Saturday, September 26, 2009

Google Group Spammed with Rogue Antispyware

Here is the posting to a Google group:

first

This link redirects to

hxxp://numberstencils.net/images/www/index.php

The above link connects to the following rogue antispyware:

hxxp://scanonlinesite.info/downloads.php/?aff_id=91&aff_Aid=20106&adult

site

The above fake scanner is loaded from the web page and drops the following file.

final

The dropped file prompts to run as administrator; here is its manifest:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
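As an added triage example (not code from this post), the following stdlib-only Python script pulls the embedded application manifest out of a dropped binary by scanning for the RT_MANIFEST XML and reports its requestedExecutionLevel; a value of requireAdministrator is what causes the UAC elevation prompt described above. The sample blob is constructed here from the manifest quoted in the post.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces in which <trustInfo> is commonly declared: asm.v3 is used in the
# manifest quoted above, asm.v2 is also seen in the wild.
TRUSTINFO_NS = (
    "urn:schemas-microsoft-com:asm.v3",
    "urn:schemas-microsoft-com:asm.v2",
)

# The RT_MANIFEST resource is stored as plain XML inside the PE image, so a
# byte scan for <assembly>...</assembly> is enough for triage (no PE parsing).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def extract_manifests(data: bytes):
    """Return every embedded application manifest found in a byte blob."""
    return [m.decode("utf-8", errors="replace") for m in MANIFEST_RE.findall(data)]


def requested_execution_level(manifest_xml: str):
    """Return the requestedExecutionLevel 'level' attribute, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for ns in TRUSTINFO_NS:
        for elem in root.iter(f"{{{ns}}}requestedExecutionLevel"):
            return elem.get("level")
    return None


def triage(data: bytes):
    """Map each embedded manifest to its execution level.

    'requireAdministrator' means the binary always raises a UAC elevation prompt.
    """
    return [requested_execution_level(m) for m in extract_manifests(data)]


# Constructed sample: a fake PE-like blob with the manifest from the post embedded.
SAMPLE_MANIFEST = (
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    b'<requestedExecutionLevel level="requireAdministrator"></requestedExecutionLevel>'
    b"</requestedPrivileges></security></trustInfo></assembly>"
)
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 64 + SAMPLE_MANIFEST + b"\x00" * 16

if __name__ == "__main__":
    for level in triage(SAMPLE_BLOB):
        flag = "ELEVATION REQUIRED" if level == "requireAdministrator" else "ok"
        print(f"requestedExecutionLevel={level!r}: {flag}")
```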

Thursday, September 17, 2009

Punjab National Bank Phishing

Today I received a phishing mail for PNB; this is the second such mail in a week, which suggests a rise in phishing targeting Punjab National Bank. Here is the content of the mail:

PUNJAB NATIONAL BANK SECURITY UPDATE

Punjab National Bank is pleased to notify our online banking customers that
we have successfully upgraded to a more secure and encrypted SSL servers
to serve our esteemed customers for a better and more efficient banking
services in the year 2009.

Due to this recent upgrade you are requested to update your Online Banking
information by following the reference below by using our new secure and safe
SSL servers. To Validate and Secure your Online Banking Account click on the
secure Web Form below;

http://www.netbanking.netpnb.com?onlinesecurity-update

but the link actually points to the following URL:

hxxp://http://savepix.net/thumbs/punjab/index.htm -> this hosts the phishing page

This site has been hacked; the cause was found using the Acunetix Web Vulnerability Scanner.

image

Thursday, September 3, 2009

Yet Again – IFRAMED Site

This time the following iframed site comes up at the top of Google results for “Indian Jewels”, with pages hosted from India:

hxxp://nacjewellers.com

This site has an IFRAME to

hxxp://yournamequickshop.cn:8080/index.php

The AS that hosts this site is

AS29550 EUROCONNEX-AS

So if you are using Google to find sites, beware: your chance of getting infected is high.

APK spam on Whatsapp Targeting Bank users

Initial vector: a WhatsApp spam user posing as Union Bank, with the bank's logo in the user profile, shared an APK file named “Union Bank Aadhaar Update....