News items for tag spam - Koos van den Hout

2016-11-18 Trying to scam the spammed 3 months ago
An interesting scam mail received in several of my inboxes:
To: abuse@...
Subject: you've been scammed

Your email abuse@... has been hacked and spam is sent to all your contacts!
If you don't have a lawyer, you may contact me at mark.silberman78@gmail.com

Best Regards,
Mark
I guess 'Mark' bought the cheapest available list of spammable addresses and is now trying to profit from the people spammed.

The other variation is with
Subject: You are hacked!
But with everything else exactly the same.

Update: I am getting some responses to this post, other people are seeing this spam too. I guess I was just the first one to write a post about it, since I usually like to link to posts showing I am not the only one. Hello visitors puzzling about this spam!

Update II: It's not just me! Also noted at You are hacked or scammed - hoax.co

Tags: , ,
2016-10-10 How to recognize a job advertisment for money mules 4 months ago
Don't fall for it..

I received spam which translates (to me) very clearly to 'be a money mule':
[..] is looking for a qualified representative, reliable, efficient and dedicated to help facilitate their business transactions in Australia. The work is based on administrative / customer service support improving productivity and above all performing basic banking transactions.

We are located in the London If you are satisfied with all the conditions and wish to register, please contact our Human Resources department at [.. generic webmail account ..]
Alerting items:
  • Unsollicited e-mail (spam) sent to a random address
  • Lots of buzzwords but the work seems to be "basic banking transactions"
  • Doing transactions in Australia but located in London
  • Using a generic webmail account

Tags: , ,
2016-10-03 Discovering new archiving methods... via malware 4 months ago
In the incoming spam this morning:
See attached Bill Of Laden.

[-- Attachment #2: Shipping_Documents.ace --]
I had never heard of .ace files, but I miss some developments. So I asked:
$ file Shipping_Documents.ace
Shipping_Documents.ace: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
So it is an archiving format, better described at ACE (compression file format) - Wikipedia. There is an unace for linux, and this gave me:
RFQ#0929919882.exe: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
c04e10a084657473828a03a97c82f0a9  RFQ#0929919882.exe
Which is obviously not shipping documents but an executable. Looking at the file showed some dangerous function names.

Tags: , ,
2016-09-29 Not very obfuscated malware code 4 months ago
In the incoming spam I noticed some unsollicited attachments, always a sign of danger. In this case with excel files (application/vnd.ms-excel) so I checked those with olevba, part of the oletools package.

And indeed there was macro code to be run at startup, with multiple warnings about suspicious behaviour, such as usage of "command" which can run PowerShell commands.

Having a look at the code showed very clearly that the macro was up to no good! I am used to quite interesting attempts at obfuscating macro code, so it was funny to see this bit with olevba:
Call Shell("rund" & "ll32.exe " & firmaVENIKOVNETUUUKA & ",qwerty", vbHide)
The url where the malware is downloaded was also quite readable in the macro.

Tags: , ,
2016-08-23 I fell for a malware mail, thankfully aimed at Windows users 6 months ago
Today I saw an incoming e-mail about a voicemail message, while I was expecting a voicemail message. The format was quite similar to the format used by my telephone provider so I tried opening it in thunderbird under Linux. That saved me, it was aimed at opening in Windows, probably only working in Microsoft Outlook.

This is what it looked like in mutt:
Dear koos :
        There is a message for you from 01427157659, on 2016/08/23 15:52:17 .
You might want to check it when you get a chance.Thanks!



[-- Attachment #2: Voicemail sound attachment. --]
[-- Type: audio/x-wav, Encoding: base64, Size: 10K --]

[-- audio/x-wav is unsupported (use 'v' to view this part) --]
The attachment is Message_from_01427157659.wav.zip but with mimetype audio/x-wav. The zip file contains:
Archive:  Message_from_01427157659.wav.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    30764  2016-08-23 12:18   614007286106.wsf
---------                     -------
    30764                     1 file
With a lot of obfuscated scripting.

What saved me this time was opening it in a mailreader/environment which tries to play an audio/x-wav file with a mediaplayer which complained about something being invalid in it.

Tags: , ,
2016-06-22 Automatische vertalingen helpen niet altijd 8 months ago
Uit de spam mail:
In de link hieronder ontvangt u de factuur van KPN.
Voor uw veiligheid uw botbreuk is wachtwoord protected.Uw wachtwoord is 2hw3DXy .
Ik knipperde even, maar ik realiseerde me dat er vast iets met automatische vertaling is gedaan van factuur/fracture.

Tags: ,
2016-06-14 1dayfly spam 'via lead4cash' 8 months ago
Op een adres wat ik daar niet voor opgegeven heb (en niet voor zou gebruiken) kreeg ik spam van 1dayfly. Opvallend was in de tekst:
U krijgt deze nieuwsbrief omdat wij uit naam van Lead4Cash mailen en u daarmee heeft aangegeven onze nieuwsbrief te willen ontvangen!

We beloven u geen ongevraagde e-mails te sturen! 1DayFly.com verkoopt of verhuurt nooit haar gegevens aan derden.
1dayfly kan heel veel beweren maar met een naam als 'lead4cash' ga ik al uit van vervuilde marketing bestanden. Als je businessmodel 'lead4cash' oftewel 'geld voor gegevens van consumenten om te benaderen' is kost het alleen maar geld om te controleren of die 'leads' wel benadert willen worden. En dus is het niet opvallend dat er een adres tussen zit wat dat niet wil.

Zoals gebruikelijk: The Rules of Spam.

Update 2016-06-21: Uit een latere mail blijkt ook wel hoe mager de bestanden zijn:
Uw 1DayFly.com aanbiedingen van dinsdag 21 juni Wilt u een persoonlijke nieuwsbrief? Vul hier uw naam in:
Mijn conclusie is dan dat ze echt alleen maar een bak e-mail adressen ergens vandaan hebben. Dan vraag je ook om spamklachten.

Update 2016-07-26: De spam gaat rustig door, en ik heb toch eens voor de aardigheid de unsubscribe link geprobeerd. De unsubscribe link ziet er uit als:
Als u deze nieuwsbrief niet wilt ontvangen dan kunt u hier klikken:
http://mailer3.1dayfly.net/HLP?b=F-x2Ujl1NAsYbP8Qga_Sd5XOjjUEgm_UlpWmuR5KazYBLi82B5MC-LbQtvPMLZdc&c=hXFCC8KBcMLz_FJVpvWegw
om u af te melden.
En als ik die link volg heeft de site geen idee welk adres ik zou willen afmelden. Toch knap met naar schatting 88 tekens tracking in de url.

Daar het adres ingevuld en dan blijkt dat de aanmelding gedaan zou zijn vanaf IP 87.208.5.203 op zondag 5 mei 2013 om 16:09. Dat IP is van Tele2:
inetnum:        87.208.0.0 - 87.208.31.255
netname:        TELE2-CONSUMER-2
descr:          Pop Groningen, Ring Zwolle
country:        NL
admin-c:        RH3392-RIPE
tech-c:         RH3392-RIPE
tech-c:         WvdG7-RIPE
status:         ASSIGNED PA
mnt-by:         AS13127-MNT
created:        2005-06-20T09:14:32Z
last-modified:  2009-10-22T06:15:35Z
source:         RIPE # Filtered

Onder de lead4cashunsubscribe.nl pagina staat een link naar de dailymailz privacy policy (PDF, vreemd genoeg engelstalig) die er op neer komt dat ze alles mogen doen met de verzamelde gegevens wat ze leuk vinden. Die gegevens controleren ze alleen dus niet goed, dus die zijn aardig waardeloos.

Update 2016-07-28: En als ze beweren dat het meerdere dagen duurt om van alles af te komen dan menen ze dat ook, vandaag weer verse spam. Al heb ik altijd het idee dat 'het duurt meerdere dagen om alle lijsten bij te werken' vooral een excuus is om de zaken niet acuut te hoeven verwerken.

Update 2016-08-30: En de spam gaat gewoon stug door.

Update 2016-09-01: Nog maar eens afgemeld, en nu viel me op dat de afmeldlink op de 1dayfly site zelf uitkwam en niet bij lead4cashunsubscribe. Dus het eerdere afmelden bij lead4cash werd blijkbaar ergens geinterpreteerd als aanmelden bij 1dayfly.

Tags: , ,
2016-06-07 Obfuscated VBA macros in word files 8 months ago
I wanted to look at some suspicious word files to see whether the macros tried anything funny. Some searching showed me oletools which can do this and report. A sample:
Public Sub ZkBWG(ByVal uSHdvTl As String)
Dim RxXFgnMOu As Integer
VOyiBpZDIb.cFRHErvQ OdAkk.VWUUdYKG(553, JocsGn("PlJlXeAhESM.MtxpOizrMccS2W")), _
uSHdvTl, JocsGn("LcxeVxVE")
End Sub
Private Function xcOdDXhiP() As Integer
Dim NJuBRTz As String
Dim RemmeQk As Integer
xcOdDXhiP = 400
End Function
Private Function JocsGn(ByVal gAVndNSJ As String) As String
JocsGn = ZYkwp.kYxFEH(gAVndNSJ)
End Function

+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| AutoExec   | Document_Open  | Runs when the Word document is opened   |
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | CallByName     | May attempt to obfuscate malicious      |
|            |                | function calls                          |
| Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
|            |                | be used to obfuscate strings (option    |
|            |                | --decode to see all)                    |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
+------------+----------------+-----------------------------------------+

Tags: , ,
2016-06-04 Phishing melden aan ICScards is nog lastig 8 months ago
Ik ben geen klant van ICScards maar toch wil ik soms interresante nieuwe phishing pogingen melden bij ze. Volgens Phishing: valse e-mails die in omloop zijn is de manier gewoon via e-mail naar het valse-email@ adres.

Maar helaas lukt het niet:
   ----- The following addresses had permanent fatal errors -----
<valse-email@.......>
    (reason: 550 Denied by policy)

   ----- Transcript of session follows -----
... while talking to mail01.icscards.nl.:
>>> DATA
<<< 550 Denied by policy
554 5.0.0 Service unavailable
het valse-email@ adres zit achter mailfilters die blijkbaar duidelijk herkenbare phishing mail blokkeren. Misschien moeten ze dat adres apart behandelen zodat ze dit soort meldingen wel binnenkrijgen...

Tags: , ,
2016-04-29 Virus mail overstressing the mime parser 9 months ago
This does not work as planned in mutt:
Subject: hi prnt
Content-Type: multipart/mixed; boundary=31BE31246BD934D65C63831D7238

--31BE31246BD934D65C63831D7238
Content-Type: multipart/alternative; boundary=31BE31246BD934D65C63831D7238

--31BE31246BD934D65C63831D7238
Content-Type: text/plain; charset=UTF-8



--31BE31246BD934D65C63831D7238
Content-Type: text/html; charset=UTF-8

<div dir="ltr"><br></div>

--31BE31246BD934D65C63831D7238--
--31BE31246BD934D65C63831D7238
Content-Type: application/zip; name="816847_304695.zip"
Content-Disposition: attachment; filename="816847_304695.zip"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_519392564

UEsDBBQAAgAIAPVmnUiLxtYfTRIAAA0pAAAUAAAANzM1NzE1NjJfODYzNjA4MTYuanO1Wmt3
2zaT/tye0/+A8rSvxViW7eRt0tp1u4osx67vlyTOOt4ekIQkRCRA8yJZNv3f9xmApKjY6abd
Shows as
  I     1                      [text/plain, 7bit, us-ascii, 0K]
  I     2                       [text/plain, 7bit, utf-8, 0.1K]
  I     3                        [text/html, 7bit, utf-8, 0.1K]

Tags: , , ,
2016-03-14 High numbers of e-mails trying to infect systems 11 months ago
The attempts to infect systems via malicous javascript in e-mail are quite high at the moment, all trying to fake some urgency to make me open it without checking. Some recent samples:
Your credit card has been billed for $187,11. For the details about this transac tion, please see the ID: 12824622-12824622 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply.
With:
Archive:  /tmp/statistic_12824622.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     4055  2016-03-14 13:44   finance_LutQLF.js
---------                     -------
Read the rest of High numbers of e-mails trying to infect systems

Tags: , ,
2016-01-27 Virus mail on the rise 1 year ago
The last weeks the virus mail trying to make me open Word/Excel files with macro virusses is on a serious rise. Mostly attached (so mail virus scanners seem to be losing again) and sometimes trying to make me download the file from some website. Abusing names of well-established companies.

The most devious type I saw was trying to convince the receiver he/she had damaged a car and had to pay up soon or police would be involved, find the pictures (with .jpg.exe names) at this link.

Any document sent to you unsollicited is suspect.

And from the stupid e-mail disclaimer copied from the 'innocent' company:
E-mail may be susceptible to data corruption, interception, unauthorised amendment, viruses and unforeseen delays, and we do not accept liability for any such data corruption, interception, unauthorised amendment, viruses and delays or the consequences thereof. Accordingly, this e-mail and any attachments are opened at your own risk.
As if they had seen this coming! And they should learn about digital signatures.

Tags: , ,
2016-01-26 Weer spam voor een Belg 1 year ago
Deze keren spam voor een Belg van: Eerder, eerder, eerder.

Tags: ,
2015-12-16 Suspect 'invoice' mail showing an interesting error 1 year ago
The flood keeps coming, this time with an interesting error:
Dear Customer,

Our records show that your account has a debt of $295.{rand(10,99)}}. Previous a
ttempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.

[-- Attachment #2: SCAN_INVOICE_99193061.zip --]
I guess the spammer had a bit of a problem with the spamming macro language!

The .zip file contains
  Length      Date    Time    Name
---------  ---------- -----   ----
    22333  2015-12-16 20:27   invoice_GeL0XY.js
---------                     -------
    22333                     1 file
Which is a really obfuscated javascript.

Tags: , ,
2015-12-16 Suspect 'invoice' mails keep coming 1 year ago
It is a whole flood of suspect mails this week, mostly trying to be an invoice or sometimes order confirmation. Containing .xls files, .doc files, or javascript or java applet.

I don't have the environment to research these completely but I expect them all to contain some form of malware aimed at the Windows operating system.

Tags: , ,
2015-12-14 Next suspect mail flood: "Invoice 14 12 15" from "Thunderbolds Limited" 1 year ago
And the next flood of suspect e-mail messages:

This message contains 2 pages in PDF format.

[-- Attachment #2: fax00163721.xls --]
[-- Type: application/vnd.ms-excel, Encoding: base64, Size: 105K --]

[-- application/vnd.ms-excel is unsupported (use 'v' to view this part) --]
Probably more malware droppers. It seems some botnets are in great need for new systems to abuse.

Tags: , ,
2015-12-14 Suspect mails "FW: Scan from a Samsung MFP" 1 year ago
Multiple e-mail messages the last hour or so with:
-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.


This message has been scanned for malware by Websense. www.websense.com

[-- Attachment #2: Untitled_14102015_154510.doc --]
[-- Type: application/msword, Encoding: base64, Size: 123K --]

[-- application/msword is unsupported (use 'v' to view this part) --]
I don't have the means to research the .doc file completely but when I get unsollicited office files it can only be malware.

Update: I'm not the first to notice this: New Word malware: FW: Scan from a Samsung MFP - mxlab who researched the file and indeed found malware.

Tags: , ,
2015-12-02 Geluksrelatie spam 1 year ago
Ineens een opvallende stijger in de spam die me opvalt: geluksrelatie.nl die spam stuurt alsof je op een andere manier contact had gezocht met een vrijgezelle dame en het handig is als je verder contact zoekt via die site. De logica dat die dame dan wel de ontvanger kan benaderen maar toch via die site zou moeten werken ontgaat me een beetje. Voorbeeld:
Bedankt voor je reactie ik ben wel wat laat met reageren maar dat komt omdat ik het erg druk had de afgelopen tijd. Ik probeer je daarom nu nog even te bereiken via dit mailtje. Aangezien ik enorm veel reacties had gekregen op mijn oproep heb ik besloten om mezelf [1]hier in te schrijven. Buiten het feit om dat je met mij in contact kan komen zijn er nog [2]veel meer mensen die op zoek zijn naar een serieuze relatie want we willen toch allemaal gewoon gelukkig zijn? Ik kan wel een heel verhaal op gaan hangen maar als je echt serieus bent en je wil contact dan weet je hoe je mij kunt bereiken.
Opvallend is dat hier weinig klachten over terug te vinden zijn, eentje maar via trustpilot als negatieve review van netground.nl.

Tags: ,
2015-12-01 Malware linked to recent Brussels lockdown 1 year ago
It must take a special kind of evil to try to spread malware under the guise of information about the recent Brussels lockdown. From the e-mail message:
Federale Politie
Commissariat de Police
Directorate of the special units (DSU)
Sir,
We kregen een terreuralarm met betrekking tot uw zakelijke omgeving.
Worden geadviseerd om de beschermende maatregelen (SECURITY TIPS) als gehecht aan jezelf, je bedrijf volgen en uw gezin beveiligd
.................................................................................................................
Monsieur,
Nous avons eu une alerte terroriste concernant votre secteur d'activité.
Être conseillé de suivre les mesures de protection (Conseils de sécurité) tels qu'ils sont joints pour vous garder, votre entreprise et votre famille fixée
Best regards,
Catherine De Bolle,
General Commissioner
Commissariat de Police
Rue du College 1,
1050 Brussel, Belgium
P: 032 2 515 71 86
E: commisioner(a)polfed-fedpol.be
With some shady files attached. Scanning them with virustotal gives that the .zip file contains the Java/Adwind malware.
Read the rest of Malware linked to recent Brussels lockdown

Tags: , ,
2015-10-12 The GAP: clothingstore and megaspammer 1 year ago
Someone entered an e-mail address that ends up with me in the spamlist of The GAP. The GAP sends out one or two marketing spam mails per day so this gets irritating quite fast. No verification whether the e-mail address was the right one or interested in these messages.

It seems The GAP does this via exacttarget, where the Exacttarget anti-spam policy says:
You should only receive email from our system from some client of ours that you recognize signing up to receive email from. Our clients certify that all email addresses used in our system are opt-in names that have given permission to the client to send them email.
So I also notified exacttarget.

Tags: ,
  Older news items for tag spam ⇒
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 2C66 3B5D F0D7 C263 local copy PGP key 2C66 3B5D F0D7 C263 via keyservers pgp key statistics for 0x2C663B5DF0D7C263 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews, Weather maps