| Thread ID: 137510 | 2014-07-16 23:06:00 | New Amazon Scam | Billy T (70) | Press F1 |
| Post ID | Timestamp | User |
| 1379453 | 2014-07-16 23:06:00 | Billy T (70) |

Hi Team

Picked this up in Mailwasher this morning. It wouldn't fool a PF1 regular, but could easily catch out frequent Amazon purchasers. I have edited out most of the bumpf that misrepresents as Amazon, and my various email and ISP details. The payload is the usual zip file.

Be wary, and if any family/friends are regular Amazon users, it might be an idea to tip them off/remind them about the dangers of zip files.

Cheers
Billy 8-{)

Return-path: <artificialjk30@hakeilks.com>
Envelope-to: xxx@xxx.co.nz
Delivery-date: Wed, 16 Jul 2014 17:51:53 +1200
Received: from f5-bigip ([172.16.100.254] helo=mail.orcon.net.nz) by mx5.orcon.net.nz with esmtps (TLS-1.0HE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <artificialjk30@hakeilks.com>) id 1X7I88-0000Zo-Gl for xxxn@xxx.co.nz; Wed, 16 Jul 2014 17:51:52 +1200
Received: from hakeilks.com (static-50.120.93.111-tataidc.co.in [111.93.120.50] (may be forged)) by mail.orcon.net.nz (8.14.3/8.14.3/Debian-9.4) with ESMTP id s6G5peCK015733 for <xxx.co.nz>; Wed, 16 Jul 2014 17:51:41 +1200
Message-Id: <201407160551.s6G5peCK015733@mail.orcon.net.nz>
Date: Wed, 16 Jul 2014 11:12:24 +0530
From: "Amazon.com" <delivers@amazon.com>
To: <xxx@xxx.co.nz>
Subject: x Order Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------91742986D6AB0F"
X-Bayes-Prob: 0.9999 (Score 5, tokens from: xxx@orcon.net.nz, base:default, @@RPTN)
Precedence: bulk
X-Auto-Response-Suppress: All
Auto-Submitted: x-no-autoresponse-please
X-Spam-Flag: YES
X-Spam-Score: 11.39 (***********) [Tag at 8.00] HTML_MESSAGE:0.001,MIME_HTML_ONLY:1.105,RDNS_NONE: 1.274,T_REMOTE_IMAGE:0.01,SPF(pass:0),RBL(rp-grey:1.0),RBL(rp-spam:3.0),Bayes(0.9999:5.0)
X-CanIt-Geo: ip=111.93.120.50; country=IN; latitude=20.0000; longitude=77.0000; maps.google.com
X-CanItPRO-Stream: base:xxx@orcon.net.nz (inherits from base:default)
X-Canit-Stats-ID: 01MqRPFIN - dd8d8b2789d2 - 20140716
X-Scanned-By: CanIt (www . roaringpenguin . com)

------------91742986D6AB0F
Content-Type: text/html; charset=Windows-1252
Content-Transfer-Encoding: 7bit

faked Amazon details removed </BODY></HTML>

------------91742986D6AB0F
Content-Type: application/zip; name="order_report.zip"
Content-Transfer-Encoding: base64
Content-ID: <008901cfa0e6$d217efa0$3b0aa8c0@2PIHFE>

UEsDBBQAAAAIAAat70R7+nS+7t0AADw6AQAsAAAAb3JkZXJfcm
Vwb3J0XzcyMzg0NzgyMzc0
ODk3MjM4OTQ3ODkyMzkzMi5leGXsOg10lNWVd5JJHGIgCQQIGC
VBwCgcDBA0IsoXkg8SnIGB
/AAKJZPMF2bCZCa+mYHo0poeQJMmKaAUQYImk9Rim1W2BzUCKxF
Sk23Tlp6yLkoiqWa3HzVa
Truncated
| 1379454 | 2014-07-17 01:01:00 | bevy121 (117) |

been around a few months now... techhelplist.com

Nearly all antivirus etc have picked it up since March. Interestingly, Superantispyware is one of the few that didn't.

www.virustotal.com 853f14b818946a/analysis/

SHA256: cc6b4b154eb8bf08da2741369b581f61cd59fd824c12bdbce8853f14b818946a
File name: order.report.zip
Detection ratio: 42 / 51
Analysis date: 2014-03-23 01:57:58 UTC

| Engine | Result | Update |
| AVG | Zbot.FEE | 20140322 |
| Microsoft | Worm:Win32/Gamarue.I | 20140323 |
| AntiVir | Worm/Gamarue.I.1477 | 20140322 |
| Ikarus | Worm.Win32.Gamarue | 20140322 |
| CAT-QuickHeal | Worm.Gamarue.gen.cw4 | 20140322 |
| Avast | Win32:Dropper-gen [Drp] | 20140323 |
| ESET-NOD32 | Win32/TrojanDownloader.Wauchos.X | 20140323 |
| TotalDefense | Win32/Gamarue.PSLDHbB | 20140322 |
| McAfee-GW-Edition | W32/Worm-FQL!Gamarue | 20140323 |
| F-Prot | W32/Trojan2.OCVJ | 20140323 |
| Commtouch | W32/Trojan.VBEI-6053 | 20140323 |
| Fortinet | W32/Androm.BMBI!tr.bdr | 20140323 |
| Kingsoft | VIRUS_UNKNOWN | 20140323 |
| Comodo | UnclassifiedMalware | 20140322 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Androm | 20140320 |
| VIPRE | Trojan.Win32.Zbot.htk (v) | 20140323 |
| NANO-Antivirus | Trojan.Win32.Androm.cuhvbh | 20140323 |
| DrWeb | Trojan.Inject2.23 | 20140323 |
| Emsisoft | Trojan.GenericKD.1516000 (B) | 20140323 |
| Ad-Aware | Trojan.GenericKD.1516000 | 20140323 |
| BitDefender | Trojan.GenericKD.1516000 | 20140323 |
| F-Secure | Trojan.GenericKD.1516000 | 20140323 |
| GData | Trojan.GenericKD.1516000 | 20140323 |
| MicroWorld-eScan | Trojan.GenericKD.1516000 | 20140323 |
| nProtect | Trojan.GenericKD.1516000 | 20140321 |
| Malwarebytes | Trojan.Email.FakeDoc | 20140323 |
| K7AntiVirus | Trojan-Downloader ( 0049067a1 ) | 20140321 |
| K7GW | Trojan-Downloader ( 0049067a1 ) | 20140321 |
| TrendMicro | TROJ_VARNEP.UA14 | 20140323 |
| TrendMicro-HouseCall | TROJ_GEN.F47V0124 | 20140323 |
| Panda | Trj/WLT.A | 20140322 |
| Norman | Suspicious_Gen4.FRTTJ | 20140322 |
| Rising | PE:Trojan.Win32.Generic.16632388!375595912 | 20140322 |
| Sophos | Mal/BredoZp-B | 20140322 |
| Qihoo-360 | HEUR/Malware.QVM10.Gen | 20140323 |
| McAfee | Generic.sh | 20140323 |
| Jiangmin | Backdoor/Androm.eeh | 20140322 |
| Kaspersky | Backdoor.Win32.Androm.bmbi | 20140323 |
| Baidu-International | Backdoor.Win32.Androm.aepd | 20140322 |
| Symantec | Backdoor.Trojan | 20140323 |
| Agnitum | Backdoor.Androm!ncaJL7O5tww | 20140322 |
| VBA32 | Backdoor.Androm | 20140321 |
| AegisLab | NO-DETECTION! | 20140323 |
| AhnLab-V3 | NO-DETECTION! | 20140322 |
| Bkav | NO-DETECTION! | 20140322 |
| ByteHero | NO-DETECTION! | 20140323 |
| CMC | NO-DETECTION! | 20140319 |
| ClamAV | NO-DETECTION! | 20140322 |
| SUPERAntiSpyware | NO-DETECTION! | 20140322 |
| TheHacker | NO-DETECTION! | 20140321 |
| ViRobot | NO-DETECTION! | 20140322 |
| 1379455 | 2014-07-17 05:42:00 | Billy T (70) |

> been around a few months now... techhelplist.com
> Nearly all antivirus etc have picked it up since March. Interestingly, Superantispyware is one of the few that didn't.

In that case I'm glad that I don't wait until my AV picks these things up, I like to kill them while they are still sitting at the other end of the line. That way I don't have to depend on the AV fraternity getting notified and up to speed.

I'm suspicious of anything that I don't recognise and scan the entire email with wetware to see if the tell-tales are present.

Cheers
Billy 8-{)