Showing posts with label Apple.

Monday, 7 December 2015

Malware spam: "Your receipt from Apple Store, Manchester Arndale" / "manchesterarndale@apple.com"

This fake receipt does not come from an Apple Store, but is instead a simple forgery with a malicious attachment:

From:    manchesterarndale@apple.com
Date:    7 December 2015 at 09:43
Subject:    Your receipt from Apple Store, Manchester Arndale

Thank you for shopping at the Apple Store.

To tell us about your experience, click here.

Attached is a file emailreceipt_20150130R2155644709.xls which in the sample I analysed has a VirusTotal detection rate of 6/53.

According to this Malwr report, the attachment downloads a malicious binary from:

steveyuhas.com/~steveyuhas/87tr65/43wedf.exe

This has a VirusTotal detection rate of precisely zero. The VirusTotal and Malwr reports indicate network traffic to:

23.113.113.105 (AT&T Internet Services, US)

This is the same IP as seen in this earlier spam run, and I strongly recommend that you block it. The payload is likely to be the Dridex banking trojan.

Thursday, 19 September 2013

Apple (AAPL) pump-and-dump spam

A pump and dump spam trying to move Apple (AAPL) stock? Really? I don't think a spam run is going to have much effect on a $473 share in a company worth $420bn.

From: lpskann@scminvest.com
Subject: This Company continues to surge, could new highs be ahead?

Apple has presented its new models - iPhone 5S and iPhone 5C,
which actually have not moved the providers of financing. But, we
got to hear about the confidential novelty, which is created in
Cupertino (the Main Office of the Apple Company). This specialty
will be of interest for everyone. Through just a year, everybody
will utilize it. Namely now the time is ripe to acquire the
Apple's securities. Their value will be quick increased!!!

#goodluckwiththat - here's another one:

From: h.strutzmann@raymondjames.com
Subject: This Company is Hot and Premarket analysis is ready

The new-developed models, i.e. iPhone 5S and iPhone 5C, have
been recommended by the Apple Company. Nevertheless the
products have not impressed the business sponsors.
Nevertheless, we have learned about the secret new product,
which is being worked out in Cupertino, the Main Office of
the Apple Company, which will be required by a wide
audience. (It is going to be put in use by everybody duting
the course of only one year). Now it's about time to take
possession of the shareholding of Apple, because quite soon
they will go up in value!

A third sample adds the stock ticker symbol:

Subject:      Advanced Trading Alert Notice

Apple Company (Nasdaq:AA PL) has shown its new-developed models - iPhone
5S and iPhone 5C, which indeed have been not very impressive for the
providers of capital. Still, we got the wind of the confidential new
product, which is created in Cupertino (the Principal Business Place of
the Apple). This new product will be needed by all the people. During
just one year, all the people will put in use the product. Presently it's
high time to obtain the Apple's securities. Their price will grow quite
soon.

And here are some more rather ungrammatical auto-generated examples:

The providers of financing have not been struck by the
new-developed models, i.e. iPhone 5S and iPhone 5C, which have
been introduced by the Apple. Still, we have got the wind of
the fact that in Cupertino (the Apple's Headquarter), a
confidential innovation is being created. The item will be
popular for all the people. It will be wide put on within just
a year. Right now is the perfect timing for acquiring the
shares of the Apple. Very soon these shares of stock will
increase high in value.

The financiers have not been struck by the new-developed products, i.e.
iPhone 5S and iPhone 5C, which have been shown by the Apple. But, we have
got to hear that in Cupertino (the Apple's Headquarter), a non-public
newcomer is being designed. The item will be required by all the people. It
will be wide put on in just a year. Now is the right time for purchasing
the equity of the Apple. Fast these shareholding will grow high in price.

iPhone 5S and iPhone 5C present the fresh items, which were shown by the
Apple Company (Nasdaq:AA_PL). Nevertheless, these products have little
effect on the providers of financing. All the same, we got to learned that
in Cupertino (where the Apple's Principal Business Office is located), an
undercover recent development gadget is being elaborated. Namely this
novelty will be of interest for everybody (the recent development will be
applied by all the people within the course of one year). The Apple's equity
shall be purchased right at the moment, as fast they will increase in price!

Apple Company (Nasdaq:AAP-L) has offered its latter-day
products - iPhone 5S and iPhone 5C, which actually have
little effect on the backers. However, we got the wind of
the undercover innovation, which is produced in Cupertino
(the General Headquarter of the Apple). This recent
development will be needed by everybody. Within only one
year, everyone will utilize it. Namely now it's about time
to get hold of the Apple's shareholding. Their price will
grow quite soon!!!

Apple Company (Nasdaq:A-A_P L) has presented its new models - iPhone 5S
and iPhone 5C, which indeed have not struck the fund clients. All the
same, we got to learned about the undercover novelty, which is designed
in Cupertino (the Principal Place of Business of the Apple Company).
This new product will be required by all the people. During the course
of just a year, everybody will put on it. The present moment the time is
ripe to get hold of the Apple's shares. Their price will soon grow.

The Apple Company (Nasdaq:A-A-PL) has introduced its new products - iPhone 5S
and iPhone 5C, which truly have little impression on the fund clients. But,
we got to learned about the private newcomer, which is created in Cupertino
(the General Headquarter of the Apple Company). This recent development will
be of interest for everyone. During just a year, everyone will use it. Right
now is the time to obtain the Apple's equity. Their price will grow quite
soon. 
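Every sample above writes the ticker with filler characters (AA PL, AA_PL, AAP-L, A-A_P L, A-A-PL) so that a filter looking for the literal string AAPL never sees it. The Python below is an added example, not code from the original post: it pulls an exchange-prefixed ticker out of a line, strips the separators to recover the real symbol, and flags lines whose normalised symbol is on a watch list while recording whether the symbol was padded. The sample lines and the watch list are constructed for the demonstration.

```python
import re

# Constructed sample lines modelled on the ticker spellings quoted in the spam above,
# plus one unobfuscated control line that must not be flagged as AAPL.
SAMPLE_LINES = [
    "Apple Company (Nasdaq:AA PL) has shown its new-developed models",
    "Apple Company (Nasdaq:AA_PL). Nevertheless, these products have little effect",
    "Apple Company (Nasdaq:AAP-L) has offered its latter-day products",
    "Apple Company (Nasdaq:A-A_P L) has presented its new models",
    "The Apple Company (Nasdaq:A-A-PL) has introduced its new products",
    "Quarterly report for Nasdaq:MSFT is attached",
]

# An exchange prefix, a colon, then one to five capital letters that may be separated
# by spaces, hyphens or underscores. The lookahead stops the match running into the
# next word, and the ticker letters are deliberately case-sensitive so lower-case
# prose is never swallowed as part of a symbol.
TICKER_RE = re.compile(
    r"\b((?i:nasdaq|nyse|otc))\s*:\s*((?:[A-Z][ _\-]*){1,5})(?![A-Za-z])"
)
SEPARATORS = re.compile(r"[ _\-]+")


def extract_tickers(text):
    """Return (exchange, raw_text, normalized_symbol) for every ticker mention in text."""
    found = []
    for m in TICKER_RE.finditer(text):
        raw = m.group(2).strip(" _-")
        normalized = SEPARATORS.sub("", raw)
        found.append((m.group(1).upper(), raw, normalized))
    return found


def scan_lines(lines, watchlist=("AAPL",)):
    """Flag lines mentioning a watched symbol, noting whether it was padded with filler characters."""
    hits = []
    for line in lines:
        for exchange, raw, symbol in extract_tickers(line):
            if symbol in watchlist:
                hits.append({
                    "line": line,
                    "exchange": exchange,
                    "raw": raw,
                    "symbol": symbol,
                    "obfuscated": raw != symbol,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(f"{hit['symbol']} written as {hit['raw']!r} (obfuscated={hit['obfuscated']})")
```

The watch list is the interesting knob: a mail filter would populate it with symbols currently being promoted, and the `obfuscated` flag on its own is a strong signal, since a genuine broker note has no reason to write a ticker as "A-A_P L".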

Thursday, 6 December 2012

iTunes "Christmas gift card" / api.myobfuscate.com / nikolamireasa.com

Here's a malware-laden spam with a twist:

From:     iTunes [shipping@new.itunes.com]
To:     purchasing [purchasing@[redacted]]
Date:     6 December 2012 20:59
Subject:     Christmas gift card

Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing@[redacted]

Order Total: $500.00
Billed To: Hilary Shandonay, Credit card



Item Number     Description     Unit Price
1     Christmas gift card (View\Download )     $500.00
Subtotal:     $500.00
Tax:     $0.00
Order Total:     $500.00


Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.

Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies

FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.

Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/



Apple ID Summary •  Detailed invoice

Apple respects your privacy.

Copyright © 2011 Apple Inc. All rights reserved

In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz.org which contains some heavily obfuscated javascript that eventually leads to a malicious landing page on [donotclick]nikolamireasa.com/less/demands-probably.php hosted on 188.93.210.133 (logol.ru, Russia). That IP hosts the following toxic domains that you should block:

nikolamireasa.com
portgazza.cu.cc
hopercac.cu.cc
hopercas.cu.cc
ukumuxur.qhigh.com
ymuvyjih.25u.com

Heck, you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate.com which you can see has been used to infect a few sites before.

Now, perhaps myobfuscate.com was created with the best of intentions, but if the bad guys have a use for it then you can bet they are about to abuse it in a big way.

Both api.myobfuscate.com and www.myobfuscate.com are hosted on the same IP at 188.64.170.17 (also in Russia), which is part of a tiny netblock, 188.64.170.16/31, that you may as well block too. The 188.64.170.17 IP also hosts the following domains, which might be abused in the same way:

htmlobfuscator.com
api.htmlobfuscator.com
htmlobfuscator.info
javascript-obfuscator.info
javascriptcompressor.info
javascriptcrambler.com
javascriptobfuscate.com
javascriptobfuscator.info
myobfuscate.com
api.myobfuscate.com
obfuscatorjavascript.com
api.obfuscatorjavascript.com
js.robotext.com
js.robotext.info
js.robottext.ru

In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots.

Friday, 30 November 2012

iTunes spam / mokingbirdgives.org

This fake iTunes spam leads to malware on mokingbirdgives.org:

From:     iTunes itunes@new.itunes.com
To:     purchasing [purchasing@victimdomain.com]
Date:     30 November 2012 17:02
Subject:     Your receipt #16201509085048

Billed To:
%email%

Order Number: M1V008146011
Receipt Date: 30/11/2012

Order Total: $699.99
Billed To: Credit card

Item Number     Description     Unit Price
1     Postcard (View\Download )
 Cancel order  Not your order?Report a Problem     $699.99
Subtotal:     $699.99
Tax:     $0.00
Order Total:     $699.99


Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.

Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies

FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.

Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/



Apple ID Summary •  Detailed invoice

Apple respects your privacy.

Copyright © 2011 Apple Inc. All rights reserved

The malicious payload is at [donotclick]mokingbirdgives.org/less/demands-probably.php (report here) hosted on 184.82.100.201 (HostNOC, US) along with the following domains which also appear to be malicious:

jokolet5.cu.cc
revreka.cu.cc
kretaf.cu.cc
hoyerrr.cu.cc
xecomas.cu.cc
serawers.cu.cc
spaswers.cu.cc
retainedthumb.uni.me
safemessageassimilated.uni.me
fullblowntie.uni.me
confusetelltale.uni.me
fulltouchabandoning.uni.me
cuingdisinfecting.uni.me
mobilesitedisplaydizzying.uni.me
deadlinesorganizing.uni.me
consequencesaolcom.uni.me
areascompareran.uni.me
trusteunplugs.uni.me
rightsideconcoctions.uni.me
rearfacingisight.uni.me
starearnernot.uni.me
mokingbirdgives.org
germannewslinks.org
likoawdsdfzgage.dyndns-remote.com
syenial.com
amusicman.com
germannewslinks.com
fusioncaters.com
uqakanyd.ocry.com
u96s.info
germannewslinks.info
beardwithgofus.info
demonstrateddesktoplike.pro
thcenturysplitting.pro
stub.appartamentofirenze.net
germannewslinks.net
advert.apps-myups.net
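The 6 December and 30 November posts above each end with a list of domains to block and the advice to block the surrounding netblock (188.93.210.0/23, 188.64.170.16/31) rather than the single address. The Python below is an added example, not code from the original posts, showing how a defender would apply such a list to outbound proxy logs: hostnames are matched against the listed domains including any subdomain (so api.myobfuscate.com hits on myobfuscate.com), and destination addresses are matched against the CIDR ranges, which also catches hosts on the same netblock that were never listed. Only a subset of the listed domains is embedded, and the log lines are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the two posts above: the netblocks the author suggests
# blocking plus a handful of the domains listed there (a real deployment would
# load the complete lists from a file).
BLOCKED_NETS = [
    ipaddress.ip_network(n)
    for n in ("188.93.210.0/23", "188.64.170.16/31", "184.82.100.201/32")
]
BLOCKED_DOMAINS = {
    "nikolamireasa.com", "portgazza.cu.cc", "myobfuscate.com", "htmlobfuscator.com",
    "mokingbirdgives.org", "germannewslinks.org", "retainedthumb.uni.me",
}

# Constructed proxy log lines in the shape "unix_time client_ip dest_ip method url".
# The addresses and hostnames are the ones quoted in the posts; the traffic is invented,
# and unlisted-host.invalid stands for a domain nobody has reported yet.
SAMPLE_LOG = [
    "1354827600 10.0.0.5 188.93.210.133 GET http://nikolamireasa.com/less/demands-probably.php",
    "1354827601 10.0.0.5 188.64.170.17 GET http://api.myobfuscate.com/script.js",
    "1354827602 10.0.0.9 188.93.211.40 GET http://unlisted-host.invalid/index.html",
    "1354827603 10.0.0.9 198.51.100.7 GET http://www.example.com/",
    "1354827604 10.0.0.12 184.82.100.201 GET http://mokingbirdgives.org/less/demands-probably.php",
]


def host_matches(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or any subdomain of one (api.myobfuscate.com -> myobfuscate.com)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def ip_matches(ip, nets=BLOCKED_NETS):
    """True if the address falls inside any blocked netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_proxy_line(line):
    """Split one constructed log line into its fields and extract the URL's hostname."""
    ts, client, dest_ip, method, url = line.split()
    return {"ts": ts, "client": client, "dest_ip": dest_ip, "method": method,
            "url": url, "host": urlsplit(url).hostname or ""}


def scan_log(lines):
    """Return (client, host, dest_ip, reasons) for each line that hits the blocklist."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        reasons = []
        if host_matches(rec["host"]):
            reasons.append("domain")
        if ip_matches(rec["dest_ip"]):
            reasons.append("netblock")
        if reasons:
            alerts.append((rec["client"], rec["host"], rec["dest_ip"], reasons))
    return alerts


if __name__ == "__main__":
    for client, host, dest, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} ({dest}): {', '.join(reasons)}")
```

The third sample line is the reason for blocking by netblock: its hostname appears on no list, yet it resolves into 188.93.210.0/23 and is caught anyway. Matching on the destination address also survives the attacker simply registering new throwaway names on the same server.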

Wednesday, 31 October 2012

"Your Apple ID has been disabled" phish

I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam email (this one, for example).

From:     Apple no_reply@macapple.com
Reply-To:     no_reply@macapple.com
Date:     31 October 2012 06:08
Subject:     Your Apple ID has been disabled

Apple ID Support

Dear [redacted] ,

This Apple ID has been disabled!


For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.


To verify your Apple ID, we recommend that you go to:

Verify Now >

The phish is hosted at [donotclick]app.apple.com.proiectmaxim.ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name..

It just goes to show that the bad guys will try to phish anything these days..
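The trick in that URL is that the hostname app.apple.com.proiectmaxim.ro is a subdomain of proiectmaxim.ro; the "apple.com" in the middle is just a pair of labels the attacker controls. The Python below is an added example, not code from the original post: it extracts the registrable domain from a URL and flags hosts that contain a brand keyword but are not registered under the brand's own domain. The public-suffix table, the brand domain and the keyword list are deliberately tiny stand-ins and are assumptions for this demonstration; a production check would load the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: this tiny table stands in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "ro", "co.uk"}

# Assumption: the brand's genuine registrable domain and the keywords a lure would reuse.
BRAND_DOMAINS = {"apple.com"}
BRAND_KEYWORDS = ("apple", "itunes")

# The phishing URL quoted in the post, with the author's redaction kept as a placeholder.
PHISH_URL = "http://app.apple.com.proiectmaxim.ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted]"


def registrable_domain(host):
    """Return the registrable domain (one label left of the public suffix), or None."""
    labels = host.lower().rstrip(".").split(".")
    # Longest candidate suffix first, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def classify_url(url):
    """Classify a URL as legitimate, lookalike (brand keyword outside the brand's domain) or unrelated."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return ("legitimate", host, reg)
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return ("lookalike", host, reg)
    return ("unrelated", host, reg)


if __name__ == "__main__":
    for url in (PHISH_URL, "https://appleid.apple.com/account", "http://www.example.co.uk/"):
        verdict, host, reg = classify_url(url)
        print(f"{verdict:10} host={host} registrable={reg}")
```

The useful output for a user or an analyst is the registrable domain, not the full hostname: showing "proiectmaxim.ro" next to the link is what makes the deception obvious.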

Thursday, 12 January 2012

"John Dillinger" / "Apple Store - Important information about your Apple ID"

This email was actually sent by Apple, apparently to a famous bank robber, John Dillinger.

Date: Thu, 12 Jan 2012 01:37:23 +0000 (GMT)
From: Apple [appleid@id.apple.com]
Subject: Apple Store - Important information about your Apple ID

    Apple Online Store   
Order Status     Account     Help    
   
   
Dear John Dillinger
Welcome to the Apple Online Store. We wanted to share some information with you about your Apple ID, which allows you to personalize your Apple Online Store experience and helps you access other Apple resources.
Your Apple ID is your current email address.  You can use the password you created when you set up your account online. If you forget or need to reset your password, go to My Apple ID.
By using your Apple ID on the Apple Online Store, you have access to your account information online.  You can save carts until you're ready to place an order, check the status of or change your order, track your shipments, view your order history, maintain your account information, check Apple Gift Card balances, and much more.
Additionally, your Apple ID gives you access to other Apple resources, including:
• Buying music, movies, TV shows, and more at the iTunes Store
• Buying or downloading applications for your iPod touch or iPhone using the App Store
• Ordering photos and photobooks through iPhoto
• Registering your Apple products
• Accessing support for your products from AppleCare
• Getting One to One personal training and other services at an Apple Retail Store
Sign in to Your Account, to take advantages of the benefits of your Apple ID on the Apple Online Store. To learn more about your Apple ID, visit the Your Account section of online Help.
We also want you to know that the security of your personal information is important to us.  For more information on how Apple protects your personal information, please refer to the Apple Customer Privacy Policy.
Thank you for choosing Apple,
The Apple Store Team
http://store.apple.com
1-800-MY-APPLE


Indeed, an Apple account has been created for this email address. But not by me. Upon inspection, the Apple account has no information in it apart from the "John Dillinger" name, and it's a simple matter to reset the password to thwart whatever is going on here.

The email is quite genuine, coming from an Apple IP (17.254.6.195) and with all the links pointing to Apple and not another site. And it seems that I am not alone in receiving this email.

If you have had the same email, please consider letting me know in the comments!

Monday, 9 June 2008

Apple iPhone 3G

After lots and lots of rumours, the Apple iPhone 3G is finally here. It adds UMTS and HSDPA (3.5G), plus GPS and mapping. There's a new software platform, plus a number of other enhancements. But really, it's a bit disappointing.. the camera is still poor and you can't take out the battery.. and the 480 x 320 pixel display is so last year..

One surprising thing is that the iPhone will ship to 70 countries from July onwards. They've managed to do all that while keeping the iPhone 3G very quiet indeed.

Oh well, perhaps the iPhone 3 will finally be the one that fits in everything but the kitchen sink!

Tuesday, 25 March 2008

Apple Safari - a driveby download or what?

Millions of people are currently wondering what a "Safari" icon is doing on their Windows desktop. Is it something they installed? Is it adware? Or has Apple turned to the dark side?

Well, I'm afraid that Apple have turned to the dark side. If it wasn't annoying enough that iTunes keeps appearing on your desktop if you just want QuickTime, Apple's latest ploy is to push their Safari web browser out as an "update" to your existing software.. even if you have never installed Safari before.

A legitimate upgrade? Or deceptive advertising? Read more about the drive-by install here, and then decide if Apple software has any place on your Windows desktop machine.