Tuesday, 31 July 2007

Important: signature location

Well, after hitting 25 gig of bandwidth again this month, it's time to force people to move over to the latest round-robin URLs. So, if you're using an old script then you will no longer be receiving the Sanesecurity signatures, as the phish and scam databases at the old download locations have now been blanked.

Use the updated scripts from the usage page.

Round-robin URLs:

http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz

Stock spam evolves again... to zip... erm... rar

Well, spammers have this morning changed tactics again... we're now seeing a standard text stock spam... inside what looks like a zip file.

However, looking at the zip file... it's actually a RAR file, despite the .zip extension... another confusing trick.

Detection added as: Email.Stk.Gen603.Sanesecurity.07073100.zip

Sunday, 22 July 2007

From PDF to XLS to Zipped XLS: Stock spam

Received another variant of the XLS stock spam... this time... the spammers are zipping the XLS stock spreadsheet.

Sample Received date: 22 Jul 2007 15:48:20 +0200

Signature Email.Stk.Gen598.Sanesecurity.07072000.xls from yesterday already detected it :)
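Both the "zip" that is really a RAR file (above) and the zipped XLS here come down to the same check a mail gateway can do cheaply: compare the extension an attachment claims with its leading bytes, and look inside genuine zips too. The following is an added example written for this post, not Sanesecurity's scripts or ClamAV code; the magic-byte table, function names and sample blobs are this example's own constructed assumptions.

```python
import io
import zipfile
from typing import Optional

# Well-known leading bytes for the container formats this spam run cycled
# through (PDF -> XLS -> zipped XLS -> "zip" that is really RAR).
# The table is this example's own, not part of any Sanesecurity signature.
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),                  # ZIP local header / empty zip
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 1.5-4.x / RAR 5
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),           # OLE2 compound file (legacy Office)
    "pdf": (b"%PDF-",),
}

def sniff(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, sigs in MAGIC.items():
        if data.startswith(sigs):
            return fmt
    return None

def inspect_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format; for real zips,
    sniff each member as well so a zipped XLS is surfaced, not hidden."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    result = {"claimed": claimed, "actual": actual,
              "mismatch": actual is not None and actual != claimed, "members": []}
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as fh:
                        head = fh.read(16)  # header bytes are enough to sniff
                    result["members"].append((info.filename, sniff(head)))
        except zipfile.BadZipFile:
            result["members"] = None  # says zip, starts like zip, but unreadable: flag it
    return result

# Constructed samples (not real spam): a RAR renamed to .zip, and a zipped fake XLS.
RAR_AS_ZIP = b"Rar!\x1a\x07\x00" + b"\x00" * 32

def build_zipped_xls() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stock_tip.xls", MAGIC["xls"][0] + b"\x00" * 32)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_attachment("stock_tip.zip", RAR_AS_ZIP))
    print(inspect_attachment("stock_tip.zip", build_zipped_xls()))
```

A mismatch between claimed and sniffed format, or a zip whose members sniff as OLE2 or PDF, is a cheap trigger for deeper scanning rather than a verdict on its own.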

Saturday, 21 July 2007

From PDF to XLS: Stock spam

Well well, the spammers change tactics yet again, from the image spam and the PDF spam... to the downright sneaky Excel spreadsheet spam.

As most companies use XLS (and PDF, for that matter), the spammers know that companies won't block these extension types, as doing so would stop genuine email too.

21st July 2007 timeline

At 16:11 UK time, I received an interesting stock spam sample and started to analyse it.
At 17:00 UK time, I received five more samples... all XLS spreadsheets.

At 18:05 UK time, the first signature was uploaded to the mirrors:

Email.Stk.Gen598.Sanesecurity.07072000.xls

Here's a screenshot:

Wonder what format is going to be next for the spammers?

Monday, 16 July 2007

Phishers go Green!

It's nice to know that even the phishers care about saving the planet, I mean it looks legit:

... well, apart from hsbc.co.uk with a .hk domain ending:

Thursday, 5 July 2007

Digg Post

Here's a post on Digg from a user, for a bit of useful-sounding software:

When you click on the link, you are taken to a download site:

Scanning the download file:

So, is this just a false positive or a different way of getting malware out to the world??

PayPal phish using a Word document

Here's a phish purporting to come from PayPal, which contained a Word document.

As the email used an image for the main text body plus a Word document, the phisher no doubt thought it would bypass filters.

Here's the main email:

Here's the content of the Word document: