Culture Jamming

[Malicious UPS/FedEx emails re: iPhone 5 orders]

FYI...

Malicious UPS/FedEx emails re: iPhone 5 orders ...
- http://community.websense.com/blogs/securitylabs/archive/2012/09/18/watch-out-for-malicious-ups-fedex-notifications-when-waiting-for-iphone-5.aspx
18 Sep 2012 - "The first batch of iPhone 5s will be delivered on Friday of this week... From reading discussion forums online... all orders from Apple's online store will ship with UPS... when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't.
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3288.ups_5F00_notification_5F00_1.png
...  the email contained an attached HTML page that, when loaded, displayed the page below:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3704.ups_5F00_notification_5F00_browser.png
...  the risk is great that recipients will have their guards down and will run the attached file... There's a hidden, obfuscated script on the page... it loads an iframe from a .RU domain, which is a Blackhole Exploit Kit site that pushes a banking trojan to the PC... the phrase used for the .RU domain name translates to "money on account". Banking trojan, money on account... be extra careful if you're waiting for a delivery notification, and don't run any attachments contained in those types of emails."
___

(More) Fake UPS e-mail messages ...
> http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=25171
Sep 19, 2012

 

[Fake FDIC emails serve client-side exploits and malware]

FYI...

Fake FDIC emails serve client-side exploits and malware
- http://blog.webroot.com/2012/09/19/cybercriminals-impersonate-fdic-serve-client-side-exploits-and-malware/
Sep 19, 2012 - "... cybercriminals started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus and non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised FDIC impersonating email:
> https://webrootblog.files.wordpress.com/2012/09/fdic_spam_email_malware_exploits_black_hole_exploit_kit.png
Once the user clicks on the malicious link, he’s exposed to the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress.com/2012/09/fdic_spam_email_malware_exploits_black_hole_exploit_kit_01.png
Client-side exploits serving URL: hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7 - 203.91.113.6 (AS24559)...
Upon successful client-side exploitation, the campaign drops MD5: 3ce1ae2605aa800c205ef63a45ffdbfa *
... Trojan-Ransom.Win32.Gimemo.aovu; W32.Cridex
Once executed, it attempts to phone back to 72.167.253.106 :8080/mx/5/B/in (AS26496)...
More MD5s are known to have phoned back to the same IP in the past, for instance:
MD5: 97974153c25baf5826bf441a8ab187a6 **
...Trojan.Win32.Jorik.Zbot.fxq; Gen:Variant.Zusy.17989
... and MD5: 9069210d0758b34d8ef8679f712b48aa ***
... Trojan.Winlock.6049; W32/Cridex.R ..."
* https://www.virustotal.com/file/87742fa4d67a5d142e77dbeda2cc02bd2a975bf543ea0505045b096a82068c93/analysis/
File name: b9126f7be02c682d7b1b534c928881a0aba6ae0c
Detection ratio: 25/42
Analysis date: 2012-09-16
** https://www.virustotal.com/file/4b9a4956f8c4970f1029f814f4ad97b19bb051e186318795e482d20650fa325b/analysis/
File name: test73608696665548.bin
Detection ratio: 16/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/c6c83420c4c2a64bd03463b6afd36b218aa6edb936c4ac15b9367669c354b59a/analysis/
File name: readme.exe
Detection ratio: 6/42
Analysis date: 2012-09-14
___

New Malware Sites using Blackhole Exploit Kit v2.0
- https://blog.opendns.com/2012/09/18/new-malware-sites-using-blackhole-exploit-kit-v2-0/
Sep 18, 2012

 

[LinkedIn SPAM]

FYI...

LinkedIn SPAM / 69.194.201.21
- http://blog.dynamoo.com/2012/09/linkedin-spam-6919420121.html
22 Sep 2012 - "This fake LinkedIn spam leads to malware on 69.194.201.21:
    Date:      Sat, 22 Sep 2012 15:16:47 -0500
    From:      "Reminder" [CC8504C0E@updownstudio.com]
    Subject:      LinkedIn: New messages awaiting your response
    LinkedIn
    REMINDERS
    Invitation reminders:
    From Emilio Byrd (Insurance Manager at Wolseley)
    PENDING MESSAGES
    There are a total of 88 message(-s) awaiting your response. Go to InBox now.
    This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
    Adjust your message settings.
    LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
    2012, LinkedIn Corporation.
The malicious payload is at [donotclick]69.194.201.21 /links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent."
___

Fake 'KLM e-Ticket' attempts to install backdoor
- http://community.websense.com/blogs/securitylabs/archive/2012/09/21/fake-klm-e-ticket-attempts-to-install-backdoor.aspx
21 Sep 2012 - "... malicious zipped attachment..."
___

New Malware Sites using Blackhole Exploit Kit v2.0
- https://blog.opendns.com/2012/09/18/new-malware-sites-using-blackhole-exploit-kit-v2-0/
Sep 18, 2012

 

[BBB malicious SPAM flood]

FYI...

BBB malicious SPAM flood
- http://community.websense.com/blogs/securitylabs/archive/2012/09/24/bbb-malicious-spam-flood.aspx
24 Sep 2012 - "... another barrage of malicious BBB (Better Business Bureau) complaint notifications... Websense.. has detected and intercepted a marked increase in BBB malicious email this month... In an attempt to look authentic, the messages include an official graphic from the BBB Web site but, as is often the case with malicious email campaigns, they also include suspicious grammar: "about your company possible involvement in check cashing and Money Order Scam."
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3288.BBB_2D00_Image1.png
...  a number of different subjects have been utilized for this campaign, presumably in an attempt to thwart detection, including random "Complaint IDs"...
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/3276.BBB_2D00_Image2.png_2D00_550x0.png
... As with other similar malicious campaigns with themes relating to ADP, Twitter, and LinkedIn,  the techniques, tools and redirection path that are used are pretty much the same. Tools like the Cutwail spambot and Blackhole exploit kit seem to be the main weapons used by cybercriminals in malicious spam nowadays. Redirection paths:
1) hxxp ://vargasvilcolombia .com/PykKDZe/index.html
2)<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>
</html>
3) document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';
As is very common these days, the payload for this particular campaign is the recently updated BlackHole Exploit Kit v 2.0..."
___

BBB Spam / 108.178.59.11
- http://blog.dynamoo.com/2012/09/bbb-spam-1081785911.html
24 Sep 2012 - "... most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can."

- http://centralops.net/co/DomainDossier.aspx
108.178.59.11
network:State: Italy
OriginAS: AS32475

- http://google.com/safebrowsing/diagnostic?site=AS:32475
"...  over the past 90 days, 2949 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-24, and the last time suspicious content was found was on 2012-09-24...  we found 149 site(s)... that appeared to function as intermediaries for the infection of 375 other site(s)...  We found 141 site(s)... that infected 838 other site(s)..."

 

[Twitter DMs from "friends" lead to backdoor Trojan]

FYI...

Twitter DMs from "friends" lead to backdoor Trojan
- http://nakedsecurity.sophos.com/2012/09/24/twitter-facebook-video-malware/
Sep 24, 2012 - "Have you received a Twitter message from an online friend, suggesting you have been captured in a Facebook video?... The aim of the messages? To trick the unwary into clicking on a link... and ultimately infect computers. Here is one example:
> https://sophosnews.files.wordpress.com/2012/09/twitter-hacked.jpg?w=640
... here's another. Note that there are many different combinations of wording that can be used.
> https://sophosnews.files.wordpress.com/2012/09/twitter-hacked-2.jpg?w=640
Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed". The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer.
> https://sophosnews.files.wordpress.com/2012/09/video-malware.jpg?w=640
... In this example, the program you are being invited to download is called FlashPlayerV10.1.57.108.exe, and is detected by Sophos anti-virus products as Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares. Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of -not- automatically clicking on a link just because it appeared to be sent to you by a trusted friend. If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."

 

[Evil network]

FYI...

Evil network: 108.178.59.0/26
- http://blog.dynamoo.com/2012/09/evil-network-10817859026.html
25 Sep 2012 - "There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad an should be blocked.
Singlehop have reallocated the IP range to a customer:
network: IP-Network: 108.178.59.0/26
network: State: Italy
network: Country-Code: IT ...
It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent..."

- http://centralops.net/co/DomainDossier.aspx
network: IP-Network: 108.178.59.0/26
network: State:Italy
network: Country-Code: IT
___

BBB SPAM / one.1000houses .biz
- http://blog.dynamoo.com/2012/09/bbb-spam-one1000housesbiz.html
25 Sep 2012 - "This fake BBB spam leads to malware at one.1000houses .biz:
Date:      Tue, 25 Sep 2012 11:42:18 +0200
    From:      "Better.Business Bureau" [8050910@zread.com]
    Subject:      Activity Report
    Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
    You are asked to provide response to this complaint within 7 days.
    Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
    Complaint ID#125368
    Council of Better Business Bureaus
    3033 Wilson Blvd, Suite 600
    Arlington, VA 22201
    Phone: 1 (703) 276.0100
    Fax: 1 (703) 525.8277
The malicious payload is at [donotclick]one.1000houses .biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses .biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.
Blocking 199.195.116.185 would probably be prudent..."

  

[FTC halts computer spying]

FYI...

FTC halts computer spying
* http://www.ftc.gov/opa/2012/09/designware.shtm
09/25/2012

Rent-to-own laptops were spying on users
- http://h-online.com/-1717567
26 Sep 2012 - "The US Federal Trade Commission (FTC) has settled a case with several computer rent-to-own companies and a software maker over their use of a program which spied on as many as 420,000 users of the computers. The terms of the settlement* will ban the companies from using monitoring software, deceiving customers into giving up information or using geo-location to track users. "The FTC orders today will put an end to their cyber spying" said Jon Leobowitz, FTC Chairman. The software for rental companies from DesignerWare included a "Detective Mode", a spyware application that, according to the FTC's complaint, could activate the webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data from this application was then transmitted to DesignerWare where it was then passed on to the rent-to-own companies... The FTC is limited in its actions, telling Wired**, "We don't have criminal authority. We only have civil authority" and, as this was a first violation of the FTC act, it cannot impose fines on the companies. Instead, the companies will be monitored by the FTC for compliance with the ban on using the software, or, in the case of DesignerWare, licensing it, for the next 20 years..."
** http://www.wired.com/threatlevel/2012/09/laptop-rental-spyware-scandal/

- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=14&issue=78#sID305
"Eight rental companies have agreed to the terms of a settlement with the FTC..."

   

[Spear Phishing Emails increase 56%]

FYI...

Spear Phishing Emails increase 56% ...
- http://blog.fireeye.com/research/2012/09/top-20-words-used-in-spear-phishing-emails.html
2012.09.25 - "Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises. Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails - and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to -bypass- signature and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways... In a new report from FireEye*, FireEye researchers analyze the nature of malicious files cybercriminals distribute in order to bypass traditional security defenses and identify several trends - including the most common words in file names and file extensions used in spear phishing attacks. Among these trends, in particular, FireEye researchers found:
• File names relating to shipping grew from 19.20% to 26.35%.
• Number of files referencing words associated with urgency grew from 1.72% to 10.68%.
• Shipping-related words topped the lists of most frequently appearing words in spear phishing emails for both 2H 2011 and 1H 2012.
In the security community, we’re more than familiar with the consequences stemming from these kinds of advanced cyber attacks - GhostNet, Night Dragon, Operation Aurora, and the RSA breach all originated, at least in part, via targeted spear phishing emails. These highly publicized incidents only further indicate what cybercriminals already well know and use to their advantage: email is a mode of attack that works..."

* http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf

 

[IRS SPAM]

FYI...

IRS SPAM - 3 different versions ...
- http://blog.dynamoo.com/2012/09/irs-spam-1howtobecomeabostoniancom-and.html
26 Sep 2012 - "Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian .com and the other with a malicious payload on mortal-records .net.
Date:      Wed, 26 Sep 2012 20:44:47 +0530
    From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
    To:      [redacted]
    Subject:      Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Hello,
    Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
    For detail information, please refer to:
    https ://www.irs .gov/Login.aspx?u=E8710D9E9
        Email address: [redacted]
    Sincerely yours,
    Barry Griffin
    IRS Customer Service representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535
==========
    Date:      Wed, 26 Sep 2012 11:09:45 -0400
    From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
    To:      [redacted]
    Subject:      Internal Revenue Service: For the attention of enterpreneurs
    Internal Revenue Service (IRS)
    Dear business owners,
    Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
    For the details please refer to:
    https ://www.irs .gov/ClientArea.aspx?u=1CBD0FC829256C
        Email address: [redacted]
    Sincerely yours,
    Damon Abbott
    Internal Revenue Service Representative
    Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
    You will need to use your email address to log in.
    This service is provided to you at no charge by the Internal Revenue Service (IRS).
    This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535
==========
    Date:      Wed, 26 Sep 2012 19:53:28 +0400
    From:      Internal Revenue Service [weirdpr6@polysto.com]
    To:      [[redacted]]
    Subject:      IRS report of not approved tax bank transfer
    Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
    Rejected Tax transaction
    Tax Transaction ID:     52007291963155
    Reason ID     See details in the report below
    State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)
    Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV 

Payload one is at [donotclick]1.howtobecomeabostonian .com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a -hacked- GoDaddy domain. Payload two is at [donotclick]mortal-records .net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal..."

 

[Fake iPhone sales emails/sites]

FYI...

Fake iPhone sales emails/sites ...
- http://blog.webroot.com/2012/09/27/from-russia-with-iphone-selling-affiliate-networks/
Sep 27, 2012 - "... cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns... a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network’s participants... It all starts with a spam campaign offering brand new iPhones for a decent price in an attempt by one of the network participants to acquire traffic which will ultimately convert into sales.
Sample spamvertised email offering cheap and easy-to-obtain iPhones"
> https://webrootblog.files.wordpress.com/2012/09/spam_iphone_russian_affiliate_network.png
... an example of an affiliate network participant targeting English-speaking users, even though the actual web site is targeting Russian-speaking users...
Sample screenshot of the entry page for the iPhone selling affiliate network:
> https://webrootblog.files.wordpress.com/2012/09/iphone_sale_affiliate_network.png
(More samples available at the blog.webroot URL above)...
We advise bargain hunters to avoid clicking on links found in spam emails, avoid entering their credit card details on sites found in spam emails, and to avoid purchasing -any- kind of item promoted in these emails."

 

[Intuit SPAM]

FYI... multiple entries:

Intuit SPAM - Shipment / art-london .net
- http://blog.dynamoo.com/2012/10/intuit-shipment-spam-art-londonnet.html
1 Oct 2012 - "This terminally confused Intuit / USPS / Amazon-style spam leads to malware...
Date:      Mon, 1 Oct 2012 21:31:57 +0430
From:      "Intuit Customer Service" [battingiy760@clickz.com]
To:      [redacted]
Subject:      Intuit Shipment Confirmation
Dear [redacted],
Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
Thank you for your interest.
    ORDER DETAILS    
    Order #: ID859560
Order Date: Sep 25, 2012
Item(s) In Your Order
Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217
Quantity     Item
1     Intuit Card Reader Device - Gray
Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
Shipment Information:
We sent your item(s) to the next address:
065 S Paolo Ave, App. 5A
S Maria, FL
Email: [redacted]  
    Questions about your order? Please visit Customer Service.
Return Policy and Instructions
 Privacy | Legal Disclaimer | Contact Us | About
You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications...

The malicious payload is at [donotclick]art-london .net/detects/stones-instruction_think.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domain indice-acores .net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless."
___

Fake Intuit order confirmation
- http://security.intuit.com/alert.php?a=59
10/01/2012 - "... receiving emails with the title "Your Intuit Order Notification."
Below is a copy of the email people are receiving:
> http://security.intuit.com/images/yourintuitorder.jpg
... This is the end of the fake email. Steps to Take Now: Do not click on the link in the email... Delete the email..." etc...
___

Sendspace SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/sendspace-spam-onlinebayunatorru.html
1 Oct 2012 - "I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator .ru:
    Date:      Mon, 1 Oct 2012 10:40:29 +0300
    From:      Twitter
    To:      [redacted]
    Subject:      You have been sent a file (Filename: [redacted]-9038870.pdf)
    Sendspace File Delivery Notification:
    You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).
    You can use the following link to retrieve your file:
    Download Link
    The file may be available for a limited time only.
    Thank you,
   sendspace - The best free file sharing service...

The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php hosted on the same IP address ( 84.22.96.0/19 ) as this attack* earlier today.
* http://blog.dynamoo.com/2012/10/nacha-spam-onlinebayunatorru.html
___

Evolution1 SPAM / 69.194.194.221
- http://blog.dynamoo.com/2012/10/evolution1-spam-69194194221.html
1 Oct 2012 - "I haven't seen this spam before, it leads to malware on 69.194.194.221:
 Date:      Mon, 01 Oct 2012 15:44:59 +0200
    From:      "INTUIT" [D6531193@familyhealthplans.com]
    Subject:      Information regarding Employer Contribution
    INTUIT
    Attn: Account Holder
    You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:
    http ://intuithealthemployer .lh1ondemand .com
    Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.
    Intuit Health Debit Card Powered by Evolution1 Employer Services..."

The malicious payload is on 69.194.194.221 (Solar VPS, US) ..."
___

NACHA SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/nacha-spam-onlinebayunatorru.html
1 Oct 2012 - "This fake NACHA spam leads to malware on onlinebayunator.ru:
Date:      Mon, 1 Oct 2012 04:16:46 -0500
    From:      Bebo Service [service@noreply.bebo.com]
    Subject:      Fwd: ACH Transfer rejected
    The ACH debit transfer, initiated from your bank account, was canceled.
    Canceled transaction:
    Transfer ID: FE-764029897226US
    Transaction Report: View
    Valentino Dickey
    NACHA - The Electronic Payment Association
    f0c34915-3e624bbb...

The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php  (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)
Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection."

   

[Fake ecard - unsolicited secret admirers via Email]

FYI... multiple entries:

Fake ecard - unsolicited secret admirers via Email
- http://community.websense.com/blogs/securitylabs/archive/2012/10/02/unsolicited-secret-admirers-via-email.aspx
02 Oct 2012 - "... an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer... The messages, sent from various Yahoo .com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard":
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/7776.emailbody.png_2D00_550x0.png
... a valid short Facebook URL is used which, in this case, -redirects- ... a basic JavaScript is delivered... The victim's browser is then directed to a fake ecard site hxxp ://readyourecard .com/viewmessage/?a=vip36
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.ImageFileViewer/CommunityServer.Blogs.Components.WeblogFiles.securitylabs/6303.ecard.png_2D00_550x0.png
... At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder .com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative... This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites..."
___

Fake Fax Email notifications ...
- http://www.gfi.com/blog/beware-fake-fax-email-notifications-in-circulation/
Oct 2, 2012 - "In the last few days we’ve seen this fake fax email doing the rounds, offering up a “2013 recruitment plan”:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/faxmalware1.jpg
... INCOMING FAX REPORT
*********************************************************
Date/Time: 09/28/2012 07:01:41 AM
Speed: 14400 bps
Connection time: 01:02
Pages: 2
Resolution: Normal
Remote ID: 0420950504
Line number: 2
DTMF/DID:
Description: 2013 Recruitment plan
Click here to view the file online ..."
... Clicking the link would take the user from a (dot)de domain to an IP associated with a Malware run currently taking place...  currently leads to a "page not found":
> http://www.gfi.com/blog/wp-content/uploads/2012/10/faxnotfound.jpg
... varied subject lines in this particular spam campaign – everything from recruitment plans to employment contributions and transaction reports – indicate a definite lean towards business targets rather than home users. Of course, whether at home or in the workplace you’re still potentially at risk should you click any of the links going out in this spamrun..."

 

[Fake Quickbooks emails lead to malware]

FYI...

Fake Quickbooks emails lead to malware
- http://www.gfi.com/blog/fake-quickbooks-emails-lead-to-malware-shenanigans/
Oct 3, 2012 - "We have some more rogue emails following the familiar pattern of the last few days – this time around, a fake Quickbooks themed email which promises “free shipping for Quickbooks customers”:
> http://www.gfi.com/blog/wp-content/uploads/2012/10/quickbooksspam.jpg
It points to a website that shows the end-user a “connecting to server” message, eventually redirecting to an IP address that has been / is still associated with Blackhole Exploit Kit and Java exploits.
> http://www.gfi.com/blog/wp-content/uploads/2012/10/quickbooksspam2.jpg
... it’s a bad time to be randomly opening dubious emails..."

Fake QB/IRS order forms emails
- http://security.intuit.com/alert.php?a=62
10/03/2012
> http://security.intuit.com/images/phish63.jpg
___

Something evil on 66.45.251.224/29 and 199.71.233.226
- http://blog.dynamoo.com/2012/10/something-evil-on-664525122429-and.html
3 Oct 2012 - "The IP address 199.71.233.226 (Netrouting, US) and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted... The domains listed below are on those IP addresses, all appear to be disributing malware (see example*) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat..."
Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here**).
(More info at the blog.dynamoo URL above.)

* http://www.google.com/safebrowsing/diagnostic?site=juniorppv.info
"Site is listed as suspicious... Malicious software includes 8 trojan(s)..."

** http://wepawet.iseclab.org/view.php?hash=d5821ee7ba6fd7c95f6bf07137aee3b9&t=1349259972&type=js
___

Friendster SPAM / sonatanamore .ru
- http://blog.dynamoo.com/2012/10/friendster-spam-sonatanamoreru.html
2 Oct 2012 - "Friendster.. remember that? Before Facebook.. before Myspace.. there was Friendster. This spam email is -not- from Friendster though and leads to malware on sonatanamore .ru:
Date:      Tue, 2 Oct 2012 05:39:54 -0500
    From:      Friendster Games [friendstergames@friendster.com]
    Thank you for joining Friendster! Your system generated password is 0JR8YXB1YR. You may change your password in your Account Settings Page.
    Friendster is the social gaming destination of choice. Connect and play with your friends & share your progress with your network.
    Copyright ? 2002 - 2012 Friendster, Inc. All rights reserved. Visit our site. - Terms of Service
    To manage your notification preferences, go here
    To stop receiving emails from us, you can unsubscribe here

The malicious payload is at [donotclick]sonatanamore .ru:8080/forum/links/column.php hosted on:
70.38.31.71 (iWeb, Canada)
202.3.245.13 (MANA, Tahiti)
203.80.16.81 (Myren, Malaysia)
Plain list of IPs and domains on those IPs for copy-and-pasting.
70.38.31.71, 202.3.245.13, 203.80.16.81 ..."
(More listed at the blog.dynamoo URL above.)

 

[Fake "Corporate eFax message" SPAM]

FYI...

Fake "Corporate eFax message" SPAM / 184.164.136.147
- http://blog.dynamoo.com/2012/10/corporate-efax-message-spam-184164136147.html
4 Oct 2012 - "These fake fax messages lead to malware on 184.164.136.147:
Date:      Thu, 04 Oct 2012 19:00:16 +0200
    From:      "eFax.Alert" [E988D6C@vida.org.pt]
    Subject:      Corporate eFax message - 09 pages
    Fax Message [Caller-ID: 341-498-5688]
    You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.
    * The reference number for this fax is min1_20121004190016.8673161.
    View this fax using your PDF reader.
    Click here to view this message
    Please visit www.eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
    Thank you for using the eFax service!
    Home | Contact | Login
    � 2011 j2 Global Communications, Inc. All rights reserved.
    eFax� is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax� Customer Agreement.

... The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php  which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:City:Manilla ...
It might be worth blocking 184.164.136.128/27 to be on the safe side."

- http://www.google.com/safebrowsing/diagnostic?site=AS:20454
"... over the past 90 days, 244 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2012-10-04..."
- http://www.google.com/safebrowsing/diagnostic?site=AS:32164
"... the last time suspicious content was found was on 2012-10-03... we found 1 site(s) on this network... that appeared to function as intermediaries for the infection of 14 other site(s)..."
___

Verizon Wireless SPAM / strangernaturallanguage .net
- http://blog.dynamoo.com/2012/10/verizon-wireless-spam.html
4 Oct 2012 - "This fake Verizon wireless spam leads to malware on strangernaturallanguage .net:
From:     AccountNotify whitheringj@spcollege.edu
    Date:     4 October 2012 18:52
    Subject:     Recent Notification in My Verizon
    SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
    Your informational letter is available.
    Your account # ending: XXX8 XXXX4
    Our Valued Client
    For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
    Please check your acknowledgment letter for all the information relating to your new transaction.
    View Approval Message
    In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
    Thank you for joining us .
    My Verizon is also accessible 24 hours 7 days a week to assist you with:
    Usage details
    Updating your tariff
    Add Account Users
    Pay your invoice
    And much, much more...
    © 2012 Verizon Wireless
    Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
    We respect your privacy. Please review our privacy policy for more details

The malicious payload is at [donotclick]strangernaturallanguage .net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji)..."

 

[Intuit "GoPayment" SPAM]

FYI...

Intuit "GoPayment" SPAM / simplerkwiks .net
- http://blog.dynamoo.com/2012/10/intuit-gopayment-spam-simplerkwiksnet.html
5 Oct 2012 - "This fake "Intuit GoPayment" spam leads to malware on simplerkwiks .net:
Date:      Fri, 5 Oct 2012 15:54:26 +0100
    From:      "Intuit GoPayment" [abstractestknos65@pacunion.com]
    Subject:      Welcome - you're been granted access for Intuit GoPayment Merchant
    Greetings & Congrats!
    Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
    Intuit Payment
    Account No.:     XXXXXXXXXXXXXX16
    Email Address:     [redacted]
    NOTE : Additional charges for this service may now apply.
    Next step: Confirm your User ID
    This is Very Important lets you:
    Manage your payment service in the Merchant Center
    Review charges
    Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
    The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
    Verify UserID
    Get started:
    Step 1: If you have not still, download the Intuit application.
    Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
    Easy Manage Your GoPayment System
    The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
    For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
    Please do not reply to this message. automative notification system not configured to accept incoming email.
    System Terms & Agreements     � 2012 Intuit, Inc. All rights reserved.

The malicious payload is at [donotclick]simplerkwiks.net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy .net
officerscouldexecute .org
simplerkwiks .net
strangernaturallanguage .net
buzziskin .net
art-london .net "
___

UPS SPAM / minus.preciseenginewarehouse .com
- http://blog.dynamoo.com/2012/10/ups-spam-minuspreciseenginewarehousecom.html
5 Oct 2012 - "This fake UPS spam leads to malware on minus.preciseenginewarehouse .com:
From:      "UPSBillingCenter" [512A03797@songburi.com]
    Subject:      Your UPS Invoice is Ready
    This is an automatically generated email. Please do not reply to this email address.
    Dear UPS Customer,
    New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
    Please visit the UPS Billing Center to view and pay your invoice.
    Discover more about UPS:
    Visit ups .com
    Explore UPS Freight Services
    Learn About UPS Companies
    Sign Up For Additional Email From UPS
    Read Compass Online
    (c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
    Please do not reply directly to this e-mail. UPS will not receive any reply message.
    For questions or comments, visit Contact UPS.
    This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
    Privacy Policy
    Contact UPS

The malicious payload is at [donotclick]minus.preciseenginewarehouse .com/links/assure_numb_engineers.php hosted on 174.140.165.112 ... To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent."