis date: 2012-07-24 14:10:59 UTC
** https://www.virustotal.com/file/132d2f289e5fd4708fc42aea8b733d620169c80177f6e739f606ca9c799d84be/analysis/
File name: file
Detection ratio: 32/41
Analysis date: 2012-08-03 10:30:40 UTC

1- https://www.paypal.com/us/webapps/mpp/security/suspicious-activity

 

[Phishing for Payroll with unpatched Java]

FYI...

Phishing for Payroll with unpatched Java
- https://isc.sans.edu/diary.html?storyid=13840
Last Updated: 2012-08-05 - "... companies that offer outsourced payroll management services have seen their name being abused for phishing scams. One prominent example is ADP, whose website [1] currently alerts their customers to four different samples of phishing emails that make the rounds and claim to be from ADP. The average recipient of such a phish would have no idea who or what ADP is, and would be highly unlikely to "click". But a HR/Payroll employee of a company that actually uses ADP services would certainly be alarmed to read, for example, that his/her access to ADP is about to be cut off:
> https://isc.sans.edu/diaryimages/sd1.JPG
... the odds are pretty high that someone who clicks on the link in the email is actually a HR/Payroll person. Combine the link with a nice fresh set of exploits that have near-zero detection in anti-virus, and you have a Get-Rich-Quick scheme for the crooks that's hard to beat...
>> https://isc.sans.edu/diaryimages/sd2.jpg
... Those who clicked nonetheless, have likely been "had" though. The shown marottamare link redirected via three other web sites, and then ended up on 50.116.36.175, a very temporary home on what looks like a rented Linux VServer. From there, the exploits were delivered, and at least one of them, Java CVE-2012-1723, is currently netting the bad guys a lot of illicit system access. Antivirus detection rate is and stays low, three days later, it is still only at -8/41- on Virustotal*. The main reason for this seems to be that the exploit packs are encoded... which means that the original attack code and payload are split up into five byte blocks, and each of these individual five bytes is encoded by XOR with a different static value... Some of the AV tools are getting better at providing generic detection for encoded CVE-2012-1723, but don't hold your breath... As for defenses:
1. PATCH your Java JRE. CVE-2012-1723** is deadly, and is widely being exploited in the wild at the moment. Even better, uninstall Java JRE completely from your computers if you can get away with it.
2. Make sure your HR and Payroll folks are treated to another round of "DONT CLICK ON THIS LINK" training. They are your first line of defense, and - given Antivirus' ineffectiveness - usually even your ONLY line of defense.
3. If you have an outsourced payroll provider, acquaint yourself with the email logs, so that you know how REAL email coming from this provider looks like. This knowledge is priceless during an incident, and might even help you to automatically -block- some of the more egregious phishes..."
* https://www.virustotal.com/file/342c92e09a8d2aa10ae40966d341d85db8a51e369bd1319ca5258d0d0c84803c/analysis/1344175361/
File name: Rooh.jar
Detection ratio: 8/41
Analysis date: 2012-08-05

[1] http://www.adp.com/about-us/trust-center/security-alerts.aspx

** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)
6/16/2012

 

[Fake LinkedIn emails serve exploits and malware]

FYI...

Fake LinkedIn emails serve exploits and malware
- http://blog.webroot.com/2012/08/08/ongoing-spam-campaign-impersonates-linkedin-serves-exploits-and-malware/
August 8, 2012 - "... cybercriminals launched the most recent spam campaign impersonating LinkedIn, in an attempt to trick LinkedIn’s users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/08/linkedin_spam_exploits_malware_blackhole_exploit_kit.png
... Spamvertised URL: hxxp ://glqzc .com/linkzane.html
Client-side exploits serving URL: hxxp ://headtoheadblaster .org/main.php?page=f6857febef53e332
Client-side exploits served: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH)
Upon successful client-side exploitation, the campaign drops MD5: 6c59e90d9c3931c900cfd2672f64aec3 *
... PWS-Zbot.gen.ajm; W32/Kryptik.BRK..."
* https://www.virustotal.com/file/278076aa570212200917b87c154c40f5d8a4f5ad57b8c57178fb2928c65bc800/analysis/
File name: 6c59e90d9c3931c900cfd2672f64aec3
Detection ratio: 24/42
Analysis date: 2012-08-09 02:17:01 UTC

 

[Document encrypting and network spreading virus]

FYI...

- https://isc.sans.edu/diary.html?storyid=13861
Last Updated: 2012-08-09 10:20:41 UTC
... Ref (1): http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/
XDocCrypt/Dorifel – Document encrypting and network spreading virus
August 9, 2012 - "... apparently none of your IT security defenses has removed it, has blocked it and neither has signaled you that there was something wrong on that system. If you were hit, you will likely start asking yourself some questions now… A properly configured IDS would have picked up the attack earlier and you would have been notified of the event. Communication to the following IP addresses might indicate malicious behavior on your system:
184.82.162.163
184.22.103.202

... Ref (2): http://www.damnthoseproblems.com/?p=599&lang=en
Latest reference 09-08-2012 Update 18:05...
... 2x IPs to block: 184.82.162.163... 184.22.103.202

 

[Fake Groupon email malware coupon]

FYI...

Fake Groupon email malware coupon
- http://blog.commtouch.com/cafe/email-security-news/your-friend-has-shared-a-groupon-malware-coupon-with-you/
Aug 9, 2012 - "A recent collection of malware emails borrows heavily from authentic mailings sent out by Groupon and LinkedIn. The outbreak is different from the blended attacks that have featured regularly in the last few months since it relies on attached malware as opposed to a link to drive-by malware. Using email templates modeled on Groupon and LinkedIn increases the chances that recipients will consider the attachment genuine and worth opening. The example below shows a Groupon “deal” found by a friend. Recipients are invited to open the attachment to view the gift details and also to forward it on to friends. All the links within the “offer” point to genuine Groupon sites.
> http://blog.commtouch.com/cafe/wp-content/uploads/Groupon-newsletter-with-malware.jpg
The attached zip file unpacks to a file named “Coupon gift.exe”. Commtouch’s Antivirus identifies the malware as W32/Trojan3.DWY. The malware attempts to download and install files from several remote servers. Only 30% of the 41 engines on VirusTotal detected the malware within a few hours of the attack...
Email text:
Hi there!
You’re going to love it
We are glad to inform you that one of your friends has found a great deal on Groupon.com!
And even shared it with you!
Yeah! Now Groupon.com gives an opportunity to share a discount gift with a friend!
Enjoy your discount gift in the attachement and share it with one of your friend as well.
All the details in the file attached. be in a hurry this weekend special is due in 2 days!"