My Online Security | Keep yourself safe online

Fake Court summonses, Judgements, Subpoenas delivering malware

Posted on 20 February 2019 1:20 pm by Myonlinesecurity20 February 2019 1:20 pm

Starting Yesterday evening and continuing steadily all day so far today, we saw what was supposed to be a malspam campaign with a lure of court summonses. None of the links I followed actually delivered any malware but did instead lead to a zip file that contained the configuration details for the spamming and supposed malware campaign. So somewhere along the line, somebody messed up big time. I am not going to go into this particular one much more, except to say that researchers who are a lot better than me are looking at it & investigating further. We are … Continue reading →

Fake TD Bank Confirm account status delivers Trickbot

Posted on 19 February 2019 9:06 pm by Myonlinesecurity19 February 2019 9:06 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” Confirm account status ” pretends to come from TD Bank but actually comes from “J.McMillan@tdbanksec.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they have returned to using word docs. Again this is targeted at North American recipients rather than UK ones. I was sent the email via our submissions system, but the … Continue reading →

Agent Tesla keylogger delivered inside a Power ISO .daa archive

Posted on 19 February 2019 7:11 am by Myonlinesecurity19 February 2019 7:11 am

We never fail to be astonished by the ingenuity and attempts from malware bad actors to get their malware delivered to their intended victims. However in many cases, like this one, their attempts spectacularly backfire where such a tiny, minuscule number of recipients will be able to open the malware attachment and stand a possibility of being infected. They have used a type of archive that is virtually unknown and none of the commonly used extraction tools will extract the content. They have used a .daa file which is a proprietary format created by and only used by Power ISO, … Continue reading →

Fake Quotation request delivers Formbook

Posted on 17 February 2019 7:43 am by Myonlinesecurity17 February 2019 7:43 am

We have been seeing a lot of formbook malware recently. This campaign is very similar to all the others we frequently see. The only reason for mentioning it is that it is very unusual for malware campaigns to take place over a weekend. Most of this type of malware is targeted at business users and not consumers. I suppose they are thinking that if it arrives over the weekend then it might slip past a recipient in the mass on Monday Morning emails to read. However in reality, that gives time for the Antiviruses and perimeter defences to be updated … Continue reading →

Fake Blockchain authentication update delivers Dark Comet RAT

Posted on 13 February 2019 6:39 am by Myonlinesecurity18 February 2019 7:51 pm 2

A slightly different malware campaign that I have never seen hitting the UK previously. The email pretends to be about a reward for using Blockchain and you need to install a new authentication method. The entire email screams scam, is written in quite poor English, with missing punctuation and poor grammar. Then to add the cherry to the icing on the cake, the link to a .scr file isn’t hidden, obscured or masked in any way. They use email addresses and subjects that will scare, shock, persuade or entice a recipient to read the email and open the attachment. Now … Continue reading →

Fake Royal Bank of Canada RE: Instructions de transfert delivers Trickbot

Posted on 11 February 2019 11:33 pm by Myonlinesecurity11 February 2019 11:33 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Instructions de transfert ” pretends to come from RBC Royal Bank of Canada but actually comes from “3SERVICEGROUPMTL3@R0YALBANK.COM” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. You need to look very carefully to see the 0 (zero) in the fake domain name instead of the O. It is slightly clearer in lowercase, but still close enough to confuse many recipients (r0yalbank.com.). … Continue reading →

Lokibot via Fake DHL delivery message using ISO attachments

Posted on 9 February 2019 7:04 am by Myonlinesecurity9 February 2019 7:04 am

Yet another Lokibot campaign. This time coming via a Fake DHL delivery failed email. We frequently see comments saying ” how can anybody fall for this sort of scam”. Well it is extremely easy! It only needs a combination of very plausible circumstances to make you think it is genuine. First, you see the from DHL line in the email. Next the criminal Scammers are experts in Social Engineering & manipulation. The email wording is generic enough to apply to anybody, but personalised just enough, with key words and phrases that make you believe it is true. Many of us … Continue reading →

Gandcrab via fake invoice using password protected zip files

Posted on 8 February 2019 6:14 pm by Myonlinesecurity9 February 2019 10:35 am 2

It’s Friday afternoon at the end of a busy week for many people and we get yet another Gandcrab ransomware campaign. This campaign is slightly different to previous versions that I have seen. We generally see Gandcrab delivered via Office ( normally Word) documents, either Macros or possibly Equation editor or other embedded ole object exploits. Today’s version is the first time that I have seen a js file inside a zip that was password protected as the initial vector. You need the password “invoice123” to be able to open the zip file. It starts with the email looking like … Continue reading →

A very quick update on the sextortion spam campaigns

Posted on 8 February 2019 10:56 am by Myonlinesecurity8 February 2019 10:56 am 1

This is just a very quick update about the sextortion, blackmail, bomb threat, we will kill you spam campaigns that have plagued all of us for several months now. It is a bit complicated to follow, but hopefully it will shed some light on this campaign that other researchers who are following it more closely & deeper will be able to use & hopefully assist in their work to get it all shut down and catch the criminals. I have previously posted several posts about this campaign, where some of the spam was assisted in delivery by a misconfiguration on … Continue reading →

Another BBC bitcoin scam. Email is from a compromised School email account

Posted on 7 February 2019 11:53 am by Myonlinesecurity7 February 2019 11:53 am 4

Following on from my previous post about the BBC being imitated to perform a bitcoin scam, we were asked to look at another email today, that was uploaded via our submissions system. This is slightly more alarming than the previous one. The email is personally addressed with correct details. It looks like the school in question actually has been compromised and is sending the emails out from their email system. As far as I can ascertain the recipient does have a relationship with the school, so it is extremely likely that all parents or guardians of this school’s pupils will … Continue reading →