Recent email spam virus
The virus also rifles through any email accounts hosted on the computer, emails itself to all the addresses that it finds, and sends the addresses back to a controller for future use.
This technique makes it very difficult to trace the spam back to the original sender and can vastly increase the volume of spam sent. The virus has not succeeded in bringing down the Spamhaus website, mainly because the company recently installed a new defensive technology called an anti-DDOS box, similar to a firewall.
Spamhaus believe that a notorious team of US-based spammers is behind the Mimail attack. They blame the same team for another variant that was also released this weekend called W C, also known as Mimail. Instead of causing computers to flood anti-spam websites with requests, W Neither site was accessible at GMT on Monday. The motive for this DDOS is not known. D is also buried in a zip file.

Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching the characteristics described in this report and take the actions described below in this article.
We continue to see an increase in sophisticated and nation-state-sponsored attacks and, as part of our ongoing threat research and efforts to protect customers, we will continue to provide guidance to the security community on how to secure against and respond to these multi-dimensional attacks.
As part of the initial discovery of the campaign in February, MSTIC identified a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record attributes of those who accessed the URL.
MSTIC traced the start of this campaign to January 28, , when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked.
No delivery of a malicious payload was observed during this early activity. In one final example of experimentation, there was no accompanying HTML in the phishing email and instead a URL led to an independent website spoofing the targeted organizations, from where the ISO was distributed.
The phishing message and delivery method were not the only evolving factors in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. Experimentation continued through most of the campaign but began to escalate in April. During the waves in April, the actor abandoned the use of Firebase and no longer tracked users using a dedicated URL.
Their techniques shifted to encode the ISO within the HTML document and have that responsible for storing target host details on a remote server via the use of the api. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam.
However, automated systems might have successfully delivered some of the earlier emails to recipients. In the May 25 campaign, there were several iterations. This address which varies for each recipient ends in in. If the user clicked the link in the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern:. A malicious ISO file is then delivered to the system. Figure 3. ISO file contents. Successful execution of these malicious payloads could then enable NOBELIUM to conduct actions on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.
Indicators of compromise (IOCs) for the campaign occurring on May 25 are provided in this blog to help security teams identify actor activity. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics. Microsoft Defender protects customers against the multiple components of this threat: malicious emails, file attachments, connections, malware payloads, other malicious artifacts, and attacker behavior.
Refer to the detection details below for specific detection names and alerts. Additionally, customers should follow defensive guidance and leverage advanced hunting to help mitigate variants of actor activity.
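The HTML-embedded ISO described above is the kind of attachment a mail-security team wants to catch before delivery. The following is an added example, not Microsoft's code: it scans an HTML attachment for a long base64 run that decodes to an ISO 9660 image (signature `CD001` at offset 0x8001) and lists which file-building JavaScript primitives the document uses. The sample HTML and the hint list are this example's own assumptions.

```python
"""Detect an ISO image smuggled inside an HTML attachment (added example, not Microsoft's code)."""
import base64
import re

ISO_SIGNATURE = b"CD001"    # ISO 9660 volume-descriptor identifier
ISO_SIG_OFFSET = 0x8001     # where that identifier sits in a standard ISO image
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{1024,}={0,2}")  # only long base64 runs are of interest
# JavaScript primitives commonly used to turn an embedded string into a downloadable file.
# Heuristic hints assumed by this example, not indicators taken from the report above.
JS_HINTS = (b"atob(", b"Blob(", b"createObjectURL(", b"msSaveOrOpenBlob(")


def find_smuggled_iso(html: bytes) -> list[dict]:
    """Return one finding per base64 run that decodes to data carrying the ISO 9660 signature.

    Inline images and other legitimate base64 content decode fine but fail the
    signature check, so they are not reported. Assumes the payload is one
    unbroken base64 string, as is typical for smuggled attachments.
    """
    findings = []
    for m in B64_BLOB.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # not clean base64 after all
            continue
        end = ISO_SIG_OFFSET + len(ISO_SIGNATURE)
        if len(data) >= end and data[ISO_SIG_OFFSET:end] == ISO_SIGNATURE:
            findings.append({"offset": m.start(), "decoded_size": len(data)})
    return findings


def js_hints(html: bytes) -> list[str]:
    """List which file-building JavaScript primitives appear in the document."""
    return [h.decode() for h in JS_HINTS if h in html]


def build_sample_html() -> bytes:
    """Constructed sample: a zero-filled image with a volume descriptor at 0x8001, embedded as base64."""
    fake_iso = b"\x00" * ISO_SIG_OFFSET + ISO_SIGNATURE + b"\x01" + b"\x00" * 100
    b64 = base64.b64encode(fake_iso)
    return (b"<html><body><script>var p='" + b64 + b"';"
            b"/* page script would decode p with atob(p) and offer it as a download */"
            b"</script></body></html>")


if __name__ == "__main__":
    sample = build_sample_html()
    print(find_smuggled_iso(sample), js_hints(sample))
```

Run against real attachments, treat an ISO finding together with any JS hint as a high-confidence block-and-alert condition rather than a spam score input.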
And there's no motivator like money, and the worry of losing it. This explains why the online payment service PayPal is a common front for a phishing attempt. It's also worth noting that this type of scam can also happen via text message, with fake PayPal text message alerts attempting to trick victims.
It emulated the look-and-feel of PayPal's site, then asked unwitting victims to supply their home address and credit card information all under the guise of resolving a made-up payment. And if you're in doubt, don't click the email: Log into your PayPal account through a secure link to check for any changes in your account balance.
You can also contact PayPal directly at in order to report a phishing attempt. This email purporting to be from FedEx is such a classic scam that it should be instantly recognizable as such, yet it still carries a whiff of plausibility which could easily trip you up.
A somewhat innocent looking email, it suggests that there is a message waiting for you from FedEx, and encourages you to click on a link to read it. The cunning aspect of this email is that it insinuates that there could be a package or some mail waiting for you, and who doesn't like receiving a parcel in the post? This particular email purports to be linked to REI Co-op, an outdoors equipment retailer, presumably in the hope of tricking people into clicking the link in the belief they've missed the delivery of a free tent or a sturdy pair of walking boots.
Like the Chipotle advert, this is nothing more than a textbook data harvesting scam. So don't click the message — delete it. As ever, if you receive an email claiming to have information about a product you haven't ordered, delete it or better still, report the spam to your email provider.
Apple scam emails are so old that Indiana Jones should be clutching them while running away from a giant boulder. However, that's not to say that they're going away, or that people have stopped falling for them. The Apple iTunes email scam is fairly similar to the PayPal scam above, and relies on instilling panic in its victim about the loss of money.
Victims receive an email purporting to be from Apple iTunes (it's not actually from iTunes or any real Apple account), claiming that they have just made a purchase on the Apple Store.
The email then provides a link to a page to cancel the payment. Sound familiar? Follow that link and, yep, you guessed it, you'll be asked to fill in lots of juicy personal details. The fact that this scam keeps showing up implies that a lot of people must be falling for it. Staying vigilant is relatively easy to do: if you receive an email like this and don't recognize the purchase, check your purchases under your Apple account directly, rather than following the link.
With this scam, victims receive an email from the scammer stating that they have been recorded watching pornographic material online. The twist here is that the emails open with the victim's own password as the subject header, making them extra convincing and creating immediate panic.
The victim is asked to pay a bribe in Bitcoin in exchange for silence. It's believed that the scammers are getting the email addresses and passwords from a list of previously leaked addresses. The UK government group Action Fraud has run the affected email addresses through the Have I Been Pwned site (a useful free tool to check if your data has been compromised).
Most of those affected were indeed in the database. If you receive this email, don't despair. Firstly, rest assured that nobody has any compromised footage of you. Secondly, check the Have I Been Pwned database and change your password details for your affected email address if you're still using the same one on any other websites. Remember, you should never re-use the same password on multiple sites. Instead, we recommend using a Password Manager to create and autofill secure passwords for you.
This classic scam sends you an urgent email with an admittedly confusing subject line. To reset your account, you'll just need to confirm your Apple ID with a bunch of personal information you wouldn't want in the hands of an online scammer. Unfortunately, that's definitely who it's going to.
Fortunately, there are a few easy ways to spot a fake request like this one. For one, that poorly constructed subject line is a dead giveaway. Apple is a lot of things, but prone to spelling errors in important company emails like this one they are not.
Also, most tech services like Apple rarely ask you to input your personal information in such a haphazard way, so make sure the request is legitimate. Always make sure an email address, a hyperlink, or anything you click on the internet is authenticated before inputting any personal information. Many of us rely on our online bank accounts on a daily basis. As such, the thought of being locked out is an unnerving prospect.
The people behind this next scam are well aware of this, and use it to their advantage, threatening to cut off access to Bank of America customers if they don't respond in time. It starts with a fairly convincing email that claims to come from Bank of America. Those who don't hold accounts with the bank are likely to spot something is off straight away, but it's easy to see how customers could be sucked in.
The email states that the bank requires some updated account information, and that if this isn't provided within two days, the account will be frozen. It's highly unusual for any bank to threaten to take away its service in this way. Follow the link, and you'll land on an almost convincing Bank of America page.
Visually, it looks like the real deal, but the garbled URL is a giveaway. While the front page mimics Bank of America's own, you'll find that none of the links go anywhere. Try and log into the site, however, and the scammers will have your vital username and password for your Bank of America account. As far as scams go, this is a classic case of phishing, where victims are fooled into entering their personal data on what they believe to be a genuine site.
This scam email purports to be from Bank of America, but scammers will imitate all sorts of popular banks when sending out phishing emails en masse. The safest practice is to never, ever click on an email claiming to be from your bank.