Tag: spam | My Online Security

Nanocore RAT via fake DHL failed delivery in Chinese

Posted on 19 June 2019 12:39 pm by Myonlinesecurity20 June 2019 5:44 am 1

A quick post about the latest in a long, long, long, very, very long line of fake DHL delivery failure emails delivering all sorts of malware. Today’s version is slightly different to the ones we frequently see in UK. Today it is delivering Nanocore RAT in a zip file attachment. Firstly it is written entirely in Chinese, so most recipients won’t be able to read it. It is also worth mentioning the email server /account this malware laden email came from. kate@xapps.link Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and … Continue reading →

Remcos Rat via fake invoice using multiple delivery methods.

Posted on 19 June 2019 6:22 am by Myonlinesecurity19 June 2019 6:22 am

I have heard of the “Belt and Braces ” approach to delivering malware before, but this malware campaign delivering Remcos Rat is using the belt and 2 pairs of braces to try make sure the malware gets delivered. The email is a fairly typical Invoice Request that appears to a part of an ongoing conversation and contains 3 different attachments. A zip file that contains a Remcos binary An RTF file using CVE-2017-11882 to contact a remote site & download a different Remcos binary A Word doc that is a renamed RTF file using CVE-2017-11882 to contact the same remote … Continue reading →

AgentTesla Keylogger and Binary Options scam

Posted on 12 June 2019 12:31 pm by Myonlinesecurity12 June 2019 12:31 pm

We are still not seeing massive amounts of malware currently hitting the UK. We are still seeing the commodity malware like AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye Keylogger on a very regular basis. Today’s example of an AgentTesla campaign is somewhat more interesting than usual. The email is nothing special and pretends to be the typical fake invoice we frequently see as the lure with these campaigns. What is different today is firstly the email is actually coming from the sender it says it is and passes all authentication. ( see email headers below) The home page … Continue reading →

Bitcoin verify your Identity phishing scam hosted on Microsoft Azure hosting

Posted on 11 June 2019 5:07 am by Myonlinesecurity11 June 2019 5:07 am 1

I am seeing a bitcoin phishing scam campaign this morning hosted on Microsoft Azure/windows.net. The emails pretend to come from your own email address and are addressed to the same email address. All hosting companies get abused and used for malware, scams and phishing. Recently Microsoft Azure Hosting seems to be the flavour of the month. It is not helped by the fact that Microsoft make it overly complicated to report these scams, malware or phishing via the https://portal.msrc.microsoft.com/en-us/engage/cars where you have to give loads of details. Using the very simple report to Microsoft form on https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site is just about … Continue reading →

It looks like another DNS compromise hack happening

Posted on 10 June 2019 11:30 am by Myonlinesecurity10 June 2019 11:30 am 8

I saw a fairly short-lived, reasonably low volume, malspam campaign earlier this morning that looks like it comes via Necurs Botnet and is somehow using a “new” compromise or security hole in the DNS system. These appear to be targeted at UK only and as far as I can tell ONLY a UK IP number will get a redirect to the scumware site. Other users don’t, at this time get anything. So far today the eventual target site has been https://appteslerapp.com/ which is pushing a very high risk stock trading scheme. Beware: the only people who get rich on these … Continue reading →

More compromised windstream email sending malspam with Orion keylogger

Posted on 10 June 2019 7:33 am by Myonlinesecurity10 June 2019 7:33 am

Following on from Last Friday, it is looking like Windstream, Zimbra & Synacor still have a problem with accounts being compromised and mass malspam being sent. Generally speaking the majority of ISPs are pretty good with blocking outgoing spam & malware emails. They generally restrict the numbers of emails sent per hour / day for each account and the limit is normally very low, in the 10’s or low 100’s, unless you have a business account where the sending limits are much higher. That is why we normally see the majority of malspam coming from fraudulently set up, or compromised … Continue reading →

voicemail phishing scam involving compromised OneDrive for business site

Posted on 7 June 2019 1:33 pm by Myonlinesecurity7 June 2019 1:33 pm

We see lots of phishing attempts for email credentials. This one is slightly different than many others and somewhat more complicated. It pretends to be a message to download a voicemail. You can now submit suspicious sites, emails and files via our Submissions system Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well. This appeared to be sent from an outlook.com mail server and it is almost certain the alleged sender details have been … Continue reading →

compromised windstream email sending malspam

Posted on 7 June 2019 6:04 am by Myonlinesecurity7 June 2019 6:04 am

Got a bit of a dodgy one here today, where it looks like the email service for windstream.net has been compromised to allow a miscreant to send malicious emails that are passing all authentication. It is highly likely that it is an individual customer of Windstream that has been compromised, rather than the entire system, but the whole idea of a company outsourcing mailing services to a 3rd party like Zimbra / Synacor is their filtering systems that is supposed to detect & block malware, spam and other malicious content Windstream are a major US ISP / Telecoms company / … Continue reading →

Phishing emails pretending to be sent from myonlinesecurity.co.uk

Posted on 29 May 2019 5:38 am by Myonlinesecurity30 May 2019 9:56 am

First of all I want to apologise to anybody who received a scam phishing email that pretended or appeared to come from our email address security@myonlinesecurity.co.uk. These emails were not sent from this server but from a scummy server controlled by a hosting company in Iceland who are used frequently by criminals for malware, scams, phishing etc. All the emails came from 37.49.225.163 The emails looked like these emails. Both sites mentioned in the emails were taken down by the hosting company within minutes of this phishing campaign starting. Update 30 May 2019: this campaign is still continuing. Several different … Continue reading →

Lokibot via abusing the ngrok proxy service

Posted on 28 May 2019 5:55 am by Myonlinesecurity28 May 2019 5:55 am 1

It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN from the miscreant’s home computer or server that effectively puts the malware in the cloud & bypasses all firewalls etc. I can’t see anything in their TOS prohibiting malware, phishing, scams etc, just a general no … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: spam