Saturday, January 28th, 2012
We have received various spam emails that imitate messages from the Better Business Bureau (BBB) but are in reality used to spread malicious links that lead to the Blackhole Exploit Kit. The subject of the emails looks like this: "Your updated information is necessary"
Other details of the emails:
Return-Path: <top-team3@ms16.hinet.net>
Received: [...]
Posted in Security | No Comments »
Thursday, October 13th, 2011
Below is a list of malicious URLs grabbed from our sandbox, which analyzed a few recent malware samples. We highly recommend blocking these domains with a firewall and with the hosts file (C:\WINDOWS\system32\drivers\etc\hosts). [...]
Sunday, August 7th, 2011
Another email containing a malicious URL used for a phishing attack against MasterCard and Visa users:
Return-Path: <services@security.com>
Received: from mailrtr1.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr1.deltacom.net (MOS 4.1.10-GA)
From: "visaeurope"<services@security.com>
Subject: Votre carte bancaire est suspendue
Date: Sun, 7 Aug 2011 00:12:08 -0500
To: undisclosed-recipients:;
Email message: Bonjour clients de visa carte, Votre [...]
Saturday, August 6th, 2011
Phishing attack against eBay users:
Return-Path: <aw-confirm@mail.aby.fr>
Received: from mail.ktmtalk.com (mail.ktmtalk.com [173.74.246.25])
Received: from User [98.175.62.124] by mail.ktmtalk.com with ESMTP
Reply-To: <aw-confirm@mail.aby.fr>
From: "eBay Member jxavier14"<aw-confirm@mail.aby.fr>
Subject: New Unpaid Item Message from jxavier14: #14027471062 — response required
Date: Sat, 6 Aug 2011 06:34:47 -0500
To: undisclosed-recipients:;
Email message: Dear member, eBay member charly1 has [...]
Saturday, August 6th, 2011
Another email used to spread a fake PayPal message containing a malicious link used for a phishing attack against PayPal users:
Return-Path: <services@security.com>
Received: from mailrtr4.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr4.deltacom.net (MOS 4.1.10-GA)
From: "PayPal"<services@security.com>
Subject: Centre de securite PayPal
Date: Sat, 6 Aug 2011 00:11:18 -0500
To: undisclosed-recipients:;
Malicious URL: [...]
Wednesday, June 22nd, 2011
Users have reported to us another website infected by a hidden iframe: hxxp://www.minecraftforum.net/ All web pages are affected! The hidden iframe sits at the bottom of the HTML pages. When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run in [...]
Thursday, June 16th, 2011
These URLs are malicious or related to malware: [...]
Tuesday, June 14th, 2011
Suspicious email spreading malware:
Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034
Message: May 2011 United Parcel Service tracking number #18203 Good morning Parcel notification The parcel was sent your home adress. And it will arrive within 3 buisness days. More information and the parcel tracking number are [...]
Wednesday, May 18th, 2011
New phishing email related to PayPal accounts:
Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
To: undisclosed-recipients:;
Message:
Note that the email comes from:
From: "Paypal"<servviice@paybal.com>
The domain paybal.com is parked! Malicious URL that [...]
Sunday, May 1st, 2011
Suspicious email spreading malware:
Received: from 18714128077.user.veloxzone.com.br (unknown [187.14.128.77])
Received: from [132.75.231.74] (helo=qnmekzdssguat.bacphgvlbnez.ua)
From: "Puremobile Inc." <h5923a@ms2.hinet.net>
Subject: Your Order No 218538 – Puremobile Inc.
Message: Thank you for ordering from Puremobile Inc. This message is to inform you that your order has been received and is currently being processed. Your order reference [...]