Tag: ursnif | My Online Security

Fake Court summonses, Judgements, Subpoenas delivering malware

Posted on 20 February 2019 1:20 pm by Myonlinesecurity20 February 2019 1:20 pm

Starting Yesterday evening and continuing steadily all day so far today, we saw what was supposed to be a malspam campaign with a lure of court summonses. None of the links I followed actually delivered any malware but did instead lead to a zip file that contained the configuration details for the spamming and supposed malware campaign. So somewhere along the line, somebody messed up big time. I am not going to go into this particular one much more, except to say that researchers who are a lot better than me are looking at it & investigating further. We are … Continue reading →

Fake Xmas Bonus Payslip delivers Ursnif – Gozi

Posted on 17 December 2018 12:05 pm by Myonlinesecurity17 December 2018 12:05 pm

We are still seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK again this week. Today we are seeing an Xmas Payslip theme The subjects vary slightly but include Wages December, Salary Payslip, Christmas Payslip, Chrithmas Payslip or similar These are coming from dozens ( or even hundreds) of different email addresses and IP addresses all from 1 hosting company using the IP range of 91.222.237.* This appears to be a server based in London but controlled by a Russian Entity, AS202423 PE Viktor Tyurin. All the email addresses pass authentication and the majority of the sending domains have been registered for … Continue reading →

Urgent to all residents of the building email delivers Ursnif

Posted on 11 December 2018 11:23 am by Myonlinesecurity14 December 2018 10:55 am 1

We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since Yesterday. Earlier we saw a Brexit theme and now we are seeing emergency exit notices. The subject this time is consistent in all versions “Urgent to all residents of the building”. The name in the body of the email matches the alleged sender & is different in each version. These are coming from dozens ( or even hundreds) of different email addresses and IP addresses all from 1 hosting company using the IP range of 193.233.30.* This appears to be a server based in Russia, mgnhost.ru AS202423 PE … Continue reading →

Large Ursnif campaign hitting UK using Brexit as lure

Posted on 11 December 2018 9:01 am by Myonlinesecurity11 December 2018 9:01 am 1

We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since Yesterday. The criminals are using the theme of Brexit which is very topical in UK ( and the rest of Europe) at the moment. There are numerous subjects all with Brexit somewhere in the subject line and there is a link to a google docs page that downloads the malware file. Some subjects I have seen include: Brexit 2019 Brexit 29/03/2019 Brexit 29-03-2019 Brexit | 29-03-2019 Brexit Barometer Brexit These are coming from dozens ( or even hundreds) of different email addresses and IP addresses all from 1 hosting company using … Continue reading →

Ursnif campaign hitting UK imitating well known companies

Posted on 7 December 2018 7:15 am by Myonlinesecurity7 December 2018 7:15 am

We are seeing an Ursnif /Gozi /ISFB campaign hitting the UK since yesterday. I was first alerted by this Twitter post. I started to investigate quickly last night and several much better researchers and analysts have taken over and found much more details. I posted some basic details in THIS Tweet. Then the main analysis appears via THIS. Whichever bad actor is running this campaign is using extremely good social engineering tricks to imitate multiple well known companies to persuade the recipient to follow the links and get infected. Anyway back to this morning and Ursnif /Gozi /ISFB continues to … Continue reading →

Fake ticketsales.com e-tickets scam delivers ursnif banking trojan

Posted on 25 September 2018 1:47 pm by Myonlinesecurity25 September 2018 1:47 pm

We are seeing a malspam campaign with emails pretending to be e-tickets from Ticketsales.com This looks like it is a new Ursnif banking trojan version, that is now currently being investigated by several researchers and AV companies. I really don’t know what this one is https://t.co/y311bfStAp https://t.co/BUFAa03ABh — My Online Security (@dvk01uk) September 25, 2018 They use email addresses and subjects that will entice, persuade, scare or shock a recipient to read the email and open the attachment or follow the links. Unusually this campaign is aimed more at Consumers rather than small companies with the lure of e-tickets for an … Continue reading →

Fake Companies House “CC(01) Company Complaint – 5GBV2LXEK5ULLKW” delivers Ursnif banking trojan via BlackTDS

Posted on 25 June 2018 1:37 pm by Myonlinesecurity27 June 2018 2:12 pm

Following on from last Thursday and Friday when a ursnif campaign spoofing HMRC started to use blacktds via compromised SharePoint sites we have a fake Companies House campaign today using the same system. Blacktds is a method of severely restricting who gets the malware. They can restrict IP ranges, OS types and even what browser is used. Today’s email with the subject of CC(01) Company Complaint – 5GBV2LXEK5ULLKW pretending to come from Companies House but actually coming from a range of compromised or hacked sites and email addresses. The email domain these are sent from is also the URL … Continue reading →

Fake invoices delivering ursnif via blacktds chain using compromised sharepoint sites

Posted on 14 June 2018 2:49 pm by Myonlinesecurity14 June 2018 2:49 pm

This malware delivery chain has a somewhat complicated system that is using BlackTDS so there are hurdles & road blocks every step of the way for a researcher, sandbox or anti-virus company trying to get the complete chain & the malware payload. These generally use a whole range of subjects & companies as the lure, based on the same template An email with the subject of Invoice INV-03056 from The Safety Supply Company Ltd [ probably random numbered] Pretending to come from “The Safety Supply Company Ltd” but actually coming from hayley.worrall@blairdiamonds.com with link in the email body that eventually downloads … Continue reading →

Fake Invoice INV-4571 from Platelayers Limited delivers Gozi-Ursnif

Posted on 19 April 2018 7:09 pm by Myonlinesecurity19 April 2018 7:09 pm

An email with the subject of Invoice INV-4571 from Platelayers Limited pretending to come from Platelayers Limited < messaging-service@subbx.net > with a link to download a malicious word doc which delivers Gozi/Ursnif/ ISFB banking trojan In other similar malware delivery attempts in the past, the criminals sending these imitated or spoofed dozens if not hundreds of different companies in the emails. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than … Continue reading →

Mailchimp malware continues. Today delivering Ursnif /gozi banking trojan

Posted on 4 April 2018 2:40 pm by Myonlinesecurity4 April 2018 2:40 pm

After a short break we are seeing Mailchimp abuse & attempted malware spreading again today. The next in the never ending series of compromised or fraudulently set up Mailchimp accounts spreading malware is hitting the UK again today Please read this post explaining the Mailchimp malware saga The first set of emails are generic fake payment messages. The second set pretends to be a HSBC order confirmation Your TX ID PPX001066 coming from Marissa Smith <suc7=gmail.com@mail52.atl91.mcsv.net>; on behalf of; Marissa Smith <suc7@gmail.com> Your TX ID PPX001066 coming from Marissa Smith <suc7=gmail.com@mail97.sea61.rsgsv.net>; on behalf of; Marissa Smith <suc7@gmail.com> Document’s 04/04/2018 10:29 AM … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: ursnif