Rogue security software XP Total Security spreads by email

We have received an email that states we have an unread message and someone has sent us a private message. However, it does not state whether the unread message is from a social network; it only says it comes from SecureMessage.System, as you can see from this image: The body of the email is this: […]

Scam: Account suspicious activity – Facebook.Team

We started to receive emails stating that our Facebook account has been blocked due to suspicious activity and that to activate it we should click on a URL. Clearly this is a scam; the email seems to be sent by an email account from China, see the image below: This is an image of the body […]

KBOT C&C Malware

We just logged a new C&C bot named KBOT: Content of the /js/ folder: Content of the /images/ folder: Content of the /css/ folder: Malware activity (cb119a6b42da7bba1b6151f2e0bd6f1e): File Created - %SAMPLE% - %Temp%\epbUex.UxO - A7A21220689BD796F6B74E5D983D810E - 2560 bytes - attr: [] - PE Connection Established - C:\WINDOW...

Phishing: Compromised Account (PayPal)

We received another suspicious email that spreads a phishing URL: The A HREF link redirects to the phishing URL: hxxp:// restore.account.sysadmin-center .com/paypal/restore/webscrcmd=_login-run/webscrcmd=_account-run/confirm-paypal/restore=_paypal-account/updates-paypal/ Email header details: Received: from main.pensativo.nl (ma...

Phishing: Skype Incident Updating Your Information To the new security

New phishing email used to steal Skype login details: The A HREF link: Please click here to verify your identity Redirects users to the malicious URL: hxxp://login.skype.com.kad-s .com/

Find out who visits your Facebook profile: it is a fake, the link redirects to malicious websites

We have recently noted various messages posted by Facebook users that promote a few methods to find out who visits your Facebook profile. At the end of the message there is a link to a Bit.ly shortened URL, as you can see from this image: The shortened URL redirects the users to a malicious URL: HTTP/1.1 […]

Malware: Cotacao solicitada (relatorio.scr)

We have received a suspicious email: Received: from unknown (HELO userb) (***@globaltires.es@177.0.120.119) Subject: Cotacao solicitada. MIME-Version: 1.0 Date: Sat, 11 Feb 2012 17:56:37 -0300 Email message is in HTML and the page source looks like: As you can see, from this code: <A href="hxxp://groupnetvect .co.de"...

New Malicious Iframe Code, Trojan.Java.Downloader and VBScript

Honeypots have reported another case of malicious iframe code that is generally added after the end of the HTML tag, at the end of the website page, as you can see from the image below: We have also noted another website that redirects users to a fake porn video streaming website with the main objective […]

JavaScript Code Hidden in Image

We noted a few websites infected with the following code (Gumblar-style?): Extracted malicious URL: hxxp://vohfakai .co.cc/1584179.jpg URLVoid report: http://www.urlvoid.com/scan/vohfakai.co.cc Unfortunately (fortunately) the malicious URL is not online, but I am sure it was used to spread malicious JavaScript code or iframe code,...

Iframe Alias(dot)jjbworks(dot)com Mass Infection

Another hidden and malicious iframe is spreading by infecting websites: The iframe code is added before the BODY tag of the HTML page and is obfuscated: The extracted malicious link is: hxxp://alias .jjbworks .com/analytics.php Details about the malicious domain: Website: alias .jjbworks .com Domain Hash: 2f8f518cb5d452fca78b8c1...