Thursday, 19 May 2011

fake dhl email using pif

Another round of fake DHL emails... but this time... it's got a PIF attachment, instead of the
normal zipped exe variety.

Here's the email....

Submitted to Threatexpert:
http://www.threatexpert.com/report.aspx?md5=8b7c994f4d5b0b5e35216bd68d87edb3

Submitted to VirusTotal (7/43)
http://www.virustotal.com/file-scan/report.html?id=2936d561853db9119ac2d5e7120f80d4e8ed39fa191365b5d8be83cfa4f95343-1305796256

It seems to be interested in the following banks:
http://eureka.cyber-ta.org/OUTPUT/8b7c994f4d5b0b5e35216bd68d87edb3/dns.txt

Detected as:

Sanesecurity.Rogue.2050 and Sanesecurity.Malware.16418

Cheers,

Steve
Sanesecurity

Wednesday, 30 March 2011

strange facebook emails

Received this interesting and very simple email today...

From the source code you can see that the link doesn't go to Facebook...

... It instead takes you to a forum... which has been hacked (which you can see when you look at the source code)

The forum then redirects you, via a 302 redirect... to another site (seen with HttpFox)

The final site you end up on... is a fake anti-virus site, and fake anti-virus software is generally a pain to remove :(

Checking the actual fake anti-virus site (in bold) with urlvoid.com...

You can see that all 21 URL checkers come up clean....

It's not nice out there.... but Sanesecurity.Malware.15890 and Sanesecurity.Malware.15891 are currently blocking these emails.
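A mail-side check covering both posts, added here as an example (my code, not Sanesecurity's signatures): it flags attachments with directly executable extensions such as .pif, and HTML links whose visible text names one site (facebook.com) while the href goes somewhere else. The sample message, its addresses and the attachment bytes are constructed placeholders.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Extensions Windows runs directly; .pif is the one the DHL lure above used.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Crude anchor matcher, enough for mail bodies; use a real HTML parser in production.
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a host or URL (e.g. "www.facebook.com/dhl").
HOSTLIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample message; addresses and the attachment are placeholders.
SAMPLE = """\
From: DHL <noreply@example.invalid>
Subject: DHL shipment notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

Track it at <a href="http://forum.example.invalid/x.php">www.facebook.com/dhl</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="DHL_label.pif"

placeholder bytes, not a real executable
--b1--
"""

def _host(s):
    """Host of a URL or of bare 'www.site.com/path' text, with a leading www. dropped."""
    h = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return h[4:] if h.startswith("www.") else h

def find_risky_attachments(raw):
    """Filenames of attachments whose extension Windows would execute directly."""
    msg = message_from_string(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if "." + n.rsplit(".", 1)[-1].lower() in EXEC_EXTS]

def find_mismatched_links(raw):
    """(text, href) pairs where the visible text names a different host than the href."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return [(text.strip(), href) for href, text in ANCHOR.findall(html)
            if HOSTLIKE.fullmatch(text.strip()) and _host(text.strip()) != _host(href)]

if __name__ == "__main__":
    print("risky attachments:", find_risky_attachments(SAMPLE))
    print("mismatched links:", find_mismatched_links(SAMPLE))
```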

Cheers,

Steve
Sanesecurity