
Thursday, 16 October 2014

Barclays Bank "Transaction not complete" spam

This fake Barclays spam leads to malware.

From:     Barclays Bank [Barclays@email.barclays.co.uk]
Date:     16 October 2014 12:48
Subject:     Transaction not complete

Unable to complete your most recent Transaction.

Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.


For more details please download payment receipt below:

http://essecisoftware.it/docs/viewdoc.php


Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register
No. 122702). Registered in England. Registered Number is 1026167 with registered
office at 1 Churchill Place, London E14 5HP.

Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54. The Malwr report shows that it reaches out to the following URLs:

http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/
http://188.165.214.6:12302/1610uk1/HOME/1/0/0/
http://188.165.214.6:12302/1610uk1/HOME/41/5/1/
http://jwoffroad.co.uk/img/t/1610uk1.osa


In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to block or monitor.

It also drops two executables, bxqyy.exe (VT 5/54, Malwr report) and ldplh.exe (VT 1/51, Malwr report).
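The server address and port in these check-in URLs differ between the posts on this page, but the path keeps one shape (a four-digit tag matching the post's day and month, then `uk1`), so a proxy-log rule can key on the path rather than the IP. This is an added example, not part of the original post: the log format, client addresses and function names are assumptions, and the `example.com` lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Path shape shared by the check-in URLs quoted in these posts:
#   /<DDMM>uk<n>/<name>/<int>/<token>/<int>/
CHECKIN_RE = re.compile(
    r"^/(?P<tag>(?P<dd>\d{2})(?P<mm>\d{2})uk\d+)"
    r"/[^/]{1,64}/\d+/[^/]{1,32}/\d+/?$"
)
# Follow-up download named after the same tag, e.g. /img/t/1610uk1.osa
TAGFILE_RE = re.compile(r"/(?P<tag>\d{4}uk\d+)\.[A-Za-z0-9]{2,4}$")

# Constructed proxy log; assumed format: time, client, method, URL.
# The first four URLs are the ones quoted in the post, the rest are made up.
SAMPLE_LOG = [
    "2014-10-16T11:50:01Z 10.0.0.23 GET http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/",
    "2014-10-16T11:50:02Z 10.0.0.23 GET http://188.165.214.6:12302/1610uk1/HOME/1/0/0/",
    "2014-10-16T11:50:05Z 10.0.0.23 GET http://jwoffroad.co.uk/img/t/1610uk1.osa",
    "2014-10-16T11:50:09Z 10.0.0.23 GET http://188.165.214.6:12302/1610uk1/HOME/41/5/1/",
    # Same shape, but 20/14 is not a day/month, so it is rejected.
    "2014-10-16T11:51:00Z 10.0.0.40 GET http://www.example.com/2014uk1/shop/1/list/2/",
    # Tag-named file with no check-in from this client: not reported.
    "2014-10-16T11:52:00Z 10.0.0.41 GET http://www.example.com/img/t/1610uk1.osa",
    "2014-10-16T11:53:00Z 10.0.0.42 GET http://www.example.com/news/2014/10/16/",
]


def parse_line(line):
    """Return (client, split_url, original_url), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, _, url = parts
    # Sandbox reports often list URLs without a scheme; urlsplit needs one
    # to separate the host from the path.
    full = url if "://" in url else "http://" + url
    return client, urlsplit(full), url


def checkin_tag(path):
    """Return the campaign tag if the path has the check-in shape, else None."""
    m = CHECKIN_RE.match(path)
    if not m:
        return None
    if not (1 <= int(m["dd"]) <= 31 and 1 <= int(m["mm"]) <= 12):
        return None
    return m["tag"]


def find_checkins(lines):
    """Map each client that checked in to its tags, servers and tag-named downloads."""
    records = [r for r in map(parse_line, lines) if r]
    hits = {}
    for client, parts, _ in records:
        tag = checkin_tag(parts.path)
        if tag:
            entry = hits.setdefault(
                client, {"tags": set(), "servers": set(), "downloads": set()}
            )
            entry["tags"].add(tag)
            entry["servers"].add(parts.netloc)
    # Second pass: a tag-named file only counts when the same client also
    # checked in with that tag (in either order).
    for client, parts, url in records:
        m = TAGFILE_RE.search(parts.path)
        if m and client in hits and m["tag"] in hits[client]["tags"]:
            hits[client]["downloads"].add(url)
    return {c: {k: sorted(v) for k, v in e.items()} for c, e in hits.items()}


if __name__ == "__main__":
    for client, info in find_checkins(SAMPLE_LOG).items():
        print(client, info)
```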


Monday, 13 October 2014

Malware spam: "You have received a new secure message from BankLine" / "You've received a new fax"

A couple of unimaginative spam emails leading to a malicious payload.

You have received a new secure message from BankLine

From:     Bankline [secure.message@bankline.com]
Date:     13 October 2014 12:48
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://losislotes.com/dropbox/document.php

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7507.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

You've received a new fax

From:     Fax [fax@victimdomain.com]
Date:     13 October 2014 13:07
Subject:     You've received a new fax

New fax at SCAN2166561 from EPSON by https://victimdomain.com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.mezaya.ly/dropbox/document.php

(Dropbox Drive is a file hosting service operated by Google, Inc.)

Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54.

The Malwr analysis shows that the malware attempts to communicate with the following URLs:


Also dropped are a couple of executables, egdil.exe (VT 2/54, Malwr report) and twoko.exe (VT 6/55, Malwr report).

Recommended blocklist:



Friday, 10 October 2014

Malware spam: "You've received a new fax" / "You have received a new secure message from BankLine"

A pair of malware spams this morning, both with the same payload:

"You've received a new fax"

From:     Fax [fax@victimdomain.com]
Date:     10 October 2014 11:34
Subject:     You've received a new fax

New fax at SCAN7097324 from EPSON by https://victimdomain.com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.eialtd.com/kk/document.php

(Google Disk Drive is a file hosting service operated by Google, Inc.)

"You have received a new secure message from BankLine"

From:     Bankline [secure.message@bankline.com]
Date:     10 October 2014 10:29
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://www.electromagneticsystems.com/kk/document.php

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3297.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54.

According to the ThreatExpert report [pdf] the malware communicates with the following URLs which are probably worth blocking or monitoring:

94.75.233.13/1010uk1/NODE01/41/5/1/
94.75.233.13/private/sandbox_status.php
94.75.233.13/1010uk1/NODE01/0/51-SP3/0/
94.75.233.13/1010uk1/NODE01/1/0/0/
beanztech.com/beanz/1010uk1.rtf


Wednesday, 8 October 2014

Malware spam: Lloyds "Important - Commercial Documents" and NatWest "You have a new Secure Message"

There's a familiar pattern to this malware-laden spam, but with an updated payload from before:

Lloyds Commercial Bank: "Important - Commercial Documents"


From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     8 October 2014 11:09
Subject:     Important - Commercial Documents

Important account documents

Reference: C437
Case number: 66324010
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://01silex.com/dropbox/document.php
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email.

NatWest: "You have a new Secure Message - file-2620"


From:     NatWest [secure.message@natwest.com]
Date:     8 October 2014 10:29
Subject:     You have a new Secure Message - file-2620


You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )


Please download your ecnrypted message at:

http://cookierunid.com/dropbox/document.php

(Google Disk Drive is a file hosting service operated by Google, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3068.

The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53.

The Malwr report indicates that the malware phones home to the following locations which are worth blocking, especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server.

94.75.233.13:37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13:37400/0810uk1/HOME/1/0/0/
94.75.233.13:37400/0810uk1/HOME/41/5/1/
cemotrans.com/seo/0810uk1.soa


Tuesday, 30 September 2014

Malware spam: NatWest "You have a new Secure Message" / "You've received a new fax"

The daily mixed spam run has just started again, these two samples seen so far this morning:

NatWest: "You have a new Secure Message"

From:     NatWest [secure.message@natwest.com]
Date:     30 September 2014 09:58
Subject:     You have a new Secure Message - file-3800

You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )


Please download your ecnrypted message at:

http://binuli.ge/docs/document0679

(Google Disk Drive is a file hosting service operated by Google, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 6002.

"You've received a new fax"

From:     Fax [fax@victimdomain.com]
Date:     30 September 2014 09:57
Subject:     You've received a new fax

New fax at SCAN4148711 from EPSON by https://victimdomain.com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.brianhomesinc.com/docs/document5928

(Google Disk Drive is a file hosting service operated by Google, Inc.)

The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54. The Comodo CAMAS report and Anubis report are rather inconclusive.

UPDATE: the ThreatTrack report [pdf] shows that the malware attempts to communicate with the following locations:

188.165.198.52/3009uk1/NODE01/0/51-SP3/0/
188.165.198.52/3009uk1/NODE01/1/0/0/

188.165.198.52 is (unsurprisingly) allocated to OVH in France and is definitely worth blocking.



Monday, 29 September 2014

Malware spam: "Lloyds Commercial Bank" / "HSBC Bank UK"

Two different banking spams this morning, leading to the same malware.

Lloyds Commercial Bank "Important - Commercial Documents"

From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     29 September 2014 11:03
Subject:     Important - Commercial Documents

Important account documents

Reference: C947
Case number: 18868193
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://www.ticklestootsies.com/dropbox-documents/document_8641_29092014.php
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email.

HSBC Bank UK "Payment Advice Issued"


From:     HSBC Bank UK
Date:     29 September 2014 11:42
Subject:     Payment Advice Issued

Your payment advice is issued at the request of our customer. The advice is for your reference only.

Please download your payment advice at http://sabiacommunications.com/dropbox-documents/document_8641_29092014.php

Yours faithfully,
Global Payments and Cash Management

*******************************************************************************
This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55. The Anubis report shows that the malware attempts to phone home to cuscorock.com which is probably a good thing to block or monitor.

Friday, 26 September 2014

Malware spam: "HMRC taxes application with reference" / "Important - BT Digital File" / RBS "Outstanding invoice"

Another bunch of spam emails, with the same payload as this earlier spam run.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received

From:     noreply@taxreg.hmrc.gov.uk [noreply@taxreg.hmrc.gov.uk]
Date:     26 September 2014 12:26
Subject:     HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received

The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.

Please download/view your HMRC documents here: http://motobrothers.com.pl/documents/document26092014-008.php

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Important - BT Digital File


From:     Cory Sylvester [Cory.Sylvester@bt.com]
Date:     26 September 2014 12:51
Subject:     Important - BT Digital File

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

To download your BT Digital File please follow the link below : http://splash.com.my/documents/document26092014-008.php

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 0346* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

RBS Bankline: Outstanding invoice


From:     Bankline.Administrator@rbs.co.uk [Bankline.Administrator@rbs.co.uk]
To:     redacted.uk
Date:     26 September 2014 13:05
Subject:     Outstanding invoice

   {_BODY_TXT}

Dear [redacted],

Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date .

Many thanks

Paul Hamilton

Credit Control

Tel: 0845 300 2952

In the sample I looked at, the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload as earlier.

The links I have seen so far in the emails are:

http://motobrothers.com.pl/documents/document26092014-008.php
http://splash.com.my/documents/document26092014-008.php
http://www.firstlcoc.org/documents/document26092014-008.php
http://elblogderosner.com/documents/document26092014-008.php

Malware spam: "Employee Documents - Internal Use" / "You have a new voice" / "BACS Transfer : Remittance for JSAG244GBP" / "New Fax"

Whoever is running this spam run is evolving it day after day, with different types of spam to increase clickthrough rates and now some tricky tools to prevent analysis of the malware.

Employee Documents - Internal Use

From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://iqmaintenance.com.au/Documents/document26092014-20.pdf

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

You have a new voice

From:     Voice Mail [Voice.Mail@victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs4004011004_001

The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E

To download and listen your voice mail please follow the link below: http://www.sjorg.com/Documents/voice26092014-18

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.

RBS: BACS Transfer : Remittance for JSAG244GBP

From:     Douglas Byers [creditdepart@rbs.co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP

We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link below:

http://plugdeals.com/Documents/payment26092014-15

New Fax

From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax

You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here : http://montfort.dk/Documents/faxmessage26092014-16

The links in the emails I have seen go to the following locations (there are probably many, many more):

http://plugdeals.com/Documents/payment26092014-15
http://iqmaintenance.com.au/Documents/document26092014-20.pdf
http://www.sjorg.com/Documents/voice26092014-18
http://montfort.dk/Documents/faxmessage26092014-16


The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block.

A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.

The landing page script looks like this [pastebin] which is a bit harder to deal with, but nonetheless a malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55. The Anubis report shows the malware attempting to phone home to padav.com which is probably worth blocking.
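Dropping the ZIP wrapper only helps the sender if the filter's rule was attached to the archive rather than to what is inside it. The sketch below is an added example, not code from the original post: it applies one filename test to a bare download and to every ZIP member alike, with the extension lists, limits and function names being assumptions and the archives constructed in memory.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}          # assumed policy list
# Stem ending in a document type, as in document23_pdf.scr
DOC_HINT_RE = re.compile(r"(?:^|[._\- ])(?:pdf|docx?|xlsx?|rtf|txt)$", re.I)
MAX_DEPTH = 2                      # how many archive levels to open
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not unpack nested archives above this


def classify_name(name):
    """Return a verdict for a file name, or None if it is not executable."""
    base = re.split(r"[\\/!]", name)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or "." + ext.lower() not in EXECUTABLE_EXTS:
        return None
    if DOC_HINT_RE.search(stem):
        return "executable-posing-as-document"
    return "executable"


def inspect_download(filename, data, depth=0):
    """Return [(path, verdict)] for the file itself and any ZIP members."""
    findings = []
    verdict = classify_name(filename)
    if verdict:
        findings.append((filename, verdict))
    buf = io.BytesIO(data)
    if depth < MAX_DEPTH and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            # Member names come from the central directory, which stays
            # readable even when the member data is password-protected.
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{filename}!{info.filename}"
                inner = b""
                nested = info.filename.lower().endswith(".zip")
                if nested and info.file_size <= MAX_MEMBER_BYTES:
                    try:
                        inner = zf.read(info)
                    except (RuntimeError, zipfile.BadZipFile):
                        inner = b""  # encrypted or corrupt: names only
                findings.extend(inspect_download(member, inner, depth + 1))
    return findings


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples using file names quoted in these posts.
    wrapped = make_zip({"document23_pdf.scr": b"MZ constructed placeholder"})
    print(inspect_download("document23_pdf.zip", wrapped))
    print(inspect_download("document_8641_29092014_pdf.scr", b"MZ"))
```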

Thursday, 25 September 2014

Malware spam: RBS "BACS Transfer" / Sage "Outdated Invoice" / Lloyds "Important - Commercial Documents" / NatWest "Important - New account invoice"

There seems to be a very aggressive spam run this morning, with at least four different email formats pushing the same malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"

From:     Riley Crabtree [creditdepart@rbs.co.uk]
Date:     25 September 2014 10:58
Subject:     BACS Transfer : Remittance for JSAG814GBP

We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link below:

http://shetabweb.com/bvqsyphiwq/cdddcetuex.html

Sage Account & Payroll: "Outdated Invoice"

From:     Sage Account & Payroll [invoice@sage.com]
Date:     25 September 2014 10:53
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

https://invoice.sage.co.uk/Account?928143=Invoice_092514.zip

If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Lloyds Commercial Bank: "Important - Commercial Documents"

From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     25 September 2014 11:36
Subject:     Important - Commercial Documents

Important account documents

Reference: C400
Case number: 05363392
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

NatWest Invoice: "Important - New account invoice"

From:     NatWest Invoice [invoice@natwest.com]
Date:     25 September 2014 10:28
Subject:     Important - New account invoice

Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below :

https://www.nwolb.com/ServiceManagement/InvoicePageNoMenu.aspx?InvoiceCode=Invoice_232449


Thank you for choosing NatWest.

Important: Please do not respond to this message. It comes from an unattended mailbox.


This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.

The links in the emails go to different download locations to make it harder to block:

http://shetabweb.com/bvqsyphiwq/cdddcetuex.html
http://convergika.com/atlbhffykf/rdtlixjoot.html
http://calastargate.net/iqfhtfqinv/ybzhlpbjkh.html
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html


There are probably many, many more locations. In each case the page then directs the victim to download the file Invoice_09252014.zip from the same directory as the html file.

This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54. The Anubis report shows that it phones home to ukrchina-logistics.com which is probably worth blocking or monitoring access to.


Wednesday, 24 September 2014

"You have received a new secure message from BankLine" spam leads to undetected malware

This fake BankLine email leads to malware that is not currently detected by any anti-virus engine:

From:     Bankline [secure.message@bankline.com]
Date:     24 September 2014 09:59
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://ismashahalam.net/xyzpayohjx/ngkzoeqjjs.html

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7941.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

The link in the email goes to ismashahalam.net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam.net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50.

The Anubis report shows that the malware phones home to very-english.co.uk which is worth blocking or monitoring.

For research purposes only, a copy of the malicious executable can be downloaded from here [zip]. The password is foray307.

Wednesday, 18 January 2012

Scam sites to block on 209.25.137.196

Here's a set of very professional looking scam sites, including fake investment firms and escrow companies. Most of these have been registered over the past few weeks with anonymous details.



Also hosted on the same server:
mentemptation.com
webhostingbreaker.com

Some of the trading names used by these scammers (some may be similar to legitimate companies):
  • Atlas Consultancy
  • Brussels Financial Supervisory Authority
  • BL Trading Group
  • Chicago Business Group LLC
  • Crawford Capital Partners
  • Fidelity Corporate Group
  • Grenfell and Blackrock Associates
  • Johnson Sterling Consultancy
  • Knowlton Group
  • Media Transfers Limited
  • Miller Counsulting Group
  • Morgan Premier Group
  • Peregrine International Group
  • Swiss Commodity Market Regulatory Commission
  • Swiss Financial Trading Commission
  • Tate and Carver Consultancy Group
  • Todd and White Financial Marketing Services
  • Warren Fisher and Associates
  • Wells Capital Management
  • Winchester Consultancy Group

Do not be fooled by how good the sites look.. they are very, very convincing. Here are some examples:



The sites are all hosted on 209.25.137.196 which looks like a rented server from LiquidNet, Florida. Also hosted on the same server is webhostingbreaker.com (possibly based in the Philippines) which might be the black hat reseller involved.

Part of this network was fingered a few weeks ago here, and it still appears to be active. Avoid at all costs.

Tuesday, 13 September 2011

Fake banks on 88.191.36.45

88.191.36.45 [Proxad, France] is hosting a series of fake banking domains, one of which is detailed by F-Secure. The domains target Finnish and Spanish banks.

The following sites appear to be hosted on that IP:

bbva-es.com
nordea-vf.com
nordeasfi.com
nordea-if.com
nordea-fis.com
osuuspankki-fi.com


Some sites might use the following subdomains: kultaraha, solo1, solo2, www and xxx.

The (fake) registrant details are:
  Admin Name........... Arthur Williams
  Admin Address........ lake tarson 41
  Admin Address........
  Admin Address........ new york city
  Admin Address........ 90121
  Admin Address........ NY
  Admin Address........ UNITED STATES
  Admin Email.......... sir.arthur999@hotmail.com
  Admin Phone.......... +1.802716100

Blocking access to 88.191.36.45 would probably be a good idea if you have Spanish or Finnish users.

Thursday, 6 November 2008

Stupid but sophisticated "Lloyds TSB" phish

Spammers are generally pretty stupid. This particular phish looks pretty normal to begin with:

Customer Service department
Lloyds TSB Bank
September 26th, 2008


To all business and personal customers

We would like to inform you about recent change in Lloyds TSB terms and conditions of banking services. Lloyds TSB has updated terms and conditions for both business and personal customers. Each customer should read and accept current terms and conditions.
Failure to accept new terms and conditions may lead to blocking of current services. Such as loans, credit cards, online banking, savings accounts, bill payments. Take a moment to read through new terms and conditions. There are two convenient ways to request updated terms and conditions. You can request them by mail or use online banking to confirm the new terms of service. Please follow the link below to review and confirm updated terms and conditions.
www.lloydstsb.com/terms

Thank you for banking with the most trusted UK bank,
Lloyds TSB Customer Service Team

We know that this is a phish because a) it was sent to a harvested address and b) Lloyds TSB don't send out emails like this. So a typical next step would be to check the source code to find where the phishing site is.

So the only hypertext link in the document is to http://www.lloydstsb.com which is the real Lloyds TSB bank. A closer look shows an attempted image load from http://lloydstlb.com/images/logo_lloydstsb.gif which is the phishing site hosted on a botnet. The domain is registered to BIZCN.COM who seem to have taken over this sort of business from Estdomains.
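
The source check described above can be automated. This is an added example, not code from the original post: it lists every URL the message body links to or loads and compares each host with the brand's domain by edit distance. The names `audit` and `base_domain`, the two-label domain rule and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a mail client link to or fetch a remote resource.
URL_ATTRS = {"href", "src", "background", "action"}

class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every URL-bearing attribute in the body."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.found.append((tag, value))

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    # Assumption: last two labels = registrable domain (true for .com, not .co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(html, brand_domain, max_distance=2):
    """Return (url, tag, verdict) for each remote reference in an HTML body."""
    parser = ResourceCollector()
    parser.feed(html)
    results = []
    for tag, url in parser.found:
        dist = edit_distance(base_domain(urlsplit(url).hostname or ""), brand_domain)
        verdict = "brand" if dist == 0 else "lookalike" if dist <= max_distance else "other"
        results.append((url, tag, verdict))
    return results

# Constructed sample body; only the two URLs are taken from the post.
SAMPLE = ('<img src="http://lloydstlb.com/images/logo_lloydstsb.gif">'
          '<a href="http://www.lloydstsb.com">www.lloydstsb.com/terms</a>')

if __name__ == "__main__":
    print(audit(SAMPLE, "lloydstsb.com"))
```

The image reference is reported as a lookalike one edit away from the brand domain, while the visible link is classed as the brand itself, which is the mismatch the post describes.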

The fake site looks pretty convincing.. even if no-one will click through to it.

The login screen looks authentic too.

The next step looks exactly like the genuine login. The "memorable information" prompt asks for 3 letters from a longer passphrase, specifically letters 1, 3 and 5.

But guess what, when you enter the information it tells you that you did it incorrectly and asks for letters 2, 4 and 6 instead. So now they have letters 1-6.

Blah blah blah..

But what's this at the bottom? Yup, more characters from the memorable phrase are needed..

Finally, a confirmation:

So, like many modern phishing sites the actual web site is very credible looking, even the domain name looks reasonable if you only glance at it. Fortunately for the intended victims, the idiots have messed up the spam and.. this time at least.. nobody will get this far.

Monday, 3 November 2008

"Colorado Business Bank - Network Security and Monitoring"


These banks get more obscure all the time, but still carry the same sort of malicious payload.



Subject: Colorado Business Bank - Network Security and Monitoring
From: "Colorado Business Bank Account Service" alert@cobizbank.com

COLORADO BUSINESS BANK NOTICE:

Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.
VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.

Proceed to customer service department>>

Sincerely, Everett Torres.
Copyright - Colorado Business Bank, a part of COBIZ BANK.



VirusTotal detections are the usual mixed bag. Most detections seem to be generic (e.g. W32/Packed_FSG.D, TR/Crypt.FSPM.Gen, Trojan.Win32.Packed.gen, TrojanDownloader:Win32/Suceret.gen!A)

Friday, 10 October 2008

FTC: Bank Failures, Mergers and Takeovers: A "Phish-erman's Special"

A timely warning from the FTC on the threat of criminals using the worldwide financial crisis to obtain banking details.. although as seen recently the payload could also be a trojan rather than a phishing attempt.

The FTC say:
If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
They then go on to offer some excellent tips and examples of what to look out for. As I said before, it's worth warning any end-users you support of this risk because it would be relatively trivial to come up with a scam that looks very convincing indeed, and including a reference to the FTC warning might get at least some of them taking the threat seriously.

Thursday, 9 October 2008

Citigroup/Wachovia "Security Certificates" trojan

These fake "security certificates" have been around for a while, but it has taken a little time for the Bad Guys to leverage the recent worldwide banking crisis. Expect to see a LOT more of these as more banks struggle or are taken over.

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks' security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read more here>>

Sincerely, Sophie Burkett.
2008 Wachovia Corporation.
All rights reserved.

The link goes to the insanely named domain commercial [dot] wachovia [dot] online [dot] financial [dot] service [dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com which is hosted on a fast-flux botnet. The target executable is InstallationPackWachovia.exe located in the root directory which triggers just a few heuristic scanners or generic detections according to VirusTotal.
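
A hostname like this one puts the bank's name in the left-hand labels while the registrable domain on the right belongs to someone else. This is an added example, not code from the original post: it splits the defanged hostname quoted above and reports which brand keywords appear in the subdomain of an unrelated domain. The function names, the two-label domain rule and the `BRANDS` mapping (with wachovia.com as the bank's real domain) are assumptions made for illustration.

```python
import re

def refang(host):
    """Turn a defanged host ('a [dot] b.com' or 'a[.]b.com') into dotted form."""
    return re.sub(r"\s*\[(?:dot|\.)\]\s*", ".", host.strip(), flags=re.I).lower()

def brand_in_subdomain(host, brands, max_labels=4):
    """Describe a hostname whose left-hand labels borrow a brand it does not own.

    brands maps a brand keyword to the registrable domains that brand really uses.
    """
    labels = refang(host).rstrip(".").split(".")
    # Assumption: the last two labels are the registrable domain (fine for .com;
    # use a public-suffix list for suffixes such as .co.uk).
    registrable = ".".join(labels[-2:])
    subdomain = labels[:-2]
    borrowed = sorted(
        brand for brand, real in brands.items()
        if registrable not in real and any(brand in label for label in subdomain)
    )
    return {
        "registrable": registrable,
        "labels": len(labels),
        "deep": len(labels) > max_labels,
        "borrowed_brands": borrowed,
        "suspicious": bool(borrowed),
    }

# Hostname exactly as the post gives it (defanged).
POST_HOST = ("commercial [dot] wachovia [dot] online [dot] financial [dot] service "
             "[dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com")
# Assumption for the example: wachovia.com is the brand's real domain.
BRANDS = {"wachovia": {"wachovia.com"}}

if __name__ == "__main__":
    print(brand_in_subdomain(POST_HOST, BRANDS))
```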


If you work in IT in any kind of organisation, it is worth sending out a warning to end users to ensure that they are aware of these emails, either at work or at home. The current batch are not particularly credible, but the Bad Guys will probably keep working on their social engineering skills.