Friday, 17 October 2014

Sage "Outdated Invoice" spam spreads malware via cubbyusercontent.com

This fake Sage email spreads malware using a service called Cubby, whatever that is.

From:     Sage Account & Payroll [invoice@sage.com]
Date:     17 October 2014 10:28
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

https://invoice.sage.co.uk/Account?864394=Invoice_032414.zip


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Despite appearances, the link in the email (in this case) actually goes to https://www.cubbyusercontent.com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53. The Malwr report shows HTTP conversations with the following URLs:

http://188.165.214.6:15600/1710uk3/HOME/0/51-SP3/0/
http://188.165.214.6:15600/1710uk3/HOME/1/0/0/
http://188.165.214.6:15600/1710uk3/HOME/41/5/1/
http://tonysenior.co.uk/images/IR/1710uk3.osa


188.165.214.6 is not surprisingly allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54, Malwr report) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52, Malwr report).

Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior.co.uk

Thursday, 16 October 2014

A bunch of .su and .ru domains leading to malware

These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know. I haven't had much time to poke at these properly, but I'd recommend watching out for these:



Barclays Bank "Transaction not complete" spam

This fake Barclays spam leads to malware.

From:     Barclays Bank [Barclays@email.barclays.co.uk]
Date:     16 October 2014 12:48
Subject:     Transaction not complete

Unable to complete your most recent Transaction.

Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.


For more details please download payment receipt below:

http://essecisoftware.it/docs/viewdoc.php


Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.

Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54. The Malwr report shows that it reaches out to the following URLs:

http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/
http://188.165.214.6:12302/1610uk1/HOME/1/0/0/
http://188.165.214.6:12302/1610uk1/HOME/41/5/1/
http://jwoffroad.co.uk/img/t/1610uk1.osa


In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to block or monitor.

It also drops two executables, bxqyy.exe (VT 5/54, Malwr report) and ldplh.exe (VT 1/51, Malwr report).


Wednesday, 15 October 2014

"Shipping Information for.." spam uses a Google redirector and copy.com to distribute malware

This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.

From:     fatmazohra.mekhalfia@groupehasnaoui.com
Date:     15 October 2014 15:09
Subject:     Shipping Information for [redacted]
      
Please see the shipping info
  
Processed on Oct 15/ 2014

This is to inform you that the package is being shipped to you. We also provided delivery terms to specified address.

Order number: 611541106
Order total: 3000.28 USD
Shipping date: Oct 16th 2014.


Please hit the button provided at the bottom to see more info about your package.

 Shipping Invoice

The link in the email goes to https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54.

The Malwr report indicates that the malware fails to install because of a bug in the code, a problem that also appears in all the other analysis tools that I tried.

What I think is meant to happen is that a malicious script [pastebin], which has been disguising itself as a GIF file, renames a component Gl.png to Gl.exe and then attempts to execute it with the following command:
Gl.exe -pGlue1 -d%temp%
This executable has a VirusTotal detection rate of 2/53. It bombs out of automated analysis tools (see the Malwr report) possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.


If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been infected by the executable running in the background.

"Clean India" spam is an exercise in hypocrisy

"Clean India" is a meant to be a campaign to clean up Indian politics. But one of the biggest problems they have in India is spam (which lead to the long saga of Delhi minister Somnath Bharti's history of spam). So I think it is an act of sheer hypocrisy to promote this campaign through random spam.

From:     Ministry Of Urban Development [support@localcirclesemail.com]
Reply-To:     support@localcirclesemail.com
Date:     15 October 2014 11:24
Subject:     Swachh Bharat invite by Ministry Of Urban Development
Signed by:     localcirclesemail.com

Invited to Circle: Swachh Bharat
Founder: Ministry Of Urban Development
Members: 189975
Description: This circle brings together all citizens who want a Clean India. Through this circle, citizens will be able to share cleanliness initiatives, challenges, successes at a National Level as well as learn about best practices from each other. Members will also be able to give collective inputs to Ministry of Urban Development on an ongoing basis. Soon, members of this circle will have access to their local constituency circle on Swachh Bharat connecting them with fellow local residents and enabling them to organize/participate in clean up drives in their neighborhood/city. Together, let us make it a SWACHH BHARAT!


About LocalCircles
LocalCircles takes Social Media to the next level and makes it about Communities, Governance and Utility. It enables citizens to connect with communities for most aspects of urban daily life like Neighborhood, Constituency, City, Government, Causes, Interests and Needs, seek information/assistance when needed, come together for various initiatives and improve their urban daily life. LocalCircles is free for citizens and always will be! 

The spam originates from an Amazon AWS IP of 54.240.9.132; the spamvertised site localcircles.com is also hosted on Amazon AWS. The registration details are:

Registry Registrant ID:
Registrant Name: LocalCircles India
Registrant Organization: LocalCircles India Pvt Ltd
Registrant Street: 1105, 11th Floor,
Registrant Street: Advant Navis Business Park, Sector 142
Registrant City: Noida
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 201301
Registrant Country: India
Registrant Phone: +91.1204263558
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@localcircles.com


Google sums up localcircles.com's poor reputation nicely: We've found that lots of messages from localcirclesemail.com are spam.

As long as India tolerates spam and other dishonest business practices then I don't think that there's much chance of them cleaning up their act. I think whoever is sending out this spam needs to look much closer to home before criticising others.


Tuesday, 14 October 2014

"To view your document, please open attachment" spam with a DOC attachment

This spam comes with a malicious DOC attachment:

From:     Anna [ºžô õö?ǯ#-øß {qYrÝsØ l½:ž±þ EiÉ91¤É¤y$e| p‹äŒís' ÀQtÃ#7 þ–¿åoù[þ–¿åoù[þ–¿åoù[þ–¿åÿ7 å{˜x|%S;ÖUñpbSË‘ý§B§i…¾«¿¨` Òf ¶ò [no-reply@bostonqatar.net]
Date:     14 October 2014 11:09
Subject:     Your document

To view your document, please open attachment.

The "From" field in the samples I have seen seems to be a random collection of characters. The DOC attachment is also randomly named in the format document_9639245.doc.

This Word document contains a malicious macro [pastebin] which downloads an additional component from pro-pose-photography.co.uk/fair/1.exe. The DOC file has a VirusTotal detection rate of 0/55 and the EXE file is just 2/54.

I have not yet had time to look at the malicious binary, but the Malwr analysis is here.

UPDATE: among other things the malware drops the executable pefe.exe with a detection rate of 3/55. You can see the Malwr analysis here.

Monday, 13 October 2014

Malware spam: "You have received a new secure message from BankLine" / "You've received a new fax"

A couple of unimaginative spam emails leading to a malicious payload.

You have received a new secure message from BankLine

From:     Bankline [secure.message@bankline.com]
Date:     13 October 2014 12:48
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://losislotes.com/dropbox/document.php

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7507.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

You've received a new fax

From:     Fax [fax@victimdomain.com]
Date:     13 October 2014 13:07
Subject:     You've received a new fax

New fax at SCAN2166561 from EPSON by https://victimdomain.com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.mezaya.ly/dropbox/document.php

(Dropbox Drive is a file hosting service operated by Google, Inc.)

Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54.

The Malwr analysis shows that the malware attempts to communicate with the following URLs:

http://94.75.233.13:40200/1310uk1/HOME/0/51-SP3/0/
http://94.75.233.13:40200/1310uk1/HOME/1/0/0/
http://94.75.233.13:40200/1310uk1/HOME/41/5/1/
http://carcomputer.co.uk/image/1310uk1.rtf
http://phyccess.com/Scripts/Pony.rtf
http://144.76.220.116/gate.php
http://hotelnuovo.com/css/heap_238_id2.rtf
http://wirelesssolutionsny.com/wp-content/themes/Wireless/js/heap_238_id2.rtf
http://isc-libya.com/js/Pony.rtf
http://85.25.152.238/

Also dropped are a couple of executables, egdil.exe (VT 2/54, Malwr report) and twoko.exe (VT 6/55, Malwr report).

Recommended blocklist:

94.75.233.13
144.76.220.116
85.25.152.238
carcomputer.co.uk
phyccess.com
hotelnuovo.com
wirelesssolutionsny.com
isc-libya.com


"Your Amazon.co.uk order" spam with malformed DOC attachment

A whole bunch of these just came through:

From:     AMAZON.CO.UK [order@amazon.co.uk]
To:     1122@eddfg.com
Date:     13 October 2014 08:32
Subject:     Your Amazon.co.uk order }837-1171095-3201918

Hello,

Thanks for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.

Order Details

Order #837-1171095-3201918 Placed on October 11, 2014
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk

The order number changes in each version of the spam. Note the misplaced "}" in the title though.. that's not the only thing wrong with this spam.

Attached is a file with a random number and a DOC extension, but in fact it is a plain text attachment that begins:

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAD/////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaoARgBEAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAOJ7AADiewAAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
AAAAALADAAAAAAAAsAMAABQAAAAAAAAAAAAAAOoDAAAUAAAAIgQAAAAAAAAiBAAAAAAAACIE


Obviously something has gone wrong here: it looks like the attachment is Base64 encoded when it shouldn't be, but running it through a decoder still seems to generate nothing but junk.

My guess is that something has gone wrong with this spam run, and this is meant to be a malicious executable. As it stands, neither the original nor the decoded version triggers anything at VirusTotal [1] [2]. There's a good chance that the bad guys will figure this out and fix it though, so be cautious if you receive an unexpected email from Amazon.
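One way to triage an attachment like this without guessing is to peel off the base64 layer and compare the leading bytes against known file signatures. This is an added example, not code from the post; it takes the first line quoted above as constructed sample input (a fragment, so the decoder tolerates a cut-off tail) and everything else in it is made up. For that input the decoded bytes begin D0 CF 11 E0 A1 B1 1A E1, the OLE2 compound document signature that binary .doc files carry, which is the sort of thing a hex view shows and a text view does not.

```python
import base64
import binascii
import re

# Leading-byte signatures of the formats that show up as malspam attachments.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound-document"),  # binary .doc/.xls container
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-archive"),  # also .docx/.xlsx
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
]

# The first line of the attachment as quoted in the post (a fragment, hence the
# truncation handling below); every other input here is constructed.
SAMPLE_FIRST_LINE = "0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAIgAAAAAA"
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_like_base64(text):
    body = re.sub(r"\s+", "", text)
    return len(body) >= 8 and B64_RE.fullmatch(body) is not None


def decode_fragment(text):
    """Base64-decode text that may be cut off mid-quantum (a snippet pasted from a mail)."""
    body = re.sub(r"\s+", "", text)
    rem = len(body) % 4
    if rem == 1:               # a lone trailing char never forms a byte: drop it
        body = body[:-1]
    elif rem:
        body += "=" * (4 - rem)
    return base64.b64decode(body, validate=True)


def identify(data):
    """Name the format whose signature the data starts with, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def triage_text_attachment(text):
    """Report what a 'text' attachment really is, after removing a base64 layer if present."""
    if not looks_like_base64(text):
        return {"encoding": "plain", "type": identify(text.encode("latin-1", "replace")), "header_hex": ""}
    try:
        raw = decode_fragment(text)
    except binascii.Error:
        return {"encoding": "plain", "type": "unknown", "header_hex": ""}
    return {"encoding": "base64", "type": identify(raw), "header_hex": raw[:8].hex()}


if __name__ == "__main__":
    print(triage_text_attachment(SAMPLE_FIRST_LINE))
    # {'encoding': 'base64', 'type': 'ole2-compound-document', 'header_hex': 'd0cf11e0a1b11ae1'}
```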


Friday, 10 October 2014

Malware spam: "You've received a new fax" / "You have received a new secure message from BankLine"

A pair of malware spams this morning, both with the same payload:

"You've received a new fax"

From:     Fax [fax@victimdomain.com]
Date:     10 October 2014 11:34
Subject:     You've received a new fax

New fax at SCAN7097324 from EPSON by https://victimdomain.com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.eialtd.com/kk/document.php

(Google Disk Drive is a file hosting service operated by Google, Inc.)

"You have received a new secure message from BankLine"

From:     Bankline [secure.message@bankline.com]
Date:     10 October 2014 10:29
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://www.electromagneticsystems.com/kk/document.php

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3297.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54.

According to the ThreatExpert report [pdf] the malware communicates with the following URLs which are probably worth blocking or monitoring:

94.75.233.13/1010uk1/NODE01/41/5/1/
94.75.233.13/private/sandbox_status.php
94.75.233.13/1010uk1/NODE01/0/51-SP3/0/
94.75.233.13/1010uk1/NODE01/1/0/0/
beanztech.com/beanz/1010uk1.rtf


Thursday, 9 October 2014

Spam: Confederation MineraIs / Confederation Minerals (CNRMF) pump-and-dump

This high-volume pump-and-dump spam run is promoting the Confederation Minerals (CNRMF) stock, although the spam itself intentionally mis-spells it as Confederation MineraIs with a capital "I" replacing the lowercase "l".

From:     TheStreet  
Date:     9 October 2014 12:29
Subject:     The Stocktip Of The Year

 You've been patient for a while now and finally it's time.

Confederation MineraIs (CNRMF) is on the verge of exploding.

Thats because they have hundreds ofmillions of precious metals on their property and they are weeks away from beginning to dig it out and selling it up the distribution chain.

It is trading at such a bargain right now that CNRMF is a no-brainer.

Snap up as many shares of it as you can today before it goes up too high.

Everyone is certain that we will see it hit past 40cents before month's end.

63 South Main Street, Newtown CT 06470

The  TheStreet, Inc. Press | Customer Service | Privacy Policy

You received this message because you are a  TheStreet, Inc. customer or have registered at  TheStreet.com.
This email was sent to you by The  TheStreet, Inc.. Click here to update your email preferences.

We can see clearly from the Yahoo! Finance page that CNRMF is a disaster area. The stock has slumped from $1.33 in April 2011 to $0.06 today.

Usually the shares are very thinly traded with either zero trades or trades in the low thousands on most days (average trades are about 2000 per day or $120 at today's prices). The reason for the poor share price is apparent when you look at the financials. As with several other stocks promoted through spam (especially mining stocks) there is zero income and only a bunch of expenditure.

The spam argues that this is going to be OK because CNRMF are sitting on an enormous pile of precious metals which they are shortly going to be selling off. Of course if they were actually sitting on a goldmine then the smart thing to do would be hold onto the stocks until the money comes in. In reality, the chances of this happening are approximately zero.

There doesn't seem to be a particular pattern of stock buying going on, which indicates perhaps that the pump and dump spam is being arranged by some existing stockholder trying to cash out.

Only a fool would invest in CNRMF in response to this sort of spam message. Avoid.

UPDATE 2014-10-10: a second version is now being spammed out..

From:     Thanh Ford
Date:     10 October 2014 15:50
Subject:     Sorry for my late reply

Hi [redacted],

I got your voicemail yesterday about the stock tip you want, sorry I couldnt pick up the phone I was on with the wife you know how she is but please next time don't call the house line, I would prefer if you come in to my office instead. In person is always better. Anyway your timing is impeccable you are very lucky. There's this insane little company (confederation minerals) that was exchanging hands for like a dollar and a half last year and now you can grab it for around 10 cents. These guys are sitting on gold, literaly. They have proven reserves worth a few hundred mill and theyre about to begin digging out the stuff in a few months.

You better bet the stokc is gonna go nuts in the coming weeks when they make the drilling announcement. Take care and if you need anything else give me a shout. The stokc is CNRMF and if I were you id grab as many shares as I can, everyone at the office thinks this one is gonna go up at least 5x soon.


chinaregistry.org.cn domain scam

This is an old scam that can safely be ignored.

From:     Henry Liu [henry.liu@chinaregistry.org.cn]
Date:     9 October 2014 07:53
Subject:     [redacted] domain and keyword in CN

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?Kind regards

Henry Liu 
General Manager 
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697
Web:
www.chinaregistry.org.cn

Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either.

I created a brief video explaining the scam that you can view below:

Nuclear EK active on 178.79.182.106

It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains that use AFRAID.ORG nameservers. I can see the following sites active on that IP:

fuhloizle.tryzub-it.co.uk
fuhloizle.pgaof39.com
fuhloizle.cusssa.org


"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea.

Wednesday, 8 October 2014

Malware spam: Lloyds "Important - Commercial Documents" and NatWest "You have a new Secure Message"

There's a familiar pattern to this malware-laden spam, but with an updated payload from before:

Lloyds Commercial Bank: "Important - Commercial Documents"


From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     8 October 2014 11:09
Subject:     Important - Commercial Documents

Important account documents

Reference: C437
Case number: 66324010
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://01silex.com/dropbox/document.php
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email.

NatWest: "You have a new Secure Message - file-2620"


From:     NatWest [secure.message@natwest.com]
Date:     8 October 2014 10:29
Subject:     You have a new Secure Message - file-2620


You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )


Please download your ecnrypted message at:

http://cookierunid.com/dropbox/document.php

(Google Disk Drive is a file hosting service operated by Google, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3068.

The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53.

The Malwr report indicates that the malware phones home to the following locations which are worth blocking, especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server.

94.75.233.13:37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13:37400/0810uk1/HOME/1/0/0/
94.75.233.13:37400/0810uk1/HOME/41/5/1/
cemotrans.com/seo/0810uk1.soa
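The beacon URLs in the Malwr and ThreatExpert output quoted in this post and in the Sage, Barclays and BankLine/fax posts above all share one path shape, so a proxy-log check can key on that shape rather than on any single IP. The following is an added example, not code from the blog: the log lines and client addresses are constructed (the URLs in them are the ones quoted in the posts), and treating the <ddmm>uk<n> token as a campaign tag is an inference from the dates of the posts.

```python
import re

# Beacon URL shape that recurs in the analysis output quoted in these posts:
#   http://<bare IP>[:<high port>]/<ddmm>uk<n>/<HOME|NODEnn>/<a>/<b>/<c>/
# The <ddmm>uk<n> token tracks the send date of each run (1710uk3 on 17 Oct,
# 0810uk1 on 8 Oct) and is used here as the campaign tag.  "51-SP3" in the <b>
# slot looks like an OS version string reported by the infected host.
BEACON_RE = re.compile(
    r"^https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
    r"/(?P<tag>\d{4}uk\d+)/(?P<node>HOME|NODE\d+)"
    r"/(?P<a>\d+)/(?P<b>[^/]+)/(?P<c>\d+)/?$"
)

# Second-stage fetch: the same tag with an .osa/.rtf/.soa extension, served from a
# legitimate but compromised site rather than from the C2 IP.
STAGE2_RE = re.compile(
    r"^https?://(?P<host>[^/:]+)(?::\d+)?/(?:[^?]*/)?(?P<tag>\d{4}uk\d+)\.(?P<ext>osa|rtf|soa)$",
    re.IGNORECASE,
)

# Constructed proxy log, "<client> <method> <url>", mixing URLs quoted in the posts
# with ordinary browsing.
SAMPLE_LOG = """\
10.0.0.12 GET http://188.165.214.6:15600/1710uk3/HOME/0/51-SP3/0/
10.0.0.12 GET http://tonysenior.co.uk/images/IR/1710uk3.osa
10.0.0.12 GET http://188.165.214.6:15600/1710uk3/HOME/41/5/1/
10.0.0.47 GET http://94.75.233.13:37400/0810uk1/HOME/1/0/0/
10.0.0.47 GET http://cemotrans.com/seo/0810uk1.soa
10.0.0.9 GET http://www.example.com/news/2014/10/17/index.html
""".splitlines()


def classify_url(url):
    """Return a dict describing a beacon or stage-2 hit, or None for anything else."""
    m = BEACON_RE.match(url)
    if m:
        c2 = m.group("host") + (":" + m.group("port") if m.group("port") else "")
        return {"kind": "beacon", "tag": m.group("tag"), "c2": c2, "node": m.group("node")}
    m = STAGE2_RE.match(url)
    if m:
        return {"kind": "stage2", "tag": m.group("tag"), "host": m.group("host").lower(),
                "ext": m.group("ext").lower()}
    return None


def scan_proxy_log(lines):
    """Group hits by campaign tag so one report covers C2, payload host and affected clients."""
    campaigns = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        hit = classify_url(url)
        if hit is None:
            continue
        camp = campaigns.setdefault(hit["tag"], {"clients": set(), "c2": set(), "stage2_hosts": set()})
        camp["clients"].add(client)
        if hit["kind"] == "beacon":
            camp["c2"].add(hit["c2"])
        else:
            camp["stage2_hosts"].add(hit["host"])
    return campaigns


def blocklist(campaigns):
    """Flatten the findings into the kind of blocklist the posts recommend."""
    hosts = set()
    for camp in campaigns.values():
        hosts.update(c2.split(":")[0] for c2 in camp["c2"])
        hosts.update(camp["stage2_hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for tag, camp in sorted(found.items()):
        print(tag, "clients:", sorted(camp["clients"]), "c2:", sorted(camp["c2"]),
              "stage2:", sorted(camp["stage2_hosts"]))
    print("blocklist:", blocklist(found))
```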


Tuesday, 7 October 2014

DHL-themed phish goes to a lot of effort and then spoils it with Comic Sans

This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.

Date:     6 October 2014 23:32
Subject:     Package has been sent.

Your shipment(s) listed below is scheduled for delivery on Thursday next week.

Scheduled Delivery Date: Thursday, 10/09/2014

Shipment 2

Shipper: ADIHASAN GROUP

Kindly please see attached file for shipment /delivery details and tracking procedure. You can also request a delivery change (e.g. reschedule or reroute) from the tracking detail.

Approximate Delivery Time: between 3:00 PM and 7:00 PM
DHL Service: DHL 2nd Day Air

We are pleased to provide you with delivery that fits your life.

© 2014 Parcel Service of the World. DHL, the DHL brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
All trademarks, trade names, or service marks that appear in connection with UPS's services are the property of their respective owners.
For more information on DHL's privacy practices, refer to the DHL Privacy Notice.
Please do not reply directly to this e-mail. DHL will not receive any reply message.
For questions or comments, visit Contact DHL.

This communication contains proprietary information and may be confidential.  If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
DHL My Choice Service Terms
Contact DHL

Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.

So far, so professional. And a neat trick to use PDF files in this way as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to 37.61.235.199/~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_modulekey_displaycountrylist_id5482210003804452/DHL/index.htm where it has a rather less professional looking webpage that is phishing for general email addresses rather than DHL credentials.

With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials.. but presumably they manage to harvest enough usernames and passwords to make it worthwhile.
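Spam filters that only scan the message body miss a link carried inside a PDF attachment, which is the trick the DHL phish above relies on. The following is an added example, not code from the original post: it pulls /URI link actions out of an uncompressed PDF and flags any that point at a bare IP address or at a host outside the domain the mail claims to come from. The sample PDF bytes and the 192.0.2.10 address are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Matches an uncompressed /URI action string, e.g. /URI (http://example.com).
# PDFs that keep their objects in compressed object streams must be inflated
# first; this scanner only sees what is stored in the clear.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")

# Constructed minimal PDF with two link annotations: one to a bare IP address
# (the kind of host the DHL phish used) and one to the claimed sender's domain.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
    b"   /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (http://192.0.2.10/~test/dhlweb0002/DHL/index.htm) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]\n"
    b"   /A << /S /URI /URI (https://www.dhl.com/tracking) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI found in plain-text /URI actions, unescaping PDF strings."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group("uri")
        for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def is_suspicious_link(uri: str, claimed_domain: str) -> bool:
    """Flag links to a bare IP address or to a host outside the claimed sender's domain."""
    host = (urlparse(uri).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return True  # raw IP host: no courier brand links to its tracking page this way
    except ValueError:
        pass
    return host != claimed_domain and not host.endswith("." + claimed_domain)


def scan_pdf_attachment(pdf_bytes: bytes, claimed_domain: str) -> list[str]:
    """URIs in the attachment that a mail gateway should quarantine on."""
    return [u for u in extract_pdf_uris(pdf_bytes) if is_suspicious_link(u, claimed_domain)]


if __name__ == "__main__":
    print(scan_pdf_attachment(SAMPLE_PDF, "dhl.com"))
```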

Friday, 3 October 2014

"Thanks for shopping with us today!" malspam spreads via Dropbox

This spam email leads to malware hosted on Dropbox:

From:     pghaa@pghaa.org
To:     victim@victimdomain.com
Date:     3 October 2014 11:43
Subject:     victim@victimdomain.com

Thanks for shopping with us today! Your purchase will be processed shortly.

ORDER DETAILS

Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@victimdomain.com

Amount: 4580 US Dollars

Open your payment details

Please click the link provided above to get more details about your order.

In this case the download location is https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others.

The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF  .scr_56453.exe which has a VirusTotal detection rate of 5/55.  At the moment, automated analysis tools [1] [2] [3] are inconclusive as to what it does.

UPDATE: it is also being distributed via
https://www.dropbox.com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https://www.dropbox.com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1 
https://www.dropbox.com/s/fvogsazezmv00hw/Transaction_G287O.zip?dl=1
https://www.dropbox.com/s/42b7binqmk8auu9/Payment_Details_A0869.zip?dl=1
https://www.dropbox.com/s/okag3y2qtg12vg7/Payment_Details_R435C.zip?dl=1

 

Thursday, 2 October 2014

Sky doesn't understand "opting out" of marketing emails

When I opt out of marketing emails, I expect to stay opted out. This kind of crap sent from Sky really gets my goat.
Are you making the most of your Sky TV?
We’re checking our records and can see that you’re not currently opted in to get offers by email, so there are bound to be things you’re not hearing about, like:
-  exclusive money-saving offers on fantastic Sky products and services
-  the chance to trial our most popular products and services totally free
We’ll also donate £2 to Sky Rainforest Rescue, our partnership with WWF, for every customer that opts in – up to £10,000. Sky Rainforest Rescue is helping to save 1 billion trees in the Amazon. So you’ll be making a real difference to the rainforest, which is home to an astonishing one in 10 of all the wild species on Earth.
It only takes a minute, so opt in today and get more out of being a Sky customer.

Sky seem aghast that I'm not interested in a stream of marketing emails for products which I am probably not interested in. Which is why I opted out of having them. I don't want to be nagged about opting out - that's not honouring the opt out is it? In other words.. this is spam.

Just in case Sky ever ends up reading it, I will put it in terms that you might understand..

Wednesday, 1 October 2014

uktservices.com "Booking Cancellation" spam / 37.235.56.121

I just had a mass of these purporting to be from uktservices.com ("UK Travel Services"), but in fact it is a forgery and does not come from them at all - they are not responsible for sending the spam and their systems have not been compromised.

From:     email@uktservices.com
Date:     1 October 2014 14:01
Subject:     Booking Cancellation

Hello.

Your booking at 13:15 on 1st Oct 2014 has been Cancelled.

Here is a link to your updated bookings view:

< href="[redacted] ">http://www.uktservices.com/system/drivers/jobs/51/66c3a53705f1ea2c5b8a11c94c29c6328599a0fc

All the emails are somewhat mangled, but the first link in the email (not the uktservices.com link) goes to what appears to be an exploit kit:

The links in the emails I have seen so far go to:

[donotclick]vinafruit.com/ongo.html
[donotclick]famdebaere.eu/ongo.html
[donotclick]ebook-55.ebook-55.com/ongo.html
[donotclick]farahenterprises.com/ongo.html


In all cases, those pages forward to a malicious page at:

[donotclick]37.235.56.121:8080/njslfxqqw9

The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation.

I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this is malicious in some way or another.

Something evil on 87.118.127.230

Quite what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth blocking this IP. The source looks like some sort of malvertising, but I have incomplete data.

The domains I have seen being abused are:

A list of all the subdomains I have seen can be found here [pastebin]

"Homicide Suspect - important" spam

Ohmigod, the New York City police have finally tracked me down for eviscerating that spammer in Times Square.

From:     ALERT@police.uk [ALERT@police-uk.com]
Date:     1 October 2014 08:49
Subject:     Homicide Suspect - important


Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version: 852065

The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):

http://lppdrivingschool.id.au/ib1/cc141713


The Adobe Reader (from Adobe.com) will display and print the bulletin best.

You can Not reply to the bulletin by clicking on the Reply button in your email software.

Weirdly, the message comes from a police.uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City.

Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55. The Anubis report shows that the malware phones home to santace.com which is probably worth blocking or monitoring. Other analyses are pending.

I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day.
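Three of the posts above (the Sage invoice, the "Thanks for shopping" Dropbox run and this "Homicide Suspect" one) deliver a ZIP whose only content is an executable named to look like a PDF. As an added example, not code from the original posts, here is a gateway-side check that opens an archive in memory and flags members by executable extension, document-style naming and whitespace padding; the sample archive is constructed inline from the filenames quoted in the posts, with dummy contents.

```python
import io
import os
import zipfile

# Extensions Windows runs directly when the user double-clicks the member.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Words the lures use to make an executable look like a document.
DOCUMENT_WORDS = ("pdf", "doc", "invoice", "payment", "fax")


def classify_member(name: str) -> list[str]:
    """Reasons to quarantine one archive member; an empty list means nothing seen."""
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if any(word in root.lower() for word in DOCUMENT_WORDS):
            reasons.append("document-style name on an executable")
    if "  " in root or root != root.rstrip():
        reasons.append("whitespace padding pushes the real extension out of view")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons, without extracting anything."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive reusing the member names quoted in the posts; contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pdf-to-view_864129_pdf.exe", b"constructed placeholder, not a binary")
        zf.writestr("PAYMENT DETAILS.PDF  .scr_56453.exe", b"constructed placeholder")
        zf.writestr("file-viewonly7213_pdf.scr", b"constructed placeholder")
        zf.writestr("genuine_invoice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```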

Tuesday, 30 September 2014

Alzheimer's Association (act.alz.org) abused by spammers

The Alzheimer's Association in the US (alz.org) operate some sort of tell-a-friend system which is apparently easily abused by spammers.

From:     Marbu Contracting Company LLC. [info@alz.org]
Reply-To:     "Marbu Contracting Company LLC." [marbu.constructions.ah@hotmail.com]
Date:     30 September 2014 19:33
Subject:     Check out the Alzheimer's Association website!

Marbu Contracting Company LLC.
No.48,1st Floor,Kaamco
Building, Suhaim Bin Hamad
Street, Bin Mahmoud Qatar,
Tele:44204739.Fax:44289185
E-Mail:(marbu.constructions.ah@hotmail.com)


Marbu Contracting Company LLC. wish to use this medium to announce
that vacancies is now on for Qualified building contractors,
Structural Engineers/Electrical Engineer//Piping/Mechanical
Engineers/GIS/Land Surveyors,NDT Engineer, Civil Engineers, Project
Director,ETC. Candidates should have a Relevant degree B.Eng, BSc.
Eng or B racersTech,

interested contractor or candidate should apply with full resume and
details of jobs completed or ongoing for perusal.

Send You reply to:(marbu.constructions.ah@hotmail.com)

Regard's
Mr.Ahmed Haasen,
Human Resources Manager

I urge you to join me and visit the Alzheimer's Association today!

If the text above does not appear as a clickable link, you can visit the web address:

http://act.alz.org/site/TellAFriend?s_oo=F79cLz0Fs6dcX6iQ5Lb3TA

If you no longer wish to receive email messages sent from your friends on behalf of this organization, please click here or paste this URL into your browser: http://act.alz.org/site/TellFriendOpt?action=optout&toe=a136b421fe2a9b594f68767c21c537f6382420c25dbc7e041ccd4c50a5c00593 

The originating IP is 66.45.103.69 which closely matches the IP of 66.45.103.78 for act.alz.org mentioned in the email, so the email is genuinely coming via the Alzheimer's Association website from some scumbag spammers.

Is this actually from Marbu Contracting? Well, they have been around for 35 years and have their own website at marbucontracting.co and receive emails at the domain marbu-contracting.com, so it is unlikely that they would either resort to using a Hotmail account or sending spam in this way.

So is it a scam? It could be a dangerous one as some Qatari firms have been accused of running slave labour camps, so there's a good chance that this gig isn't what it is supposed to be.

But either the Alzheimer's Association or their service provider Convio Inc must bear some of the responsibility for creating a system that can be abused by spammers in this way. Although their site is meant to restrict sending these messages to ten addresses at a time, presumably the bad guys are running a script or have found some other way to bulk email using alz.org.


In conclusion.. ignore this bogus job offer. And remember to secure this sort of "tell a friend" functionality on your own servers.
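The post says the site caps each request at ten addresses, yet the spammers still manage bulk sends, presumably by scripting many requests. As an added example, not code from the Alzheimer's Association, Convio or the original post, here is a guard a tell-a-friend endpoint can run before mailing anything: it keeps the ten-address cap, adds a per-client recipient budget over a rolling window, and refuses free-text messages that carry their own email address or link (the only payload the spam above actually needed). The window size, budget and client keys are assumptions for the example.

```python
import re
import time
from collections import defaultdict, deque

MAX_RECIPIENTS = 10      # per-request cap the post says the site already enforces
MAX_PER_WINDOW = 30      # recipients one client may address per window (assumed value)
WINDOW_SECONDS = 3600    # rolling window length (assumed value)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


class TellAFriendGuard:
    """Decides whether one tell-a-friend submission may be sent."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so behaviour is testable
        self._sent = defaultdict(deque)       # client key -> send times of recipients addressed

    def _recent(self, client_key: str, now: float) -> deque:
        q = self._sent[client_key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, client_key: str, recipients: list[str], message: str) -> tuple[bool, str]:
        """client_key is whatever identifies the submitter (source IP, session, account)."""
        if len(recipients) > MAX_RECIPIENTS:
            return False, "too many recipients in one request"
        if EMAIL_RE.search(message) or URL_RE.search(message):
            return False, "free-text message carries an address or link"
        now = self._now()
        q = self._recent(client_key, now)
        if len(q) + len(recipients) > MAX_PER_WINDOW:
            return False, "recipient budget for this window exhausted"
        q.extend([now] * len(recipients))     # only count sends that were actually allowed
        return True, "ok"


if __name__ == "__main__":
    guard = TellAFriendGuard()
    print(guard.check("203.0.113.5", ["friend@example.com"], "Have a look at this site!"))
```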