May 2012 - Posts

That which is old is new again – Ecard spam

image

You don’t really have a secret admirer, honest… and don’t try this at home unless you have a sandboxed VM that you can trash at will.

image

image

image

A sophisticated and detailed (but fake) Amazon Kindle purchase spam

Check it out at the bottom of this post.

Interestingly, several different URLs are used in the spam email, scattered around several countries – somebody’s put a nice bit of effort into this one…

image image image
image image image
image image

image

Problems at metacafe.com?

Cite: http://www.google.com/safebrowsing/diagnostic?site=metacafe.com

“Of the 15199 pages we tested on the site over the past 90 days, 5944 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-05-18, and the last time suspicious content was found on this site was on 2012-05-17.”

image

openx-master.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

metaafe.info (It’s worrying that a malicious incident on metacafe.com involved a domain so similarly named – metaafe.info – since that points to a human-managed attack, not just random scanning for and automated use of vulnerable OpenX installs)

ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

openxmasters.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012

Some other recently reported bad domains have been:

ptsector.com
ICANN Registrar: Register.com, Inc
Created 8 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

MULTIPLEXTENT.COM (http://www.google.com/safebrowsing/diagnostic?site=multiplextent.com)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

WEBEXPERTEST.COM (http://www.google.com/safebrowsing/diagnostic?site=WEBEXPERTEST.COM)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

adultfriendfinder.com spam

Subject: “FWD: ALERT: You have an E-Card from your Secret Admirer.”

image

Clicking on the URL leads you here – just so we’re all clear, nobody actually has a crush on you (sorry):

image

Click on “My Profile and Pics” and you end up at adultfriendfinders.com:

image

The Privacy Policy hyperlink and Terms of Use hyperlink are both adultfriendfinder.com URLs:

image

Alert: OS X Lion update exposes encryption passwords

This, I would have to say, is a pretty basic, and bad, screwup.

“a quality assurance mistake can cause OS X users' FileVault encryption passwords to be exposed”

Cite: http://nakedsecurity.sophos.com/2012/05/06/apple-update-to-os-x-lion-exposes-encryption-passwords/?utm_source=facebook&utm_medium=status+message&utm_campaign=naked+security

“It appears that a debug option was accidentally left enabled in FileVault, resulting in the user's password being saved in plain text in a log file accessible outside of the encrypted area.

Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.”

Domains implicated in malvertizing incidents

checkingserve.com
ICANN Registrar: Register.com Inc
Created 24 April 2012

IP: 216.21.239.197

Registrant: Tom Baker (medows_time@yahoo.com)

*****

trackingserviced.com
ICANN Registrar: Register.com Inc
Created 26 April 2012

IP: 216.21.239.197

Registrant: Tom Baker (medows_time@yahoo.com)

*****

directionmedian.com
ICANN Registrar: Register.com Inc
Created 20 April 2012

IP: 216.21.239.197

Registrant: Hidden behind Domain Discreet Privacy Service

*****

adalphatrack.com
ICANN Registrar: Todaynic.com, Inc
Created 20 April 2012

IP: 89.144.12.203

Registrant: Jeff M Vail (jeffmvailt@gmail.com)

Sharing IP with 24cpmtrack.com

*****

24cpmtrack.com
ICANN Registrar: Todaynic.com, Inc
Created 20 April 2012

Registrant: Phillip S Perez (phillipsperez@yahoo.com)

*****

24cpm.com
ICANN Registrar: Todaynic.com, Inc
Created 20 April 2012

IP: 89.144.12.203

Registrant: Joseph S Combs (josephscombsinc@gmail.com)

*****

In an IP range that should be treated with extreme caution:

castonete.com.    89.144.12.201
e-tracked.com.    89.144.12.201
elinkclick.com.   89.144.12.201
adbetatrack.com.  89.144.12.201
trackingone.com.  89.144.12.202
247track.net.     89.144.12.202
365cpm.net.       89.144.12.204
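The pivoting done by hand above (same registrant, same IP, same 89.144.12.x range) as an added example, not code from the original post: the records are constructed from the entries listed above (registrant emails omitted, 24cpmtrack.com given the IP the post says it shares with adalphatrack.com, None where the post lists nothing), and a union-find pass groups any two domains that share a registrant, an exact IP, or a /24.

```python
# Constructed from the records listed above; emails omitted, and 24cpmtrack.com
# given the IP the post says it shares with adalphatrack.com. None = not listed.
RECORDS = [
    {"domain": "checkingserve.com",    "ip": "216.21.239.197", "registrant": "Tom Baker"},
    {"domain": "trackingserviced.com", "ip": "216.21.239.197", "registrant": "Tom Baker"},
    {"domain": "directionmedian.com",  "ip": "216.21.239.197", "registrant": None},
    {"domain": "adalphatrack.com",     "ip": "89.144.12.203",  "registrant": "Jeff M Vail"},
    {"domain": "24cpmtrack.com",       "ip": "89.144.12.203",  "registrant": "Phillip S Perez"},
    {"domain": "24cpm.com",            "ip": "89.144.12.203",  "registrant": "Joseph S Combs"},
    {"domain": "trackingone.com",      "ip": "89.144.12.202",  "registrant": None},
    {"domain": "ptsector.com",         "ip": None,             "registrant": "Jacob Hayes"},
    {"domain": "multiplextent.com",    "ip": None,             "registrant": "Jacob Hayes"},
]


def pivot_keys(rec):
    """Attributes two domains may share: registrant, exact IP, and /24 network."""
    net24 = rec["ip"].rsplit(".", 1)[0] if rec["ip"] else None
    return {"registrant": rec["registrant"], "ip": rec["ip"], "net24": net24}


def cluster(records, pivots=("registrant", "ip", "net24")):
    """Union-find over domains: any shared pivot value joins two domains.
    Returns the clusters as sorted lists of domain names."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    first_seen = {}  # (pivot kind, value) -> first domain carrying it
    for r in records:
        for kind, val in pivot_keys(r).items():
            if kind not in pivots or val is None:
                continue
            other = first_seen.setdefault((kind, val), r["domain"])
            parent[find(other)] = find(r["domain"])
    groups = {}
    for d in parent:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(", ".join(group))
```

Restricting `pivots` to `("registrant",)` shows how much of the linkage comes from the shared hosting alone.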

Posted by sandi with no comments

Users of OpenX versions 2.8.0 - 2.8.8 – please read!!

http://blog.openx.org/05/security-update-for-openx-28-users/

“A recent security issue with OpenX versions 2.8.0 - 2.8.8 means users of these versions of the platform should take the following steps:

1. Secure their servers by removing the files being exploited:

  • www/admin/account-settings-debug.php
  • www/admin/plugin-index.php
  • www/admin/plugin-settings.php
  • www/admin/admin-user.php

2. Removing these scripts will impact some of the user/plugin management systems, but will not affect existing users/plugins, and will not affect ad serving.

3. Replace the www/admin/dashboard.php file with the one in this archive so as to not break the login process.

Users can tell if they have been affected by this by checking for a rogue admin user named “openx-manager” in their UI at http://<your_admin_domain>/www/admin/admin-access.php

If the above user is found, it should be removed, and a full security audit should be performed.

We strongly encourage users to lock down their config file. Additionally, users should notify security@openx.com if they ever become aware of a security matter.”
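A defender-side check for the steps quoted above, added here as an example and not code from OpenX or the original post: it lists which of the four named scripts are still present under an assumed OpenX webroot, and scans Common Log Format access-log lines for requests to those scripts (the log lines are constructed, and the assumption is that the scripts were reached over HTTP).

```python
import os
import re

# The four admin scripts named in the OpenX advisory quoted above.
EXPLOITED_SCRIPTS = (
    "www/admin/account-settings-debug.php",
    "www/admin/plugin-index.php",
    "www/admin/plugin-settings.php",
    "www/admin/admin-user.php",
)

# Common Log Format: client IP ... [timestamp] "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (not from the post); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for real clients.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2012:02:14:07 +0000] "GET /www/admin/account-settings-debug.php?x=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/May/2012:02:14:09 +0000] "POST /www/admin/admin-user.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [17/May/2012:09:00:00 +0000] "GET /www/delivery/ajs.php?zoneid=3 HTTP/1.1" 200 1201',
    '203.0.113.5 - - [17/May/2012:02:14:12 +0000] "GET /www/admin/admin-access.php HTTP/1.1" 200 3400',
]


def remaining_exploited_files(webroot, exists=os.path.isfile):
    """Return the advisory's scripts that still exist under webroot.
    `exists` is injectable so the check can be exercised without a real install."""
    return [p for p in EXPLOITED_SCRIPTS if exists(os.path.join(webroot, p))]


def suspicious_requests(log_lines):
    """Map client IP -> {exploited script: request count}. Status is ignored:
    a 200 and a 302 on these scripts both deserve a look."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        path = path.split("?", 1)[0]  # drop the query string
        for script in EXPLOITED_SCRIPTS:
            if path.endswith("/" + script):  # OpenX may sit below a sub-path
                per_ip = hits.setdefault(ip, {})
                per_ip[script] = per_ip.get(script, 0) + 1
    return hits


if __name__ == "__main__":
    for ip, scripts in suspicious_requests(SAMPLE_LOG).items():
        print(ip, scripts)
    print("still present:", remaining_exploited_files("/var/www/openx"))
```

Any IP reported by `suspicious_requests` is a reason to go straight to the rogue “openx-manager” user check the advisory describes.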

Fake USPS postage labels invoice

Again, it’s not real – and again, hovering over a hyperlink in the email is a dead giveaway…

image

Fake Facebook emails

The pictured emails are not real Facebook emails – look at the URLs that are exposed when you hover your mouse cursor over the “sign in” and “reactivate” links.

image

image
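The “hover over the link” check done programmatically, as an added example that is not part of the original post: it parses an HTML email body (constructed below, not one of the pictured emails, with reserved hostnames in place of the real spam destinations) and reports every link whose real destination is outside the claimed brand domain or whose visible text shows a different host than its href.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)  # text that looks like a URL

# Constructed HTML email body (not one of the pictured emails); reserved/documentation
# hosts stand in for the real spam destinations.
SAMPLE_EMAIL = """
<p>Your account was deactivated. <a href="http://203.0.113.9/fb/login.php">Sign in</a>
to <a href="http://example-tracker.test/r?u=fb">reactivate</a> your account.</p>
<p>Or visit <a href="http://example-tracker.test/x">www.facebook.com/settings</a>.</p>
<p>Help centre: <a href="https://www.facebook.com/help">Facebook Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text): what the hover tooltip shows vs. what the reader sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude: last two labels, no public-suffix list. An IP never equals a brand domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def hover_check(html, claimed_domain):
    """Return (text, href, reasons) for links that hovering would expose as suspect."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) != registrable(claimed_domain):
            reasons.append("destination outside " + claimed_domain)
        if URLISH.match(text):  # displayed URL vs. real href, the classic ecard trick
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append("visible URL differs from href")
        if reasons:
            findings.append((text, href, reasons))
    return findings
```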

English as a second language…

<sigh>

image

Posted by sandi with no comments