My Online Security | Keep yourself safe online

Big change in the plague of Blackmail, Sextortion Scam attempts

Posted on 7 April 2019 11:12 am by Myonlinesecurity8 April 2019 7:42 am 7

Today we have seen a big change in the plague of Blackmail, Sextortion Scam attempts we have all been seeing over the last few months and even years. The emails will all basically say that he has placed a keylogger on your computer and has evidence of you “playing with yourself” while visiting a porn site. He also states that he has stolen your contacts list. There have been numerous variations in the wording of the email body, but all are basically the same. Note that I am also still receiving the “normal” emails involved with this scam. Some of … Continue reading →

Agent Tesla keylogger via fake Request for Quotation

Posted on 6 April 2019 6:34 am by Myonlinesecurity6 April 2019 6:34 am

Yet another Agent Tesla Keylogger / Info-stealer Trojan malware delivered via a fake Request for Quotation email with a malicious Excel XLS spreadsheet attachment using Microsoft Equation Editor Exploit CVE-2017-11882. We see dozens of this sort of email daily and most times don’t bother to post about them, just submit the files and urls to antivirus companies and block lists. This one is slightly different to previous versions with a different set of instructions trying to Social Engineer you into enabling content so that the “exploit” will run. They are using email addresses and subjects that will scare, persuade, shock … Continue reading →

Quick update to Emotet delivery campaign

Posted on 4 April 2019 5:42 am by Myonlinesecurity4 April 2019 5:42 am 1

Just a quick update to Emotet delivery campaigns that have plagued us for ages. I don’t normally post much about Emotet. There are lots of other researchers keeping an eye on it, who post regular updates via Twitter etc, Until recently Emotet was normally delivered via a malicious word doc attachment. Then about 10 days ago we noticed some versions using js attachments inside zip files. Yesterday evening we noticed yet another change. This time using js files inside password protected zips with a previously unknown password that might be different in each version received. Using password protected zip files … Continue reading →

Fake sentencing report delivers some sort of malware via a complicated chain.

Posted on 28 March 2019 10:15 am by Myonlinesecurity28 March 2019 10:15 am

I really don’t know what I have got here. I am totally and utterly confused by it. I don’t know if it even works or runs, or whether it just fails in anyrun or any other online sandbox, but will run on a “normal” computer. It all starts with an email pretending to come from a lawyer with loads of gobbledegook nonsense that just doesn’t sound or look in way correct. It just tries to confuse you with various legal sounding terminology. It has the subject of “Notification report sentence #3975252142 date 16.02.2019” which has an HTML attachment to it. … Continue reading →

Fake order confirmation for refurbished Samsung TV delivers Malware

Posted on 27 March 2019 5:02 am by Myonlinesecurity27 March 2019 5:02 am

I have a bit of a strange one here from yesterday evening. I received a couple of different copies of this email, both coming from the same server and IP number but with different alleged senders. I am not exactly sure what it is. although some detections on VirusTotal suggest TinyNuke Banking Trojan. Anyrun doesn’t show any strange connections or indications of anything when trying to contact a couple of different UK banking sites. Update confirmed as TinyNuke Banking Trojan which only appears to become active after rebooting the computer it is installed on. The C2 locations are m0pedx9.ru and … Continue reading →

2 in 1 Shopify and Paypal phishing scam

Posted on 21 March 2019 3:27 pm by Myonlinesecurity21 March 2019 3:27 pm

We see lots of phishing attempts for banking, Paypal and other login credentials. This is newer entry to the lists. I don’t often see Shopify phishing emails. I was quite suprised to see a double phishing scam here. First asking for your Shopify shop address, then your email address associated with the shop, then log in password for the shop. Then to add a bit of flavour they ask you to link your PayPal account and want that email address & password. This phisher is out of luck and the site has been reported for immediate takedown. I don’t expect … Continue reading →

Fake HMRC submission email delivers some sort of malware

Posted on 21 March 2019 5:02 am by Myonlinesecurity21 March 2019 5:02 am 1

I am having difficulty working out what is happening with this malware. The details about it were uploaded via our submissions system yesterday afternoon when I was out for a medical appointment. I don’t have a copy of the original email, only the body content which was pasted in to the message and the link it led to, with details of the alleged original sender. I think it is a banking trojan / Info-stealer UPDATE: Being told it is Ursnif / Gozi banking trojan that is heavily geo-ip restricted The email pretends to be from HMRC with a link in … Continue reading →

Trickbot via fake Efax message using Squiblydoo, Active X, macro and abusing pastebin

Posted on 20 March 2019 4:59 am by Myonlinesecurity20 March 2019 4:59 am

We are seeing massive changes with the Trickbot delivery campaign overnight. I have only seen 1 mention on Twitter about this campaign and 1 on a private malware research mailing list, so it can’t be affecting too many recipients. This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “You have a new eFax message! ” pretends to come from Efax but actually comes from “service@efax.delivery” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the … Continue reading →

Fake CIA Sextortion Scam

Posted on 18 March 2019 5:14 am by Myonlinesecurity19 March 2019 2:45 pm 37

The latest version of these horrific porn related Sextortion, blackmail scams has changed slightly and pretends to be a message from a CIA employee who is part of the task force on paedophilia. There are multiple different senders and all the case numbers are different in each example received. It states you are on the list to be investigated and are about to be arrested on 8th April 2019. However if you pay her $10,000 by bitcoin, before 27th March 2019, she will remove all your details from the database. Of course this is a total fabrication. And just yet … Continue reading →

Fake DHL Urgent Delivery notice delivers Gandcrab 5.2 ransomware

Posted on 15 March 2019 4:33 am by Myonlinesecurity15 March 2019 4:33 am 1

Yet another Gandcrab ransomware campaign. This time spoofing DHL Express with a fake delivery notification email. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption available yet. This bad actor is getting a bit lazy and has reused the same word template that we saw earlier in the week with the CDC version to deliver the malware. All they have done is changed the file download url in the macro. It is highly likely that they are using an off the shelf exploit kit, rather than actually creating the docs themselves. However they are using different sending … Continue reading →