Gootkit banking Trojan via Fake UKPC parking penalty appeals

I am hearing about a return of the fake UKPC parking charge appeals scam, which has been quiet for about a year. At this time I don't have a copy of the email that was received by the victim, only the link that was in it. I assume the email will be very similar to the ones described in these two posts [1] [2].

UKPC are a nationwide company that controls parking on private property throughout many parts of the UK. They do not (as far as I can tell) control on-street parking on behalf of any Local Authority in the UK. There is a lot of information on the internet suggesting UKPC are a scam, or a less scrupulous company that regularly breaks the law and issues unenforceable penalty notices for spurious "offences". I am not going to get into the argument over private parking companies sending out penalty notices here. This post is alerting you to a current malware delivery campaign that uses the UKPC logo and an imitation of their website to scam recipients and steal banking details.

These campaigns are generally very well done and use sites that closely resemble the genuine UKPC appeals site, ukpcappeals.co.uk.

The current domain being used in this malware delivery scam is ukpcappeals.org, a look-alike / typo-squatted domain that is easily misread as, or confused with, the genuine ukpcappeals.co.uk. The criminals behind this scam have also made it much more difficult for researchers and antivirus companies to investigate the delivery method: each IP address and computer gets only one attempt at contacting the site and downloading the zip file, and every request after that gets a 403 Forbidden response. If you are investigating this yourself, capture the first request in full (headers, any cookies, and the downloaded file), because you will not get a second chance from the same address.

You can now submit suspicious sites, emails and files via our Submissions system

UKPC has not been hacked, nor have their email or other servers been compromised. They are not sending these emails to you.

The link in the email was to http://7csx.ukpcappeals.org/files/data_info/checkinfo.php, where you see a page looking like the screenshot below. After entering the captcha and pressing "view photos", a randomly named zip file is downloaded.

Fake Typo-squatted UKPC appeals site


78397.zip extracts to TVTT_CAM92741.vbs (VirusTotal detections | Any.Run), which is the Gootkit downloader. The .vbs calls out to http://51.254.160.193/media/report_201904 and downloads two files: a PDF, which is displayed to the victim as a decoy, and a .exe, which runs silently in the background and steals the victim's banking details.

report242.exe (VirusTotal)

This is another one of those files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC, PDF, JPG or other common file instead of the .vbs script it really is, making it much more likely that you will open it by accident and be infected. With extensions hidden, TVTT_CAM92741.vbs is displayed simply as TVTT_CAM92741, with nothing to show that it is a script.

These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed, picked at random from a long list that the bad guys have previously obtained. The bad guys choose companies, Government departments and organisations, with subjects that are designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachment, whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or something more targeted at somebody who is likely to receive PDF or Word .doc attachments, or any other common file type, as part of their everyday work.

The basic rule is NEVER open any attachment to an email unless you are expecting it. That is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of themselves doing silly things, or cute pictures of the children or pets.

Never just blindly click on the file in your email program. Always save the file to your Downloads folder so you can check it first. Many malicious files attached to emails have a faked or misleading extension (the three or four letters after the last dot in the file name). Unfortunately Windows hides file extensions by default, so open Folder Options and untick "Hide extensions for known file types". Then, when you unzip the zip that is supposed to contain the pictures of "Sally's dog catching a ball", or the Word document that work has supposedly sent you to finish at the weekend, or an invoice or order confirmation from some company, you can see at a glance whether it really is a picture or document and not a malicious program.

If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .VBS, .WSF, .JSE or .JAR at the end of the file name, DO NOT click on it or try to open it; it will infect you.

While the malicious program is inside the zip file it cannot harm you or run automatically. When it is just sitting unzipped in your Downloads folder it won't infect you either, provided you don't click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that the bad guys can configure to run the malware file automatically when you double-click the zip to extract it. If you right-click any suspicious zip you receive (after saving it to a folder on the computer) and select "extract here" or "extract to folder", that risk is virtually eliminated. Never attempt to open a zip directly from your email; that is a guaranteed way to get infected. The best approach is simply to delete the unexpected zip and not risk any infection.
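As an added example that is not part of the original post, the Python below applies the advice above programmatically: it reads a zip's directory without extracting anything, shows how each member's name would appear with Windows extension hiding switched on, and flags the script and executable extensions listed above. The extra extensions in the set (for example .bat, .cmd, .ps1, .lnk) and the sample zip contents are my own additions, not from the post; the sample zip holds harmless placeholder text, not the real script.

```python
# Added example (not from the original post): triage a downloaded zip
# WITHOUT extracting it. Lists the members, shows how each name looks
# with Windows "Hide extensions for known file types" ticked, and flags
# script/executable extensions.
import io
import os
import zipfile

# Extensions the post warns about, plus a few other Windows script and
# shortcut types that behave the same way (the extras are my addition).
DANGEROUS_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".jar",
    ".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".ps1", ".lnk",
}


def displayed_name(filename):
    """Name as Explorer shows it when known extensions are hidden: only
    the final extension is dropped, so 'invoice.pdf.vbs' is shown as
    'invoice.pdf' and looks like a PDF."""
    base, ext = os.path.splitext(filename)
    return base if ext else filename


def classify(filename):
    """Return (displayed_name, real_extension, dangerous)."""
    ext = os.path.splitext(filename)[1].lower()
    return displayed_name(filename), ext, ext in DANGEROUS_EXTENSIONS


def inspect_zip(data):
    """data: bytes of a zip file, or a path to one. Returns one dict per
    file member. Nothing is extracted or executed; only the zip's
    central directory is read."""
    source = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    results = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = os.path.basename(info.filename)
            shown, ext, bad = classify(member)
            results.append({
                "member": info.filename,
                "shown_as": shown,
                "extension": ext,
                "dangerous": bad,
                "size": info.file_size,
            })
    return results


def build_sample_zip():
    """Constructed sample mimicking the structure described in the post:
    a numbered zip holding a camera-looking .vbs. The contents are
    harmless placeholders, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TVTT_CAM92741.vbs", "' placeholder, not the real script\n")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_zip(build_sample_zip()):
        flag = "DANGEROUS" if entry["dangerous"] else "ok"
        print(f"{entry['member']:<24} shows as {entry['shown_as']:<20} {flag}")
```

Run it against a real download with `inspect_zip("78397.zip")`; anything marked DANGEROUS, or whose displayed name looks like a document or photo while its real extension is a script, should be deleted rather than extracted.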


Website details

Address lookup

Domain Whois record

Queried whois.publicinterestregistry.net with “ukpcappeals.org“…

Domain Name: UKPCAPPEALS.ORG
Registry Domain ID: D402200000010144677-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2019-04-24T14:00:52Z
Creation Date: 2019-04-24T13:59:45Z
Registry Expiry Date: 2020-04-24T13:59:45Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: (address not captured)
Registrar Abuse Contact Phone: +1.4805240066
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: See PrivacyGuardian.org
Registrant State/Province: AZ
Registrant Country: US
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2019-05-15T14:22:11Z <<<

Network Whois record

Queried whois.arin.net with “n ! NET-47-91-64-0-1“…

NetRange:       47.91.64.0 - 47.91.95.255
CIDR:           47.91.64.0/19
NetName:        ALICLOUD-GM
NetHandle:      NET-47-91-64-0-1
Parent:         AL-3 (NET-47-88-0-0-1)
NetType:        Reassigned
OriginAS:       AS45102
Customer:       ALICLOUD-GM (C06961501)
RegDate:        2018-04-20
Updated:        2018-04-20
Comment:        1.For AliCloud IPR Infringement and Abuse Claim, please use below link with browser to report: https://intl.aliyun.com/report
Comment:        
Comment:        2.For Alibaba.com and Aliexpress.com's IPR Infringement , please use below link with browser to report: https://ipp.alibabagroup.com
Comment:        
Comment:        3.For Alibaba.com and Aliexpress.com's Abuse, please send email to those two mail lists to report: (addresses not captured)
Comment:        
Comment:        4. For network issue, please send email to this mail list: (address not captured)
Ref:            https://rdap.arin.net/registry/ip/47.91.64.0


CustName:       ALICLOUD-GM
Address:        Westendstrabe 28, 60325 Frankfurt am Main
City:           Frankfurt
StateProv:      
PostalCode:     
Country:        DE
RegDate:        2018-04-20
Updated:        2018-04-20
Ref:            https://rdap.arin.net/registry/entity/C06961501

OrgTechHandle: ALIBA-ARIN
OrgTechName:   Alibaba NOC
OrgTechPhone:  +1-408-748-1200 
OrgTechEmail:  (address not captured)
OrgTechRef:    https://rdap.arin.net/registry/entity/ALIBA-ARIN

OrgAbuseHandle: NETWO4028-ARIN
OrgAbuseName:   Network Abuse
OrgAbusePhone:  +1-408-785-5580 
OrgAbuseEmail:  (address not captured)
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NETWO4028-ARIN

OrgNOCHandle: ALIBA-ARIN
OrgNOCName:   Alibaba NOC
OrgNOCPhone:  +1-408-748-1200 
OrgNOCEmail:  (address not captured)
OrgNOCRef:    https://rdap.arin.net/registry/entity/ALIBA-ARIN

Address lookup

Domain Whois record

Queried whois.internic.net with “dom securecheck256.com“…

   Domain Name: SECURECHECK256.COM
   Registry Domain ID: 2344067859_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.webnic.cc
   Registrar URL: http://www.webnic.cc
   Updated Date: 2018-12-19T08:42:23Z
   Creation Date: 2018-12-17T15:24:50Z
   Registry Expiry Date: 2019-12-17T15:24:50Z
   Registrar: Web Commerce Communications Limited dba WebNic.cc
   Registrar IANA ID: 460
   Registrar Abuse Contact Email: (address not captured)
   Registrar Abuse Contact Phone: +603.89966788
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS31.CLOUDNS.NET
   Name Server: NS32.CLOUDNS.NET
   Name Server: NS33.CLOUDNS.NET
   Name Server: NS34.CLOUDNS.NET
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-05-16T02:09:28Z <<<

Queried whois.webnic.cc with “securecheck256.com“…

Domain Name: securecheck256.com
Registry Domain ID: 2344067859_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.webnic.cc 
Registrar URL: webnic.cc 
Updated Date: 2018-12-17T15:24:49Z
Creation Date: 2018-12-17T15:24:51Z
Registrar Registration Expiration Date: 2019-12-17T15:24:50Z
Registrar: WEBCC 
Registrar IANA ID: 460 
Registrar Abuse Contact Email: (address not captured)
Registrar Abuse Contact Phone: +60.389966799 
Domain Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited 
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited 
Domain Status: clientDeleteProhibited https://www.icann.org/epp#clientDeleteProhibited 
Registry Registrant ID: Not Available From Registry
Registrant Name: Joshua Huff
Registrant Organization: Joshua Huff
Registrant Street: 126 Heatherleigh 
Registrant City: Cooksville
Registrant State/Province: ON
Registrant Postal Code: L5A1V9
Registrant Country: CA
Registrant Phone: +1.9052108430
Registrant Phone Ext: 
Registrant Fax: +1.9052108430
Registrant Fax Ext: 
Registrant Email: (address not captured)
Registry Admin ID: Not Available From Registry
Admin Name: Joshua Huff
Admin Organization: Joshua Huff
Admin Street: 126 Heatherleigh 
Admin City: Cooksville
Admin State/Province: ON
Admin Postal Code: L5A1V9
Admin Country: CA
Admin Phone: +1.9052108430
Admin Phone Ext: 
Admin Fax: +1.9052108430
Admin Fax Ext: 
Admin Email: (address not captured)
Registry Tech ID: Not Available From Registry
Tech Name: Joshua Huff
Tech Organization: Joshua Huff
Tech Street: 126 Heatherleigh 
Tech City: Cooksville
Tech State/Province: ON
Tech Postal Code: L5A1V9
Tech Country: CA
Tech Phone: +1.9052108430
Tech Phone Ext: 
Tech Fax: +1.9052108430
Tech Fax Ext: 
Tech Email: (address not captured)
Name Server: NS31.CLOUDNS.NET
Name Server: NS32.CLOUDNS.NET
Name Server: NS33.CLOUDNS.NET
Name Server: NS34.CLOUDNS.NET
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-12-17T15:24:49Z <<<

Network Whois record

Queried whois.ripe.net with “-B 51.38.154.26“…

% Information related to '51.38.154.24 - 51.38.154.27'

% Abuse contact for '51.38.154.24 - 51.38.154.27' is (address not captured)

inetnum:        51.38.154.24 - 51.38.154.27
netname:        OVH_177596012
country:        PL
descr:          Failover Ips
org:            ORG-GS206-RIPE
admin-c:        OTC12-RIPE
tech-c:         OTC12-RIPE
status:         LEGACY
mnt-by:         OVH-MNT
created:        2018-05-04T18:31:27Z
last-modified:  2018-05-04T18:31:27Z
source:         RIPE

organisation:   ORG-GS206-RIPE
org-name:       OU IPHOSTER
org-type:       OTHER
address:        Randla 13-201
address:        10315 Tallinn
address:        EE
e-mail:         (address not captured)
phone:          +372.8804544
abuse-c:        ACRO15706-RIPE
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2015-08-04T07:06:03Z
last-modified:  2018-04-25T00:06:15Z
source:         RIPE

role:           OVH PL Technical Contact
address:        OVH Sp. z o. o.
address:        Ul. Szkocka 5 lok. 1
address:        54-402 Wroclaw
address:        Poland
e-mail:         (address not captured)
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
nic-hdl:        OTC12-RIPE
abuse-mailbox:  (address not captured)
notify:         (address not captured)
mnt-by:         OVH-MNT
created:        2009-09-16T16:09:56Z
last-modified:  2013-10-30T11:40:58Z
source:         RIPE

% Information related to '51.38.0.0/16AS16276'

route:          51.38.0.0/16
origin:         AS16276
mnt-by:         OVH-MNT
created:        2018-03-07T09:21:14Z
last-modified:  2018-03-07T09:21:14Z
source:         RIPE

 

IOC:

Main object: TVTT_CAM92741.vbs
sha256 9ac5e0c4f834625fd336131d48812afda6c0e34c27cb390c924b3679985d66c5
sha1 9f2da5974abc77e792b4c540cd9bd64e8e1a91f0
md5 89c449ea3ddc6fb191ed83ade968bd87

Dropped executable file: report242.exe
MD5 92037C20192404AB292FB4418FD933A4
SHA1 329FF54DB14D33503EB7C1D9C698AADD6837397B
SHA256 266A0E2E04E82B42D5DF30C70E32D58AEA042EEF7C87AF1B5CD64239F71C0FC5

Decoy document: Report242.pdf
MD5 3C0F58DA0900D2DA8C77CA3DE8476AB4
SHA1 0D5ED7EA200475F2CB82520F9C6641B460EC84AF
SHA256 E41A310DC5CBBD2FCBDD4EF0E5AD81F0D724C31514ACC7A2219FE5ABE9A4CF5C

DNS requests
domain securecheck256.com
domain analyticagent.com

Connections
ip 51.38.154.26
ip 51.254.160.193
ip 52.200.159.57
ip 2.16.106.152

HTTP/HTTPS requests
url http://51.254.160.193/media/download/201904/report242
url http://51.254.160.193/media/report_201904
url https://securecheck256.com/rbody32
url https://securecheck256.com/rbody320
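As an added example, not from the original post: a small Python sweep that checks file hashes and proxy/DNS log lines against the indicators above. The hashes, domains, IPs and URLs are copied from this post (ukpcappeals.org is taken from the post body rather than the IOC list); the log lines are constructed for the demo and the log format is an assumption.

```python
# Added example (not from the original post): check files and log lines
# against the IOCs listed in the post. Hashes are compared lowercase so
# the mixed-case values from the post still match.
import hashlib
import re

# Copied from the post's IOC section.
FILE_HASHES = {
    "TVTT_CAM92741.vbs": {
        "md5": "89c449ea3ddc6fb191ed83ade968bd87",
        "sha1": "9f2da5974abc77e792b4c540cd9bd64e8e1a91f0",
        "sha256": "9ac5e0c4f834625fd336131d48812afda6c0e34c27cb390c924b3679985d66c5",
    },
    "report242.exe": {
        "md5": "92037C20192404AB292FB4418FD933A4",
        "sha1": "329FF54DB14D33503EB7C1D9C698AADD6837397B",
        "sha256": "266A0E2E04E82B42D5DF30C70E32D58AEA042EEF7C87AF1B5CD64239F71C0FC5",
    },
    "Report242.pdf": {
        "md5": "3C0F58DA0900D2DA8C77CA3DE8476AB4",
        "sha1": "0D5ED7EA200475F2CB82520F9C6641B460EC84AF",
        "sha256": "E41A310DC5CBBD2FCBDD4EF0E5AD81F0D724C31514ACC7A2219FE5ABE9A4CF5C",
    },
}
# ukpcappeals.org comes from the post body, not the IOC list.
DOMAINS = {"securecheck256.com", "analyticagent.com", "ukpcappeals.org"}
IPS = {"51.38.154.26", "51.254.160.193", "52.200.159.57", "2.16.106.152"}
URLS = {
    "http://51.254.160.193/media/download/201904/report242",
    "http://51.254.160.193/media/report_201904",
    "https://securecheck256.com/rbody32",
    "https://securecheck256.com/rbody320",
}


def hash_bytes(data):
    """MD5/SHA1/SHA256 of a byte string, lowercase hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def hash_file(path):
    """Same three digests for a file, computed in one pass."""
    hashes = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def match_digests(digests, known=FILE_HASHES):
    """Return the IOC name whose digests match, else None. Any single
    algorithm matching is enough: a sample listed with only one hash
    should still be caught."""
    for name, expected in known.items():
        for algo, value in expected.items():
            if digests.get(algo, "").lower() == value.lower():
                return name
    return None


def match_file(path, known=FILE_HASHES):
    return match_digests(hash_file(path), known)


# Hostnames: dotted labels ending in an alphabetic TLD, so bare IPv4
# addresses are handled separately by IPV4_RE.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def match_log_line(line):
    """Return the set of indicator types on one line: 'url', 'ip',
    'domain'. Domain matching includes subdomains (7csx.ukpcappeals.org
    matches ukpcappeals.org), so a new path or host label on the same
    infrastructure still surfaces."""
    hits = set()
    lowered = line.lower()
    if any(u.lower() in lowered for u in URLS):
        hits.add("url")
    if any(ip in IPS for ip in IPV4_RE.findall(line)):
        hits.add("ip")
    for host in HOST_RE.findall(lowered):
        if any(host == d or host.endswith("." + d) for d in DOMAINS):
            hits.add("domain")
    return hits


def sweep_log(lines):
    """(line, hits) for every line that touches an indicator."""
    out = []
    for line in lines:
        hits = match_log_line(line)
        if hits:
            out.append((line, hits))
    return out


# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = [
    "2019-05-15T14:31:02Z 10.0.0.23 GET http://7csx.ukpcappeals.org/files/data_info/checkinfo.php 200",
    "2019-05-15T14:31:40Z 10.0.0.23 GET http://51.254.160.193/media/report_201904 200",
    "2019-05-15T14:32:05Z 10.0.0.23 CONNECT securecheck256.com:443 200",
    "2019-05-15T14:32:07Z 10.0.0.23 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for line, hits in sweep_log(SAMPLE_LOG):
        print(sorted(hits), line)
```

Point `match_file` at anything recovered from a user's Downloads or %TEMP% folder, and feed real proxy or DNS logs to `sweep_log`; a hit on the domain or IP alone is worth triaging even when the exact URL differs, since the path names are likely to change between campaigns.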

 

Read more https://myonlinesecurity.co.uk/gootkit-banking-trojan-via-fake-ukpc-parking-penalty-appeals/

  • curry pcworld data loss 2018

    curry pcworld data loss 2018

    On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware. We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts. Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address. While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated. Read More
  • Hawkeye keylogger via fake receipt. Stolen data sent to another keylogger site.

    Over the last month or 6 weeks we, along with many other researchers, have noticed quite a drop in Malspam, in fact in spam generally. Nobody quite knows why but generally this means one or other of the major spam sending botnets has been taken down or is retooling & getting ready for a  new set of campaigns. One of the few constant... Read More
  • eBook, "When I was young". guide to a summer outdoors,

    We're excited to announce the launch of our brand new eBook, "When I was young". A fantastic new guide to a summer outdoors, perfect for all the family. Think back to when you were young, do you ever remember being glued to a TV screen, games console or phone? No, neither do we, so let's show the next generation the excitement that can be had from the doorstep.    We want your children to enjoy being in the outdoors, just as you did when you were little. So we've created this brand new downloadable guide packed with fun activities, games and ideas to keep your family busy all summer long.   Get the kids to re-connect with the outdoors this summer and  re-create your childhood memories! Read More
  • Fake Payment receipt vbs drops njrat bladabindi downloads Agent Tesla via Sendspace.

    A rather interesting malware campaign from overnight. It all starts with an email pretending to be a payment receipt that contains a .tar attachment which contains a vbs file. As per usual the email is just generic enough to entice a recipient to open it, read it & possibly extract & run the malware file. This is another one of the ... Read More
  • Community Works Reps’ Nominations are open! Deadline Friday 12 October

    We are looking for representatives who would like to become champions for community groups and voluntary organisations, across Brighton & Hove, Adur and Worthing on behalf of Community Works. Do you want to ensure the voices of these groups are heard and understood? Are you keen to share your knowledge and expertise across a broad range of partnerships and agendas? Would you like to represent community and voluntary organisations at a strategic level? Read More
  • Watch out for these fake account emails.

    We’ve seen an increase in reports about fake account emails claiming that there’s an issue with your account, or that your account has been suspended. The email states that you need to “update” your account details in order to resolve the problem. The link in the emails leads to genuine-looking company phishing websites designed to steal your username and password, as well as payment details. Always question unsolicited requests for your personal or financial information in case it’s a scam. Never automatically click on a link in an unexpected email or text. For more information on how to stay secure online, visit www.cyberaware.gov.uk Message Sent ByAction Fraud (Action Fraud, Administrator, National) Read More
  • Fake order eventually drops Lokibot but something else happens

    I am not entirely sure what the in initial binary download with this one is, but there are indications it might be Dark Comet RAT. What we do know is that it drops a Lokibot binary The word doc is actually a RTF file containing embedded ole objects. This appears to contain 5 identical ole objects that in turn drop an Excel macro enabled worksheet... Read More
  • Worthing Sporting Memories

    Sporting Memories is an opportunity for older sports fans to get together to talk sport over a cuppa. It aims to promote physical and mental well-being through reminiscence and tapping into passion, knowledge and love of sport. It is open to any one over the age of 50 who likes sport, and enjoys reminiscing about their experiences of watching or playing sport! It is free and takes place every Thursday 10.00 - 11.30am, at the Clubhouse, Worthing Football Club.   Read More
  • Gootkit banking Trojan via Fake UKPC parking penalty appeals

    I am hearing about a return of the fake UKPC parking charge appeals scam which has been quiet for about 1 year. At this time I don’t have a copy of the email that was received by the victim, only the link that was in it. I assume the email will be very similar to the ones described in these 2 posts  [1] [2]. UKPC are a nationwide... Read More
  • Training for groups or organisations that work with vulnerable adults, Tuesday 23 October

    Does your group or organisation work with vulnerable adults? If so, you have an important role to play in helping keep them safe. ‘Keeping Adults Safe’ is an introductory course for community groups and voluntary organisations who work with, engage and deliver activities or services for adults. The next course is on Tuesday 23 October 2018, 9.30am - 4.30pm, in Brighton. Concentrating specifically on the over 18s age group, the course will provide you with an understanding of your role in establishing a safe environment, and what you can do to create this environment. For more information and to book a place, visit: http://bhcommunityworks.org.uk/keep-adults-safe-training/ A small number of free bursary places are available to member organisations with annual income of less than £35,000. Read More
  • Remcos Rat via fake invoice using multiple delivery methods.

    I have heard of the “Belt and Braces ” approach to delivering malware before, but this malware campaign delivering Remcos Rat is using  the belt and 2 pairs of braces to try make sure the malware gets delivered. The email is a fairly typical Invoice Request that appears to a part of an ongoing conversation and contains 3 different... Read More
  • Phishing emails pretending to be sent from myonlinesecurity.co.uk

    First of all I want to apologise to anybody who received a scam phishing email that pretended or appeared to come from our email address This email address is being protected from spambots. You need JavaScript enabled to view it..  These emails were not sent from this server but from a scummy server controlled by a hosting company  in Iceland who are used frequently by criminals for malware,... Read More
  • Urgent to all residents: email delivers Ursnif payloaf

    Urgent to all residents: email delivers Ursnif payloaf

    These malicious attachments normally have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or other log in credentials.Be very careful with email attachments. Most of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Read More
  • Supporting Voluntary & Community Sector Groups in Keeping Children & Young People Safe

    Does your organisation work with a significant number of children and young people? If so, did you know that there is a VCS Safeguarding Forum that supports Safeguarding Leads as part of a network across the county?   Key Aims: • To bring together key VCS Safeguarding Leads from across West Sussex, to create networking opportunities and share best practice and training. Read More
  • Fake Council Tax refund phishing scam

    I was sent the details of a very interesting and extremely well done phishing scam, that pretends to be  a Council Tax refund. The scammers have chosen an extremely good domain name to perform the scam & copied almost exactly the genuine  Gov.uk site complete with all branding & Postcode lookup. I don’t have the original... Read More
  • West Durrington Community Facilities - opportunity for an organisation

    "Adur & Worthing Councils own a number of community buildings and lease these to strong, community-focused groups and organisations to manage. The buildings are valuable assets for our local residents and the wider community - and meeting their needs, wants and expectations are essential. The Councils need organisations with sound experience, leadership and passion to take on a new lease and be the driver of good things in, and with, the local communities." Read More
  • AgentTesla keylogger as fileless malware.

    I am seeing a somewhat different to usual AgentTesla malspam campaign this morning. This is using a multistage downloader eventually resulting in the AgentTesla keylogger / infostealer being run on the victim’s computer as a fileless malware. It all starts with the Word doc attachment, which is actually a RTF file that is using the... Read More
  • TRULEIGH HILL CONSULTATION

    • Find out more about future plans to enrich and protect this special part of the South Downs National Park. • Discover more about the planned improvements at the Truleigh Hill Youth Hostel (YHA) • Talk to YHA staff about holidays, school trips, local and national YHA services. • Sample delicious refreshments from the YHA café. • FREE nature based and wilderness skills activities for all the family throughout the afternoon, coordinated by ‘So Sussex’ • Meet RSPB volunteers and learn about the local wildlife species you might spot – from barn owls to chalk hill blue butterflies • Take a virtual animated tour of the RAF underground bunker at Truleigh Hill, giving you a glimpse into the site’s history and hidden heritage. • Complete our online survey and tell us YOUR views southdowns.gov. uk/truleigh-hill-surveyPhil Paulo (Community Landscape Project Officer Truleigh Hill) Email: Phillip.Paulo@ southdowns.gov.uk Tel: 01730 819283 FREE Parking available at the YHA. A FREE Shuttle bus will run throughout the afternoon from the junction of Mill Hill and Erringham Road, Shoreham by Sea up to Truleigh Hill YHA and back. Read More
  • Lokibot via abusing the ngrok proxy service

    It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN... Read More
  • It looks like another DNS compromise hack happening

    I saw a fairly short-lived, reasonably low volume, malspam campaign earlier this morning that looks like it comes via Necurs Botnet and is somehow using a “new” compromise or security hole in the DNS system. These appear to be targeted at UK only and as far as I can tell ONLY a UK IP number will get a redirect to the scumware site.... Read More
  • Hawkeye keylogger using fileless delivery system via Amazon AWS

    We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan. The vast majority have either a zip file containing the trojan itself or a malformed word doc either containing macros or using one of the Microsoft Equation Editor Exploits like CVE-2017-0199, CV-2017-11882 or CVE 2017-8570 that download... Read More
  • various phishing scams via compromised Mexican Gov email address

    This set of phishing scams is noteworthy because the emails all originate from a compromised email account belonging to the Mexican Government or at least using the Mexico Gov domain. It seems to track back to the Ministry of Justice of Guanajuato state. They all pass authentication checks so are more likely to be delivered to prospective victims.... Read More
  • Watch out for these fake TV Licensing emails.

    Watch out for these fake TV Licensing emails. We’ve seen a sharp increase in reports about fake TV Licensing emails claiming to offer refunds. The emails state that the refund cannot be processed due to “invalid account details”. The links provided in the emails lead to phishing websites designed to steal personal and financial details. Read More
  • Multiple Hawkeye malspam campaigns via GreenCloudVPS

    Another Hawkeye keylogger campaign again today. We see these most days and the emails are always such a generic invoice, order or Request for quotation so I don’t bother to post all versions we receive. I normally just tweet to the other researchers and submit to antivirus companies. These are all using CVE-2017-11882 RTF Today we are seeing... Read More
  • More compromised windstream email sending malspam with Orion keylogger

    Following on from Last Friday, it is looking like Windstream, Zimbra & Synacor still have a problem with accounts being compromised and mass malspam being sent.  Generally speaking the majority of ISPs are pretty good with blocking outgoing spam & malware emails. They generally restrict the numbers of emails sent per hour / day for... Read More
  • voicemail phishing scam involving compromised OneDrive for business site

    We see lots of phishing attempts for email credentials. This one is slightly different from many others and somewhat more complicated. It pretends to be a message to download a voicemail. Remember many email clients, especially on a mobile phone or tablet, only...
  • Get Safe Online With Switched On Parents In July 2019

    Do you really know what your child does when they’re online? For our children and young people, the internet is a wonderful place where they can explore, learn new things, communicate, be entertained and much more, with their curiosity and appetite for new content evolving and growing as they do. At Get Safe Online, we embrace these benefits, but equally, we know that it can be a challenging and potentially hazardous experience. Do you know how long they’re spending online, what content they’re viewing or who they’re chatting with? Are you concerned that they could be bullied, befriended by the wrong kind of people or even being persuaded to commit criminal offences? Or even that it could be your child who’s the abuser or budding cybercriminal? (After all, everyone is somebody’s child). Ironically, the fact that...
  • Launch of Worthing Refill

    Refill Worthing launch - 15th August, 5:30-8pm @ St. Paul's cafe, Chapel Road, Worthing BN11 1EE. A scheme to break our plastic habit, which started in Bristol and has taken off nationally, is launching in Worthing. The Refill scheme signs up local businesses, cafes and venues to become Refill stations, where members of the public can refill their own water bottles for free. The nifty little Refill app, available at the normal places, shows people their nearest stations on a map. Folks can also upload their own favourite cafes if they too want to become Refill stations.
  • Get Safe Online will help you keep your online payments safe.

    Trust Get Safe Online to help protect your finances with safer payments advice from the GSO experts. These days, you can pay for almost anything online: products, services, tickets, holidays … even your next car, van or motorcycle. You can donate to charity, buy a driving licence or passport or pay to download, stream, play or gamble. It’s fast and convenient, but there are also risks attached, with cybercriminals doing all they can to divert your money into their pockets.
  • banload and stealer

    Some unusual malware, possibly Banload and a stealer. Details were uploaded to our submissions system. Starts with an email link that downloads tax.zip from http://199.192.29.182/Folder/Downloader.php?1409 This zip contains the genuine Google updater & a bat file which downloads a PowerShell script from http://51.75.142.21/l2406/uk/kk/20938092830482 Then...
  • Carer Innovations Fund

    The Carer Innovations Fund aims to support accessible, carer-friendly communities and public services and also seeks to provide evidence on effective interventions to support carers. The fund seeks to identify and promote creative and innovative models that look beyond statutory services to ensure that carers are: ...
  • Phishing on a compromised Brazilian ISP via fake Fax email

    Just a very quick post about a phishing scam this morning. This is only noteworthy because the phishing takes place on a compromised website belonging to a small Brazilian ISP, https://www.agilinker.com.br/ The email pretends to be a fax message from your own domain, so the ones I received pretended to come from...
  • Big Energy Saving Network

    Consumer energy awareness for front line workers with the Big Energy Saving Network. Transition Town Worthing (TTW) has been chosen as Worthing’s champion for the Big Energy Saving Network 18/19 (BESN). The project is funded and administered by Citizens Advice, and the aim is to engage consumers, particularly those who might be vulnerable through reasons such as age, disability or financial situation, with their energy bills, assisting them to learn more about what they’re paying and how they’re paying for it, enabling them to acquire a fairer deal, and access any further assistance that may be available to them. People who are not actively engaged with the energy market...
  • More AgentTesla keylogger info-stealer campaigns hitting UK

    We are still seeing continuous AgentTesla keylogger / info-stealer campaigns hitting the UK. We still aren’t seeing a lot of other malware at the moment. I have received about 20 different versions over the last week that have all been nothing special, with no outstanding features worth mentioning, so I have just submitted them to AV companies and...
  • Finding Additional Support In A Power Cut

    UK Power Networks own and run the electricity cables in most of our region and fix power cuts. They deliver the electricity which you buy through your choice of supplier. They provide a priority service for anyone who might face extra difficulty in the event of a power cut, including households with an elderly person, young children, someone less mobile or someone with a health condition.
  • Nanocore RAT via fake DHL failed delivery in Chinese

    A quick post about the latest in a long, long, long, very, very long line of fake DHL delivery failure emails delivering all sorts of malware. Today’s version is slightly different to the ones we frequently see in the UK. Today it is delivering Nanocore RAT in a zip file attachment. Firstly, it is written entirely in Chinese, so most recipients...
  • Our actions have an impact. - Tearfund

    As part of Tearfund’s Matched Giving Appeal, we are asking supporters to donate and pledge to reduce their plastic. When we speak out about plastic pollution and how it affects people in poverty, we are keeping the issue on the agenda. When we show by our actions that we want to live in a less wasteful world, we are valuing what God has given us and caring for our global neighbours, as well as sending a powerful signal that we want decision-makers to act. Join us by taking the Plastic Pledge to give up using one single-use plastic item for 40 days (or more!). Every single-use plastic item we save is one less thing in a landfill site, ocean or incinerator – or one less thing shipped overseas for another country to dispose of. Single-use plastics are plastic items that are only intended to be used once, such as soft drinks bottles. The most common items include disposable cups, drinks bottles, non-recyclable packaging, wipes and female hygiene products. Finding alternatives to these plastics is easier than you might think! It can be very satisfying to know that you are walking that little bit lighter on the earth – and often, it saves you money too.
  • ISRStealer via fake Prudential Assurance Company Purchase Order

    Every now & again we see a resurgence of the ISRStealer info-stealer / keylogger Trojan malware. This malware has been around since 2011 and gets intermittent distribution campaigns. Prudential Assurance Company Singapore has not been hacked or had their email...
  • The Adur and Worthing Poverty Truth Commission

    Briefing meetings October 3rd 2018: open to all. The Adur and Worthing Poverty Truth Commission (AWPTC) are pleased to announce that we will be holding two open briefing meetings for the community of Adur & Worthing to meet with us and our national Coordinator Andrew Grinnell from Leeds. The Adur and Worthing Poverty Truth Commission aims to generate solutions for the local area by bringing together decision makers with those with first-hand experience of poverty.
  • AgentTesla Keylogger and Binary Options scam

    We are still not seeing massive amounts of malware currently hitting the UK. We are still seeing the commodity malware like AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye Keylogger on a very regular basis. Today’s example of an AgentTesla campaign is somewhat more interesting than usual. The email is nothing special and...
  • More AgentTesla keylogger and Nanocore RAT in one bundle

    We are seeing a continuation of even more AgentTesla malspam campaigns again this morning. However today’s is somewhat different to usual and also delivers a Nanocore RAT. Actually the Nanocore RAT is downloading the AgentTesla keylogger. And after a bit of digging around and seeing an open directory listing on the AgentTesla download...
  • Lokibot via fake purchase order but won’t run in W7 or W8.1

    I have got a very unusual and somewhat difficult to analyse set of malware files here. I received 2 different versions of this email. The first with just an XLSX attachment, the second with both an XLSX and a .rar attachment. Running the xlsx file through Any.Run using W7 64 bit resulted in a system freeze where it took so much memory &...
  • Free EU Citizens' rights and Brexit: info session and Q&A, Brighton, Thursday 6 December

    Are you an EU citizen living in the UK? Do you have questions about how Brexit will affect your rights to stay here? The embassies of EU countries and the Representation of the European Commission invite EU citizens to an information session in Brighton on EU citizens' rights and Brexit.
  • Hot Mobile Israeli Hebrew Phishing scam

    We see lots of phishing attempts for various credentials. This scam in Hebrew is a totally new one to me. As far as I can tell, the mobile phone company being spoofed, Hot Mobile, is an Israeli mobile phone company that has links to the Israel Defense Forces. All the info I am getting about this comes from Google Translate or Wikipedia, so might not...
  • Fake Fedex Express Shipment For Pickup in iso delivers nanocore using Sendgrid

    The next in the overnight malware campaigns is a fake FedEx Express email delivering Nanocore RAT via an img (ISO) file. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better...
  • WSCC Care and Help at Home Service - Survey

    Voluntary and community organisations have the opportunity to give us their views on the future [Care and Help at Home service] and help us to understand how we might work better together to support independence at home. The survey should take around 10-15 minutes to complete. https://haveyoursay.westsussex.gov.uk/children-adults-families-health-and-education/care-and-support-at-home-vco
  • nanocore RAT via fake order in password protected word doc with wrong password

    I was sent a message via the submissions system last night with the email the victim received attached. At first glance it looked like the typical password protected word docs we see regularly pretending to be either an order, invoice or resume, that frequently drop or download some sort of ransomware. At first I could not open this word doc using...
  • good quality grant applications from registered community groups

    Homity is a small, independent, Brighton-based charitable trust. Since 2014 we have awarded many small grants to local causes in real need of funds that will make a BIG difference. Our Trustees and Grants committee meet 3 times a year to consider the best quality applications and can award smaller (<£1000) funds quickly to those groups showing real need.
  • Bitcoin verify your Identity phishing scam hosted on Microsoft Azure hosting

    I am seeing a bitcoin phishing scam campaign this morning hosted on Microsoft Azure/windows.net. The emails pretend to come from your own email address and are addressed to the same email address. All hosting companies get abused and used for malware, scams and phishing. Recently Microsoft Azure hosting seems to be the flavour of the month...
  • claiming to offer a home insulation scheme which is supported by East Sussex County Council.

    East Sussex Trading Standards are warning residents to be vigilant about companies who are cold calling and claiming to offer a home insulation scheme which is supported by East Sussex County Council. However, it is possible that similar improper approaches may be made anywhere across the county. It is not in the remit of East Sussex County Council to support schemes that involve cold calling, and companies claiming that they do are misleading residents and may be breaking the law. This warning follows a spate of recent complaints from residents in Hastings about cold callers falsely offering an ESCC supported insulation scheme, but incidents may also be occurring elsewhere.
  • Fake PrivatBank email delivers AgentTesla and Phishing

    I received a rather interesting email earlier today. It pretends to be an email from Privatbank.com and is written mainly in Ukrainian. There is not a known bank using PrivatBank.com anywhere I can find listed, although a website for this domain was registered many years ago (2001). The closest legitimate bank that I can find is...
  • More AgentTesla keylogger as fileless malware.

    We are seeing a continuation of the new style AgentTesla malspam campaign again this morning. This is still using a multistage downloader eventually resulting in the AgentTesla keylogger / infostealer being run on the victim’s computer as fileless malware. The initial stage today is a .exe file though, not a Word doc / RTF doc in the...
  • Fake Bose site selling goods at stupid prices.

    I have got a slightly unusual potential scam / phishing / ID and money theft or fake goods scam to report on today. Yesterday I received a message via our submission form about a look-a-like site selling Bose products. The reporter was a bit concerned, saying “This site looks impressive but the price reductions are massive. Not at all what...
  • Have Your Say On Sussex Police Funding

    This week 70 new police officers completed their training, and a further 38 have started theirs as part of the biggest recruitment drive in Sussex for over ten years, made possible by this year’s increase in the police element of council tax - the precept. Last week the Government announced the provisional funding settlement for policing in a £970 million package that gives Police & Crime Commissioners the ability, should they wish, to raise the precept above the current £12 limit. This unprecedented funding opportunity could help Sussex to recruit substantial numbers of PCSOs and even more police officers, as well as improving the public contact service, especially the 101 non-emergency number. Although no final decisions will be made until early February next year, the Chief Constable and the PCC, Katy Bourne, have indicated their commitment to ensure that residents will see and feel the benefit of any extra funding raised locally. If you have not already done so, you can give the PCC your views on police funding by completing a very short survey available on her website at https://www.sussex-pcc.gov.uk/. I have been asked by the PCC to pass on her thanks to all Neighbourhood Watch volunteers for your support of Sussex Police throughout the year, which I am doing with great pleasure. Season's greetings to all.
  • AWC Community Transport Grants are open!

    Good morning. Just to share that these new grants opened today, all the details on our website: https://www.adur-worthing.gov.uk/community-transport-grants/ Deadline is 19th October. Best wishes, Jo. Joanne Clarke, Communities and Third Sector Lead, Adur & Worthing Councils
  • compromised windstream email sending malspam

    Got a bit of a dodgy one here today, where it looks like the email service for windstream.net has been compromised to allow a miscreant to send malicious emails that are passing all authentication. It is highly likely that it is an individual customer of Windstream that has been compromised, rather than the entire system, but the whole idea of a...
  • Trustee & Leadership Networks meets on the 16th October.

    ‘How to become a Charitable Incorporated Organisation’. Date: 16 October 2018. Time: 6.00-8.00pm. Venue: Gordon Room, Worthing Town Hall. Cost: Free. Book: via Eventbrite.
  • Free Conference Brighton Pier 13th June - Protecting young people against radicalisation and grooming on the internet

    Creative Exchange is working with the EU and Erasmus, who have funded projects across EU partner countries, and for the past 18 months we have been working on radicalisation and protecting young people from internet grooming. It is called the Heads-Up Project.
  • multiple malware delivered from compromised website run on a domestic BT IP address

    As I mentioned earlier in the week, we aren’t seeing massive amounts of malware, especially in the UK at the moment, BUT we do see a steady lowish volume stream of commodity malware. These are the standard easy to purchase and use malware tools like Nanocore, Hawkeye, Agent Tesla and other keyloggers or remote access trojans that are so easy...