I wrote about the French (or possibly Moroccan) IT security firm Mobiquant Technologies last year when their website was serving up an exploit kit, and they failed to respond to any attempts at communicating with them. Eventually (after several weeks) they woke up and fixed the problem, and then proceeded to mount a bizarre and highly personal attack on me.
I've kept a bit of an eye on them since then as there are several things that don't add up. One of them is a website they are running at mobiquantacademy.com. For some reason I cannot fathom, it appears to have been set up to spoof a site belonging to Southampton Solent University, an organisation that they do not seem to be affiliated with in any way.
It isn't a copy of the current Solent myCourse site; it seems to be a couple of years old. So a copy, not a mirror or anything.
The Mobiquant site prominently displays a login box:
A look at the HTML source [pastebin] shows that although there are plenty of references back to the solent.ac.uk domain, the part that handles processing the login is very much on the mobiquantacademy.com domain.
<form action="http://www.mobiquantacademy.com/login/index.php" method="post" id="login" >
<div class="loginform">
<div class="form-label"><label for="username">Username</label></div>
<div class="form-input">
<input type="text" name="username" id="username" size="15" value="" />
</div>
<div class="clearer"><!-- --></div>
<div class="form-label"><label for="password">Password</label></div>
<div class="form-input">
<input type="password" name="password" id="password" size="15" value="" />
<input type="submit" id="loginbtn" value="Log in" />
</div>
</div>
<div class="clearer"><!-- --></div>
<div class="rememberpass">
<input type="checkbox" name="rememberusername" id="rememberusername" value="1" />
<label for="rememberusername">Remember username</label>
</div>
<div class="clearer"><!-- --></div>
<div class="forgetpass"><a href="forgot_password.php">Forgotten your username or password?</a></div>
</form>
So, if a student found this site somehow and typed in their credentials, then they would be processed by a PHP script on the mobiquantacademy.com site. That's a bit peculiar, isn't it? You might think that this was a security risk, which is an odd thing for an IT security firm to be doing.
So perhaps this is some sort of configuration error? I have certainly seen cases where misconfigured webservers serve up the wrong website. Well, there are several reasons why this isn't the case. Solent host their websites in their own IP address range of 194.81.144.0 - 194.81.159.255. www.mobiquantacademy.com is hiding behind a Cloudflare IP address, but plain old mobiquantacademy.com (without the www) is hosted on the real IP address of 192.163.241.167, which also hosts a number of sites that clearly link the domain with Mobiquant:
mseclabs.com
mail.mseclabs.com
secotnow.com
tripteek.com
clouderya.com
djmisterz.com
mail.djmisterz.com
mobiquant.com
www.mobiquant.com
mail.mobiquant.com
com1agency.com
mobiquantacademy.com
mobilesecurityfirst.com
ns1.mobilesecurityfirst.com
ns2.mobilesecurityfirst.com
securityinternetofthings.com
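The two indicators the post relies on, a login form that posts credentials to a host other than the site it imitates and a hosting address outside the legitimate organisation's own range, can be checked mechanically. The following is an added example and not code from the original post: the HTML is a constructed, cut-down copy of the quoted form with a few solent.ac.uk asset references (the mycourse.solent.ac.uk paths are invented), and the "expected domain" passed to the check is an assumption the caller supplies.

```python
"""Two checks a defender can run over a suspected spoofed login page.  Added
example, not code from the original post.  The HTML below is a constructed
cut-down copy of the quoted form plus a few solent.ac.uk asset references;
the asset paths and the "expected domain" are assumptions."""
import ipaddress
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hostnames from the post, paths invented).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://mycourse.solent.ac.uk/theme/styles.css" />
<script src="http://mycourse.solent.ac.uk/lib/javascript.js"></script>
</head><body>
<img src="http://mycourse.solent.ac.uk/pix/logo.png" />
<form action="http://www.mobiquantacademy.com/login/index.php" method="post" id="login">
<input type="text" name="username" id="username" size="15" value="" />
<input type="password" name="password" id="password" size="15" value="" />
<input type="submit" id="loginbtn" value="Log in" />
<div class="clearer"><!-- --></div>
<a href="forgot_password.php">Forgotten your username or password?</a>
</form>
</body></html>
"""

# Address range the post gives for Solent's own hosting.
SOLENT_RANGE = ("194.81.144.0", "194.81.159.255")


class RefCollector(HTMLParser):
    """Collect form action URLs and the hostnames of other referenced assets."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.asset_hosts = Counter()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        for key in ("src", "href"):
            host = urlparse(a.get(key) or "").hostname  # relative links have no host
            if host:
                self.asset_hosts[host.lower()] += 1


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def offsite_form_hosts(html, expected_domain):
    """Hosts that receive the form's POST but are not under expected_domain.
    On the page quoted above that is www.mobiquantacademy.com."""
    collector = RefCollector()
    collector.feed(html)
    offsite = []
    for action in collector.form_actions:
        host = (urlparse(action).hostname or "").lower()
        if host and not belongs_to(host, expected_domain):
            offsite.append(host)
    return offsite


def dominant_asset_host(html):
    """The host most of the page's assets come from; a login form that posts
    somewhere else is the tell-tale sign of a copied page."""
    collector = RefCollector()
    collector.feed(html)
    return collector.asset_hosts.most_common(1)[0][0] if collector.asset_hosts else None


def hosted_in_range(ip, ip_range=SOLENT_RANGE):
    """Whether an address lies inside an organisation's published range."""
    first, last = (ipaddress.ip_address(x) for x in ip_range)
    return first <= ipaddress.ip_address(ip) <= last


if __name__ == "__main__":
    print("assets served from:", dominant_asset_host(SAMPLE_HTML))
    print("credentials posted to:", offsite_form_hosts(SAMPLE_HTML, "solent.ac.uk"))
    # 192.163.241.167 is the address the post gives for mobiquantacademy.com
    print("192.163.241.167 in Solent range:", hosted_in_range("192.163.241.167"))
```

The asset-host count is what makes the check useful on a page you have not seen before: when stylesheets, scripts and images overwhelmingly come from one domain and the only off-domain reference is the form action, the page is almost certainly a copy with a replaced login handler.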
As I found before with Mobiquant's main mobiquant.com domain, the WHOIS details for mobiquantacademy.com are completely fake.
Registrant Name: ALEXANDRA MEYER
Registrant Organization: FORTESIA
Registrant Street: 33
Registrant Street: KNIGHTSBRIDGE RD
Registrant City: PISCATAWAY
Registrant State/Province: NJ
Registrant Postal Code: 08854
Registrant Country: US
Registrant Phone: +1.3477481090
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: adds31@gmail.com
Registry Admin ID:
This isn't the first set of fake WHOIS details they have supplied for the domain. When I complained to their registrar and host that they were using fake details, they briefly removed the spoof Solent site and changed their WHOIS details from:
Registry Registrant ID:
Registrant Name: INTERNET GROUP
Registrant Organization: HOSTING JEWEL
Registrant Street: 7
Registrant Street: CHEVAL PLACE
Registrant City: LONDON
Registrant State/Province: LD
Registrant Postal Code: S6SDJ7
Registrant Country: GB
Registrant Phone: +44.2077776588
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: ADDS31@GMAIL.COM
Registry Admin ID:
The fact that the spoof Solent site was removed and then re-added looks rather strange in my personal opinion. Namecheap (the registrar) confirmed that the content had been removed, but now it is back.
Another thing that makes this look like a deliberate act is the way that the mobiquantacademy.com website is explicitly referred to in the HTML source code when it comes to the login handler, which means that the code was altered deliberately. If the site had somehow been accidentally mirrored then it would not have that explicit reference.
Neither Mobiquant's websites nor Solent's website have any reference to the other party. A Google search of the two parties does not show any relationship, apart from Mobiquant's copy of Solent's site. I cannot see any legitimate reason why Mobiquant would be running a site that was asking for the credentials of Solent students.
So what is this site for? I leave you to draw your own conclusions.
UPDATE: Mobiquant must be keeping track of my blog or my Tweets as they have now deleted the site.
However, if you wish to analyse a copy of the site yourself you can download a ZIPped copy from here.
Sunday, 21 September 2014
Why is Mobiquant pretending to be Southampton Solent University?
Saturday, 20 September 2014
Scam: advocateforyouths.org is not the real Advocates for Youth (and other scam sites)
I've covered these scammers before - they rip off legitimate websites such as the genuine Advocates for Youth and use them to commit fraud. The domain advocateforyouths.org is currently being pushed by the bad guys; note that the legitimate domain is actually advocatesforyouth.org.
This email is a scam and is basically a way to defraud the potential victim of money by making them think that they are dealing with a real organisation. The website referred to is an almost pixel-perfect copy of the real thing.
The differences are very subtle. Crucially the contact details between the fake and real sites are different, but the scammers have gone to the effort of acquiring a phone number in the same area code.
Let's look at the WHOIS details for the fake domain:
Registrant ID:DI_37927050
Registrant Name:weba
Registrant Organization:greg
Registrant Street: rue marcel de france
Registrant City:la chapelle
Registrant State/Province:St luc
Registrant Postal Code:10600
Registrant Country:FR
Registrant Phone:+33.2356789990
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:nelsondove1@gmail.com
Not much to go on there, but the scammers are using their own email infrastructure to pump these out from 208.91.199.216 using the domain esecuredmails.eu registered to:
Name: Nelson
Organisation: N/A
Language: English
Address:
bijsterhuizen 1160
2282 pm Rijswijk
Netherlands
Phone: +31.645433356
Email: unit1x1@yahoo.com
Both of these refer to "Nelson". The website advocateforyouths.org actually forwards to a framed page on www-parisline.in (hosted on 103.242.119.69 in India) registered to:
Registrant Name:Patrik Pie
Registrant Organization:N/A
Registrant Street1:14 rue du Theatre
Registrant Street2:
Registrant Street3:
Registrant City:Porte de Versailles
Registrant State/Province:Paris
Registrant Postal Code:75015
Registrant Country:FR
Registrant Phone:+33.0617750470
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:nelsondove1@gmail.com
As before, this site also contains a number of other fake sites, some of which are likely to form part of the same scam. I covered the fake Al-zaida Emirates Group Holding Co and Hotel T Bello before. There may be other scam sites on the same server.
Advocates for Youth is a decent organisation, and apparently these scumbag scammers have no shame whatsoever in using their good name for their own financial gain. Given the relative sophistication of the scammer's set-up, it is likely that they will keep trying with this particular scam.
Take care.
From: advocates3@esecuredmails.eu
Date: 20 September 2014 00:52
Subject: Re: Effects of Teenage Marriage
Signed by: esecuredmails.eu
INTERNATIONAL YOUTH CONFERENCE ON “ EFFECTS OF TEENAGE MARRIAGE AND HIV/AIDS "
Advocates for Youth and co-organizers of the 21st international NGO's & CBO's conference on community Development and Development Planning have the pleasure to invite Youth Organizations, Socio Cultural Organizations, Community Based Organizations (CBO) Scholars, Researchers, Health Organizations, Professionals, Business Organizations (NGOs) Religion Organizations, Human Right Organizations & Women Groups to the International Conference on"Effects of Teenage Marriage and HIV/AIDS " taking place from Thursday 20th - Friday 21st November 2014 in U.S.A and Monday 24th - Friday 28th November 2014 in The NETHERLANDS respectively.
This is the most important event in the framework of the fight to Educate the Youth on HIV/AIDS, Child Abuse, human and community development which will take place in Washington DC, United States of America from Thursday 20th - Friday 21st November 2014 in U.S.A and Monday 24th - Friday 28th November 2014 in The NETHERLANDS respectively.
Advocates for Youth is registered 501(c) Non profit international organization whose aims & objectives are to empower individuals and communities worldwide through offering grants for business, education, economic enhancement, community development and environmental conservation, to support groups and organizations addressing social issues, youth ad women empowerment, and a variety of philanthropic projects through grants to non-profit organization; to provide education & information with view of limiting abuse and child molestation, to support and advocate on behalf of those infected and affected by the menace or abuse and neglect to promote the well-being of mankind by empowering the capacity of charitable organization to provide effective programs of quality.
This conference will bring together 1026 representatives of NGOs/CBOs and numerous numbers of interested individual participants from all over the world. The conference will be conducted on participatory bases with satellite plenary and simultaneous sessions followed by general and small group discussions.
FINANCIAL SUPPORT: The conference receives financial support from CitiBank New York and United Nations Youth Commission etc. This sponsorship covers the following:
1. Return Airplane travel tickets for selected delegates from their home countries to venues of the event in Washington DC ( United States of America ) and The Hague City (The Netherlands), then back to their home countries.
2. Hotel accommodations in Washington DC ( United States ) only for selected delegates and their friends.
3. Medical insurance cover for delegates throughout the entire conference duration.
Advocates for Youth will not assume the responsibilities of any other costs other than those listed above.
NOMINATION & SELECTION OF PARTICIPANTS: Intending participants are requested to nominate between Five (5) to Ten (15) active members to participate. Participants should be from 14 years and above (Male or Female).
REGISTRATION PROCESS: To register to take part in this Conference, please request for the International Delegates Registration form and other conference information. The request for registration form and other conference information should be addressed to the Secretary:
Linara J. Davidson
Secretary, Advocates for youth
2000 M Street, NW Suite 750,
Washington DC 20036,
United States of America,
Tel: +1 202.600.9543
Fax: + 1 650.747.4401
Email: ljdavidson@advocateforyouths.org
Website: www.advocateforyouths.org
While we anticipate your earliest response, you are advised to contact the Secretary by email and we look forward to meeting up with you and your group in Washington DC and The Hague City to assert a new change for a stronger society.
Announcer !!!
Debra Hauser
President, Advocates for youth,
Washington DC
U.S.A.
Email: debra.hauser@advocateforyouths.org
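Two of the techniques used in this post, pivoting on a registrant email shared between unrelated-looking domains and spotting a domain that differs from the real one by a single letter, are easy to automate. The block below is an added example and not code from the original post: the three WHOIS records are trimmed copies of the ones quoted on this page (including the Mobiquant one from the post above, whose fax number is obvious filler), and the PROTECTED list of brand domains is an assumption.

```python
"""Pivot WHOIS records on shared contact details and check a domain against
protected names for lookalikes.  Added example, not code from the original
post.  The three records are trimmed copies of the ones quoted on this page;
the PROTECTED list is an assumption."""
import re
from difflib import SequenceMatcher

RECORDS = {
    "advocateforyouths.org": """
Registrant Name:weba
Registrant Organization:greg
Registrant Country:FR
Registrant Phone:+33.2356789990
Registrant Fax:
Registrant Email:nelsondove1@gmail.com
""",
    "www-parisline.in": """
Registrant Name:Patrik Pie
Registrant Organization:N/A
Registrant Country:FR
Registrant Phone:+33.0617750470
Registrant Email:nelsondove1@gmail.com
""",
    "mobiquantacademy.com": """
Registrant Name: ALEXANDRA MEYER
Registrant Organization: FORTESIA
Registrant Country: US
Registrant Phone: +1.3477481090
Registrant Fax: +1.5555555555
Registrant Email: adds31@gmail.com
""",
}

# Brands whose domains we want to protect against typo-squats (assumed list).
PROTECTED = ["advocatesforyouth.org", "solent.ac.uk"]


def parse_whois(text):
    """'Key:Value' lines into a dict; tolerates missing spaces and skips empty values."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip().lower()] = value.strip()
    return record


def pivot(records, field="registrant email"):
    """Values of `field` shared by more than one domain -> sorted list of domains."""
    seen = {}
    for domain, text in records.items():
        value = parse_whois(text).get(field)
        if value:
            seen.setdefault(value.lower(), []).append(domain)
    return {v: sorted(d) for v, d in seen.items() if len(d) > 1}


def looks_placeholder(number):
    """A number ending in one repeated digit (e.g. +1.5555555555) is filler,
    not a real contact point."""
    digits = re.sub(r"\D", "", number)
    return len(digits) >= 7 and len(set(digits[-7:])) == 1


def placeholder_fields(records):
    """(domain, field, value) for phone/fax fields that look like filler."""
    out = []
    for domain, text in records.items():
        for field, value in parse_whois(text).items():
            if ("phone" in field or "fax" in field) and looks_placeholder(value):
                out.append((domain, field, value))
    return out


def lookalike_of(domain, protected=PROTECTED, threshold=0.9):
    """Closest protected name if the domain is near-identical but not equal,
    as (name, similarity); None otherwise."""
    best = max(protected, key=lambda p: SequenceMatcher(None, domain, p).ratio())
    score = SequenceMatcher(None, domain, best).ratio()
    if domain != best and score >= threshold:
        return best, round(score, 3)
    return None


if __name__ == "__main__":
    print("shared registrant emails:", pivot(RECORDS))
    print("filler contact numbers:", placeholder_fields(RECORDS))
    print("lookalike check:", lookalike_of("advocateforyouths.org"))
```

The similarity threshold is deliberately high: advocateforyouths.org scores about 0.95 against the genuine domain, while unrelated names fall well below 0.9, so the check catches the one-letter swap without flooding a reviewer with false positives.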
Friday, 19 September 2014
Microsoft Outlook "You have received a voice mail" spam
The link in the email messages goes to www.prolococapena.com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www.prolococapena.com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the same malicious executable being pushed in this earlier spam run.
From: Microsoft Outlook [no-reply@victimdomain.com]
Date: 19 September 2014 11:59
Subject: You have received a voice mail
You received a voice mail : VOICE976-588-6749.wav (25 KB)
Caller-Id: 976-588-6749
Message-Id: D566Y5
Email-Id: conrad@longmore.me.uk
Download and extract to listen the message.
We have uploaded voicemail report on dropbox, please use the following link to download your file:
---
http://www.prolococapena.com/yckzpntfyl/mahlqhltkh.html
---
Sent by Microsoft Exchange Server
"NatWest Statement" spam.. yet again.
Poor old NatWest is being spoofed again in this spam run that leads to malware..
In this case, the link in the email goes to www.teli.us/ylojwatayv/hjhgoflpob.html which then downloads a file from the same site at www.teli.us/ylojwatayv/Invoice102740_448129486142_pdf.zip - this in turn unzips to a malicious executable Invoice102740_448129486142_pdf.exe which has a VirusTotal detection rate of 1/55.
Analysis of this binary is still pending.
UPDATE: the Anubis report shows network activity to hallerindia.com on 192.185.97.223. I would suggest that this is a good domain to block.
From: NatWest.co.uk [noreply@natwest.com]
Date: 19 September 2014 10:40
Subject: NatWest Statement
View Your September 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience.
Thank you for managing your account online.
Sincerely,
NatWest Bank
Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ®
Merchant account, please speak to a Customer Service representative at 1-800-374-2639
NatWest Bank Customer Service Department
P.O. Box 414 | 38 Strand, WC2N 5JB, London
Copyright 2014 NatWest Company. All rights reserved.
AGNEUOMS0006001
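Both of the runs above deliver a ZIP whose name ends in "_pdf.zip" and whose only member is an executable with the same "_pdf" decoy in its name, and the invoice run below uses a .scr inside "Account_Document.zip". That pattern is simple to screen for at the mail gateway. The following is an added example and not code from the original posts: the archives are constructed in memory using the filenames quoted in the posts and contain harmless filler bytes, not the malware.

```python
"""Attachment screening for the "_pdf.zip -> _pdf.exe" pattern used in the
spam runs above.  Added example, not code from the original posts.  The
archives are constructed in memory from the filenames quoted in the posts
and contain harmless filler, not the malware itself."""
import io
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".jar"}
# Tokens that make a file *look* like a document, audio clip or invoice.
DECOY_TOKEN = re.compile(
    r"(^|[_.\-])(pdf|doc|docx|xls|xlsx|wav|document|invoice|statement)([_.\-]|$)")


def build_zip(member_names):
    """Construct a ZIP in memory; the members hold filler bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"constructed sample content, not an executable")
    return buf.getvalue()


# Constructed samples named after the attachments described in the posts.
SAMPLES = {
    "Invoice102740_448129486142_pdf.zip": build_zip(["Invoice102740_448129486142_pdf.exe"]),
    "Account_Document.zip": build_zip(["Account_Document.scr"]),
    "SKMBT_75114091015230.zip": build_zip(["SKMBT_75114091015230.exe"]),
    "quarterly_report.zip": build_zip(["quarterly_report.pdf"]),  # benign control
}


def name_findings(name):
    """Reasons a single filename is suspicious (empty list if none)."""
    lower = name.lower()
    stem, dot, ext = lower.rpartition(".")
    ext = dot + ext if dot else ""
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        if DECOY_TOKEN.search(stem):
            findings.append("document-like name on an executable")
    return findings


def assess_attachment(filename, data):
    """Findings for the attachment itself and, if it is a ZIP, for every member."""
    findings = [(filename, f) for f in name_findings(filename)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                findings.extend((info.filename, f) for f in name_findings(info.filename))
    return findings


def should_block(filename, data):
    """Policy: block any attachment that produced at least one finding."""
    return bool(assess_attachment(filename, data))


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = "BLOCK" if should_block(name, data) else "allow"
        print(name, verdict, assess_attachment(name, data))
```

Looking inside the archive matters more than the outer name: the ZIP itself carries no executable extension, so a gateway that only inspects the attachment filename would pass every one of these runs.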
Thursday, 18 September 2014
"Important - New account invoice" spam leads to malware
This fake NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
The link in this particular email goes to bnsoutlaws.co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws.co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53.
The ThreatTrack report [pdf] shows that the malware attempts to call home to:
188.165.204.210/1809uk1/NODE01/0/51-SP3/0/
188.165.204.210/1809uk1/NODE01/1/0/0/
188.165.204.210/1809uk1/NODE01/41/5/4/
liverpoolfc.bg/images/stories/1809uk1.shh
Recommended blocklist:
188.165.204.210
liverpoolfc.bg
UPDATE: bnsoutlaws.co.uk is now cleaned up, so you can un-block it.
UPDATE:
The same malware is also being pushed by a fake Lloyds Bank email..
From: NatWest Invoice [invoice@natwest.com]
Date: 18 September 2014 11:06
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below :
https://www.nwolb.com/ServiceManagement/InvoicePageNoMenu.aspx?InvoiceCode=Invoice_712816
Thank you for choosing NatWest.
Important: Please do not respond to this message. It comes from an unattended mailbox.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.
From: Lloyds Commercial Bank [secure@lloydsbank.com]
Date: 18 September 2014 11:45
Subject: Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file)
----------------------
http://fleabuster.com/dkklteqsrx/wlodznqmfc.html
-----------------------
Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .
Yours faithfully
James Vance
Senior Manager, Lloyds Commercial Banking
Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.
Please remember we guarantee the security of messages sent by email.
Wednesday, 17 September 2014
The Furniture Market "TFM Confirmation - Order R12003585" spam
This fake order confirmation is not from The Furniture Market (thefurnituremarket.co.uk). It has a malicious PDF file attached to it that you should not open. The Furniture Market's computer systems have not been compromised.
It is trivially easy to fake who an email message is "From", and this email looks very convincing which makes me suspect that the bad guys have based it on a real message, possibly harvested from a hacked computer.
The attachment is IR12003585-001.pdf which is a malicious PDF file with a VirusTotal detection rate of 10/54. The VT report indicates that it is using vulnerability CVE-2013-2729 to execute malicious code. If you are using an up-to-date version of Acrobat Reader (or an alternative PDF reader) then there is a good chance that you will be OK.
The Furniture Market gets considerable kudos in my book for being very on the ball and having a great big warning notice on their site. Hopefully they are just as efficient when it comes to delivering furniture!
From: Marc - The Furniture Market [marc@thefurnituremarket.co.uk]
Date: 17 September 2014 15:40
Subject: TFM Confirmation - Order R12003585
Good afternoon,
Thank you for your order. Please find attached to this mail, confirmation of the products ordered and collected from us earlier today.
Should you have any further queries, then please do not hesitate to contact us.
Kind Regards,
Marc Chadwick
The Furniture Market
Tel: 01829 759 259
Email: marc@thefurnituremarket.co.uk
Web: www.thefurnituremarket.co.uk
VAT No. 904103182 │ Company No. 6491540
Please consider the environment before printing this e-mail
"You've received a new fax". No you haven't, you've received a new bit of malware.
From: Fax [fax@victimdomain.com]
Date: 17 September 2014 09:32
Subject: You've received a new fax
New fax at SCAN6405035 from EPSON by https://victimdomain.com
Scan date: Wed, 17 Sep 2014 16:32:29 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://estudiocarraro.com.br/hpmdkvpvge/hljaejzkql.html
(Google Disk Drive is a file hosting service operated by Google, Inc.)
The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro.com.br site. This has a VirusTotal detection rate of 3/54. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker.de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker.de
estudiocarraro.com.br
Tuesday, 16 September 2014
WARNING: "Grant Funding USA" (grantfundingusa.org)
Grant Funding USA is run by Anthony Christoper Jones and Patchree Patchrint (aka Patty Patchrint or Patty Jones). Previous ventures by this pair include the North American Program Planning and Policy Academy (NAPPPA), Institute of Project Management America (IPMA) (aka DDGLA American Project Management LLC), the Institute for Communication Improvement, LLC, The Grant Institute, and the LA restaurants Mother Road, the Royale on Wilshire and Mode.
Their website makes all sorts of claims, including this one on their "About Us" page:
Established in 2004, Grant Funding USA is a network of independent consultants, nonprofit professionals, and fund raising executives dedicated to sharing their knowledge and expertise in the field of grantsmanship and program development. Our program instructors have over ten years of real world experience in the nonprofit and for profit arena which allows them to effortlessly weave theory and practice into a results oriented program for all participants. The goal of our program is to equip our graduates with the skills and tools they need to succeed in the competitive world of fund raising.
The website was created in March 2014, and certainly this network (of two people, basically) has not been in operation under this name for that long, although there have been warnings about its predecessor called "The Grant Institute" for several years.
Before dealing with this company, I urge you to do your own research on the companies that they have run before.
"Unpaid invoice notification" spam leads to Angler Exploit Kit
This convincing-looking but fake spam leads to an exploit kit.
The link in the email goes to:
[donotclick]tiragreene.com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080/wn8omxftff
You can see the URLquery report for the EK here. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US).
UPDATE 2014-09-17:
A second round of these is doing the rounds, leading to an exploit kit on [donotclick]109.232.105.106:8080/xolbnl9ehz (report) so I also recommend blocking 109.232.105.106 (Thyphone Communications, Russia)
The content of the email is essentially the same, but the subject and sender vary. Here are some examples:
[IMPORTANT] Invoice overdue notification
[IMPORTANT] Unpaid invoice notification
Last letter before commencing legal action
[IMPORTANT] Invoice overdue
[IMPORTANT] Recent invoice unpaid
Carmelo Erickson
Rosie Robertson
Tabitha Patterson
Phil Bates
Luisa Maso
From: Christie Foley [christie.foley@badinsky.sk]
Reply-to: Christie Foley [christie.foley@badinsky.sk]
Date: 16 September 2014 13:55
Subject: Unpaid invoice notification
We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 278.59 in respect of the invoice(s) contained in current letter . This was due for payment on 26 August, 2014.
Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue.The total amount due from you is therefore GBP 308.43
If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall have to begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take effect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing decline to respond.
To view the the original invoice please follow link
We immediate answer to this email.
Sincerely, Christie Foley.
The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, All rights reserved
"Kifilwe Shakong" "Copied invoices" spam
Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages; they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
The ThreatTrack report [pdf] shows that the malware attempts to phone home to the following domains and IPs which are worth blocking:
golklopro.com
94.100.95.109
31.134.29.175
176.213.10.114
176.8.72.4
176.99.191.49
78.56.92.46
195.114.159.232
46.98.234.76
46.185.88.110
46.98.122.183
46.211.198.56
195.225.147.101
176.53.209.231
The payload seems to be very similar to this spam run yesterday.
UPDATE: The ThreatExpert report also indicates that the malware downloads components from the following locations:
musicacademymadras.in/333
ethostraining.es/333.cab
acfnet.com.br/333.jpg
vistabuys.com/333.exe
The malware attempts to phone home to cosjesgame.su as well as golklopro.com.
The ThreatTrack report [pdf] for the second component shows the malware attempting to POST to 37.59.136.101 (OVH, France, allocated to "Varts Hosting GB") and 184.106.64.151 (Rackspace, US).
Recommended blocklist:
golklopro.com
cosjesgame.su
musicacademymadras.in
ethostraining.es
acfnet.com.br
vistabuys.com
31.134.29.175
37.59.136.101
46.98.234.76
46.98.122.183
46.119.126.141
46.185.88.110
46.211.198.56
77.121.236.75
78.56.92.46
85.237.34.129
91.221.29.181
93.78.145.22
93.183.242.24
94.100.95.109
107.23.255.195
109.165.101.8
176.8.72.4
176.53.209.231
176.99.191.49
176.193.54.38
176.213.10.114
178.74.216.27
178.137.18.149
184.106.64.151
195.114.159.232
195.138.84.68
195.225.147.101
From: Kifilwe Shakong [kshakong@cashbuild.co.za]
Date: 16 September 2014 12:17
Subject: Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices
______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
______________________________________________________________________
Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54.
The ThreatTrack report [pdf] shows that the malware attempts to phone home to the following domains and IPs which are worth blocking:
The payload seems to be very similar to this spam run yesterday.
UPDATE: The ThreatExpert report also indicates that the malware downloads components from the following locations:
musicacademymadras.in/333
ethostraining.es/333.cab
acfnet.com.br/333.jpg
vistabuys.com/333.exe
The malware attempts to phone home to cosjesgame.su as well as golklopro.com.
The ThreatTrack report [pdf] for the second component shows the malware attempting to POST to 37.59.136.101 (OVH, France, allocated to "Varts Hosting GB") and 184.106.64.151 (Rackspace, US).
Recommended blocklist:
"You've received a new fax" spam
Somebody has sent me a facsimile transmission. How quaint.
From: Fax
Date: 16 September 2014 11:05
Subject: You've received a new fax
New fax at SCAN0204102 from EPSON by https://victimdomain
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at:
http://ngujungwap.mobi.ps/sgfyzdptdc/gotmvoeqkk.html
(Google Disk Drive is a file hosting service operated by Google, Inc.)
The link is so obviously not anything to do with Google. Clicking on it loads another script from triera.biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www.yerelyonetisim.org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55.
This malware then phones home to the following locations, according to this ThreatTrack report:
188.165.204.210/1609uk4/NODE01/0/51-SP3/0/
188.165.204.210/1609uk4/NODE01/1/0/0/
188.165.204.210/1609uk4/NODE01/41/5/4/
brisamarcalcados.com.br/css/1609uk4.lim
Recommended blocklist:
188.165.204.210
brisamarcalcados.com.br
triera.biz.ua
yerelyonetisim.org.tr
ngujungwap.mobi.ps
"inovice 0293991 September" spam
This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment
The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54. The ThreatTrack report [pdf] and Anubis report show a series of DGA domains [pastebin] that are characteristic of Zbot, although none of these domains are currently resolving.
If your organisation can block .arj files at the mail perimeter then it is probably a good idea to do so.
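The same attachment tricks run through the "Copied invoices" post above (an executable inside a ZIP) and this one (an .arj archive with a mis-spelled subject). As an added example that is not part of the original posts, this Python script triages constructed sample messages for those patterns the way a mail gateway filter would; the attachment file names and the spoofed sender are taken from the posts, while the other addresses, the message bodies and the attachment bytes are constructed placeholders.

```python
"""Mail-perimeter attachment triage for the invoice spam campaigns above.

Added example, not the blog's own code. Builds a few constructed messages
in memory and flags: an executable inside a ZIP, an .arj attachment, and
the 'inovice' subject misspelling. File names come from the posts; the
recipient, non-spoofed senders and attachment bytes are constructed.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive by mail, whether bare or inside a ZIP
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Archive formats most gateways cannot look inside; the post suggests blocking .arj outright
OPAQUE_ARCHIVE_EXT = {".arj"}
ARJ_MAGIC = b"\x60\xea"      # first two bytes of an ARJ archive header
ZIP_MAGIC = b"PK\x03\x04"    # local file header signature of a ZIP
SUBJECT_TYPOS = re.compile(r"\binovice\b", re.IGNORECASE)


def _ext(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def zip_members(data):
    """Member names of an in-memory ZIP, or [] if the bytes are not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(msg):
    """Return a list of (rule, detail) findings for one EmailMessage."""
    findings = []
    subject = str(msg.get("Subject", ""))
    if SUBJECT_TYPOS.search(subject):
        findings.append(("subject-typo", subject))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in EXECUTABLE_EXT:
            findings.append(("bare-executable", name))
        if ext in OPAQUE_ARCHIVE_EXT or data.startswith(ARJ_MAGIC):
            findings.append(("arj-archive", name))
        if ext == ".zip" or data.startswith(ZIP_MAGIC):
            # Look inside the ZIP: the campaigns hide a .exe/.scr one level down
            for member in zip_members(data):
                if _ext(member) in EXECUTABLE_EXT:
                    findings.append(("exe-in-zip", f"{name} -> {member}"))
    return findings


def build_message(sender, subject, attachments):
    """Constructed multipart message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"      # constructed placeholder
    msg["Subject"] = subject
    msg.set_content("This email contains an invoice file attachment")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg


def make_zip(member_name, payload=b"MZ constructed stand-in, not a real executable"):
    """Build a small ZIP in memory holding one member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples mirroring the campaigns in the posts
SAMPLES = {
    "copied-invoices": build_message("Kifilwe Shakong <kshakong@cashbuild.co.za>",
                                     "Copied invoices",
                                     [("SKMBT_75114091015230.zip",
                                       make_zip("SKMBT_75114091015230.exe"))]),
    "inovice": build_message("accounts@example.invalid", "inovice 8958508 September",
                             [("invoice_8958508.arj", ARJ_MAGIC + b"\x00" * 30)]),
    "clean": build_message("hr@example.invalid", "Invoice 4471 September",
                           [("invoice_4471.pdf", b"%PDF-1.4 constructed")]),
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample; a message with no findings is passed through."""
    return {name: triage(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, findings or "clean")
```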
Monday, 15 September 2014
Sage "Outdated Invoice" spam
Another day, another fake Sage email leading to malware:
From: Sage Invoice [invoice@sage.com]
Date: 15 September 2014 12:08
Subject: Outdated Invoice
Sage Logo
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
https://invoice.sage.co.uk/Account?336541=Invoice_090914.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.
We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent to: [redacted]
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom
Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.
In the sample I had, the link in the email went to:
[donotclick]flashsavant.com/fauvugalwr/czkyfybjyt.html
which then attempted to load scripts from:
[donotclick]vicklovesmila.com/tpfkmryrfl/jjbyrihwib.js
[donotclick]coursstagephoto.com/hmgjmyuliz/tbjzpxgspx.js
which in turn downloads an archive file from:
[donotclick]www.florensegoethe.com.br/emailmmkt/Invoice18642.zip
[donotclick]petitepanda.net/emailmmkt/Invoice18642.zip
This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows that it attempts to communicate with the following resources:
188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel.us/upload/box/1509uk1.ltc
www.green-fuel.us/upload/box/1509uk1.ltc
Recommended blocklist:
188.165.204.210
green-fuel.us
petitepanda.net
florensegoethe.com.br
coursstagephoto.com
vicklovesmila.com
flashsavant.com
"Overdue invoice #6767390" spam has a malicious .arj attachment
This fake invoice email has a malicious attachment:
From: Mauro Reddin
Date: 15 September 2014 10:32
Subject: Overdue invoice #6767390
Morning,
I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
Best regards,
Mauro Reddin
+07843 329907
The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55.
The Comodo CAMAS report shows the malware attempting to phone home to golklopro.com/bitrix/modules.php, which is multihomed on a number of IPs that look like a botnet to me.
UPDATE: The ThreatExpert report also shows an attempted phone-home to cosjesgame.su (also on a botnet) plus an attempted download from the following locations:
teles4.com/333.exe
gavilan.cl/333.exe
emstudio.fr/333.exe
calduler.com/333.exe
iamsaved.org/333.exe
This malware looks like Zbot and is poorly detected by VirusTotal. The ThreatTrack report [pdf] shows that the malware attempts to connect to a bunch of domains that do not currently resolve (listed here [pastebin]).
I recommend that you apply the following blocklist:
Added:
For information, the WHOIS details for cosjesgame.su are as follows:
domain: COSJESGAME.SU
nserver: ns1.floujorjnska.su.
nserver: ns2.floujorjnska.su.
nserver: ns3.floujorjnska.su.
nserver: ns4.floujorjnska.su.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: agartudd@85mail.com
registrar: R01-REG-FID
created: 2014.09.10
paid-till: 2015.09.10
free-date: 2015.10.13
source: TCI
UPDATE 2014-09-16: a second binary is doing the rounds, the detection rate for this at the moment is 27/55. Initial analysis suggests that it calls home to the same domains and IPs as listed above.
Inspiration Mining Corporation (T.ISM / ISM.TO) pump-and-dump spam
This pump-and-dump spam for Inspiration Mining Corporation (T.ISM) follows on from this recent spam run, but this time it is pushing it under a different stock ticker.
From: YahooFinance Canada
Date: 15 September 2014 08:14
Subject: Biggest Trade Of 2014
YahooFinance Canada
View this email in your browser
Hurry! Biggest Trade Of 2014
Hey [redacted]
I have a new stock recommendation for you.
The company is called inspirationmining and it's trading in canada under the symbol ISM. Currently it's priced at right under 10 cents but by next week it should hit 30 or 40 even. I know this because my wife's uncle is the geologist at the company and they literaly just struck gold.
Move quickly on this.
Copyright (c) 2014 YahooFinance Canada Monthly, All rights reserved.
You have been sent this email as a friend of the Monthly.
Our mailing address is:
The Monthly 37-39 Langridge St Collingwood, Victoria 3066 Australia
unsubscribe from this list update subscription preferences
According to reports here the shares were recently suspended due to the pump-and-dump run that the company denies is anything to do with them. However, my previous analysis is that the P&D run is (in my personal opinion) most likely being orchestrated by an existing major stockholder rather than someone buying into the stock in order to manipulate it.
The pump and dump spam does seem to have raised the stock price from about 7.5 cents to 10.5 cents [source] but the chances are that the stock is worth much closer to zero. Avoid.
UPDATE 2014-09-16:
More spam has turned up overnight.
From: Financial Post | Canadian
Date: 16 September 2014 07:35
Subject: ISM.TO Is Back In Position For A Huge Jump
Financial Post | Canadian Business News, Investing and Commentary
One Cent Alert That's Ready To Pop
Tuesday, 16th September 2014
The only company that should be on your trading screen today
This stock can double fast
the more you wait the more it'll cost you to pick up shares of InspiraitonMinnig Corporation ( ISM . TO on the canadian exchange). this junior miner has been soaring the last few weeks since their discovery of billions in precious metals on one of their properties. act fast before cheapies run out.
All content is (c) 2005 - 2014 Port Phillip Publishing Pty Ltd All Rights Reserved
To remove your name from Money Morning and associated external offers sent from Money Morning, click here.
Port Phillip Publishing
Attn: Money Morning
PO Box 713 South Melbourne VIC 3205
Tel: 1300 667 481 Fax: (03) 9558 2219
From: NYTimes Finance
Date: 15 September 2014 17:01
Subject: ISM.TO Alert: Possible +280pct Rally This Week
If you have trouble reading this email, please click here
Monday, September 15, 2014
Morning Report
Did you catch my report on already? | Believe me when I tell you that this rare chance only comes once a year, if we're lucky. There is an amazing company trading on the canadian market called InspirtaionMiningCorp (symbol is ISM.TO) and they are sitting on hundreds of millions of precious metals reserves. From Copper to Gold and Silver. As they begin extracting them soon we expect investors to take notice and the share price to soar past a dollar!
About This Email
You received this message because you signed up for NYTimes.com's Finance Email newsletter. As a member of the Truste privacy program, we are committed to protecting your privacy.
Manage Subscriptions| Unsubscribe| Change Your Email| Privacy Policy| Contact| Advertise
Copyright 2014 | The New York Times Company |NYTimes.com 620 Eighth Avenue New York, NY 10018
From: BNN Financial News
Date: 15 September 2014 21:57
Subject: The Race Is On!
Update Profile / Unsubscribe
BNN - Business and Financial News, Analysis.
Good Morning Readers!
Did you catch my report already?
...as you can see my latest stokc tip is going up like never before. i told you to take a look at [-ISM.TO-] (inpsirationMining) trading on the canadian exchange and since i contacted you about it we have seen tremendous gains. that company is literaly sitting on gold and other precious metals. make sure to buy it before it goes nuts.
Thursday, 11 September 2014
"To All Employee's - Important Address UPDATE" spam leads to Cryptowall
This fake HR spam leads to a malicious ZIP file:
From: Administrator [administrator@victimdomain.com]
Date: 11 September 2014 22:25
Subject: To All Employee's - Important Address UPDATE
To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=6871049687
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=6871049687.
Administrator,
http://victimdomain.com
The link in the email goes to the same site as described in this earlier post, which means that the payload is Cryptowall.
"rooms reservation" spam leads to a malicious Word document
This fake hotel booking email has a malicious Word document attached:
From: Zorita [info@convividautore.it]
Date: 11 September 2014 15:02
Subject: rooms reservation
Dear Hotel Manager,
I would like to reserve accommodation for 5 single rooms in your hotel for 7 nights for 5 guests.
Arrival date will be on 16 September.
List any special requirements attached to letter.
Thank you for your prompt attention to the above, I look forward to receiving a letter confirming my reservation.
Kind Regards
The Word document attempts to persuade the victim to remove the security settings from the application:
The text says:
This error usually occurs because of macro security settings. To check your macro security settings, click the Microsoft Office Button, click Microsoft Word Options, click Trust Center, and then click Trust Center Settings. If macro security is set to Disable all macros without notification, all macros are automatically disabled. Use the following procedure to enable the macro. In the Trust Center dialog box, click Macro Settings, and then click Disable all macros with notification. Click OK in the Trust Center dialog box to apply the new setting. Click OK to close the program options dialog box. Close the file and the Microsoft Word. Open the file again. A Security Alert appears in the Document Information Bar just below the ribbon. Click Enable Content to allow the macro to run.
The document itself has a VirusTotal detection rate of 9/54.
If you are foolish enough to do this, the document will then download an additional component from colfdoc.it/cart/update.exe (77.81.241.104) which in turn has a detection rate of 5/55. The ThreatTrack report [pdf] shows that the malware attempts to communicate with:
cityhotlove.com/datastat/datacoll.php (109.120.177.164)
cyklopesek.cz/css/r.pack (90.182.221.59)
I would recommend blocking the following:
109.120.177.164
cityhotlove.com
cyklopesek.cz
colfdoc.it
eFax spam leads to Cryptowall
From: eFax [message@inbound.efax.com]
Date: 11 September 2014 20:35
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935
Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.
* The reference number for this fax is atl_did1-1400166434-52051792384-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
I bet you've already guessed that the link in the message goes somewhere bad; in this case it downloads a ZIP file from cybercity-game.com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55.
The ThreatTrack report clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data to the following locations:
188.165.204.210/1109inst2/NODE01/0/51-SP3/0/
188.165.204.210/1109inst2/NODE01/1/0/0/
mtsvp.com/files/3/install2.tar
suspendedwar.com/87n3hdh5wi04gy
suspendedwar.com/ttfvku8z7jn
goodbookideas.com/wp-content/themes/twentyeleven/111.exe
suspendedwar.com/gwfqwaratrpl2c
suspendedwar.com/h0nxfsskh0xu
suspendedwar.com/kvlfhc0hjgo6sgo
The 111.exe has a much wider detection rate of 22/53 and according to the ThreatTrack analysis of that binary there is some sort of network connection to the following IPs:
193.169.86.151
193.19.184.20
Overall, the web hosts involved are:
46.151.145.11 (Swift Trace Ltd, Crimea)
50.63.85.76 (GoDaddy, US)
76.74.170.149 (Daiger Sydes Gustafson LLC / Peer 1, US)
188.165.204.210 (OVH, France)
193.19.184.20 (PE Intechservice-B, Ukraine)
193.169.86.151 (Ivanov Vitaliy Sergeevich, Ukraine)
I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas.com
mtsvp.com
suspendedwar.com
Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98
There is currently some sort of injection attack against WordPress sites that is injecting code into the site's .js files. Not so unusual, except that the payload site in the file changes every half hour or so.
A sample of the code can be seen here [pastebin], it looks similar to this (click to enlarge):
The site mentioned in the IFRAME is the one that keeps changing, so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details. The URLs I have seen recently are as follows:
[donotclick]sexyunanu.inthepress.org/bububiolasa16.html
[donotclick]binoduselda.vagfans.info/stickomanus16.html
[donotclick]binoduselda.finalmasterplugin.com/ditirakis16.html
[donotclick]binoduselda.ireleaseme.com/falcoruide16.html
[donotclick]binoduselda.hyakunime.net/bibkajuleman16.html
[donotclick]binoduselda.bateriafina.org/filimanuio16.html
All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format
[donotclick]piplakoras.askhartleyauto.com/3674e375m87i/1/9ffbf35e4190fbba62f70c8477fa3964.html
which is hosted on 176.58.100.98 (Linode, UK). The URL structure indicates that this might be the Nuclear Exploit Kit, although it has been hardened against analysis.
I can't detect all the sites on 178.62.254.78, but a list of the ones I have observed so far can be found here [pastebin] and those on 176.58.100.98 can be found here. But blocking the following IPs may give you better protection:
176.58.100.98
178.62.254.78
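As an added example that is not part of the original post, here is how the rotating-subdomain pattern described above shows up in a web proxy log: the script flags hits on the two IPs listed, flags any destination IP that serves several different hostnames within a couple of hours (which catches the next batch of hijacked subdomains before anyone has listed them), and picks out clients that went from the gate on 178.62.254.78 to the second-stage host on 176.58.100.98. The log format, timestamps and client addresses are constructed; the hostnames, paths and IPs are the ones quoted in the post.

```python
"""Proxy-log detection for the rotating hijacked subdomains described above.

Added example, not the blog's own code. Log format, timestamps and client
addresses are constructed; hostnames, paths and IPs are from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BLOCKLIST_IPS = {"176.58.100.98", "178.62.254.78"}   # recommended in the post
GATE_IP, KIT_IP = "178.62.254.78", "176.58.100.98"    # landing page, then exploit kit
ROTATION_WINDOW = timedelta(hours=2)   # domains rotate every 30-60 minutes
HOSTS_PER_IP_THRESHOLD = 3             # distinct hostnames on one IP inside the window

# Constructed proxy log: timestamp, client, destination host, destination IP, path
LOG_LINES = """\
2014-09-12T07:05:11Z 10.0.0.21 iflaroust.trainersclub.com.br 178.62.254.78 /iflitegouler16.html
2014-09-12T07:41:02Z 10.0.0.35 iflaroust.ubertom.com 178.62.254.78 /bubuerleras16.html
2014-09-12T08:12:48Z 10.0.0.21 biblaroita.lecnet.org 178.62.254.78 /bubuidaheta16.html
2014-09-12T08:13:01Z 10.0.0.21 piplakoras.askhartleyauto.com 176.58.100.98 /3674e375m87i/1/9ffbf35e4190fbba62f70c8477fa3964.html
2014-09-12T08:30:19Z 10.0.0.44 www.example.invalid 203.0.113.10 /index.html
2014-09-12T08:31:00Z 10.0.0.44 cdn.example.invalid 203.0.113.10 /style.css
"""


def parse_line(line):
    """One space-separated log line into a record dict."""
    ts, client, host, ip, path = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "host": host, "ip": ip, "path": path}


def parse_log(text=LOG_LINES):
    """All non-blank lines, kept in time order."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r["ts"])


def blocklist_hits(records):
    """Records whose destination IP is on the post's blocklist."""
    return [r for r in records if r["ip"] in BLOCKLIST_IPS]


def rotating_hosts(records, window=ROTATION_WINDOW, threshold=HOSTS_PER_IP_THRESHOLD):
    """IP -> sorted hostnames, for IPs that served >= threshold distinct hosts in one window.

    Many unrelated hostnames resolving to one IP in a short time is the
    signature of the hijacked-subdomain rotation, independent of any list.
    """
    by_ip = defaultdict(list)
    for r in records:                       # records are already time-ordered
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        start = 0
        for end in range(len(recs)):        # sliding window over this IP's hits
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            hosts = {r["host"] for r in recs[start:end + 1]}
            if len(hosts) >= threshold:
                flagged[ip] = sorted(hosts)
    return flagged


def chained_clients(records, window=timedelta(minutes=10)):
    """Clients that reached the gate IP and then the exploit-kit IP within `window`.

    A gate hit alone may be a blocked or broken redirect; gate followed by
    the kit host is the client that actually reached the exploit kit.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    exposed = set()
    for client, recs in by_client.items():
        gate_times = [r["ts"] for r in recs if r["ip"] == GATE_IP]
        for r in recs:
            if r["ip"] == KIT_IP and any(timedelta(0) <= r["ts"] - t <= window
                                         for t in gate_times):
                exposed.add(client)
    return sorted(exposed)


if __name__ == "__main__":
    recs = parse_log()
    print("blocklist hits:", len(blocklist_hits(recs)))
    print("rotating IPs:", rotating_hosts(recs))
    print("clients that reached the kit:", chained_clients(recs))
```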
Update 2014-09-12 0830 UTC: overnight a whole set of other malicious subdomains (hijacked again from AFRAID.ORG users) were active, using the same IPs to spread malware. The domains change every 30 to 60 minutes or so.
DPD Services "Home Delivery Notification" spam
This fake DPD message contains a link leading to an exploit kit.
From: DPD Services [dpd_support@nikos-fahrschule.com]
Reply-to: DPD Services [dpd_support@nikos-fahrschule.com]
Date: 11 September 2014 14:18
Subject: Home Delivery Notification
DPD
DPD - Parcel Services and Parcel Shipping
Welcome to DPD
Delivery Notification
Track-Id: DP-U0096319662
We could not deliver your parcel. Download Delivery Label here.
Copyright 2014 (C) All rights reserved
In this case the link goes to [donotclick]seanergia.pl/model.php?dpd=Ny1yrZdnYkTUirJpfIQ6dj79Zbf5481JA1xta2JR54w= (this seems to be 404ing, but it could just be hiding). According to this report the payload is Asprox.
"LLC INC" / llcinc.net fake job offer
This fake company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc.net does not exist.
Date: Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
From: LLC INC
Reply-To: recruiter@llcinc.net
Subject: EMPLOYMENT OFFER
Hello,
Good day to you overthere we will like to inform you that our company is currently
opening an opportunity for employment if you are interested please do reply with your resume
to recruiter@llcinc.net
Thanks
Management LLC INC
This so-called job is going to be something like a money mule, parcel mule or some other illegal activity.
There is no website. The email originates from 209.169.222.37; the mail headers indicate that this is probably a compromised email server, mail.swsymphony.org.
The domain llcinc.net was registered just a few days ago with fake details:
Registry Registrant ID:
Registrant Name: BEATRIZ G SANDERS
Registrant Organization: LLCINC
Registrant Street: PO BOX 33100
Registrant City: SAN ANTONIO
Registrant State/Province: TEXAS
Registrant Postal Code: 78265
Registrant Country: US
Registrant Phone: +1.2102605808
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: JOETOMMY456@YAHOO.COM
Avoid.
Wednesday, 10 September 2014
Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com] invoice spam has a malicious attachment
Geir Myklebust is a real employee of DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simply be deleted.
Attached is a ZIP file with various names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54.
The Comodo CAMAS report shows an attempted connection to voladora.com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend blocking access to that domain. Further analysis is pending; I will update the post if I find more information.
UPDATE: a second malicious binary is doing the rounds, this time with a detection rate of 2/53. The ThreatTrack report [pdf] and Anubis report show the malware performing lookups for a variety of domain names [pastebin] which are not currently resolving but might be worth blocking.
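With detection rates of 3/54 and 2/53, antivirus alone will not stop this attachment at the gateway; a structural check on the ZIP itself (an executable inside an archive that claims to be an invoice) catches it regardless of signature. The following is an added example, not the blog's own code or tooling: it builds a constructed ZIP modelled on the attachment described above and inspects it. The member names invoice_3466198.exe and invoice_0257241 come from the post; the "executable" members are only an MZ magic header plus padding, and the double-extension member name is invented for illustration.

```python
import io
import os
import zipfile

# Member names Windows will execute directly on double-click (not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".jar"}


def build_sample_zip():
    """Build an in-memory ZIP modelled on the attachment above. Constructed sample:
    the 'executable' members are just an MZ magic header plus ASCII padding, not
    real programs, and the third member name is invented to show a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_3466198.exe", b"MZ" + b"\x00" * 62 + b"constructed, not a program")
        zf.writestr("invoice_0257241.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("DHL_notice.pdf.scr", b"MZ" + b"\x00" * 62 + b"constructed, not a program")
    return buf.getvalue()


def inspect_zip(data):
    """Return [(member_name, reason), ...] for members that look executable.
    Checks the extension, double extensions, the PE 'MZ' magic (catches renamed
    executables) and encrypted members that cannot be inspected at all."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = os.path.basename(name).lower()
            ext = os.path.splitext(lower)[1]
            if info.flag_bits & 0x1:  # bit 0 = member is encrypted
                findings.append((name, "encrypted member, content cannot be inspected"))
                continue
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                if lower.count(".") >= 2:
                    reasons.append("double extension")
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("PE/MZ magic bytes")
            if reasons:
                findings.append((name, "; ".join(reasons)))
    return findings


def attachment_should_be_quarantined(data):
    """Policy hook for a mail gateway: any finding is enough to hold the message."""
    return bool(inspect_zip(data))


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, reason in inspect_zip(sample):
        print(f"{member}: {reason}")
```

The magic-byte check matters more than the extension check: an attacker can rename the payload, but a PE file still starts with "MZ". Encrypted members are reported rather than skipped, since a password-protected archive is itself a common way to defeat gateway scanning.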
From: Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com]
Date: 10 September 2014 10:35
Subject: FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
Dear Sir.
The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.
Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm
Postboks 154 Leirdal
NO-1009 OSLO
NORWAY
Direct line: + 47 90 95 58 26
Fax: + 47 64 00 71 87
Mobile: + 47 90 78 52 44
Labels: DHL, EXE-in-ZIP, Malware, Spam, Viruses