Monday, 18 July 2016
Malware spam: "Image data has been attached to this email." / "Scanned image"
This spam is presumably meant to have a malicious attachment, but all the samples I have seen are malformed. It appears to come from within the victim's own domain (but doesn't). In case you don't recognise the block of random-looking letters below, that is what a base64-encoded attachment looks like in the raw message, but something has gone badly wrong with this spam run: the attachment name still contains rndnum(4,9)}}, which looks like an unexpanded placeholder from the spammers' template. I haven't analysed the payload, but it is likely to be Locky ransomware as found here.
From: support398@victimdomain.tld
Date: 18 July 2016 at 16:22
Subject: Scanned image
--+-+-+-MGCS-+-+-+
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: Quoted-Printable
Content-X-CIAJWNETFAX: IGNORE
Image data has been attached to this email.
--+-+-+-MGCS-+-+-+
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="18-07-2016_rndnum(4,9)}}.docm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="18-07-2016_rndnum(4,9)}}.docm"
Content-Description: 18-07-2016_rndnum(4,9)}}.docm
UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo
oAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0lM9OwkAQxu8mvkOzV9MueDDGUDgIHpVE
[snip]
Thursday, 17 March 2016
Malware spam: "PDFPart2.pdf" / "Sent from my Samsung Galaxy Note 4 - powered by Three"
This spam run has a malicious attachment. It appears to come from within the user's own domain.
From: Administrator [admin@victimdomain.tld]
Date: 17 March 2016 at 12:54
Subject: PDFPart2.pdf
Sent from my Samsung Galaxy Note 4 - powered by Three
All the attachments that I saw were corrupt, but it appears to be trying to download a script that installs Locky ransomware, as seen here.
Wednesday, 24 February 2016
Malware spam FAIL: "Thank you for your order!" / DoNotReply@ikea.com
This fake financial spam is not from IKEA, but it instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.
From: DoNotReply@ikea.com
Date: 24 February 2016 at 09:56
Subject: Thank you for your order!
IKEA UNITED KINGDOM
Order acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost: £122.60
Delivery date: 24-02-2016
Delivery method: Parcelforce
We will confirm your delivery date by text, email or telephone within 72 hrs.
Order/Invoice number: 607656390
Order time: 8:31am GMT
Order/Invoice date: 24-02-2016
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.
The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do not open it. The attachment is currently being analysed.
UPDATE
Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this.
Thursday, 21 January 2016
Malware spam FAIL: "Credit UB 7654321 dated 15.01.15 £12,345.67 - COMPANY NAME"
This fake financial spam is meant to have a malicious attachment. Company names, senders, values and reference numbers vary, but here are some examples:
From: Inez Rhodes
Date: 21 January 2016 at 12:33
Subject: Credit UB 1130909 dated 15.01.15 £26,842.15 - EXOVA GRP PLC
Hi,
Please find attached Debit Note UB11309096 which will offset UB 11309097
Due to a system error UB11309097 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Inez Rhodes
Management Accountant - EXOVA GRP PLC
t. 01523 171 662
f. 0888 650 6709
==========
From: Cortez Bird
Date: 21 January 2016 at 12:40
Subject: Credit UB 1793159 dated 15.01.15 £77,538.80 - BARCLAYS PLC
Hi,
Please find attached Debit Note UB17931596 which will offset UB 17931597
Due to a system error UB17931597 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Cortez Bird
Management Accountant - BARCLAYS PLC
t. 01662 855 271
f. 0882 284 7942
==========
From: Autumn Pierce
Date: 21 January 2016 at 11:39
Subject: Credit UB 1911242 dated 15.01.15 £73,910.50 - GLOBAL PORTS INVESTMENTS PLC
Hi,
Please find attached Debit Note UB19112426 which will offset UB 19112427
Due to a system error UB19112427 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Autumn Pierce
Management Accountant - GLOBAL PORTS INVESTMENTS PLC
t. 01361 953 147
f. 0883 597 3136
Example attachment names are:
HPscanner3F3AB@ebene-events.net_250371.doc
HPscanner5CF83@hacettepe.edu.tr_8760547.doc
Sharp87143@autoprivoz.ru_3718432.doc
HPscanner7180F@instrument-pily.ru_1587243.doc
In all the samples I have seen, the attachment is not formatted correctly and cannot be downloaded. Typically it will appear to be a 0 byte file with no name, but results might vary depending on the mail client.
After manually decoding the malware from the Base 64 section in the email, I found two distinct versions of the attachment (VirusTotal [1] [2]) and the Malwr reports [3] [4] show a malicious download from:
5.189.216.101/dropbox/download.php
The payload is the Dridex banking trojan (botnet 120) as described here.
Wednesday, 20 January 2016
Malware spam FAIL: "Your compliment (ref: 398864)" / Rachael Love [env9729health@aylesburyvaledc.gov.uk]
This spam is not from Aylesbury Vale District Council but is instead a simple forgery with a malicious attachment.
From Rachael Love [env9729health@aylesburyvaledc.gov.uk]
Date Wed, 20 Jan 2016 13:28:21 +0430
Subject Your compliment (ref: 398864)
I was not able to access the body text of this message. Note that the sender's email address varies slightly from message to message.
Attached is a file 398864 - Letter to recipient@domain.doc which contains the intended victim's email address. However - due to an error by the bad guys - none of the samples I have seen are downloadable.
The intended payload is probably the Dridex banking trojan, much like this.
Malware spam FAIL: "Emailed Order Confirmation - 94602:1" / "DANE THORNTON" [dane@direct-electrical.com]
This fake financial spam is meant to have a malicious attachment.
From "DANE THORNTON" [dane@direct-electrical.com]
Date Wed, 20 Jan 2016 16:31:21 +0800
Subject Emailed Order Confirmation - 94602:1
--
DANE THORNTON
Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up. Shame.
Monday, 18 January 2016
Malware spam FAIL: "Statements" / Alison Smith [ASmith@jtcp.co.uk]
This fake financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
From Alison Smith [ASmith@jtcp.co.uk]
Date Mon, 18 Jan 2016 18:27:36 +0530
Subject Statements
Sent 12 JAN 16 15:36
J Thomson Colour Printers
14 Carnoustie Place
Glasgow
G5 8PB
Telephone 0141 4291094
Fax 0141 4295638
Attached is a file S-STA-SBP CRE (0036).xls which is actually corrupt, due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since Friday the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one, also spoofing the same company.
Malware spam FAIL: "Water Cooler World Invoice" / tom.thomson@watercoolerworld.com
This fake invoice is not from Water Cooler World but is instead a simple forgery with a malicious attachment. I was not able to capture the body text.
From "Tom Thomson Water Cooler World" [tom.thomson@watercoolerworld.com]
Date Mon, 18 Jan 2016 18:35:14 +0700
Subject Water Cooler World Invoice
Attached is a file INVOICE_F-160003834.doc which will appear to be corrupt because the MIME attachment is malformed (it will either appear to be zero length or it will be garbage). This is the second corrupt spam run today; it was meant to be delivering the Dridex banking trojan. A fuller analysis of the attempted payload can be found here.
Malware spam FAIL: "Invoice January" / "A . Baird" [ABaird@jtcp.co.uk]
This fake financial spam does not come from J. Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
From "A . Baird" [ABaird@jtcp.co.uk]
Date Mon, 18 Jan 2016 16:17:20 +0530
Subject Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller
[cid:image001.png@01CEE6A0.2D48E1B0]
Registered in Scotland 29216
14 Carnoustie Place
Glasgow G5 8PB
Direct Dial: 0141 418 5303
Tel: 0141 429 1094
www.jtcp.co.uk
P Save Paper - Do you really need to print this e-mail?
Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.
If you can get hold of the original message, then it should be possible to locate the faulty Base 64 section, which has a leading space in it. Removing the space and decoding the Base 64 would produce the intended malicious attachment. Obviously, I don't recommend doing that unless you want to decode the malware.
UPDATE
A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
emirelo.com/786585d/08g7g6r56r.exe
esecon.com.br/786585d/08g7g6r56r.exe
outago.com/786585d/08g7g6r56r.exe
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers which are worth blocking:
192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173
Saturday, 14 March 2015
Quttera fails and spews false positives everywhere
By chance, I found out that my blog had been blacklisted by Quttera. No big deal, because it happens from time to time due to the nature of the content on the site. But I discovered that it isn't just my blog: Quttera also blocks industry-leading sites such as Cisco, VMware, Sophos, MITRE, AVG and Phishtank.
For example, at the time of writing the following domains are all blacklisted by Quttera (clicking the link shows the current blacklisting status):
www.cisco.com
www.vmware.com
cve.mitre.org
www.auscert.org.au
www.phishtank.com
www.buzzfeed.com
www.reddit.com
dl.dropbox.com
www.avg.com
www.malekal.com
nakedsecurity.sophos.com
blog.dynamoo.com
malware-traffic-analysis.net
blog.malwaremustdie.org
Cisco's blacklisting entry looks like this:
Now, you can ask Quttera to unblacklist your site for free by raising a ticket but the most prominent link leads to a paid service for £60/year. Hmmm.
I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use; some of these sites should obviously be whitelisted. Quttera also doesn't understand the difference between a malicious domain or IP merely being mentioned on a page and such a site actually being linked to from, or injected into, a page.
I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments?
Labels:
Fail,
False Positive
Tuesday, 17 September 2013
FedEx spam FAIL
This fake FedEx spam is presumably meant to have a malicious payload:
Date: Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From: webteam@virginmedia.com
Subject: Your Rewards Order Has Shipped
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page
Thanks for choosing FedEx.
Order Confirmation Number: 0410493
Order Date: 09/15/2013
Redemption Item Quantity Tracking Number
Paper, Document 16 <
fedex.com Follow FedEx:
You may receive separate e-mails with tracking information for reward ordered.
My FedEx Rewards may be modified or terminated at any time without notice. Rewards points available for qualifying purchases and certain exclusions apply. For details and a complete listing of eligible products and services please read My FedEx Rewards Terms and Conditions .
©2012 FedEx. The content of this message is protected by copyright and trademark laws under U.S. and international law. Review our privacy policy . All rights reserved
Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care.
Friday, 28 June 2013
jConnect spam / FAX_281_3927981981_283.zip
Date: Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
From: jConnect [message@inbound.j2.com]
Subject: jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967
Fax Message [Caller-ID: 697-377-6967]
You have received a 28 page(s) fax at 2012-12-17 02:13:41 EST.*
The reference number for this fax is lax3_did10-1019412300-0003832668-11.
This message can be opened using your PDF reader. If you have not already installed j2 Messenger, download it for free: http://www.j2.com/downloads
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!
Home Contact Login
2011 j2 Global Communications, Inc. All rights reserved. jConnect is a registered trademark of j2 Global Communications, Inc. This account is subject to the terms listed in the jConnect Customer Agreement.
Both the email and the attachment are horribly mangled, and in this case don't contain their malicious payload (as with this spam run). But be careful if receiving an email of this type as the next time the spammers try it, it may well be more dangerous.
Labels:
EXE-in-ZIP,
Fail,
Spam
Friday, 21 June 2013
LexisNexis spam FAIL
Date: Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From: LexisNexis [einvoice.notification@lexisnexis.com]
Subject: Invoice Notification for June 2013
There was an invoice issued to your company: [redacted]
Please double click the PDF attachment to open or print your invoice. To view full invoice details or for any Online Account Management options, download PDF attachment.
Account Number 455SAZ
Invoice Number 904510653899
Invoice Date June 21, 2013
Invoice Amount $3.508.00
Account Balance $0.00
You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.
You can also print this e-mail and send your payment to:
LexisNexis
PO BOX 7247-7090
Philadelphia, PA 19170-7090
If you have questions about your invoice, please contact LexisNexis at 1-800-262-2391, option 3.
If you would like to contact your Account Manager, please contact LexisNexis at 1-800-262-2391, option 2.
Please add this domain @email.lexisnexismail.com to your safe senders list.
Adobe Acrobat free downloadable file available at :
http://www.adobe.com/products/acrobat/readstep2.html
In this case the attachment is just 8 bytes and is harmless. Next time, it probably won't be..
Of note, the only link in the email goes to [donotclick]https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html, which is what happens to a URL when it has been rewritten by Outlook Web Access, in this case on the server server.nepplelaw.com. I have no explanation as to why it is there, but it is harmless.
Labels:
EXE-in-ZIP,
Fail,
Spam
Thursday, 20 June 2013
Moniker "Security Notice: Service-wide Password Reset" mail and t.lt02.net
This email from Moniker shows an impressive combination of WIN and FAIL at the same time.
Full disclosure and prompt action is a WIN. Shit happens, it's often how you deal with it that makes the difference. But wait.. where does the link in the email go to? t.lt02.net? Who the heck are they? And this is where a big dose of FAIL happens.
lt02.net belongs to a company called VertexInternet (vertex.net). This company is not related to Moniker, and bearing in mind that this email is about a potential security breach you might expect people to be a little bit cautious about clicking through those links.
To be fair, the body of the email does suggest going to "moniker.com" (i.e. typing it in the address bar). The mystery of lt02.net is easily explained too: VertexInternet run an email marketing system called Listrak, which is what is being used to send out the email. The email is legitimate, and presumably it has been done this way for reasons of speed. The problem is that many people will probably be highly suspicious of this email given the context, and that this approach is often used by the Bad Guys.
If you are going to send out a message like this, make sure that all the links go to a site that the recipient would recognise. In this case the sensible option would be to link directly to moniker.com. I'm betting that quite a few people will ignore this message and then wonder why they cannot log into their accounts at a later date.
www.moniker.com
Moniker
Moniker’s Operations & Security team has discovered and blocked suspicious activity on the Moniker network that appears to have been a coordinated attempt to access a number of Moniker user accounts.
As a precaution to protect your domains, we have decided to implement a system-wide password reset. Please read the below instructions to create a new password. You will not be able to access your Moniker account until these steps are taken.
In our security investigation, we have found no evidence that domains have been lost or transferred out. We also have no evidence that any confidential or credit card information has been compromised.
While our password encryption measures are robust, we are taking additional steps to ensure that your personal data and domains remain secure. This means that, to be absolutely sure of the security of your account, we are requiring all users to reset their Moniker account passwords.
Please reset your password by following the directions below.
1) Go to Moniker.com and click the “Sign In” button in the upper right hand corner of the home page. Select the “Forgot Your Password” link.
2) You will be directed to a page to “Retrieve” your Moniker Account Password. When prompted, enter your account number and click “Submit”.
3) You will be directed to a page that displays the message below. You will receive an email from Moniker. Please follow the instructions in this email to complete the password reset.
As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your domains and personal data safe very seriously, and we're constantly enhancing the security of our service infrastructure to protect our customers. We feel it is also important to be clear that we view this as attempted illegal activity and have taken steps to report this to the appropriate authorities.
There are also several important steps that you can take to ensure that your data on any website, including Moniker, is secure:
• Avoid using simple passwords based on dictionary words
• Never use the same password on multiple sites or services
• Never click on 'reset password' requests in emails that you did not request
Thank you for taking the time to read this email. We sincerely apologize for the inconvenience of having to change your password, but, ultimately, we believe this simple step will result in a more secure experience. If you have any questions, please do not hesitate to contact Moniker Support. Our support team is standing by to assist at 800-688-6311 or outside the U.S. and Canada: 954-607-1294.
Drake Harvey
Chief Operations Officer
Moniker.com
Moniker
1800 SW 1st Ave, Suite 440, Portland, OR, USA
Sales and Support: +1 (800) 688-6311
www.moniker.com
Copyright © 2013 Moniker.com | SnapNames.
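The check the post above is asking for can also be automated on the receiving side: pull every link out of the HTML body and flag any whose registrable domain is not the sender's, so that "Moniker.com" text pointing at t.lt02.net stands out. The Python below is an added example written for this page, not code from the post, from Moniker or from Listrak; the HTML snippet is constructed, and the t.lt02.net tracking paths in it are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._open = None          # [href, text-so-far] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._open = [href, ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], " ".join(self._open[1].split())))
            self._open = None


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels. Real tooling should
    use a public-suffix list, otherwise co.uk-style domains collapse to the suffix."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def off_domain_links(sender_domain: str, html: str) -> list:
    """Return the http(s) links whose domain is not the sender's own."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue                                  # mailto:, tel:, cid: etc.
        host = parts.hostname or ""
        if registrable(host) != registrable(sender_domain):
            findings.append({"href": href, "text": text, "host": host})
    return findings


# Constructed HTML modelled on the notice above: the call-to-action text says
# Moniker.com but the href goes through a third-party mailer's click tracker.
SAMPLE_HTML = """
<p>Go to <a href="http://t.lt02.net/r/abc123">Moniker.com</a> and click Sign In.</p>
<p>Questions? <a href="https://www.moniker.com/support">Moniker Support</a>
or <a href="mailto:support@moniker.com">email us</a>.</p>
<p><a href="http://t.lt02.net/u/xyz">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for f in off_domain_links("moniker.com", SAMPLE_HTML):
        print(f"'{f['text']}' -> {f['host']}  ({f['href']})")
```

Run against the sample it reports the two t.lt02.net links and stays quiet about the www.moniker.com one; mailto: links are skipped rather than flagged because they have no host to compare. The two-label domain guess is the weak spot, so swap in a public-suffix library before using this on real mail.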
Labels:
Data Breach,
Fail
Wednesday, 19 June 2013
HP Spam / HP_Scan_06292013_398.zip FAIL
I've been seeing these spams for a couple of days now..
Date: Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From: HP Digital Device [HP.Digital0@victimdomain]
Subject: Scanned Copy
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader.
-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------
There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware, but the attachment is too small to have a payload. Initially I thought that some random part of somebody's security infrastructure was stripping it off, until I got a really clean copy and found that the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Neither can be a ZIP at all: a real archive starts with the bytes 50 4B ("PK"), and even an empty one is 22 bytes long. Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it). Weird, huh?
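The corrupt-attachment posts on this page (the Exova "Credit UB" run decoded by hand from its Base 64 section, the "Invoice January" run with the leading space in that section, and this 8-byte HP "ZIP") all come down to the same analyst task: pull the transfer-encoded part out of the raw message, decode it the forgiving way a mail client won't, and check what you actually got. The Python below is an added example written for this page, not code from the blog. Its sample message, sender and 22-byte empty-ZIP "attachment" are constructed; the only real data in it are the first base64 line of the 18 July 2016 .docm quoted on this page and the 8 bytes shown above.

```python
import base64
import binascii
import email
import hashlib
from email import policy
from typing import Optional

# Constructed sample: a multipart message whose base64 attachment body starts
# with a stray space, modelled on the malformed spam runs described on this page.
# The "attachment" is a 22-byte empty ZIP (just an end-of-central-directory
# record), not malware.
DUMMY_ZIP = b"PK\x05\x06" + b"\x00" * 18
CLEAN_B64 = base64.b64encode(DUMMY_ZIP).decode("ascii")
RAW_MESSAGE = b"".join([
    b'From: "A . Baird" <ABaird@example.invalid>\r\n',   # constructed sender
    b"Subject: Invoice January\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n',
    b"\r\n",
    b"--XYZ\r\n",
    b"Content-Type: text/plain; charset=us-ascii\r\n",
    b"\r\n",
    b"Please find attached invoice.\r\n",
    b"--XYZ\r\n",
    b'Content-Type: application/msword; name="invoice.doc"\r\n',
    b"Content-Transfer-Encoding: base64\r\n",
    b'Content-Disposition: attachment; filename="invoice.doc"\r\n',
    b"\r\n",
    b" " + CLEAN_B64.encode("ascii") + b"\r\n",           # <- the stray leading space
    b"--XYZ--\r\n",
])

# Real data quoted on this page: the first base64 line of the 18 July 2016 .docm
# and the entire "ZIP" attachment from the June 2013 HP scan spam.
DOCM_FIRST_LINE = "UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIo"
HP_ATTACHMENT = bytes.fromhex("12BAE8AC16AC7BAE")


def strict_decode(b64_text: str) -> Optional[bytes]:
    """Decode the way an unforgiving client does: line breaks are fine, but any
    other non-alphabet character (such as a leading space) aborts the decode,
    which is how you end up with a zero-byte attachment."""
    joined = "".join(b64_text.splitlines())
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error:
        return None


def lenient_decode(b64_text: str) -> bytes:
    """Analyst decode: discard all whitespace, repair missing padding, then decode."""
    cleaned = "".join(b64_text.split())
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def sniff(data: bytes) -> str:
    """Identify the container from its magic bytes."""
    if data.startswith(b"PK\x03\x04") or data.startswith(b"PK\x05\x06"):
        return "zip"       # OOXML (.docm/.xlsm) documents are ZIP containers
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"      # legacy binary .doc/.xls
    if data.startswith(b"MZ"):
        return "pe"        # Windows executable
    return "unknown"


def recover_attachments(raw: bytes) -> list:
    """Walk a raw RFC 822 message and try both decodes on every base64 attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        if str(part.get("Content-Transfer-Encoding", "")).lower() != "base64":
            continue
        encoded = part.get_payload(decode=False)      # still transfer-encoded text
        data = lenient_decode(encoded)
        findings.append({
            "filename": part.get_filename(),
            "strict_ok": strict_decode(encoded) is not None,  # False: client shows 0 bytes/garbage
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": sniff(data),
            "data": data,
        })
    return findings


if __name__ == "__main__":
    for f in recover_attachments(RAW_MESSAGE):
        print(f["filename"], "strict_ok=%s" % f["strict_ok"], f["size"], f["magic"], f["sha256"])
    print("docm first line:", sniff(lenient_decode(DOCM_FIRST_LINE)))
    print("HP sample:", sniff(HP_ATTACHMENT), len(HP_ATTACHMENT), "bytes")
```

On the constructed message the strict decode fails (that is the zero-byte attachment the posts describe) while the lenient decode returns the full file, so you get a size, a hash to look up and a container type to decide what to open it with. The 18 July .docm line decodes to a ZIP local-file header for [Content_Types].xml, as expected for an Office 2007+ document; the HP bytes decode to nothing recognisable, which is the "too small to have a payload" case.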
Labels:
EXE-in-ZIP,
Fail,
Malware,
Printer Spam,
Spam,
Viruses
Thursday, 11 October 2012
Sophos: "Your phone number may not be as private on Facebook as you think - and how to fix it"
From Sophos.. another good reason not to use Facebook.
So, as well as leaking email addresses through a reverse lookup, Facebook also does a reverse lookup for telephone numbers. What could possibly go wrong?
Well, until somebody figures out how to write a script to harvest the phone numbers automatically, that is..
Added: oh look, somebody did it already.
Friday, 20 April 2012
New Blogger interface: It's all too horrible to contemplate.
If you use Blogger, you'll know that it has a new interface. It's horrible. OK, the old interface was horrible but usable at the same time. This is just horrible, with the familiar looking elements seeming sprinkled at random over the new interface.
There are a lot of companies at the moment doing a similar thing.. making over their tried and tested (but tired) old software interfaces and coming up with something pastel-ly and awful. Or perhaps I'm just a Luddite?
Update: you can share your feedback on the Blogger forum which is full of similar complaints.
Monday, 5 March 2012
BBB Spam FAIL / domain.com
Here's a normal looking BBB spam, which typically would lead to malware:
From: Milford Finn risk@bbb.org
Date: 5 March 2012 10:42
Subject: BBB have recieved a customer complaint about your company.
Business Owner/Manager,
One of your business customers has filed a complaint with The Better Business Bureau concerning the negative experience he had with your company. The consumer complaint is attached below. Please submit your response to this matter as within 21 days. The most efficient way to provide your response is by using the Online Complaint system. Please follow the following link to access the above-mentioned customer complaint and submit your response to it:
BBB complaint center
Use the following data to login:
Case ID: #2478119
Password: 65950
The Better Business Bureau acts in the role of a a neutral third party, and helps you resolve your customer disputes fast and efficiently. We develop and support online Reliability reports on American companies, open to the Public and used by millions of business customers. A satisfactory customer report can have a pronounced positive impact on your business.
We hope for your immediate attention to this matter.
Sincerely,
Kenyon Frye
Dispute Counselor
Except the idiot spammers have forgotten to include the domain name in the link and have left it at what is presumably the template default of domain.com.
Unfortunately, next time the spammers will probably get it right.. in the meantime, here are some example subjects being used in this attack:
- Better Business Bureau needs your urgent attention.
- Better Business Bureau customer complaint.
- BBB have recieved a customer complaint about your company.
- Your company is accused of illegal financial transactions.
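As an added example (not code from this post), a small Python triage helper that pulls the link targets out of a message like the one above and flags the unfilled `domain.com` template default alongside the campaign subject lines listed here. The sample message and the placeholder hosts other than domain.com are constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Subject lines documented for this BBB campaign (taken from the post above).
BBB_CAMPAIGN_SUBJECTS = {
    "Better Business Bureau needs your urgent attention.",
    "Better Business Bureau customer complaint.",
    "BBB have recieved a customer complaint about your company.",
    "Your company is accused of illegal financial transactions.",
}

# Hostnames that show a mail template was never filled in. "domain.com" is
# the one seen in this run; the other two are assumed defaults (constructed).
PLACEHOLDER_HOSTS = {"domain.com", "example.com", "yourdomain.com"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

def extract_links(msg):
    """Collect href targets and bare URLs from every text part of a message."""
    links = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        links.update(HREF_RE.findall(body))
        links.update(URL_RE.findall(body))
    return sorted(links)

def classify(raw):
    """Return a triage record: campaign subject match, links, placeholder hosts."""
    msg = email.message_from_string(raw, policy=policy.default)
    links = extract_links(msg)
    hosts = [(urlparse(u).hostname or "").lower() for u in links]
    placeholder = [h for h in hosts if h in PLACEHOLDER_HOSTS]
    subject_hit = str(msg["Subject"] or "").strip() in BBB_CAMPAIGN_SUBJECTS
    verdict = "unknown"
    if subject_hit:
        verdict = "bbb-lure-broken" if placeholder else "bbb-lure"
    return {"subject_matches_campaign": subject_hit, "links": links,
            "unfilled_template_hosts": placeholder, "verdict": verdict}

# Constructed sample modelled on the spam above (not a captured message).
SAMPLE = """\
From: Milford Finn <risk@bbb.org>
Subject: BBB have recieved a customer complaint about your company.
Content-Type: text/html; charset=us-ascii

<p>Please follow the following link to access the customer complaint:</p>
<a href="http://domain.com/complaint.php?id=2478119">BBB complaint center</a>
"""
```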
Tuesday, 26 July 2011
Phishtank FAIL: paypal.de
paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on 66.211.168.83 in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.
So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.
Monday, 14 June 2010
Phishtank FAIL: hsbcnet.com / hsbc.net
hsbcnet.com is a valid and legitimate website belonging to HSBC. Traffic is redirected to this site from hsbc.net. The site itself is hosted on AS26381 63.111.163.110, which is delegated by Verizon to an HSBC subsidiary called Household International. The hsbcnet.com domain was registered in 1998 to a registrant with an hsbc.com address:
Registrant:
HSBC
One HSBC Center
Floor 21 - HTS eBusiness
Buffalo, NY 14203
US
Domain Name: HSBCNET.COM
Administrative Contact, Technical Contact:
Fischer, Chuck charles.fischer -at- us.hsbc.com
HSBC Bank USA
One HSBC Bank
eBusiness, 21st Floor
Buffalo,, NY 14203
US
(716) 841-2075 fax: (716) 841-5022
Record expires on 04-Dec-2010.
Record created on 04-Dec-1998.
Database last updated on 14-Jun-2010 04:41:11 EDT.
Domain servers in listed order:
NS3.HSBC.COM
NS4.HSBC.COM
It's clearly not a phishing site, and yet Phishtank say that it is.
Now, Phishtank does just allow any old user to mark a site as phishing. In this case, the site was submitted by a user called dvk01 and then verified by SEVEN other people as a phish - stuartgrant knack NotBuyingIt cybercrime marcoadfox Aminof theGeezer - although some people have said that it isn't. As a result of this faulty groupthink, 71% of reports say that this legitimate site is a phish.
This false positive has now filtered down to OpenDNS and a number of other blocking services (e.g. Sophos) that are now erroneously blocking access to HSBC.
Don't get me wrong, Phishtank and other similar services can be very useful. But in this case it shows that Phishtank's verification process really doesn't work.. as any actual examination of the web site in question would surely identify it as legitimate.