This “Amazon Gift Card” from a friend is actually a link to a malware site. Â Here is what the content of the email looks like:
| A friend has sent you a $50 Amazon Gift Card.
Claim Code: #VV5H-MWWHWM-D7P3 Use it to buy anything in our store. Get your Card Link REMOVED** Must use by January 15, 2016. |
VirusTotal Scan:
| URL Scanner | Result |
|---|---|
| Netcraft | Malicious site |
| Opera | Malicious site |
| BitDefender | Phishing site |
| CLEAN MX | Phishing site |
| Fortinet | Phishing site |
| Kaspersky | Phishing site |
We got this email a few days ago. Â We have a Sam’s club membership and they don’t send out free gift cards from gmail accounts.
The email also says that there is no affiliation with Sam’s Club.
Beware -Â tener cuidado
| Seguridad Banamex | ||||||||||||||||||
|
Te informamos que acabas de recibir una transferencia a tu Cuenta Empresarial, la cual se encuentra Retenida por anomalias en el emisor, puede Autoriozar o Rechazar esta transferencia. |
||||||||||||||||||
|
Beware of the link in this email with the subject “Oh No He Diddnt!”
To achieve our objectives, we have to regularly stretch ourselves and prepare our heads to *REMOVED BEYOND YOUR LIMIT LINK*It is true that we are our only difficulty and our only remedy… This implies, we must teach our
Heads to determine the possibilities which are generally awaiting us.
Here is anything much better than looking and waiting, something which can help you at this time.
| URL Scanner | Result |
|---|---|
| ParetoLogic | Malware site |
| ADMINUSLabs | Clean site |
| AegisLab WebGuard | Clean site |
| AlienVault | Clean site |
| Antiy-AVL | Clean site |
| Avira | Clean site |
This is not real. Â NO bank is going to advertise how much cash that they want to GIVE away via gmail!
It is a scam. Â DO NOT send your personal information to these random scammers.
Dear Friend.
Firstly, I apologize for sending you this sensitive information via e-mail instead of a Certified Post-mail as this is due to the urgency of this project. I will first introduce myself to you.My Name is Yeong Keun Lee I am the executive Chairman Of Bank Of China There is the sum of $150,000,000.00 in my bank, there were no Beneficiaries stated concerning these funds which means no one would ever come forward to claim it and That is why I am asking that you be my partner and we work together as partners so as to have the sum transferred out of my bank into Your Account.
Please endeavor to observe utmost discretion in all matters concerning this issue. Once the funds have been transferred from my Bank to your Nominated Bank Account,We shall then share in the ratio of 60% for me, 40% for you. My Personal mail Address Is : [yeongkeunlee2@gmail.com]
Please if you are interested to be my partner in this project i need you to reply me back. I cannot contact you with my official email-address because it is been monitored by my Bank’s Security System.
Also you are to Fill the information below.
1, Your Full names:……………………
…..
2, Your age:……………………..
3, Your private phone number:……………
4, Your current country and residential address:……..
5, Your Occupation………………..………….
6, Your Level Of Investment………………..…….
7, Can You Handle This Project…………………..…….. Please send me your Personal Information above and reply me back urgently via my personal email address which is: [yeongkeunlee2@gmail.com]
Your earliest response to this letter will be appreciated.
Kind Regards
Yeong Keun Lee.
A friend has sent you a $50 Amazon Gift Card.
Claim Code: #VV5H-MWWHWM-D7P3
Use it to buy anything in our store.
REMOVE LINK
Must use by January 15, 2016.
DO NOT CLICK the links in this EMAIL
| …Walgreens….At The-Corner of Happy-And-Healthy! |
| New Alert-Message for: YOUR@email.com – One (1) New Important Account-Notice/Message Received. |
| ********Customer-ID #10742. |
| You have one (1) current item that is requiring-your-confirmation for account-accuracy. |
| Your current accumulated reward-points you’ve earned are set to expire if not redeemed by the end of the day (CST) on 1/13/2016. |
| LINK to malware SITE:
|
| – – – – – – – – – – – – -End of Customer Notice/Message1993 – – – – – – – – – – – – |
virustotal:
| URL Scanner | Result |
|---|---|
| Sucuri SiteCheck | Malicious site |
| ParetoLogic | Malware site |
| BitDefender | Phishing site |
| CLEAN MX | Phishing site |
This is a scam. As far as we know CVS does not send gift cards from this email: <Pharmacy@dowlign.xyz>
Get a $100 CVS Gift Card*
One of my wordpress blogs got hacked. Â I was notified by google
I was apprehensive about accessing the site from my computer so i checked it out from my smartphone. Â I figured most current malware attempts to download and install on windows systems, but are usually not smart enough to infect two different platforms (windows AND android). Â The site seemed fine, but I am sure there is something wrong. Â So I logged into the server. Â The dates look a little suspcious but I the actual php files looked find.
I noticed a pattern with the dates that the files were access. Â I am seeing scores of files/folders that have been “touched” and have the same date/time stamp Nov 22, 2015 12:00. Â You only see that many files changed at once when a script does it. Â I focused on those files and I can see that MOST of the Nov 22 1200 date/time stamps are on ONE plugin: Â plugin GroupDocs. Â I look at the error log:
INFO Started brute forcing. INFO checking: drinkmusiccity.com, david, david INFO checking: farmofpeace.com, salima, salima INFO checking: fayjames.com, fay, fay INFO checking: fantasyassembly.com, kevin-j, kevin-j INFO checking: fionaraven.com, fiona, fiona INFO checking: fishinglakes.com, Colby, Colby INFO checking: firetown.com, firetown, firetown INFO checking: fontainetours.com, claudia, claudia INFO checking: foreverboundadoption.org, designteam, designteam INFO checking: fotoparisberlin.com, amelie, amelie INFO checking: frabonisdeli.com, bennett-fraboni, bennett-fraboni INFO checking: freeloveforum.com, anne, anne INFO checking: funkatech.com, incyte, incyte INFO checking: futurist.com, brenda-cooper, brenda-cooper INFO checking: futebolnas4linhas.com, ingrid-carvalho, ingrid-carvalho INFO checking: freedomnewton.com, pastorc, pastorc INFO checking: k-bell.co.jp, kohei, kohei INFO checking: katrinakaif.co.uk, harish, harish INFO checking: kcfw.de, c-mohr, c-mohr INFO checking: kazu.co.nz, staff, staff INFO checking: keneally.com, samcniotktaetl, samcniotktaetl INFO checking: keratoconus.com.au, jim, jim INFO checking: fundacjadantian.com, fundacjadantian, fundacjadantian INFO checking: kibi-group.com, kibi, kibi
I look up the plugin GroupDocs. Â I has had a MAJOR compromise:
https://wordpress.org/support/topic/beaware-this-plugin-attracts-hackers
It is being used as a backdoor into WordPress. Â Honestly, I don’t remember even installing it. Â I am not sure if it came with the theme I installed or what. Â I start checking all more other blog’s plugins. Â I don’t see it any where else. Â Upon further inspection of the plugin, I can clearly see the PHP backdoor code:
sending: {
"type" : "WPBF_RESPONSE",
"linkPasses" : [
{
"site" : "farmofpeace.com",
"user" : "salima",
"pass" : "salima"
},
{
"site" : "i-entertainment.co.uk",
"user" : "nicolai2014",
"pass" : "nicolai2014"
},
{
"site" : "020haopai.com",
"user" : "siteadmin",
"pass" : "siteadmin"
},
{
"site" : "zargarcarpet.com",
"user" : "akeel",
"pass" : "akeel"
},
{
"site" : "haubstadtsommerfest.com",
"user" : "joeyconti",
"pass" : "joeyconti"
}
]
}
Starting brute forcing WordPress
CURRENT TIME: 2015-11-20 15:47:06
CURRENT TIME: 2015-11-20 15:47:37
CURRENT TIME: 2015-11-20 15:48:08
CURRENT TIME: 2015-11-20 15:48:39
Child dead. Reading response:
Done. read: 0 bytes
The Fix Action: