tech support 9


Friday, 29 November 2013

Registered Express Corporation (RGTX) pump and dump spam

Posted on 09:30 by Unknown


It's taken me a few days to get around to this due to moving house, but here's a new pump-and-dump spam run promoting a stock, Registered Express Corporation (OTC:RGTX).

As ever, there are a massive number of different subjects and random body-texts, for example:

Subject: This Bottom Bouncer has taken off!
Subject: Our analysis right on the MONEY!
Subject: Seven Reasons To Love This
Posted in Pump and Dump, Spam | No comments

Wednesday, 27 November 2013

"ADP - Reference #274135902580" spam / Transaction.exe

Posted on 05:41 by Unknown


Is it Salesforce or ADP? Of course.. it is neither.


Date:      Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      ADP - Reference #274135902580

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in
Posted in ADP, EXE-in-ZIP, Malware, Spam, Viruses | No comments

Tuesday, 26 November 2013

Something evil on 46.19.139.236

Posted on 08:29 by Unknown


46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks that utilise hijacked legitimate domains. The domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:

ihavefound.boostprep.com
Posted in 1&1, GoDaddy, Injection Attacks, Malware, Switzerland, Viruses | No comments

"You requested a new Facebook password!" spam / Recoverypassword.zip and Facebook-SecureMessage.exe

Posted on 06:13 by Unknown



This fake Facebook message comes with a malicious attachment:


Date:      Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password!

facebook

Hello,

You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save
Posted in EXE-in-ZIP, Facebook, Malware, Spam, Viruses | No comments

Monday, 18 November 2013

0844 number scam (08445715179)

Posted on 04:48 by Unknown


This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:


ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +
Posted in Scam, SMS, Spam, Virgin Media | No comments

Friday, 15 November 2013

RingCentral "Bank of America" fax message spam / 442074293440-1116-084755-242.zip

Posted on 09:55 by Unknown


This fake fax message email has a malicious attachment:


Date:      Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From:      RingCentral [notify-us@ringcentral.com]
Subject:      New Fax Message on 11/15/2013 at 09:51:51 CST

You Have a New Fax Message

From
Bank of America

Received:
11/15/2013 at 09:51:51 CST

Pages:
5
   
To view this message, please open the attachment.

Thank you for
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Malware sites to block 15/11/2013 (Caphaw)

Posted on 07:16 by Unknown


Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting
Posted in .SU, Canada, France, Germany, Hetzner, Intergenia, Malware, OVH, Simply Transit, Taiwan, Viruses | No comments

Thursday, 14 November 2013

Malware sites to block 14/11/2013 (Caphaw)

Posted on 03:46 by Unknown


These domains and IPs appear to be involved in a Caphaw malware attack, such as this one. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.

Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178
Posted in Germany, Hetzner, Malware, Viruses | No comments

Wednesday, 13 November 2013

The EXE-in-ZIP spam storm continues

Posted on 13:31 by Unknown


Two more EXE-in-ZIP spams. The first is a terse one with a subject of "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" and not much else, with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment that has a VirusTotal score of 7/46 and calls home [1] [2] [3] to amandas-designs.com on 80.179.141.8 (012 Smile Communications Ltd., Israel).

The second one is a fake Wells Fargo
Posted in EXE-in-ZIP, Malware, Spam | No comments

PayPal "Identity Issue" spam / Identity_Form_04182013.zip

Posted on 03:19 by Unknown


This fake PayPal (or is it Quickbooks?) spam has a malicious attachment:


Date:      Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-679-223-724-838

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to
Posted in EXE-in-ZIP, Malware, PayPal, Spam, Viruses | No comments

"Rodrigo Sawyer and Associates" fake job offer

Posted on 01:32 by Unknown


This laughably primitive fake job offer is recruiting for money mules, package reshipping or some other scam.


From:     RSA-CAREER! [anthonykather1@gmail.com]
Reply-To:     anthonykather1@gmail.com
Date:     12 November 2013 20:43
Subject:     please read

Hi...  We Have a PT/job. we pay $250 per job and we want you to participate.
Your job is only to act as a regular customer and conduct normal
Posted in Job Offer Scams, Spam | No comments

Tuesday, 12 November 2013

"2012 and 2013 Tax Documents; Accountant's Letter" spam / tax 2012-2013.exe

Posted on 12:23 by Unknown


This fake tax spam comes with a malicious attachment:


Date:      Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      FW: 2012 and 2013 Tax Documents; Accountant's Letter

I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"Important - New Outlook Settings" spam / Outlook.zip

Posted on 07:55 by Unknown


This spam email has a malicious attachment:


Date:      Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From:      Undisclosed Recipients
Subject:      Important - New Outlook Settings

Please carefully read the attached instructions before updating settings.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"You have received new messages from HMRC" spam, HMRC_Message.zip and qualitysolicitors.com

Posted on 06:47 by Unknown


This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors.com:


Date:      Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised
Posted in EXE-in-ZIP, HMRC, Malware, Spam, Viruses | No comments

Dynamic DNS sites you might want to block, 12/11/13

Posted on 03:03 by Unknown


These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is abused by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following.

Dyn are pretty good at dealing with abuse complaints (you can contact them here). Blocking these domains will
Posted in Dynamic DNS, Malware | No comments

Monday, 11 November 2013

"Identity Issue #PP-716-097-521-587" spam / Identity_Form_04182013.zip

Posted on 08:05 by Unknown


For some reason EXE-in-ZIP attacks are all the rage at the moment. Here is a spam pretending to be from PayPal with a malicious attachment:


Date:      Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-716-097-521-587

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms
Posted in EXE-in-ZIP, Malware, PayPal, Spam, Viruses | No comments

"To all Employees - Confidential Message" spam / To All Employees 2013.zip.exe

Posted on 05:30 by Unknown


This fake "all employees" email comes with a malicious attachment:


Date:      Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
From:      DocuSign Service [dse@docusign.net]
Subject:      To all Employees - Confidential Message

Your document has been completed
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"Consumer Benefit Ltd" adware sites to block

Posted on 03:53 by Unknown


A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report) both in C:\WINDOWS\SYSTEM32.

The blocks are 212.19.36.192/27 and 82.98.97.192/28 and are allocated to:

netname:        Consumer-Benefit-AV-NET
descr:          Consumer Benefit LTD
descr:          Suite F 1st floor, New City Chambers
descr:          36 Wood 
Posted in Adware | No comments

Sunday, 10 November 2013

"African Development Humanitarian Council" (adhcouncil.org) scam

Posted on 09:53 by Unknown


This spam promotes the non-existent African Development Humanitarian Council purportedly with a web address of adhcouncil.org:


From:     camara amadu [camaraamadu9@gmail.com]
To:     davisaentltd@rediffmail.com
Date:     10 November 2013 14:23
Subject:     FOOD STUFF NEEDED URGENTLY
Signed by:     gmail.com

African Development Humanitarian Council
http://www.rediffmail.com/cgi-bin/red.cgi?
Posted in Advanced Fee Fraud, Scam, Spam | No comments

Friday, 8 November 2013

"Voicemail Message" spam / MSG00049.zip and MSG00090.exe

Posted on 10:55 by Unknown


Another day, yet another fake voicemail message spam with a malicious attachment:

Date:      Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
From:      Voicemail [user@victimdomain.com]
Subject:      Voicemail Message

IP Office Voicemail redirected message
Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47.
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Malware sites to block 8/11/2013 (Nuclear EK)

Posted on 07:58 by Unknown


The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google.

The domains are being used with subdomains, so they don't resolve directly. I have identified 3768 domains in this OVH
Posted in Evil Network, Malware, Viruses | No comments

Thursday, 7 November 2013

Fake "Financial Times Survey Team" spam / ft-survey.com and AlfainHost

Posted on 14:57 by Unknown


This fake Financial Times spam is a bit of a mystery:


From: The Financial Times [mailto:ft448516@surveymonkey.com]
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help


Dear British businessman,

We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.

As you are currently aware David Cameron on Monday
Posted in Hungary, Pakistan, Scam, Spam | No comments

"You received a voice mail" spam / Voice_Mail.exe

Posted on 07:41 by Unknown


This fake voice mail spam has a malicious attachment:


Date:      Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From:      Microsoft Outlook [no-reply@victimdomain.net]
Subject:      You received a voice mail

You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)

Caller-Id: 698-333-5643
Message-Id: 80956-84B-12XGU
Email-Id: [redacted]

This e-mail contains a
Posted in EXE-in-ZIP, Malware, Singapore, Spam, Viruses | No comments

Wednesday, 6 November 2013

"Voice Message from Unknown" spam / VoiceMail.zip

Posted on 07:12 by Unknown


This fake voice mail spam comes with a malicious attachment:


Date:      Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From:      Administrator [voice9@victimdomain]
Subject:      Voice Message from Unknown (886-966-4698)

- - -Original Message- - -
From: 886-966-4698
Sent: Wed, 6 Nov 2013 22:22:28 +0800
To: recipients@victimdomain
Subject:  Private Message
The email appears to come from an email
Posted in EXE-in-ZIP, Malware, Spam, Viruses, Xeex | No comments

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

Posted on 06:24 by Unknown


This fake invoice email leads to a malicious Word document:


From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :

Your invoice is attached to the link below:

[donotclick]http://www.vantageone.co.uk/invoice17731.doc

Please remit payment at your earliest convenience.

Thank you for your
Posted in Endurance International Group, Malware, Microsoft, Spam, Viruses | No comments

Tuesday, 5 November 2013

USPS spam / Label_442493822628.zip

Posted on 07:48 by Unknown


This fake USPS spam has a malicious attachment:


Date:      Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From:      USPS Express Services [service-notification@usps.gov]
Subject:      USPS - Missed package delivery

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 442493822628

Print this label to get this package at our post
Posted in EXE-in-ZIP, Malware, Spam, USPS, Viruses | No comments

"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip

Posted on 07:39 by Unknown


This fake ACH (or is it Paychex?) email has a malicious attachment:


Date:      Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From:      "Paychex, Inc" [paychexemail@paychex.com]
Subject:      ACH Notification : ACH Process End of Day Report

Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular
Posted in EXE-in-ZIP, Malware, Spam, Viruses, Zbot | No comments

Monday, 4 November 2013

"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe

Posted on 07:48 by Unknown


This fake SAGE spam has a malicious attachment:


Date:      Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From:      Payroll Reports [payroll@sage.co.uk]

Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.

Sincerely,
Bernice Swanson

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.
CONFIDENTIAL
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

CCDCOE.org "Information Security Audit" spam

Posted on 03:59 by Unknown
Here's a weird spam email..


From: CCDCOE [mailto:ccdcoe@ccdcoe.org]
Sent: Monday, November 04, 2013 12:16 PM
Subject: Information Security Audit

Dear Sir,

I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence conducted an information security audit of the network infrastructure of your organization. It was carried out as part of exercise Steadfast Jazz 2013.
Our
Posted in Estonia, NATO, Spam | No comments