My Online Security | Keep yourself safe online

compromised windstream email sending malspam

Posted on 7 June 2019 6:04 am by Myonlinesecurity7 June 2019 6:04 am

Got a bit of a dodgy one here today, where it looks like the email service for windstream.net has been compromised to allow a miscreant to send malicious emails that are passing all authentication. It is highly likely that it is an individual customer of Windstream that has been compromised, rather than the entire system, but the whole idea of a company outsourcing mailing services to a 3rd party like Zimbra / Synacor is their filtering systems that is supposed to detect & block malware, spam and other malicious content Windstream are a major US ISP / Telecoms company / … Continue reading →

Phishing emails pretending to be sent from myonlinesecurity.co.uk

Posted on 29 May 2019 5:38 am by Myonlinesecurity30 May 2019 9:56 am

First of all I want to apologise to anybody who received a scam phishing email that pretended or appeared to come from our email address security@myonlinesecurity.co.uk. These emails were not sent from this server but from a scummy server controlled by a hosting company in Iceland who are used frequently by criminals for malware, scams, phishing etc. All the emails came from 37.49.225.163 The emails looked like these emails. Both sites mentioned in the emails were taken down by the hosting company within minutes of this phishing campaign starting. Update 30 May 2019: this campaign is still continuing. Several different … Continue reading →

Lokibot via abusing the ngrok proxy service

Posted on 28 May 2019 5:55 am by Myonlinesecurity28 May 2019 5:55 am 1

It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN from the miscreant’s home computer or server that effectively puts the malware in the cloud & bypasses all firewalls etc. I can’t see anything in their TOS prohibiting malware, phishing, scams etc, just a general no … Continue reading →

Hot Mobile Israeli Hebrew Phishing scam

Posted on 25 May 2019 6:33 am by Myonlinesecurity25 May 2019 6:33 am

Fake Hot Mobile "Update your Account " email

We see lots of phishing attempts for various credentials. This scam in Hebrew is a totally new one to me. As far as I can tell the Mobile phone company being spoofed Hot Mobile is an Israeli Mobile Phone company that has links to the Israeli defence Forces. All the info I am getting about this comes from Google translate or Wikipedia, so might not be 100% accurate. I don’t speak or read Hebrew at all, so am completely reliant on web translations. Other countries also have regular phishing scams against their Mobile Phone or other telecoms networks or companies. … Continue reading →

multiple malware delivered from compromised website run on a domestic BT IP address

Posted on 24 May 2019 6:55 am by Myonlinesecurity24 May 2019 6:55 am

As I mentioned earlier in the week, we aren’t seeing massive amounts of malware, especially in the UK at the moment BUT we do see a steady lowish volume stream of commodity malware. These are the standard easy to purchase and use malware tools like Nanocore, Hawkeye, Agent Tesla and other keyloggers or remote access trojans that are so easy to use that they get used by both Skiddies & the criminal malware gangs. Today’s first example is a Nanocore remote access Trojan that was delivered via a fake Swift Payment advice pretending to come from Citi Bank. So far … Continue reading →

nanocore RAT via fake order in password protected word doc with wrong password

Posted on 23 May 2019 4:24 am by Myonlinesecurity23 May 2019 4:24 am

I was sent a message via the submissions system last night with the email the victim received attached. At first glance it looked like the typical password protected word docs we see regularly pretending to be either an order, invoice or resume, that frequently drop or download some sort of ransomware. At first I could not open this word doc using the password in the email body “doc2019” after trying a few variations I found the correct password is “DOC2019”. Windows ( or at least Microsoft Office) does see the differences in upper & lower case on passwords. When I … Continue reading →

Hawkeye keylogger via fake receipt. Stolen data sent to another keylogger site.

Posted on 21 May 2019 7:15 am by Myonlinesecurity21 May 2019 7:15 am 2

Over the last month or 6 weeks we, along with many other researchers, have noticed quite a drop in Malspam, in fact in spam generally. Nobody quite knows why but generally this means one or other of the major spam sending botnets has been taken down or is retooling & getting ready for a new set of campaigns. One of the few constant malware versions we are all seeing on a steady, almost daily basis, but using lowish volumes to stay somewhat under the radar is Hawkeye Keylogger. These generally aren’t worth posting about. They tend to use such generic … Continue reading →

Phishing on a compromised Brazilian ISP via fake Fax email

Posted on 17 May 2019 9:18 am by Myonlinesecurity17 May 2019 9:18 am

Just a very quick post about a phishing scam this morning. This is only noteworthy because the phishing takes place on a compromised website belonging to a small Brazilian ISP. https://www.agilinker.com.br/ The email pretends to be a fax message from your own domain, so the ones I received pretended to come from faxINchine@myonlinesecurity.co.uk. I received lots of these all addressed to various different email addresses on the myonlinesecurity.co.uk domain. You can now submit suspicious sites, emails and files via our Submissions system Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: … Continue reading →

Gootkit banking Trojan via Fake UKPC parking penalty appeals

Posted on 16 May 2019 5:23 am by Myonlinesecurity16 May 2019 5:23 am 1

I am hearing about a return of the fake UKPC parking charge appeals scam which has been quiet for about 1 year. At this time I don’t have a copy of the email that was received by the victim, only the link that was in it. I assume the email will be very similar to the ones described in these 2 posts [1] [2]. UKPC are a nationwide company that controls parking on private property throughout many parts of the UK. They do not ( as far as I can tell) control on street parking on behalf of any Local … Continue reading →

ISRStealer via fake Prudential Assurance Company Purchase Order

Posted on 15 May 2019 10:50 am by Myonlinesecurity15 May 2019 10:50 am

Every now & again we see a resurgence of ISRStealer info-stealer / Keylogger Trojan Malware. This malware has been around since 2011 and gets intermittent distribution campaigns. You can now submit suspicious sites, emails and files via our Submissions system Prudential Assurance Company Singapore has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails Purchase order #693641_3451483.zip : Extracts to: Purchase order #693641_3451483.exe Current Virus total detections: Anyrun | The C2 & … Continue reading →