Ongoing spam campaign impersonates LinkedIn, serves exploits and malware

JMH

Emeritus, Contributor
Joined
Apr 2, 2012
Posts
7,197
As of just moments ago, it was detected by 24/42 AV programs (most updated that same day) and, as usual, has all sorts of names. Luckily, my choice, MSE, is included.

To anyone using LinkedIn (I've not signed up for that yet, but it's on my list) - is there a VALID version of such a notice (meaning, is it entirely fake, or does it duplicate a notification which could actually be sent)? If so, does anyone know what it looks like and how in the hell to tell the difference?

Another thing not discussed was the mechanism of infection. In some cases, merely looking at a preview is enough to infect. Others require some action (some just a mouseover to confirm that named links actually go where they say, or where one would expect, and not someplace clearly off-the-wall). Then others need you to actually click or open something to get infected. How does this one work?

I've been hit by several of the first type recently (Trojan:JS/BlacoleRef.AP or AH). Yes, Java is up to date and the Java cache is cleared every few days. Everything else is up to date. Security is tight, and all were in the Junk Mailbox already; I was just checking it for anything that got there by mistake. They didn't LOOK dangerous or obviously SPAM aside from being in the Junk Mailbox. One seemed to be from AMEX and another from Citibank, with no account info and not asking for anything, just a seemingly harmless solicitation without even anything to click on except the fine-print links at the bottom to remove yourself from the list and such (which I NEVER do, because if it is SPAM that's a red flag that you're real and can escalate SPAM dramatically). In all cases, they were caught and quarantined from locations in Content.IE5 as TMP files. Aside from running several programs to be sure and deleting the emails after sending the malware to MMPC, I not only used TFC to clear all temp files but booted into safe mode and deleted all Content.IE5 folders that hadn't been deleted. No bothers since then. It's getting to the point where I'm beginning to wonder about using preview mode, but then how can you otherwise tell what the email says?

It's getting more and more dangerous out there all the time - scams, identity theft, malware of all kinds (and not just emails but drive-by infections from seemingly legitimate sites where if you don't back out properly - and sometimes even then - you could have a rogue on your hands). Being careful is more important than ever.
 
Just like everything else, Kosh, do as I do. Manually type the name of the site in the address bar or use your personally created bookmark and check invites. When it comes to AMEX, Citibank or any similar vendor, do you really expect solicitation e-mails from them? I don't and wouldn't consider opening them. However, if anyone is that curious, they should disable HTML in their e-mail client.

When it comes to Java, it isn't even installed on my computer. I haven't run into anything in the several years since it was removed that required Java.
 
When it comes to Java, it isn't even installed on my computer. I haven't run into anything in the several years since it was removed that required Java.
Agreed, most people outside of an enterprise environment really don't need Java.

If you really must use Java, don't use IE away from trusted sites, use Firefox, Chrome or Opera instead and disable the Java plugin (and any other plugins you don't explicitly need for the site - plugins can be enabled/disabled on the fly). Disabling the Java plugin in IE does not stop a web page calling Java via file associations.
 
This needs to be repeated and emphasized:

Disabling the Java plugin in IE does not stop a web page calling Java via file associations.

Another tip: Uninstalling older versions of the JRE may not uninstall the Java Console for that version, causing Firefox to accumulate multiple Java Console extensions, listed under Firefox > Tools > Add-ons.
  • Make sure you already have the most recent version, currently Java SE Runtime Environment 7u5.
  • Go to C:\Program Files > Mozilla Firefox > extensions.
  • Delete the folders "{CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA}", where xxxx is the JRE version number. Keep the folder with the highest number, as that is the latest version.
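A scripted version of the cleanup above, added here as an example and not part of the forum post. It only recognises folder names matching the pattern the post gives, {CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA}, keeps the one with the highest version fields and reports the rest. Assumptions not stated on the page: the second GUID field (0016 for Java 6) is treated as the Java major-version field so that a Java 7 console, which used 0017 in that slot, ranks above any Java 6 console; the default path is the one from the post; nothing is removed unless --delete is passed.

```python
"""Prune stale Java Console extension folders from a Firefox extensions directory.

Added example, not code from the forum post. Assumes the folder-name pattern
given in the post, {CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA}, where the 0016
field is the Java major-version field (0017 for Java 7 is an assumption, not
stated on the page) and xxxx is the zero-padded update number.
Dry run by default; pass --delete to actually remove folders.
"""
import os
import re
import shutil
import sys

# Group 1: major-version field (0016 -> 16), group 2: update number (0031 -> 31).
JAVA_CONSOLE_RE = re.compile(
    r"^\{CAFEEFAC-(\d{4})-0000-(\d{4})-ABCDEFFEDCBA\}$", re.IGNORECASE
)

# Path from the post; 64-bit Windows installs may use "Program Files (x86)" (assumption).
DEFAULT_EXT_DIR = r"C:\Program Files\Mozilla Firefox\extensions"


def parse_console_version(name):
    """Return (major_field, update) for a Java Console folder name, else None."""
    m = JAVA_CONSOLE_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def select_java_console_dirs(names):
    """Split folder names into (keep, delete).

    Non-console folders (other extensions) are ignored entirely. Among the
    console folders, the single highest (major_field, update) tuple is kept
    and every older console is listed for deletion, sorted for stable output.
    """
    consoles = {n: v for n in names if (v := parse_console_version(n)) is not None}
    if not consoles:
        return [], []
    newest = max(consoles, key=consoles.get)
    delete = sorted(n for n in consoles if n != newest)
    return [newest], delete


def prune(ext_dir=DEFAULT_EXT_DIR, delete=False):
    """List, and optionally remove, stale console folders under ext_dir.

    Returns (keep, stale) so the caller can see what was decided.
    """
    try:
        names = [n for n in os.listdir(ext_dir)
                 if os.path.isdir(os.path.join(ext_dir, n))]
    except OSError as exc:
        print(f"cannot read {ext_dir}: {exc}")
        return [], []
    keep, stale = select_java_console_dirs(names)
    for n in keep:
        major, update = parse_console_version(n)
        print(f"keep   {n}  (major field {major}, update {update})")
    for n in stale:
        path = os.path.join(ext_dir, n)
        if delete:
            shutil.rmtree(path)
            print(f"removed {path}")
        else:
            print(f"stale  {path}  (use --delete to remove)")
    if not keep:
        print("no Java Console extension folders found")
    return keep, stale


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--delete"]
    prune(args[0] if args else DEFAULT_EXT_DIR, delete="--delete" in sys.argv)
```

Run it once without --delete to see what it would remove; the Firefox > Tools > Add-ons list should then show a single Java Console after Firefox is restarted.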
 
