Topic: SPAM frauds, fakes, and other MALWARE deliveries...
« Reply #675 on: June 08, 2012, 09:20:12 »
AplusWebMaster

FYI...

Spoofed Xanga malicious emails ...
- http://community.websense.com/blogs/securitylabs/archive/2012/06/07/spoofed-xanga-malicious-emails-similar-to-craigslist-campaign.aspx
7 Jun 2012 - "Hot on the trail of yesterday's spoofed Craigslist malicious emails* comes another variant, spotted today. This one spoofs a Xanga blog notification about a comment on your blog. So far we have seen about 140,000 of these in our Cloud Email Security portal... a sample:
Subject: New Weblog comment on your post!
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/1682.mal_5F00_xanga_5F00_blur.jpg_2D00_550x0.jpg
... the "Click here to reply" link goes to this URL:
hxxp ://www.1000sovetov .kiev.ua/wp-content/themes/esp/wp-local.htm
The target site contains obfuscated JavaScript that redirects to URLs like:
hxxp ://pushkidamki .ru:8080/forum/showthread .php?page=5fa58bce769e5c2c
Those are the sites that host the exploit kit.
Basically, the lure has changed, but the URLs suggest this is all part of the same malicious campaign. We can probably expect a few more themes in the coming weeks, as the cybercriminals try to broaden their victim base..."
* http://community.websense.com/blogs/securitylabs/archive/2012/06/06/malicious-urls-in-fake-craigslist-emails.aspx

« Last Edit: June 09, 2012, 22:20:30 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
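Added example, not part of the original post or the Websense write-up: a defender-side check that scans web proxy logs for the landing-URL shape quoted above (port 8080, `/forum/showthread.php`, a `page` token) and walks the referers back to the page that led there. The log format, the host names and the rule that the token is always 16 hex digits are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shape of the exploit-kit landing URL quoted in the post:
#   <host>:8080/forum/showthread.php?page=<16 hex digits>
# Generalising from that single sample to "any host, any 16-hex token"
# is an assumption of this example.
PAGE_TOKEN = re.compile(r"^[0-9a-f]{16}$")

# Constructed proxy log: timestamp, client IP, requested URL, referer ("-" = none).
SAMPLE_LOG = """\
2012-06-07T10:01:02 10.0.0.5 http://webmail.example/inbox -
2012-06-07T10:01:09 10.0.0.5 http://compromised-blog.example/wp-local.htm http://webmail.example/inbox
2012-06-07T10:01:10 10.0.0.5 http://landing.example:8080/forum/showthread.php?page=0123456789abcdef http://compromised-blog.example/wp-local.htm
2012-06-07T10:02:00 10.0.0.9 http://forum.example:8080/forum/showthread.php?page=2 http://forum.example:8080/forum/
2012-06-07T10:03:00 10.0.0.7 http://news.example/index.html -
"""


def is_landing_url(url):
    """True if the URL has the port/path/token shape of the quoted landing URL."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port in the logged URL
        return False
    if parts.scheme != "http" or port != 8080:
        return False
    if parts.path != "/forum/showthread.php":
        return False
    tokens = parse_qs(parts.query).get("page", [])
    return len(tokens) == 1 and PAGE_TOKEN.match(tokens[0]) is not None


def parse_log(text):
    """Parse the constructed four-field log format; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, url, referer = fields
        entries.append({"ts": ts, "client": client, "url": url,
                        "referer": None if referer == "-" else referer})
    return entries


def find_redirect_chains(entries, max_hops=5):
    """For each landing-URL hit, rebuild the referer chain for that client."""
    seen = {}  # (client, url) -> referer of the most recent request for url
    hits = []
    for e in entries:
        seen[(e["client"], e["url"])] = e["referer"]
        if not is_landing_url(e["url"]):
            continue
        chain = [e["url"]]
        ref = e["referer"]
        # Walk backwards: landing page <- compromised page <- where the click came from.
        while ref and ref not in chain and len(chain) <= max_hops:
            chain.append(ref)
            ref = seen.get((e["client"], ref))
        chain.reverse()
        hits.append({"ts": e["ts"], "client": e["client"], "chain": chain})
    return hits


if __name__ == "__main__":
    for hit in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(hit["ts"], hit["client"])
        for hop in hit["chain"]:
            print("   ->", hop)
```

The second entry in each reported chain is the compromised intermediate site, which is the one to report to its owner and to block alongside the landing host.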
« Reply #676 on: June 14, 2012, 08:15:40 »
AplusWebMaster

FYI...

Pharmacy SPAM - Facebook/Digg app
- http://blog.commtouch.com/cafe/anti-spam/spammers-invent-new-facebook-digg-application-facebook-social/
June 14th, 2012 - "... a “Facebook Social Reader” for Digg – but “Facebook Social” is a neatly confusing invention of pharmacy spammers... The email welcomes users to the new service and invites them to “view profile details”:
> http://blog.commtouch.com/cafe/wp-content/uploads/facebook-social-email1.jpg
The links in the email lead to compromised websites ... Scripts hidden on these sites redirect users to the destination pharmacy site – the “Toronto Drug Store” which apparently is an “essential part of the Canadian RX Network”:
> http://blog.commtouch.com/cafe/wp-content/uploads/facebook-social-spam-website.jpg
Email text:
Thank you for registering with us at Facebook Social. We look forward to seeing you around the site.
Your profile has two different views reachable through clickable tabs:
• View My Profile: see your profile as your network does
• Edit My Profile: edit the different elements of your profile
View profile details.
What is Facebook Social Share?
Enable Facebook social sharing, and share your Digg experience with your Facebook friends. Let your friends see what you’re reading as you discover the best news around the web. Click the Social button to turn this off.

___

FAKE Classmates.com email
- http://blog.commtouch.com/cafe/malware/beware-the-phony-classmates-com-email/
June 13th, 2012 - "Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:
• Linking to multiple compromised sites which then redirect to the malware hosting sites
• Favoring WordPress sites (that can be exploited)
• Hosting the malware on various .ru domains
• Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
• Using the same Flash exploits in the malware
Previous attacks use well known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless. The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections:
> http://blog.commtouch.com/cafe/wp-content/uploads/Classmates.com-phony-email.jpg
Once again the initial link is to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. Here, a second script embedded in a forum post directs to the final .ru domain which displays the expected “Loading” message. This “double-hop” is a slight change from previous similar attacks:
> http://blog.commtouch.com/cafe/wp-content/uploads/Classmates.com-destnation-malware-site.jpg
The malware on the final site checks for PDF and Flash versions on the target PC.
• If an appropriate version is found it then redirects to a malicious SWF flash file.
• If not it redirects to google .de"

« Last Edit: June 14, 2012, 08:27:58 by AplusWebMaster »
« Reply #677 on: June 15, 2012, 07:58:52 »
AplusWebMaster

FYI...

LinkedIn SPAM serving Adobe and Java exploits
- http://pandalabs.pandasecurity.com/linkedin-spam-serving-adobe-and-java-exploits/
06/14/12 - "... email that appeared to come from LinkedIn. The email was inviting you to check your LinkedIn Inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in the attack... If we verify the “To” and “CC” fields of this email, we see about -100- other recipients.... email in question:
>> http://pandalabs.pandasecurity.com/wp-content/uploads/2012/06/ss.jpg
Subjects of this email might be: 'Relationship LinkedIn Mail', 'Communication LinkedIn Mail', 'Link LinkedIn Mail' or 'Urgent LinkedIn Mail'. No doubt the subjects of this email will vary, and are not limited to these four.
- Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.
- Suppose someone clicks on the link. What will happen exactly? This depends on the version of these programs that may be installed on your computer: Adobe Reader / Java
In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens... the exploit will begin doing its work... seems to spawn a .dll file, which in turn spawns another file.. Your machine is executing malware and is in the process of being infected... a malicious executable which will start every time the computer boots. The exploits’ source is probably the Blackhole exploit kit. The exploits in question are: CVE-2006-0003 / CVE-2010-0840
Unknown (at this point) Adobe Reader exploit
- Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. The malware will try to phone home or connect to the following IP addresses: 188.40.248.150 / 46.105.125.7 . The IPs (188.40.248.150 in particular) are part of a known botnet. The IPs are used to receive new instructions from the botherder or to download additional malware... lesson is a very important one and is one of the basics of security... Keep ALL of your software up-to-date! This means Adobe, Java, but don’t forget other software, for example VLC, Windows Media Player...This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed..."
___

> http://centralops.net/co/DomainDossier.aspx
- 188.40.248.150
Registrant-Name:Felix Preuss
Registrant-Organisation:netcup GmbH
Registrant-Street:Griesbachstrasse 5
Registrant-City:Karlsruhe
Registrant-State/Province:Germany
Registrant-Postal-Code:76185
Registrant-Country:DE ...
- 46.105.125.7
person:  Octave Klaba
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France ...

« Last Edit: June 15, 2012, 08:19:54 by AplusWebMaster »
« Reply #678 on: June 20, 2012, 06:34:42 »
AplusWebMaster

FYI...

9500 malicious sites a day found by Google
- http://h-online.com/-1621670
20 June 2012 - "Google's Safe Browsing programme, which searches for malicious sites and warns browser users when they attempt to visit them, is now five years old, and the problem of malicious sites is still as bad as ever with the system finding more than nine thousand dangerous sites a day. In a post* marking the five year anniversary, Google shared statistics on how effective the system has been... the problem of malicious sites is still growing. Google's own statistics show they are currently discovering over 300,000 phishing sites a month, the highest detection rate ever. These sites may be online for only an hour as they attempt to avoid being detected by services like Safe Browsing, and they have become more targeted both through spear phishing attacks which target particular groups of individuals and through attacks aimed at companies and banks. Phishing sites are also likely to try and get the user to install some malware. Malware distribution through compromised innocent sites is still commonplace, but according to Google, attack web sites built specifically to deliver malware to victims are being used in increasing numbers. While these attacks have used drive-by downloads and other technical mechanisms to deploy the malware, Google notes that social engineering attacks, while still behind drive-by attacks in frequency, are a rapidly growing category. Google asks that people don't ignore their warnings when they see them in the browser..."
* http://googleonlinesecurity.blogspot.co.uk/2012/06/safe-browsing-protecting-web-users-for.html
(Charted)

« Reply #679 on: June 22, 2012, 04:06:14 »
AplusWebMaster

FYI...

Zeus-SpyEye ATS module masks online Banking Theft
Automated attack bypasses two-factor authentication
- http://www.darkreading.com/taxonomy/index/printarticle/id/240002267
Jun 18, 2012 - "A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. Security researchers at Trend Micro during the past few months have studied a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even if it includes strong authentication. So far, the so-called automatic transfer systems (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication is used via SMS..."
* http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_automating_online_banking_fraud.pdf

- http://www.infosecisland.com/blogview/21690-Ever-More-Sophisticated-Malware-Targets-Online-Banking.html
June 21, 2012 - "... it is possible to detect various active ATSs in the wild that are based on a common framework used by cybercriminals to conduct automated fraud. Typically the schemes use phishing emails with links to tainted pages, malware attachments or drive-by download attacks from malicious or even compromised legitimate sites..."

« Reply #680 on: June 25, 2012, 07:09:41 »
AplusWebMaster

FYI...

AutoCAD malware - targeted for Industrial Espionage
- https://isc.sans.edu/diary.html?storyid=13549
Last Updated: 2012-06-25 04:19:38 UTC - "A number of sites have published an analysis of relatively new malware, ACAD/Medre.A*... somewhat unique in that it seems to be highly targeted and specialized. The current version of ACAD/Medre.A seems to be targeted at AutoCAD files hosted at IP addresses in Peru. ACAD/Medre.A is not just thrown together, low quality malware. Analysis reveals it is well written; at a level that suggests an experienced malware writer wrote it... Either it is a limited test of a new malware concept that will be unleashed on the general world in the future. The malware is written using AutoLISP, the AutoCAD built in scripting language. To the best of my knowledge the first malware written in this language. Another possibility is that it is a targeted intellectual property attack by one of the organized malware groups..."
* http://thehackernews.com/2012/06/virus-specialized-for-autocad-perfect.html
6/24/2012

- http://www.gfi.com/blog/worm-found-in-peru-systems-was-stealing-data/
June 25, 2012
___

> http://blog.eset.com/2012/06/21/acadmedre-a-technical-analysis-2
June 22, 2012

Removal tool here: http://download.eset.com/special/EACADMedreCleaner.exe

« Last Edit: June 25, 2012, 09:52:35 by AplusWebMaster »
« Reply #681 on: June 26, 2012, 05:34:51 »
AplusWebMaster

FYI...

UPS delivery tracking SPAM emails serving client-side exploits and malware
- http://blog.webroot.com/2012/06/25/spamvertised-your-ups-delivery-tracking-emails-serving-client-side-exploits-and-malware/
June 25, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails... Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507...
> https://www.virustotal.com/file/267a95ad845dfddcea93bc915a8569ef5f9085d7a93d47a3896b29aa636d726e/analysis/1339706944/
File name: Shipping, Freight, Logistics and Supply Chain Management from UPS.htm
Detection ratio: 2/42
Analysis date: 2012-06-14 20:49:04 UTC
... Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:
%AppData%\KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA - detected by 3 out of 42 antivirus scanners as PAK_Generic.001
Upon execution, the sample phones back to 123.49.61.59 /zb/v_01_b/in on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back..."
(More detail at the webroot URL above.)

« Reply #682 on: June 26, 2012, 09:22:04 »
AplusWebMaster

FYI...

Fake PayPal account confirmation emails lead to phishing sites
- http://blog.webroot.com/2012/06/26/spamvertised-confirm-paypal-account-notifications-lead-to-phishing-sites/
June 26, 2012 - "... Phishers have just started spamvertising hundreds of thousands of legitimately-looking PayPal themed emails, in an attempt to trick users into entering their accounting data on the fraudulent web site linked in the emails...
Screenshot of the spamvertised PayPal themed campaign:
> https://webrootblog.files.wordpress.com/2012/06/phishing_email_paypal.png?w=458&h=250
... Sample spamvertised text:
Dear PayPal Costumer, It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records before June 12, 2012. Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.
Upon clicking on the link found in the phishing emails, users are presented with the following legitimately-looking PayPal login page:
> https://webrootblog.files.wordpress.com/2012/06/phishing_email_paypal_02.png
Users are advised to avoid interacting with the emails, and to report them as fraudulent/malicious as soon as they receive them."

« Reply #683 on: June 28, 2012, 10:02:28 »
AplusWebMaster

FYI...


Red - Virus Outbreak In Progress
- http://www.ironport.com/toc/

Real-time Outbreak Details
> http://tools.cisco.com/security/center/threatOutbreak.x?i=77
June 29, 2012
___

Bogus online casino themed emails serving W32/Casonline
- http://blog.webroot.com/2012/06/28/spamvertised-bogus-online-casino-themed-emails-serving-w32casonline/
June 28, 2012

Fake Delta email leads to Sirefef, Fake AV
- http://www.gfi.com/blog/fake-delta-email-leads-to-sirefef-fake-av/
June 27, 2012

Fake DHL emails serving malware
- http://blog.webroot.com/2012/06/26/spamvertised-dhl-express-parcel-tracking-notification-emails-serving-malware/
June 26, 2012

« Last Edit: June 30, 2012, 09:56:30 by AplusWebMaster »
« Reply #684 on: July 03, 2012, 09:41:09 »
AplusWebMaster

FYI...

Garbage print jobs...
- http://www.symantec.com/connect/blogs/printer-madness-w32printlove-video
July 2, 2012 - "...we have received several customer issues about garbage being printed on their network printers... we came across a new -worm- that causes the garbage print jobs. Symantec detects this worm as W32.Printlove. W32.Printlove uses the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE 2010-2729)* discovered in 2010 to spread across networks. We have created a video..."
* https://technet.microsoft.com/en-us/security/bulletin/MS10-061
MS10-061 - Critical
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
September 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2729 - 9.3 (HIGH)
Last revised: 07/19/2011 - "... as exploited in the wild in September 2010, aka 'Print Spooler Service Impersonation Vulnerability'."

- https://isc.sans.edu/diary.html?storyid=13519
Last Updated: 2012-06-21
___

- http://h-online.com/-1632779
5 July 2012

« Last Edit: July 05, 2012, 05:17:26 by AplusWebMaster »
« Reply #685 on: July 04, 2012, 13:56:48 »
AplusWebMaster

FYI...

GoPro is compromised serving malicious code
- http://community.websense.com/blogs/securitylabs/archive/2012/07/04/the-official-website-of-gopro-is-compromised-and-serves-malicious-code.aspx
4 Jul 2012 - "... Websense... has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them... The injected code is resident in multiple locations on the main page. This injection is part of mass injection that is known to us and that is doing its rounds over the web at the moment... Once a user visits gopro .com the injected code gets translated to an Iframe that leads the user automatically and without any interaction to a malicious redirector at ad.fourtytwo.proadvertise .net ... The malicious redirector at ad.fourtytwo.proadvertise .net further redirects the user to an exploit Website loaded with the Blackhole exploit kit located at ad.banchoath .com. On the exploit website several exploits are sent to the user's browser and on successful exploitation the user's machine is infected with malware, at the time of the post... according to virustotal...
* https://www.virustotal.com/file/f27730348e7d286e3f2000eee4ee8ba1746f18b58fb93616de81590b1ad6b46b/analysis/
File name: !r033PlxM.exe
Detection ratio: 4/42
Analysis date: 2012-07-04 17:44:13 UTC
... The injected code translates to an Iframe that takes without user interaction the visitor to an exploit Website..."
___

- http://google.com/safebrowsing/diagnostic?site=proadvertise.net/
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 1 trojan...

- http://google.com/safebrowsing/diagnostic?site=banchoath.com/
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 7 trojan(s)...

« Last Edit: July 04, 2012, 16:26:32 by AplusWebMaster »
« Reply #686 on: July 05, 2012, 08:12:01 »
AplusWebMaster

FYI...

Java exploit-in-the-wild ...
- https://krebsonsecurity.com/2012/07/new-java-exploit-to-debut-in-blackhole-exploit-kits/
July 5, 2012 - "... more than 3 billion devices run Java and many of these installations are months out of date... a malicious “.jar” file that — when scanned at Virustotal.com — was detected by just -one- antivirus product (Avira), which flagged it as Java/Dldr.Lamar.BD*. The description of that threat says it targets a Java vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5**..."
* https://www.avira.com/en/support-threats-summary/tid/7558/threat/Java%252FDldr.Lamar.BD

** http://boards.cexx.org/index.php?topic=15451.msg83613#msg83613

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)

Verify: https://www.java.com/en/download/installed.jsp?detect=jre&try=1
___

- http://h-online.com/-1636577
11 July 2012

Ongoing...
- https://threatpost.com/en_us/blogs/black-hole-exploit-kit-targeting-java-cve-2012-1723-flaw-071612
July 16, 2012 - "... Websense* said that they've seen the Black Hole exploit kit targeting this vulnerability and using a series of freshly registered domains... The vulnerability could evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions..."
* http://community.websense.com/blogs/securitylabs/archive/2012/07/15/new-spear-of-blackhole-java-vulernatibily-cve-2012-1723.aspx
15 Jul 2012

« Last Edit: July 17, 2012, 04:52:37 by AplusWebMaster »
« Reply #687 on: July 10, 2012, 04:59:51 »
AplusWebMaster

FYI...

Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail ...
- http://blog.webroot.com/2012/07/09/phishing-campaign-targeting-gmail-yahoo-aol-and-hotmail-spotted-in-the-wild/
July 9, 2012 - "... intercepted a currently active phishing campaign that’s a good example of a popular tactic used by cybercriminals known as ‘campaign optimization’. The reason this campaign is well optimized is due to the fact that it simultaneously targets Gmail, Yahoo, AOL and Windows Hotmail email users... Sample screenshot of the spamvertised phishing email:
> https://webrootblog.files.wordpress.com/2012/07/phishing_campaign_gmail_yahoo_aol_hotmail.png?w=333&h=159
Spamvertised URL hosted on a compromised Web server: tanitechnology .com/fb/includes/examples/properties/index .htm - the URL is currently -not- detected by any of the 28 phishing URL scanning services used by the VirusTotal service. Sample screenshot of the landing phishing page affecting multiple free email service providers:
> https://webrootblog.files.wordpress.com/2012/07/phishing_campaign_gmail_yahoo_aol_hotmail_01.png?w=280&h=320
What makes an impression is the poor level of English applied to the campaign’s marketing creative. Moreover, it’s rather awkward to see that the landing phishing page is themed using the Online Real Estate brand Remax, a brand that has nothing to do with the enforcement of a particular marketing message related to the phishing campaign. Users are advised to avoid interacting with similar pages, and to always ensure that they’re on the right login page before entering their accounting data."

« Reply #688 on: July 11, 2012, 08:58:00 »
AplusWebMaster

FYI...


Red - Virus Outbreak In Progress
- http://www.ironport.com/toc/
July 11, 2012

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Personal Photos E-mail Messages... Updated   July 11, 2012
Fake Portuguese Contract Confirmation Email Messages... New July 11, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages... Updated    July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012
Unknown Malicious Files Distributed in E-mail Messages... New July 11, 2012
Fake USPS Parcel Delivery Failure Notification E-mail Messages... Updated July 11, 2012
Fake Warning Notification E-mail Messages... Updated July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012 ...

« Reply #689 on: July 13, 2012, 06:17:31 »
AplusWebMaster

FYI...

Blended attacks in Q2 2012
- http://www.commtouch.com/threat-report-july-2012/
July 12, 2012 - "Commtouch’s quarterly Internet Threats Trend Report covers Web threats, phishing, malware, and spam. The July 2012 report describes how distributors of malware, spam and phishing attacks are relying more and more on compromised websites. This tactic is designed to outwit email security and Web security systems that consider a site’s reputation before blocking it. Legitimate websites with positive online reputations but with deficient plugins and known vulnerabilities were harvested en masse in the second quarter of 2012 to host redirects, malware, pharmacy sites and phony login pages. The hacked websites were combined with effective social engineering that exploited multiple well-known brands to draw in victims. Similar branding tricks were used to distribute malware via email attachments. The popular file synchronization and sharing site Dropbox was also used as a malware distribution point in an attack promising free movie tickets..."
(More detail in slideshow at the URL above.)

> http://images.slidesharecdn.com/commtouchjuly2012internetthreatstrendreport-120712083747-phpapp01/95/slide-5-728.jpg

> http://images.slidesharecdn.com/commtouchjuly2012internetthreatstrendreport-120712083747-phpapp01/95/slide-7-728.jpg

> http://images.slidesharecdn.com/commtouchjuly2012internetthreatstrendreport-120712083747-phpapp01/95/slide-8-728.jpg

> http://images.slidesharecdn.com/commtouchjuly2012internetthreatstrendreport-120712083747-phpapp01/95/slide-27-728.jpg

> http://images.slidesharecdn.com/commtouchjuly2012internetthreatstrendreport-120712083747-phpapp01/95/slide-28-728.jpg

- http://www.commtouch.com/download/2336
PDF

- http://blog.commtouch.com/cafe/data-and-research/infographic-blended-attacks-in-q2-2012/
July 12, 2012 - Infographic
___

2012 June Symantec Intelligence Report - slideshow:
- http://www.slideshare.net/symantec/2012-june-symantec-intelligence-report
Jul 06, 2012

« Last Edit: July 13, 2012, 12:11:27 by AplusWebMaster »