tech support 9

Friday, 29 November 2013

Registered Express Corporation (RGTX) pump and dump spam

Posted on 09:30 by Unknown

It's taken me a few days to get around to this due to moving house, but here's a new pump-and-dump spam run promoting a stock Registered Express Corporation (OTC:RGTX).

As ever, there are a massive number of different subjects and random body-texts, for example:

Subject: This Bottom Bouncer has taken off!Subject: Our analysis right on the MONEY!Subject: Seven Reasons To Love This

Posted in Pump and Dump, Spam | No comments

Wednesday, 27 November 2013

"ADP - Reference #274135902580" spam / Transaction.exe

Posted on 05:41 by Unknown

Is it Salesforce or ADP? Of course.. it is neither.

Date: Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]From: "support@salesforce.com" [support@salesforce.com]Subject: ADP - Reference #274135902580We were unable to process your recent transaction. Please verify your details and try again.If the problem persists, contact us to complete your order.Transaction details are shown in

Posted in ADP, EXE-in-ZIP, Malware, Spam, Viruses | No comments

Tuesday, 26 November 2013

Something evil on 46.19.139.236

Posted on 08:29 by Unknown

46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:

ihavefound.boostprep.com

Posted in 1&1, GoDaddy, Injection Attacks, Malware, Switzerland, Viruses | No comments

"You requested a new Facebook password!" spam / Recoverypassword.zip and Facebook-SecureMessage.exe

Posted on 06:13 by Unknown

This fake Facebook message comes with a malicious attachment:

Date: Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]From: Facebook [update+hiehdzge@facebookmail.com]Subject: You requested a new Facebook password!facebookHello,You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save

Posted in EXE-in-ZIP, Facebook, Malware, Spam, Viruses | No comments

Monday, 18 November 2013

0844 number scam (08445715179)

Posted on 04:48 by Unknown

This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:

ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +

Posted in Scam, SMS, Spam, Virgin Media | No comments

Friday, 15 November 2013

RingCentral "Bank of America" fax message spam / 442074293440-1116-084755-242.zip

Posted on 09:55 by Unknown

This fake fax message email has a malicious attachment:

Date:     Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From:     RingCentral [notify-us@ringcentral.com]
Subject:     New Fax Message on 11/15/2013 at 09:51:51 CST

You Have a New Fax Message

From
Bank of America

Received:
11/15/2013 at 09:51:51 CST

Pages:
5

To view this message, please open the attachment.

Thank you for

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Malware sites to block 15/11/2013 (Caphaw)

Posted on 07:16 by Unknown

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting

Posted in .SU, Canada, France, Germany, Hetzner, Intergenia, Malware, OVH, Simply Transit, Taiwan, Viruses | No comments