-
Fake FFIEC SPAM ...
FYI...
Fake FFIEC SPAM / live-satellite-view .net
- http://blog.dynamoo.com/2013/02/ffie...e-viewnet.html
7 Feb 2013 - "This spam attempts to load malware from live-satellite-view .net, but fails because at the moment the domain isn't registered. However, you can expect them to try again.. so watch out for emails like this.
From: FFIEC [mailto:complaints @ffiec .gov]
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715
This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
Occasion Number: 77715
Observed by
Federal Financial Institution Examination Council
Emily Gray
The attempted download is from [donotclick]live-satellite-view .net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page .net and ns2.http-page .net, and on investigation it turns out that all the following IPs and domains are related and should be treated as malicious:
..."
___
Ransomware Spam Pages on Github, Sourceforge, Others
- http://www.gfi.com/blog/ransomware-s...eforge-others/
Feb 7, 2013 - "There’s currently a large and determined effort to infect computers with Ransomware, courtesy of the Stamp EK exploit kit... The bait for most of these redirects to Ransomware appears to be a slice of US news reporters in various “fake” (ie nonexistent) nude pictures, along with a smattering of film actresses / singers – in other words, the usual shenanigans. Curiously, we’ve observed a lot of wrestlers / people involved in the wrestling industry listed on many of the spam pages too... There are pages and pages of ripped content sitting on various websites such as one located on a .ua domain... So far we have observed Weelsof and Reveton Ransomware being dropped. The below piece of Ransomware is demanding $300 to “Unlock your computer and avoid other legal consequences”. As with other similar forms of Ransomware, it accuses the user of accessing illegal pornography and makes no bones about the fact that they should be paying up “or else”... Unfortunately much of the same content can currently be found on both Github and Sourceforge, typically in the form of a Youtube page or a collection of sex pictures lifted from a real porn site. We’ve also seen air rifle stores, a rip of a Windows for Dummies site, Twitter pages and a whole lot more besides. A lot of these pages seem to be in the process of being taken down, but there’s still enough floating around out there to be a problem..."
(Screenshots available at the gfi URL above.)
___
Telepests... Robocalls ...
- http://blog.dynamoo.com/2013/02/20-3...-telepest.html
7 Feb 2013 - "For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident. There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f**k off and leave me alone. Good. I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead."
- https://www.bbb.org/blog/2013/01/con...ing-robocalls/
> http://www.ftc.gov/bcp/edu/microsites/robocalls/
___
Whitehole Exploit Kit in-the-wild...
- http://blog.trendmicro.com/trendlabs...t-kit-emerges/
Feb 6, 2013 - "... there is news of an emerging exploit kit dubbed Whitehole Exploit Kit. The name Whitehole Exploit Kit is just a randomly selected name to differentiate it from BHEK. While it uses similar code to the Blackhole Exploit Kit, BHEK in particular uses JavaScript to hide its usage of plugindetect.js, while Whitehole does not. It directly uses it without obfuscating this. We analysed the related samples, including the exploit malware cited in certain reports. The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system:
• CVE-2012-5076
• CVE-2011-3544
• CVE-2012-4681
• CVE-2012-1723
• CVE-2013-0422
Worth noting is CVE-2013-0422, which was involved in the zero-day incident that distributed REVETON variants and was used in toolkits like the Blackhole Exploit Kit and Cool exploit kit. Because of its serious security implication, Oracle immediately addressed this issue and released a software update, which was received with skepticism. The downloaded files are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW respectively. ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems. On the other hand, ransomware typically locks systems until users pay a sum of money via specific payment modes... Whitehole Exploit Kit is purportedly under development and runs in “test-release” mode. However, the people behind this kit are already peddling the kit and even command a fee ranging from USD 200 to USD 1800. Other notable features of this new toolkit include its ability to evade antimalware detections, to prevent Google Safe Browsing from blocking it, and to load a maximum of 20 files at once. Given Whitehole’s current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments..."
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Bank Wire Transfer Notification E-mail Messages - February 07, 2013
Fake Real Estate Offer E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Fake Debt Collection E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Malicious Attachment E-mail Messages - February 07, 2013
Fake Product Order Quotation Attachment E-mail Messages - February 07, 2013
(More detail and links available at the cisco URL above.)
:mad:
-
Something evil on 5.135.67.160/28 ...
FYI...
radarsky .biz and something evil on 5.135.67.160/28
- http://blog.dynamoo.com/2013/02/rada...g-evil-on.html
8 Feb 2013 - "There is currently an injection attack -redirecting- visitors to a domain radarsky .biz (for example) hosted on 5.135.67.173 (OVH*) and suballocated to:
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
org: ORG-OH6-RIPE
admin-c: OTC15-RIPE
tech-c: OTC15-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress."
* https://www.google.com/safebrowsing/...?site=AS:16276
"... over the past 90 days, 7580 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-08, and the last time suspicious content was found was on 2013-02-08... we found 518 site(s) on this network... that appeared to function as intermediaries for the infection of 3631 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1465 site(s)... that infected 7340 other site(s)..."
___
Fake ACH Batch Download Notification emails
- http://security.intuit.com/alert.php?a=71
2/8/13 - "People are receiving fake emails with the title "ACH Batch Download Notification". Below is a copy of the email people are receiving, including the mistakes shown.
Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Fri, 8 Feb 2013 21:38:16 +0600 Batch ID: 7718720 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.
This is the end of the fake email..."
___
Fake BBB SPAM / madcambodia .net
- http://blog.dynamoo.com/2013/02/bbb-...mbodianet.html
8 Feb 2013 - "This fake BBB spam leads to malware on madcambodia .net:
Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB details about your cliente's pretense ID 43C796S77
Better Business Bureau ©
Start With Trust ©
Thu, 7 Feb 2013
RE: Issue No. 43C796S77
[redacted]
The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
We awaits to your prompt response.
Best regards
Luis Davis
Dispute Advisor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is at [donotclick]madcambodia .net/detects/review_complain.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US) ..."
___
Fake ADP SPAM / 048575623_02082013 .zip
- http://blog.dynamoo.com/2013/02/adp-...082013zip.html
8 Feb 2013 - "This fake ADP spam comes with a malicious attachment:
Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From: "ops_invoice @adp .com" [ops_invoice @adp .com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
In this case there was a ZIP file called 048575623_02082013 .zip (this may vary) with an attachment 048575623_02082013 .exe designed to look like a PDF file. VirusTotal* identifies it as a Zbot variant. According to ThreatExpert**, the malware attempts to connect to the following hosts:
eyon-neos .eu
quest.social-neos .eu
social-neos .eu
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
* https://www.virustotal.com/file/d961...is/1360370000/
File name: 048575623_02082013.exe
Detection ratio: 17/45
Analysis date: 2013-02-09
** http://www.threatexpert.com/report.a...0342013e5d0ad0
:fear: :mad:
-
Fake Support Center / ADP SPAM
FYI...
Fake "Support Center" SPAM / phticker .com
- http://blog.dynamoo.com/2013/02/supp...tickercom.html
11 Feb 2013 - "Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker .com:
Date: Mon, 11 Feb 2013 06:13:52 -0700
From: "Brinda Wimberly" [noreply @mdsconsulting .be]
Subject: Support Center
Welcome to Help Support Center
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
See All tickets
Go To Profile
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with other fake pharma sites..."
___
Something evil on 46.163.79.209
- http://blog.dynamoo.com/2013/02/some...616379209.html
11 Feb 2013 - "The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.
...
The domains look like they might be legitimate ones that have been hijacked, nonetheless blocking them would be an excellent move."
___
Fake Citi Group SPAM
- http://www.hotforsecurity.com/blog/s...mers-5322.html
Feb 11, 2013 - "... it’s time Citi clients keep an eye open for e-mails that read “You have received a secure message” inviting them to read the message by opening the attachments securedoc .html...
> http://www.hotforsecurity.com/wp-con...-Customers.png
The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits. Untrained eyes could fall for this trick, since these e-mails are written in good English, with decent grammar and harmless-looking attachments. Of the countless ways of infecting a computer, spam delivering malware continues to pay off despite restless efforts of media and the security community. Infecting PCs via spam proves an efficient dissemination method, since users are still caught off-guard by malicious links or attachments such as this message addressed to Citi Group clients..."
___
Fake British Airways SPAM / epianokif .ru
- http://blog.dynamoo.com/2013/02/brit...ianokifru.html
11 Feb 2013 - "This fake British Airways spam leads to malware on epianokif .ru:
Date: Mon, 11 Feb 2013 11:30:39 +0330
From: JamesTieszen @[victimdomain .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-N234922XM .htm
e-ticket receipt
Booking reference: DZ87548418
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The malicious payload is at [donotclick]epianokif .ru:8080/forum/links/column.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___
Fake NACHA SPAM / albaperu .net
- http://blog.dynamoo.com/2013/02/nach...baperunet.html
11 Feb 2013 - "This fake NACHA spam leads to malware on albaperu .net:
Date: Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From: ACH Network [reproachedwp41 @direct.nacha .org]
Subject: ACH Transfer canceled
Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.
Transaction ID: 838907191379
Reason of Cancellation See detailed information in the despatch below
Transaction Detailed Report RP838907191379.doc (Microsoft Word Document)
13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600
2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]albaperu .net/detects/case_offices.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)..."
___
Something evil on 46.165.206.16
- http://blog.dynamoo.com/2013/02/some...616520616.html
11 Feb 2013 - "This is a little group of fake analytics sites containing malware (for example*), hosted on 46.165.206.16 (Leaseweb, Germany**). Sites listed in -red- have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.
..."
* http://urlquery.net/report.php?id=738388
Diagnostic page for AS16265 (LEASEWEB)
** https://www.google.com/safebrowsing/...?site=AS:16265
"... over the past 90 days, 3350 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-12, and the last time suspicious content was found was on 2013-02-12... we found 1006 site(s) on this network... that appeared to function as intermediaries for the infection of 3958 other site(s)... We found 1567 site(s)... that infected 6879 other site(s)..."
:fear::mad:
-
Fake IRS / Changelog SPAM
FYI...
Fake IRS SPAM / micropowerboating .net
- http://blog.dynamoo.com/2013/02/chan...maianemru.html
12 Feb 2013 - "This fake IRS spam leads to malware on micropowerboating .net:
Date: Tue, 12 Feb 2013 22:06:55 +0800
From: Internal Revenue Service [damonfq43 @taxes.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.
Please enter official website for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:00:35 +0100
From: Internal Revenue Service [zirconiumiag0 @irs .gov]
Subject: Income Tax Refund NOT ACCEPTED
Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.
Please browse official site for more information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From: Internal Revenue Service [idealizesmtz @informer.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.
Please enter official site for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is on [donotclick]micropowerboating .net/detects/pending_details.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following IPs and domains should be blocked:
..."
___
Fake Changelog SPAM / emaianem .ru
- http://blog.dynamoo.com/2013/02/chan...maianemru.html
12 Feb 2013 - "This changelog spam leads to malware on emaianem .ru:
Date: Tue, 12 Feb 2013 09:11:11 +0200
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changlog 10.2011
Good day,
changelog update - View
L. KIRKLAND
===
Date: Tue, 12 Feb 2013 05:14:54 -0600
From: LinkedIn [welcome @linkedin .com]
Subject: Fwd: Re: Changelog as promised(updated)
Good morning,
as prmised updated changelog - View
L. AGUILAR
The malicious payload is at [donotclick]emaianem .ru:8080/forum/links/column.php and is hosted on the same servers as found here*."
* http://blog.dynamoo.com/2013/02/efax...ipaindoru.html
46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)
___
Something evil on 192.81.129.219
- http://blog.dynamoo.com/2013/02/some...281129219.html
12 Feb 2013 - "It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example*). The IP is controlled by Linode in the US who have been a bit quiet recently... active domains that I can identify on this IP..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=986474
:fear: :mad:
-
Fake NACHA SPAM ...
FYI...
Fake NACHA SPAM / thedigidares .net
- http://blog.dynamoo.com/2013/02/nach...idaresnet.html
13 Feb 2013 - "This fake NACHA spam leads to malware on thedigidares .net:
Date: Wed, 13 Feb 2013 12:10:27 +0000
From: " NACHA" [limbon@direct .nacha .org]
Subject: Aborted transfer
Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.
Transaction ID: 648919687408
Cancellation Reason Review additional info in the statement below
Transaction Detailed Report Report_648919687408.xls (Microsoft/Open Office Word Document)
13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200
2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]thedigidares .net/detects/irritating-crashed-registers.php (report here*) hosted on:
134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)
The following IPs and domains are linked and should be blocked:
..."
* http://urlquery.net/report.php?id=993904
BlackHole v2.0 exploit kit
- http://blog.dynamoo.com/2013/02/nach...nakotprru.html
13 Feb 2013 - "More fake NACHA spam, this time leading to malware on eminakotpr .ru:
Date: Wed, 13 Feb 2013 05:24:26 +0530
From: "ACH Network" [risk-management@nacha.org]
Subject: Re: Fwd: ACH Transfer rejected
The ACH transaction, initiated from your checking acc., was canceled.
Canceled transfer:
Transfer ID: FE-65426265630US
Transaction Report: View
August BLUE
NACHA - The National Automated Clearing House Association
The malicious payload is at [donotclick]eminakotpr .ru:8080/forum/links/column.php hosted on:
46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)..."
___
Malware sites to block 13/2/13
- http://blog.dynamoo.com/2013/02/malw...ock-13213.html
13 Feb 2013 - "These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly is going on, but here is one example from [donotclick]merwiqca .ru/nothing.exe: URLquery, VirusTotal*, Comodo CAMAS, ThreatExpert**.
I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.."
(Long list [mostly *.ru] at the dynamoo URL above.)
* https://www.virustotal.com/file/a604...is/1360769367/
File name: khgkg01.exe
Detection ratio: 8/43
Analysis date: 2013-02-13
Behavioural information
TCP connections...
85.121.3.1:80
76.169.151.26:80
195.228.43.24:80
46.162.243.26:80
** http://www.threatexpert.com/report.a...988293dffbdc9a
192.5.5.241
___
- http://tools.cisco.com/security/cent...o=1&sortType=d
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 13, 2013
Fake Failed Package Delivery Notification E-mail Messages - February 13, 2013
Fake Message Receipt Notification E-mail Messages - February 13, 2013
Fake Western Union Money Transfer Transaction E-Mail Messages - February 13, 2013
Fake Payment Request E-mail Messages - February 13, 2013
Fake Voicemail Message Notification E-mail Messages - February 13, 2013
Fake Turkish Airline Ticket Booking Confirmation E-mail Messages - February 13, 2013
Fake Antiphishing Notification E-mail Messages - February 13, 2013
Fake Bank Transfer Confirmation Notification E-mail Messages - February 13, 2013
Fake Product Order Change Notification E-mail Messages - February 13, 2013
Fake Italian Policy Change Notification E-mail Messages - February 13, 2013
Fake United Parcel Service Shipment Error E-mail Messages - February 13, 2013
(Links and more info available at the cisco URL above.)
___
Fake Bank "Secure Email Notification" SPAM
- http://blog.dynamoo.com/2013/02/firs...ure-email.html
13 Feb 2013 - "It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:
Date: Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From: FF-inc Secure Notification [secure.notification @ff-inc .com]
Subject: First Foundation Bank Secure Email Notification - 94JIMEEQ
You have received a secure message
Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @res.ff-inc .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.
2000-2013 First Foundation Inc. All rights reserved.
Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file. VirusTotal detection rates* are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile @res.ff-inc .com just generates a failure message. Avoid."
* https://www.virustotal.com/file/71b8...is/1360795797/
File name: secure_mail_{_Case_DIG}.exe
Detection ratio: 15/45
Analysis date: 2013-02-13
:mad:
-
Something evil on 92.63.105.23
FYI...
Something evil on 92.63.105.23
- http://blog.dynamoo.com/2013/02/some...926310523.html
14 Feb 2013 - "Looks like a nasty infestation of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia*) - see an example of the nastiness here** (this link is safe to click!). The following domains are present on this address, although there are probably more..."
(Long list at the dynamoo URL above.)
** http://urlquery.net/report.php?id=995495
... Blackholev2 url structure detected
* https://www.google.com/safebrowsing/...?site=AS:29182
"... over the past 90 days, 606 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-14, and the last time suspicious content was found was on 2013-02-14... we found 182 site(s) on this network... that appeared to function as intermediaries for the infection of 652 other site(s)... We found 655 site(s)... that infected 4547 other site(s)..."
___
Top 10 Valentine’s Day Scams...
- http://www.hotforsecurity.com/blog/t...erts-5357.html
Feb 14, 2013 - "... advises users to stay away from fake limousine offers and online ‘heart experts’ who claim to heal troubled relationships. This type of scam spreads through spam and redirects users to phishing, fraud and malware-infected websites... The bait that tricks men these days includes fake chocolate offers, diamond-like rings, perfumes, personalized gifts, heart-shaped jewelry and replica watches... A fast spreading scam tricks victims to download Valentine’s Day wallpapers which redirect to fraudulent websites. Users are told they won an iPhone 5 and asked for personal details. In the name of Cupid, similar scams circulate on Facebook, too. Valentine’s Day games and Android apps downloaded from unofficial marketplaces such as free love calculators may install adware and malware. Britons should be especially careful with flower offers. Valentine’s Day is not only the busiest day of the year for UK florists, but also for fake ‘flower’ scammers..."
> http://www.hotforsecurity.com/wp-con...-experts-1.jpg
___
Malicious URL hits related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs...-URLs-2013.png
Malware detections related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs...tines-2013.png
___
Fake 'Facebook blocked' emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/14/f...s-and-malware/
14 Feb 2013 - "Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised campaign:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain names reconnaissance:
gonita .net – 222.238.109.66 – Email: lockwr @rocketmail .com
able-stock .net – 222.238.109.66
capeinn .net – 222.238.109.66; 198.144.191.50 – Email: softonlines @yahoo .com
Name servers used in the campaign:
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in... malicious campaigns...
Responding to 222.238.109.66 are... malicious/fraudulent domains...
Responding to 198.144.191.50 are... malicious domains...
We’ve already seen the same pseudo-random C&C communication characters (EGa+AAAAAA), as well as the same C&C server (173.201.177.77) in... previously profiled campaigns..."
(More detail at the webroot URL above.)
___
Fake HP ScanJet SPAM / eipuonam .ru
- http://blog.dynamoo.com/2013/02/hp-s...ipuonamru.html
14 Feb 2013 - "This fake printer spam leads to malware on eipuonam .ru:
Date: Thu, 14 Feb 2013 -02:00:50 -0800
From: "Xanga" [noreply@xanga.com]
Subject: Fwd: Scan from a HP ScanJet #72551
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-39329P.
SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam .ru:8080/forum/links/column.php (report here*) hosted on:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1000763
... Detected suspicious URL pattern
___
Fake "Copies of policies" SPAM / ewinhdutik .ru
- http://blog.dynamoo.com/2013/02/copi...nhdutikru.html
14 Feb 2013 - "This spam leads to malware on ewinhdutik .ru:
Date: Thu, 14 Feb 2013 07:16:28 -0500
From: "Korbin BERG" [ConnorAlmeida @telia .com]
Subject: RE: Korbin - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Korbin BERG,
===
Date: Thu, 14 Feb 2013 03:30:52 +0530
From: Tagged [Tagged @taggedmail .com]
Subject: RE: KESHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KESHIA LEVINE,
The malicious payload is at [donotclick]ewinhdutik .ru:8080/forum/links/column.php (report here*) hosted on the same IP addresses as this attack we saw earlier:
- http://blog.dynamoo.com/2013/02/hp-s...ipuonamru.html
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
* http://urlquery.net/report.php?id=1001864
... AS48716** Kazakhstan... suspicious URL pattern
** https://www.google.com/safebrowsing/...?site=AS:48716
___
Fake HP ScanJet SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/hp-s...272245146.html
14 Feb 2013 - "This fake printer spam leads to malware on 202.72.245.146:
Date: Thu, 14 Feb 2013 10:10:56 +0000
From: AntonioShapard @hotmail .com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-32347P.
SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
===
Date: Thu, 14 Feb 2013 06:07:00 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-775861P.
SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/column.php which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server..."
(Long list at the dynamoo URL above.)
___
Fake Intuit SPAM / epionkalom .ru
- http://blog.dynamoo.com/2013/02/intu...onkalomru.html
14 Feb 2013 - "This fake Intuit spam leads to malware on epionkalom .ru:
Date: Thu, 14 Feb 2013 09:05:48 -0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.
Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
amount to be seceded: 2246 USD
Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]epionkalom .ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___
Fake 'TurboTax State Return Rejected' SPAM
- http://security.intuit.com/alert.php?a=72
2/14/13 - "People are receiving fake emails with the title 'TurboTax State Return Rejected'. Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
> http://security.intuit.com/images/turbotaxstate.jpg
This is the end of the fake email..."
:mad::mad:
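Almost every item above lists its indicators defanged ("gonita .net", "[donotclick]eipuonam .ru:8080/forum/links/column.php", "hxxp ://..."), and the Blackhole landing pages share one URL shape (port 8080, /forum/links/column.php or public_version.php). The script below is an added example, not from any of the quoted blogs: it refangs indicators in that style into a host blocklist and runs a constructed proxy log against both the blocklist and the URL pattern, so a landing page on a host nobody has listed yet is still caught. The log lines and the host names in them are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of defanged indicators, in the style of the posts above
# (space before the TLD dot, "[donotclick]" prefix, "hxxp ://" scheme).
DEFANGED_INDICATORS = [
    "gonita .net",
    "able-stock .net",
    "222.238.109.66",
    "198.144.191.50",
    "[donotclick]eipuonam .ru:8080/forum/links/column.php",
    "[donotclick]ewinhdutik .ru:8080/forum/links/column.php",
    "[donotclick]202.72.245.146 :8080/forum/links/column.php",
    "hxxp ://0845 .com/fk7u",
]

# Constructed proxy log (squid-like: epoch, client, method, url, status).
# intranet.example.org is an invented host that appears on no blocklist.
PROXY_LOG = """\
1360850000.123 10.0.0.5 GET http://www.example.org/index.html 200
1360850001.456 10.0.0.7 GET http://eipuonam.ru:8080/forum/links/column.php 200
1360850002.789 10.0.0.9 GET http://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g 200
1360850003.000 10.0.0.5 GET http://intranet.example.org:8080/forum/links/column.php 200
1360850004.111 10.0.0.8 GET http://gonita.net/ 302
"""

# The landing-page shape common to the .ru / IP-hosted campaigns in this thread
BLACKHOLE_PATH_RE = re.compile(r":8080/forum/links/(?:column|public_version)\.php")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    s = indicator.replace("[donotclick]", "")
    s = re.sub(r"^hxxps?\s*://",
               lambda m: m.group(0).replace("hxxp", "http").replace(" ", ""), s)
    # "gonita .net" -> "gonita.net", "146 :8080" -> "146:8080", "245 /x" -> "245/x"
    return re.sub(r"\s+(?=[.:/])", "", s).strip()


def host_of(refanged: str) -> str:
    """Host part of a URL, host:port or bare host, lower-cased."""
    s = re.sub(r"^[a-z]+://", "", refanged)
    return s.split("/", 1)[0].split(":", 1)[0].lower()


def classify(refanged: str) -> str:
    """'url' if it carries a path, else 'ip' or 'domain'."""
    if "://" in refanged or "/" in refanged:
        return "url"
    try:
        ipaddress.ip_address(refanged.split(":", 1)[0])
        return "ip"
    except ValueError:
        return "domain"


def build_blocklist(indicators) -> set:
    """Hosts (domains and IPs) to block, derived from every indicator kind."""
    return {host_of(refang(i)) for i in indicators}


def scan_proxy_log(log_text: str, blocklist: set) -> list:
    """Return (client, url, reason) for each line that hits the blocklist or
    the Blackhole URL pattern; the pattern also fires on unlisted hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        reasons = []
        if host_of(url) in blocklist:
            reasons.append("host on blocklist")
        if BLACKHOLE_PATH_RE.search(url):
            reasons.append("Blackhole landing-page URL pattern")
        if reasons:
            hits.append((client, url, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_INDICATORS)
    for hit in scan_proxy_log(PROXY_LOG, bl):
        print(hit)
```

The fourth log line is the point of the pattern check: its host is not on any list, yet the URL shape alone is enough to flag it for a look.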
-
Fake IRS emails lead to BlackHole Exploit Kit
FYI...
Fake IRS emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/15/s...e-exploit-kit/
Feb 15, 2013 - "It's tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
micropowerboating .net – 175.121.229.209; 198.144.191.50 – Email: dooronemars @aol .com
Name Server: NS1.POOPHANAM .NET – 31.170.106.17
Name Server: NS2.POOPHANAM .NET – 65.135.199.21
The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign’s infrastructure...
Although the initial client-side exploits serving domain used in the campaign (micropowerboating .net) was down when we attempted to reproduce its malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209), namely, madcambodia .net.
Detection rate for the dropped malware:
madcambodia .net – 175.121.229.209 – MD5: * ... Trojan-Spy.Win32.Zbot.ivkf.
Once executed, the sample also phones back to the following C&C (command and control) servers: 94.68.61.135 :14511, 99.76.3.38 :11350
We also got another MD5 phoning back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/d...9a70/analysis/
File name: 2da28ae0df7a90ce89c7c43878927a9f
Detection ratio: 23/45
Analysis date: 2013-02-10 05
___
Malware sites to block 15/2/13
- http://blog.dynamoo.com/2013/02/malw...ock-15313.html
15 Feb 2013 - "A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US**) which may be a C&C server. Interested parties might want to poke at the server a bit.. As a bonus, these are the IPs* that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more..."
* http://www.dynamoo.com/files/botnet-feb-13.txt
** https://www.google.com/safebrowsing/...?site=AS:46664
___
Fake IRS SPAM / azsocseclawyer .net
- http://blog.dynamoo.com/2013/02/cum-...lawyernet.html
15 Feb 2013 - "This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer .net:
Date: Fri, 15 Feb 2013 09:47:25 -0500
From: Internal Revenue Service [ahabfya196 @etax.irs .gov]
Subject: pecuniary penalty for delay of tax return filling
Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.
Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.
You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.
Please visit official website for more information
Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is at [donotclick]azsocseclawyer .net/detects/necessary_documenting_broadcasts-sensitive.php (report here*) hosted on:
77.241.192.47 (VPSNET, Lithuania)
175.121.229.209 (Hanaro Telecom, Korea)..."
* http://urlquery.net/report.php?id=1009373
... BlackHole v2.0 exploit kit
___
Fake Wire transfer SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/wire...272245146.html
15 Feb 2013 - "This fake wire transfer spam leads to malware on 202.72.245.146:
Date: Fri, 15 Feb 2013 07:24:40 -0500
From: Tasha Rosenthal via LinkedIn [member @linkedin .com]
Subject: RE: Wire transfer cancelled
Good day,
Wire Transfer was canceled by the other bank.
Canceled transaction:
FED NR: 94813904RE5666838
Transfer Report: View
The Federal Reserve Wire Network
The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.
Update: there is also a "Scan from a HP ScanJet #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146 :8080/forum/links/column.php..."
:mad::fear::fear:
-
Facebook Wall posts malware propagations ...
FYI...
Facebook Wall posts malware propagations ...
- http://blog.webroot.com/2013/02/18/m...ok-wall-posts/
Feb 18, 2013 - "We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software...
Sample screenshot of the propagation in action:
> https://webrootblog.files.wordpress....ware_links.png
Sample spamvertised URL appearing on Facebook users’ Walls:
hxxp ://0845 .com/fk7u
Sample redirection chain:
hxxp ://0845 .com/fk7u -> hxxp ://connectiveinnovations .com/mandolin.html?excavator=kmlumm -> hxxp ://91.218.38.245 /imagedl11.php
Sample detection rates for the malicious executables participating in the campaign:
hxxp ://91.218.38.245 /imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4 * ... Backdoor:Win32/Tofsee.F ...
Responding to this IP (91.218.38.245, AS197145 Infium Ltd.) are also... malicious/fraudulent domains...
More MD5s are known to have phoned back to 91.218.38.245:
MD5: 20057f1155515dd3a37afde0b459b2cf
MD5: 665419c0e458883122a790f260115ada
MD5: 1ea373c41eabd0ad3787039dd0927525
MD5: f3472ec713d3ab2e255091194e4dccaa
MD5: 4d54a2c022dad057f8e44701d52fec6b
MD5: 6807409c44a4a9c83ce67abc3d5fe982
As well as related MD5s phoning back to 185.4.227.76:
MD5: 6b1e671746373a5d95e55d17edec5623
MD5: 377c2e63ff3fd6f5fdd93ff27c8216fe
MD5: 2D4C5B95321C5A9051874CEE9C9E9CDC
MD5: 3f9df3fd39778b1a856dedebf8f39654
MD5: 82e2672c2ca1b3200d234c6c419fc83a
MD5: 796967255c8b99640d281e89e3ffe673
MD5: bc1883b07b47423bd30645e54db4775c
MD5: e6f081d2c5a3608fad9b2294f1cb6762
What’s special about the second C&C phone back IP (185.4.227.76) is that it was used in another Facebook themed malware campaign back in December, 2012, indicating that this cybercriminal/group of cybercriminals are actively impersonating Facebook Inc. for malicious and fraudulent purposes..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/c...5947/analysis/
File name: Dionis
Detection ratio: 31/45
Analysis date: 2013-02-15
AS197145 Infium
- https://www.google.com/safebrowsing/...site=AS:197145
:mad::fear:
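The webroot write-up above gives a three-hop redirection chain (shortener, compromised site, bare-IP dropper) and a long list of MD5s, one of them in upper case. As an added example (not from webroot), the script below parses a chain written in that defanged style, flags the hop served from a bare IP and the final payload URL, and normalises the hash list so that the upper-case entry and its lower-case twin are counted once before matching against hashes a scanner reported. The observed hashes and the malformed list entry are constructed.

```python
import re

# Constructed sample in the format of the excerpt above: a "->" redirection
# chain with defanged "hxxp ://" URLs, and a reported-MD5 list that contains
# one upper-case entry, a case-only duplicate and a malformed line.
REDIRECT_CHAIN = ("hxxp ://0845 .com/fk7u -> "
                  "hxxp ://connectiveinnovations .com/mandolin.html?excavator=kmlumm -> "
                  "hxxp ://91.218.38.245 /imagedl11.php")

REPORTED_MD5S = [
    "MD5: 1ad434025cd1fb681597db80447290e4",
    "MD5: 2D4C5B95321C5A9051874CEE9C9E9CDC",
    "MD5: 6b1e671746373a5d95e55d17edec5623",
    "MD5: 2d4c5b95321c5a9051874cee9c9e9cdc",  # same hash, lower case
    "MD5: not-a-hash",                         # constructed malformed entry
]

# Constructed: hashes as an endpoint scanner might report them
OBSERVED_HASHES = [
    "2d4c5b95321c5a9051874cee9c9e9cdc",   # matches once case is normalised
    "ffffffffffffffffffffffffffffffff",   # no match
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(url: str) -> str:
    """Undo the 'hxxp ://host .tld' defanging used in the write-up."""
    s = re.sub(r"^hxxp", "http", url.strip())
    return re.sub(r"\s+(?=[.:/])", "", s)


def parse_chain(chain: str) -> list:
    """Split 'a -> b -> c' into hops of (url, host, host_is_bare_ip)."""
    hops = []
    for raw in chain.split("->"):
        url = refang(raw)
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0]
        hops.append((url, host, bool(IPV4_RE.match(host))))
    return hops


def chain_findings(chain: str) -> list:
    """(hop_index, host, note) for bare-IP hops and for the final payload hop."""
    hops = parse_chain(chain)
    notes = [(i, host, "hop served from a bare IP; no domain to reputation-check")
             for i, (_, host, bare_ip) in enumerate(hops) if bare_ip]
    notes.append((len(hops) - 1, hops[-1][1], "final hop: payload URL to block"))
    return notes


def normalize_md5s(entries) -> tuple:
    """Return (set of valid lower-case hashes, rejected raw entries).
    Lower-casing makes 'ABC…' and 'abc…' one indicator, not two."""
    valid, rejected = set(), []
    for entry in entries:
        h = entry.split(":", 1)[-1].strip().lower()
        (valid.add(h) if MD5_RE.match(h) else rejected.append(entry))
    return valid, rejected


def match_hashes(observed, known: set) -> list:
    """Observed hashes that are on the known-bad set (case-insensitive)."""
    return [h for h in observed if h.strip().lower() in known]


if __name__ == "__main__":
    for note in chain_findings(REDIRECT_CHAIN):
        print(note)
    known, bad = normalize_md5s(REPORTED_MD5S)
    print(len(known), "unique hashes; rejected:", bad)
    print("matches:", match_hashes(OBSERVED_HASHES, known))
```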
-
Fake Wire Transfer emails serve client-side exploits and malware
FYI...
Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/19/m...s-and-malware/
Feb 19, 2013 - "... a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes... they all share the same malicious infrastructure. Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
Sample spamvertised compromised URLs:
hxxp://2555.ruksadindan .com/page-329.htm
hxxp://www.athenassoftware .com.br/page-329.htm
hxxp://www.sweetgarden .ca/page-329.htm
hxxp://lab.monohrom .uz/page-329.htm
hxxp://easy2winpoker .com/page-329.htm
hxxp://ideashtor .ru/page-329.htm
Sample client-side exploits serving URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php
... malicious domains also respond to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days...
(Long list available at the webroot URL above.)...
Sample malicious payload dropping URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 * ... Trojan.Win32.Yakes.cdxy.
Once executed, the sample creates... Registry Keys... And modifies them..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/b...d48d/analysis/
File name: contacts.exe
Detection ratio: 33/46
Analysis date: 2013-02-18
___
Something evil on 67.208.74.71
- http://blog.dynamoo.com/2013/02/some...672087471.html
19 Feb 2013 - "67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS services. Some of these sites have recently moved from the server mentioned here*.
Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain...
You can find a copy of the domains, IPs, WOT ratings and Google prognosis here** [csv].
These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics...
These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious...
These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present...
These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect..."
(More detail available at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/02/some...926310523.html
** http://www.dynamoo.com/files/67-208-74-71.csv
- https://www.google.com/safebrowsing/...?site=AS:33597
___
Fake UPS SPAM / emmmhhh .ru
- http://blog.dynamoo.com/2013/02/ups-spam-emmmhhhru.html
19 Feb 2013 - "The spammers sending this stuff out always confuse UPS with USPS, this one is no exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462
You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account
Welcome to UPS Team
Hi, [redacted].
DEAR CUSTOMER , We were not able to delivery the post package
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With best regards , UPS Customer Services.
Copyright 2011 United Parcel Service of America, Inc. Your USPS ...us
There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh .ru:8080/forum/links/column.php hosted on:
50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)
The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208..."
___
Something evil on 74.208.148.35
- http://blog.dynamoo.com/2013/02/some...420814835.html
19 Feb 2013 - "Spotted by the good folks at GFI Labs here*, here** and here*** are several Canadian domains on the same server, 74.208.148.35 (1&1, US):
justcateringfoodservices .com
dontgetcaught .ca
blog.ritual .ca
lumberlandnorth .com
Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns..."
* http://gfisoftware.tumblr.com/post/4...l-invoice-spam
** http://gfisoftware.tumblr.com/post/4...complaint-spam
*** http://gfisoftware.tumblr.com/post/4...-transfer-spam
___
Fake pharma SPAM - Cyberbunker / 84.22.104.123
- http://blog.dynamoo.com/2013/02/cybe...422104123.html
19 Feb 2013 - "Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:
Date: Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From: Apple [noreply @bellona.wg.saar .de]
To: [redacted]
Subject: Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.
The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets .ru hosted on 84.22.104.123 along with... spammy sites... Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.
(More detail at the dynamoo URL above.)
* https://www.google.com/safebrowsing/...?site=AS:34109
:fear::mad:
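Two of the dynamoo items above make a blocking decision that needs some care: on the 67.208.74.71 parking IP, most sites are legitimate, so the advice is to block the Dynamic DNS parent domain rather than the IP; for Cyberbunker the advice is the opposite, block the whole 84.22.96.0/19 range. The script below is an added example, not dynamoo's: it collapses malicious hostnames into parent-domain suffix rules only where several bad names share a parent and no known-legitimate name does, keeps the rest as exact rules, checks the rules for collateral damage, and tests an address against CIDR rules. All the hostnames are invented; the /19 is the one quoted in the post.

```python
import ipaddress
from collections import Counter

# Constructed sample: malicious names seen on one shared parking IP. The
# "dyn-example.net" names stand in for a dynamic-DNS provider's sub-names.
MALICIOUS_FQDNS = [
    "update1.dyn-example.net",
    "cdn-files.dyn-example.net",
    "login-check.dyn-example.net",
    "evil.another-dyndns.org",
    "store.legit-shop.example",
]

# Constructed: names on the same IP believed legitimate; they must keep
# resolving after the rules are applied.
LEGITIMATE_FQDNS = [
    "www.legit-shop.example",
    "mail.example.com",
]

# Range the post above suggests blocking wholesale
BLOCKED_CIDRS = ["84.22.96.0/19"]


def parent_domain(fqdn: str, levels: int = 2) -> str:
    """Last `levels` labels. Adequate for .net/.org; names under .co.za or
    .com.br need a public-suffix list, otherwise the rule is far too wide."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-levels:])


def aggregate_blocklist(malicious, legitimate, min_hosts: int = 2) -> tuple:
    """Return (suffix_rules, exact_rules). A parent becomes a suffix rule when
    at least `min_hosts` malicious names share it and no legitimate name does."""
    by_parent = Counter(parent_domain(f) for f in malicious)
    legit_parents = {parent_domain(f) for f in legitimate}
    suffix_rules, exact_rules = set(), set()
    for fqdn in malicious:
        parent = parent_domain(fqdn)
        if by_parent[parent] >= min_hosts and parent not in legit_parents:
            suffix_rules.add(parent)
        else:
            exact_rules.add(fqdn.lower())
    return sorted(suffix_rules), sorted(exact_rules)


def is_blocked(fqdn: str, suffix_rules, exact_rules) -> bool:
    """Exact hit, or the name sits at or under a suffix rule."""
    f = fqdn.lower().strip(".")
    return f in exact_rules or any(f == s or f.endswith("." + s) for s in suffix_rules)


def collateral_check(legitimate, suffix_rules, exact_rules) -> list:
    """Legitimate names the rules would wrongly block; should come back empty."""
    return [f for f in legitimate if is_blocked(f, suffix_rules, exact_rules)]


def blocked_by_ranges(ip: str, cidrs) -> list:
    """CIDR rules covering this address (empty list means not covered)."""
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c, strict=False)]


if __name__ == "__main__":
    suffixes, exacts = aggregate_blocklist(MALICIOUS_FQDNS, LEGITIMATE_FQDNS)
    print("suffix rules:", suffixes)
    print("exact rules:", exacts)
    print("collateral:", collateral_check(LEGITIMATE_FQDNS, suffixes, exacts))
    print("84.22.104.123 covered by:", blocked_by_ranges("84.22.104.123", BLOCKED_CIDRS))
```

A name under the aggregated parent that was never seen ("brand-new.dyn-example.net") is blocked by the suffix rule, which is the whole point of targeting the parent; the shop under a shared parent stays on an exact rule so its www host keeps working.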
-
Fake USPS SPAM with malware attachment...
FYI...
Fake USPS SPAM / USPS delivery failure report.zip
- http://blog.dynamoo.com/2013/02/usps...y-failure.html
20 Feb 2013 - "This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.
Date: Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From: USPS client manager Michael Brewer [reports @usps .com]
Subject: USPS delivery failure report
USPS notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.
The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.
The VirusTotal detections for this are patchy and fairly generic*. Automated analysis tools are pretty inconclusive** when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start."
* https://www.virustotal.com/en/file/6...is/1361351470/
File name: USPS report id 943577924988734.exe
Detection ratio: 27/46
Analysis date: 2013-02-20
** http://camas.comodo.com/cgi-bin/subm...ac5b32d8e28682
___
Something evil on 62.212.130.115
- http://blog.dynamoo.com/2013/02/some...212130115.html
20 Feb 2013 - "Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.
Firstly, there are the evil subdomains that have a format like 104648746540365e.familyholidayaccommodation .co.za - these are mostly hijacked .co.za and .cl domains. The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP)...
The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report*) and can be assumed to be malicious, and are hosted on 62.212.130.115...
The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too..."
(More detail at the dynamoo URL above.)
* http://pastebin.com/FNjkdB34
___
famagatra .ru injection attack in progress
- http://blog.dynamoo.com/2013/02/fama...-progress.html
20 Feb 2013 - "There seems to be an injection attack in progress, leading visitors to a hacked website to a malicious page on the server famagatra .ru.
The payload is at [donotclick]famagatra .ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here*) which is basically a nasty dose of Blackhole.
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
The following domains and IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1050803
... Blackholev2 redirection successful
___
Fake Wire transfer SPAM / fulinaohps .ru
- http://blog.dynamoo.com/2013/02/wire...inaohpsru.html
20 Feb 2013 - "This fake wire transfer spam leads to malware on fulinaohps .ru:
Date: Wed, 20 Feb 2013 04:28:14 +0600
From: accounting@[victimdomain]
Subject: Fwd: ACH and Wire transfers disabled.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
The malicious payload is at [donotclick]fulinaohps .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
These are the same IPs as used in this attack**, you should block them if you can."
* http://urlquery.net/report.php?id=1051770
... suspicious URL pattern... obfuscated URL
** http://blog.dynamoo.com/2013/02/fama...-progress.html
___
Fake SendSecure Support SPAM / secure_message... .zip
- http://blog.dynamoo.com/2013/02/send...port-spam.html
20 Feb 2013 - "This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:
Date: Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From: SendSecure Support [SendSecure.Support @bankofamerica .com]
Subject: You have received a secure message from Bank Of America
You have received a secure message.
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https ://securemail.bankofamerica .com/websafe/help?topic=Envelope
The zip file secure_message_02202013_01590106757637303 .zip unzips into secure_message_02202013_01590106757637303 .exe with a VirusTotal detection**... According to ThreatExpert***, the malware installs a keylogger and also tries to phone home to:
blog.ritual .ca
dontgetcaught .ca
These sites are hosted on 74.208.148.35 which I posted about yesterday*. Blocking access to this IP might mitigate against this particular threat somewhat."
* http://blog.dynamoo.com/2013/02/some...420814835.html
** https://www.virustotal.com/en/file/3...is/1361376818/
File name: secure_message_02202013_{DIGIT[17]}.exe
Detection ratio: 6/46
Analysis date: 2013-02-20
*** http://www.threatexpert.com/report.a...27e6479a4dffd3
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Airline Ticket Credit Card Processing E-mail Messages - February 20, 2013
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 20, 2013
Fake Tax Document Notification E-mail Messages - February 20, 2013
Fake Rejected Tax Form Notification E-mail Messages - February 20, 2013
Fake Bank Deposit Notification E-mail Messages - February 20, 2013
Fake Package Delivery Failure E-mail Messages - February 20, 2013
Fake Product Order E-mail Messages - February 20, 2013
(More info and links available at the cisco URL above.)
:fear::mad:
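The USPS item above describes an attachment that is double-zipped, presumably so that a scanner which only opens the first layer never sees the .exe inside. The script below is an added example, not dynamoo's: it builds a constructed attachment with that same shape in memory (outer .zip, inner .zip, a 64-byte stub with the PE "MZ" signature standing in for the executable), then walks every nesting level with a depth bound and a size cap, flags executable extensions and MZ headers regardless of extension, and returns a block/allow verdict. Member names are invented; nothing here is the real sample.

```python
import io
import os
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # do not inflate anything larger (zip-bomb guard)
MAX_DEPTH = 5                         # stop recursing into absurdly nested archives


def build_sample_attachment() -> bytes:
    """Constructed double-zipped attachment: outer .zip -> inner .zip -> .exe.
    The 'executable' is a stub starting with 'MZ', not a real program."""
    stub = b"MZ" + b"\x00" * 62
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("report id 000000000000000.exe", stub)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("report id 000000000000000.zip", inner.getvalue())
        z.writestr("readme.txt", b"constructed benign text")
    return outer.getvalue()


def triage_archive(data: bytes, depth: int = 0, path: str = "") -> list:
    """Walk a ZIP and every ZIP nested inside it; return (member_path, reason)."""
    if depth > MAX_DEPTH:
        return [(path, "nesting deeper than %d levels" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "claims to be ZIP but does not parse")]
    findings = []
    for info in zf.infolist():
        member = f"{path}/{info.filename}" if path else info.filename
        if info.is_dir():
            continue
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append((member, "member too large to inflate safely"))
            continue
        content = zf.read(info)
        if zipfile.is_zipfile(io.BytesIO(content)):
            # Recurse: the interesting file is one layer further down.
            findings.append((member, "nested archive"))
            findings.extend(triage_archive(content, depth + 1, member))
            continue
        if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
            findings.append((member, "executable extension"))
        if content[:2] == b"MZ":
            findings.append((member, "PE header (MZ), whatever the extension"))
    return findings


BLOCK_REASONS = ("executable extension", "PE header (MZ)", "member too large",
                 "nesting deeper", "claims to be ZIP")


def verdict(findings: list) -> str:
    """'block' if any finding at any depth is a blocking reason, else 'allow'."""
    return "block" if any(r.startswith(BLOCK_REASONS) for _, r in findings) else "allow"


if __name__ == "__main__":
    found = triage_archive(build_sample_attachment())
    for f in found:
        print(f)
    print("verdict:", verdict(found))
```

The "nested archive" finding on its own is informational; the verdict turns on what the recursion finds underneath it, which here is an .exe that also carries the MZ header.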
-
Fake ADP/Verizon SPAM ...
FYI...
Fake ADP SPAM / faneroomk .ru
- http://blog.dynamoo.com/2013/02/adp-...neroomkru.html
21 Feb 2013 - "This fake ADP spam tries (and fails) to lead to malware on faneroomk .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 001737199
Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 890911798
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is meant to be [donotclick]faneroomk .ru:8080/forum/links/column.php but right at the moment it is not resolving... The following IPs and domains are all related:
41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53 ..."
(More detail at the dynamoo URL above.)
___
Fake Verizon Wireless SPAM / participamoz .com
- http://blog.dynamoo.com/2013/02/veri...ipamozcom.html
20 Feb 2013 - "This fake Verizon Wireless spam leads to malware on participamoz .com:
Date: Wed, 20 Feb 2013 23:24:49 +0400
From: "AccountNotify @verizonwireless .com" [cupcakenc0 @irs .gov]
Subject: Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.
> Review and Pay Your Bill
Thank you for choosing Verizon Wireless.
My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information
If you are not the intended recipient and feel you have received this email in error; or if you would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]participamoz .com/detects/holds_edge.php hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)
The following IPs and domains are connected and should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile .com
aftandilosmacerati .com
pardontemabelos .com
participamoz .com ..."
___
Fake Verizon emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/21/f...e-exploit-kit/
Feb 21, 2013 - "On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails... one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
participamoz .com – 173.251.62.46; 161.200.156.200 – Email: dort.dort @live .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com
... Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f * ... UDS:DangerousObject.Multi.Generic.
It then attempts to phone back to the following IPs:
110.143.183.104, 24.120.165.58, 110.143.183.104, 75.80.49.248, 71.42.56.253, 94.65.0.48,
98.16.107.213, 190.198.30.168, 76.193.173.205, 71.43.217.3, 66.229.110.89, 101.162.73.132,
94.68.49.208, 64.219.121.189, 99.122.152.158, 80.252.59.142, 108.211.64.46, 69.39.74.6,
91.99.146.167, 187.131.70.221, 76.202.211.184, 168.93.99.82, 122.60.136.168, 213.105.24.171,
122.60.136.168, 84.72.243.231, 79.56.80.211 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/8...3dd9/analysis/
File name: info.exe
Detection ratio: 25/46
Analysis date: 2013-02-21
___
Fake "Efax Corporate" SPAM / fuigadosi .ru
- http://blog.dynamoo.com/2013/02/efax...igadosiru.html
21 Feb 2013 - "This fake eFax spam leads to malware on fuigadosi .ru:
Date: Thu, 21 Feb 2013 -05:24:35 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Efax Corporate
Attachments: EFAX_Corporate.htm
Fax Message [Caller-ID: 705646877]
You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.
* The reference number for this fax is [eFAX-806896385].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]fuigadosi .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)..."
* http://urlquery.net/report.php?id=1060334
___
Fake Trustwave TrustKeeper emails - Phish ...
- http://blog.spiderlabs.com/2013/02/-...ing-alert.html
21 Feb 2013 - "Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails pretending to be from Trustwave. These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them. These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network. Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems. Below is a screenshot of a fake email:
> http://npercoco.typepad.com/.a/6a013...1337399970c-pi ..."
___
Fake inTuit emails - overdue payment
- http://security.intuit.com/alert.php?a=73
2/21/13 - "People are receiving fake emails with the title "Please respond - overdue payment." Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file:
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles
This is the end of the fake email.
Steps to Take Now: Do -not- open the attachment in the email..."
___
Fake "Xerox WorkCentre Pro" SPAM / familanar .ru
- http://blog.dynamoo.com/2013/02/scan...-pro-spam.html
21 Feb 2013 - "This familiar printer spam leads to malware on the familanar .ru domain:
Date: Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Re: Scan from a Xerox WorkCentre Pro #800304
A Document was sent to you using a XEROX WorkJet PRO 760820.
SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]familanar .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)
Which are the same IPs found in this attack** and several others. Block 'em if you can."
* http://www.urlquery.net/report.php?id=1064138
** http://blog.dynamoo.com/2013/02/efax...igadosiru.html
___
Fake ACH transaction SPAM / payment receipt - 884993762994.zip
- http://blog.dynamoo.com/2013/02/ach-...tion-spam.html
21 Feb 2013 - "This fake ACH transaction spam comes with a malicious attachment:
Date: Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From: Payment notification system [homebodiesga38@gmail.com]
Subject: Automatic transfer notification
ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.
This is an automatically generated email, please do not reply
Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46... Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it.."
:fear::mad:
-
Fake Invoice / D.P. Svc SPAM ...
FYI...
Fake Invoice SPAM - "End of Aug. Stat" forummersedec .ru
- http://blog.dynamoo.com/2013/02/end-...ersedecru.html
22 Feb 2013 - "This fake invoice email leads to malware on forummersedec .ru:
Date: Fri, 22 Feb 2013 11:33:38 +0530
From: AlissonNistler@ [victimdomain]
Subject: Re: FW: End of Aug. Stat.
Attachments: Invoices-1207-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards
The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec .ru:8080/forum/links/column.php (report here*) hosted on
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219...
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1069702
___
Fake "Data Processing" SPAM / dekolink .net
- http://blog.dynamoo.com/2013/02/data...kolinknet.html
22 Feb 2013 - "This fake "Data Processing" spam leads to malware on dekolink .net:
Date: Fri, 22 Feb 2013 08:06:43 -0500
From: "Data Processing Service" [customersupport @dataprocessingservice .com]
Subject: ACH file ID '768.579
Files Processing Service
SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:
Item count: 79
Total debits: $28,544.53
Total credits: $28,544.53
For more info click here
The malicious payload is at [donotclick]dekolink .net/detects/when-weird-contrast.php (report here*) hosted on the following servers:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine).."
* http://urlquery.net/report.php?id=1062564
... BlackHole v2.0 exploit kit
___
Fake LinkedIn SPAM / greatfallsma .com
- http://blog.dynamoo.com/2013/02/link...allsmacom.html
22 Feb 2013 - "This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma .com:
From: LinkedIn [mailto:papersv@ informer.linkedin .com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending
See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063
> Another example:
Date: Fri, 22 Feb 2013 18:21:25 +0200
From: "LinkedIn" [noblest00@ info.linkedin .com]
Subject: Reminder about link requests pending
[redacted]
See who requested link with you on LinkedIn
Now it's easy to connect with people you email
Continue
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043
The malicious payload is at [donotclick]greatfallsma .com/detects/impossible_appearing_timing.php (report here*) hosted on:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)
These are the same two servers used in this attack; blocking them would probably be a good idea."
* http://urlquery.net/report.php?id=1071027
... Blackhole 2 Landing Page
:fear::mad:
-
Fake ACH emails serve client-side exploits and malware
FYI...
Fake ACH emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/25/m...s-and-malware/
Feb 25, 2013 - "... yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ervice_ach.png
... Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 * ... Trojan-Spy.Win32.Zbot.jfpy.
... It then attempts to connect to the following IPs:
24.120.165.58, 66.117.77.134, 64.219.121.189, 66.117.77.134, 75.47.231.138, 108.211.64.46,
91.99.146.167, 108.211.64.46, 71.43.217.3, 81.136.230.235, 101.162.73.132, 99.76.3.38,
85.29.177.249, 24.126.54.116, 108.130.34.42, 99.116.134.54, 80.252.59.142
Malicious domain name reconnaissance:
dekolink .net – 50.7.251.59; 176.120.38.238 – Email: wondermitch @hotmail .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com ..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/1...ca62/analysis/
File name: info.exe
Detection ratio: 27/45
Analysis date: 2013-02-25
___
Trustwave Trustkeeper Phish
- https://isc.sans.edu/diary.html?storyid=15271
Last Updated: 2013-02-25 17:41:36 UTC - ... the giveaway that this is a fake is the from e-mail address as well as the link leading to a different site than advertised. Click on the image for a full size example.
> https://isc.sans.edu/diaryimages/ima...twavephish.png
[Update:] An analysis of this phish by Trustwave's own Spiderlabs can be found here:
- http://blog.spiderlabs.com/2013/02/m...per-phish.html
- http://blog.dynamoo.com/2013/02/trus...ties-scan.html
25 Feb 2013 - "... this "TrustKeeper Vulnerabilities Scan Information" -spam- leads to an exploit kit on saberdelvino .net...
> https://lh3.ggpht.com/-Gyic2-WNNZE/U.../trustwave.png
... The malicious payload is at [donotclick]saberdelvino .net/detects/random-ship-members-daily.php (report here*) hosted on the following IPs:
118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)..."
* http://www.urlquery.net/report.php?id=1120754
... Blackhole 2
:fear::mad:
-
Fake Facebook/Intuit SPAM ...
FYI...
Fake Facebook SPAM / lazaro-sosa .com
- http://blog.dynamoo.com/2013/02/face...o-sosacom.html
26 Feb 2013 - "This fake Facebook spam leads to malware on lazaro-sosa .com:
Date: Tue, 26 Feb 2013 14:26:20 +0200
From: "Facebook" [twiddlingv29@informer.facebook.com]
Subject: Brian Parker commented your photo.
facebook
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307
The malicious payload is at [donotclick]lazaro-sosa .com/detects/queue-breaks-many_suffering.php (report here*) hosted on:
118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)
Blocking these IPs is probably prudent."
* http://www.urlquery.net/report.php?id=1135254
... Blackhole
___
Fake Intuit SPAM / forumligandaz .ru
- http://blog.dynamoo.com/2013/02/intu...igandazru.html
26 Feb 2013 - "This fake Intuit spam leads to malware on forumligandaz .ru:
Date: Tue, 26 Feb 2013 01:27:09 +0330
From: "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.
Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
amount to be seceded: 3373 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]forumligandaz .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)
:mad::fear:
-
Fake US Airways SPAM...
FYI...
Fake US Airways SPAM / berrybots .net
- http://blog.dynamoo.com/2013/02/us-a...rybotsnet.html
27 Feb 2013 - "... fake US Airways spam leads to malware on berrybots .net:
Date: Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From: bursarp1 @email-usairways .com
Subject: Your US Airways trip...
> http://images.usairways.com/newEmail..._630px_yrs.gif
Confirmation code: B339AO
Date issued: Tuesday, February 26, 2013
Barcode
[redacted]
Scan at any US Airways kiosk to check in
Passenger summary
Passenger name
Frequent flyer # (Airline)
Ticket number
Special needs
Angel Morris 40614552582 (US) 22401837506661
Robert White 12938253579871
Fly details Download to Outlook
Depart: Philadelphia, PA (PHL) Chicago, IL (O'Hare) (ORD)...
(More detail at the dynamoo URL above.)
Picture version (click to enlarge):
> http://blog.dynamoo.com/2013/02/us-a...rybotsnet.html
The malicious payload is at [donotclick]berrybots .net/detects/circulation-comparatively.php (report here*) hosted on:
118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)
Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78
greatfallsma .com
lazaro-sosa .com
yoga-thegame .net
dekolink .net
saberdelvino .net
berrybots .net ..."
* http://www.urlquery.net/report.php?id=1168427
... Blackhole Java applet with obfuscated URL
... 147.91.83.31 Blackhole 2 Landing Page
___
Fake Invoice-themed SPAM / forumusaaa .ru
- http://blog.dynamoo.com/2013/02/end-...umusaaaru.html
27 Feb 2013 - "This invoice-themed spam leads to malware on forumusaaa .ru:
Date: Thu, 28 Feb 2013 06:04:08 +0530
From: "Lisa HAGEN" [WilsonVenditti @ykm .com .tr]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoice_JAN-2966.htm
Good day,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa .ru:8080/forum/links/column.php (report here*) hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58..."
(More listed at the dynamoo URL above.)
* http://www.urlquery.net/report.php?id=1170276
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Payment Advice Notification E-mail Messages - February 27, 2013
Fake Overdue Payment Notification E-mail Messages - February 27, 2013
Fake Bank Account Update E-mail Messages - February 27, 2013
Fake Product Order E-mail Messages - February 27, 2013
Fake Product Order Quotation Attachment E-mail - February 27, 2013
Fake Wire Transfer Notification E-mail Messages - February 27, 2013
Fake Invoice Statement Attachment E-mail Messages - February 27, 2013
Fake Bank Account Statement Notification E-mail Messages - February 27, 2013
Fake Quotation Attachment E-mail Messages - February 27, 2013
(Links and more info at the cisco URL above.)
:mad:
-
"Follow this link" SPAM ...
FYI...
"Follow this link" SPAM / sidesgenealogist .org
- http://blog.dynamoo.com/2013/02/foll...link-spam.html
28 Feb 2013 - "This rather terse spam appears to lead to an exploit kit on sidesgenealogist .org:
From: Josefina Underwood [mailto:hdFQe @heathrowexpress .com]
Sent: 27 February 2013 16:43
Subject: Follow this link
I have found it http ://www.eurosaudi .com/templates/beez/wps.php?v20120226
Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist .org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same server here* that indicates an exploit kit. The malware is hosted on 188.93.210.226 (Logol.ru, Russia**). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:
reinstalltwomonthold .org
nephewremovalonly .org
scriptselse .org
everflowinggopayment .net "
* http://urlquery.net/report.php?id=1180853
... Blackholev2 url structure detected... Multiple Exploit Kit Payload detection
** https://www.google.com/safebrowsing/...?site=AS:49352
___
Fake "Contract" SPAM / forumny .ru
- http://blog.dynamoo.com/2013/02/cont...forumnyru.html
28 Feb 2013 - "This contracts-themed spam leads to malware on forumny .ru:
Date: Thu, 28 Feb 2013 11:43:15 +0400
From: "LiveJournal.com" [do-not-reply @livejournal .com]
Subject: Fw: Contract of 09.07.2011
Attachments: Contract_Scan_IM0826.htm
Dear Sirs,
In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.
Best regards,
SHERLENE DARBY, secretary
The -attachment- Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny .ru:8080/forum/links/column.php (report here*) on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1183959
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___
Fake job offer
- http://blog.dynamoo.com/2013/02/usan...job-offer.html
28 Feb 2013 - "This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:
Date: Thu, 28 Feb 2013 14:57:55 -0600
From: andrzej.wojnarowski@[victimdomain]
Subject: There is a vacancy of a Regional manager in USA:
If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.
If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:
Please email us for details: Paulette @usanewwork .com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):
Sarah Shepard info @usanewwork .com
360-860-3630 fax: 360-860-3321
4478 Pratt Avenue
Tukwila WA 98168
us
The domain was only registered two days ago on 28/2/13. The nameservers ns1.stageportal .net and ns2.stageportal .net are shared by several other domains offering similar fake jobs...
IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)
This job offer is best avoided unless you like prison food..."
(More detail at the dynamoo URL above.)
___
Fake BBB SPAM / forumnywrk .ru
- http://blog.dynamoo.com/2013/02/bbb-...umnywrkru.html
28 Feb 2013 - "This fake BBB Spam leads to malware on forumnywrk .ru:
Date: Thu, 28 Feb 2013 07:29:10 -0500 [07:29:10 EST]
From: LinkedIn Password [password @linkedin .com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 832708632)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
VERSIE Stringer
The malicious payload is on [donotclick]forumnywrk .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
83.169.41.58
31.200.240.153 ..."
(More detail at the dynamoo URL above.)
:mad:
-
Casino-themed Blackhole sites
FYI...
Casino-themed Blackhole sites
- http://blog.dynamoo.com/2013/03/casi...ole-sites.html
1 March 2013 - "Here's a couple of URLs that look suspiciously like a BlackHole Exploit kit, hosted on 130.185.105.74:
[donotclick]888casino-luckystar .net/discussing/sizes_agreed.php
[donotclick]555slotsportal .org/discussing/alternative_distance.php
[donotclick]555slotsportal .net/shrift.php
[donotclick]555slotsportal .net/discussing/alternative_distance.php
[donotclick]555slotsportal .me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez .biz/discussing/alternative_distance.php
You can find a sample report here*... there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1199381
... Detected BlackHole v2.0 exploit kit URL pattern
:mad::fear:
-
Fake Delta/eFax/dealer SPAM ...
FYI...
Fake Delta Airlines SPAM / inanimateweaknesses .net and complainpaywall .net
- http://blog.dynamoo.com/2013/03/delt...eaknesses.html
4 March 2013 - "This fake Delta Airlines spam leads to malware on inanimateweaknesses .net and complainpaywall .net:
From: DELTA CONFIRMATION [mailto:cggQozvOc @sutaffu .co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary
Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta .com/itineraries.
Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Check-in
Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ------------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH
Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH
Check your flight information online at delta.com/itineraries
The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here*) or [donotclick]complainpaywall .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here**) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.
Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page."
* http://urlquery.net/report.php?id=1246850
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
** http://urlquery.net/report.php?id=1246854
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
___
Fake eFax SPAM / forumla .ru
- http://blog.dynamoo.com/2013/03/efax...forumlaru.html
4 Mar 2013 - "This fake eFax spam leads to malware on forumla .ru:
Date: Mon, 4 Mar 2013 08:53:20 +0300
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 646370000]
You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.
* The reference number for this fax is [eFAX-336705661].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla .ru:8080/forum/links/column.php (report here*) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki .ru
ny-news-forum .ru
forumilllionois .ru
forum-ny .ru
forumny .ru
forumla .ru"
* http://urlquery.net/report.php?id=1247054
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit
___
Fake dealerbid .co.uk SPAM
- http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html
4 March 2013 - "This -spam- uses an email address ONLY used to sign up for dealerbid .co.uk:
From: HM Revenue & Customs [enroll @hmrc .gov.uk]
Date: 4 March 2013 13:37
Subject: HMRC Tax Refund ID: 3976244
Dear Taxpayer,
After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.
Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).
Kind regards,
Paul McWeeney
Head of Consumer Sales and Service
The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:
everybodyonline .co.uk
uk-car-discount .co.uk
The email address has been -stolen- from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run. It looks like I am not the only person to notice this same problem*.."
* http://www.reviewcentre.com/Car-Deal...review_1884815
___
Fake Justin Bieber social media claims
- http://www.hoax-slayer.com/bieber-dies-crash-hoax.shtml
March 4, 2013 - "Outline: Message circulating via social media claims that popular young singing star Justin Bieber has died in a car accident...
> http://www.hoax-slayer.com/images/bieber-crash-hoax.jpg
... Many of these false death rumours originate from several tasteless "prank" websites that allow users to create fake news stories detailing the supposed death of various celebrities. Users can generally pick from several "news" templates, add the name of their chosen celebrity and then attempt to fool their friends by sharing the -bogus- story..."
___
Fake Facebook email/SPAM 'Violation of Terms' - Phishing Scam
- http://www.hoax-slayer.com/facebook-...ing-scam.shtml
March 4, 2013 - "Outline: Inbox message purporting to be from "Mark Zurckerberg" claims that the user's Facebook Page has violated the Facebook Terms of Service and may be permanently deleted unless the account is verified by clicking a link in the message... There have been a number of variations of these Facebook account phishing scams distributed in recent years. If you receive any message that claims that your Facebook account may be disabled or deleted if you do not verify account details, do not click on any links or attachments that it may contain. It is always safest to login to your Facebook account - and other online accounts - by entering the address into your browser's address bar rather than by following a link."
:mad::fear:
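Nearly every item in these posts ends with a blocklist: defanged domains written as "forumny .ru", landing-page URLs marked [donotclick], hosting IPs, and whole ranges such as 188.93.210.0/23 or 130.185.105.0/24. The script below is an added example (not code from dynamoo, Webroot or this forum) showing how a defender can refang those indicators straight from the quoted text and run them over proxy logs. The IoC values are copied from the posts above; the proxy log format (timestamp, client, destination IP, method, URL) and the log lines themselves are constructed for the example. Bare IPs become /32 networks so one containment test covers single hosts and CIDR ranges alike, and domain matching also catches subdomains (kisielius.surfwing.me under surfwing.me) without being fooled by look-alike hosts such as forumny.ru.example.net.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IoC lines copied verbatim from the posts above: domains are defanged with a
# space before the TLD and landing-page URLs carry the [donotclick] marker.
IOC_TEXT = """
[donotclick]berrybots .net/detects/circulation-comparatively.php
118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)
blocking the entire 188.93.210.0/23 range
consider blocking 130.185.105.0/24 too
greatfallsma .com
lazaro-sosa .com
dekolink .net
forumny .ru
surfwing .me
"""

# "label .tld" with an optional subdomain chain in front of the label
DEFANGED_DOMAIN = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*) \.([a-z]{2,})")
# dotted quad with an optional /prefix
IP_OR_CIDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")


def extract_iocs(text):
    """Return (domains, networks): refanged domain names and ip_network objects.
    A bare IP becomes a /32 so a single containment test covers both cases."""
    domains = {f"{m.group(1)}.{m.group(2)}" for m in DEFANGED_DOMAIN.finditer(text)}
    networks = []
    for m in IP_OR_CIDR.finditer(text):
        try:
            networks.append(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:
            continue  # a dotted number that is not an address
    return domains, networks


def host_of(url):
    """Hostname from a URL, lower-cased and without the port (forumny.ru:8080 -> forumny.ru)."""
    return (urlsplit(url).hostname or "").lower()


def domain_hit(host, domains):
    """True if host equals a blocked domain or is a subdomain of one (suffix match on a dot boundary)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_hit(addr, networks):
    """True if addr falls inside any blocked network (single hosts are /32 networks)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def scan_log(lines, domains, networks):
    """Constructed proxy log format: ts client dst_ip method url.
    Returns (line_number, reason) for every line that touches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, _client, dst_ip, _method, url = parts[:5]
        host = host_of(url)
        if domain_hit(host, domains):
            hits.append((n, f"domain {host}"))
        elif ip_hit(dst_ip, networks):
            hits.append((n, f"ip {dst_ip}"))
    return hits


# Constructed sample log lines (internal clients and non-IoC destinations are invented).
SAMPLE_LOG = [
    "2013-02-27T13:10:02Z 10.1.2.30 118.97.77.122 GET http://berrybots.net/detects/circulation-comparatively.php",
    "2013-02-27T13:10:05Z 10.1.2.30 93.184.216.34 GET http://example.com/index.html",
    "2013-02-28T09:41:17Z 10.1.2.44 188.93.210.226 GET http://sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php",
    "2013-03-01T11:00:00Z 10.1.2.51 130.185.105.74 GET http://555slotsportal.net/shrift.php",
    "2013-03-05T08:22:13Z 10.1.2.19 5.9.196.3 GET http://kisielius.surfwing.me/world/explode_conscious-scandal.jar",
    "2013-03-05T08:30:00Z 10.1.2.19 203.0.113.9 GET http://forumny.ru.example.net/login",
    "2013-02-28T11:50:41Z 10.1.2.77 31.200.240.153 GET http://forumny.ru:8080/forum/links/column.php",
]

if __name__ == "__main__":
    doms, nets = extract_iocs(IOC_TEXT)
    for line_no, reason in scan_log(SAMPLE_LOG, doms, nets):
        print(f"line {line_no}: {reason}")
```

Lines 3 and 4 match only because of the /23 and /24 recommendations, which is the practical argument for blocking the range rather than the single landing-page host; line 6 stays clean because the suffix test requires a dot boundary.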
-
New Java exploits centered exploit kit
FYI...
New Java exploits centered exploit kit
- http://blog.webroot.com/2013/03/05/c...d-exploit-kit/
March 5, 2013 - "... its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”... More details:
Sample screenshot of the statistics page of the newly released Web malware exploitation kit:
> https://webrootblog.files.wordpress....tics_loads.png
The majority of affected users are U.S.-based hosts, and the majority of infected operating systems are Windows NT 6.1, followed by Windows XP... according to the cybercriminals pitching the kit, they’ve also managed to infect some Mac OS X hosts... competing Web malware exploitation kits tend to exploit a much more diversified set of client-side vulnerabilities, consequently, achieving higher exploitation rates... In the wake of two recently announced Java zero day vulnerabilities, users are advised to disable Java, as well as to ensure that they’re not running any outdated versions of their third-party software and browser plugins."
- http://seclists.org/fulldisclosure/2013/Mar/38
4 Mar 2013 - "... 5 -new- security issues were discovered in Java SE 7..."
___
Fake British Airways SPAM / forum-la .ru
- http://blog.dynamoo.com/2013/03/brit...ipts-spam.html
4 March 2013 - "This fake British Airways spam leads to malware on forum-la .ru:
From: LiveJournal.com [do-not-reply @livejournal .com]
Date: 4 March 2013 12:17
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 9AZ3049885
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la .ru:8080/forum/links/column.php (report here*) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
198.104.62.49
210.71.250.131
forumla .ru
forumny .ru
forum-la .ru
foruminanki .ru
ny-news-forum .ru
forumilllionois .ru
forum-ny .ru ..."
* http://www.urlquery.net/report.php?id=1251838
... Detected suspicious URL pattern
___
iFrame injections drive traffic to Blackhole exploit kit
- http://nakedsecurity.sophos.com/2013...e-exploit-kit/
March 5, 2013 - "... recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites. JavaScript libraries on the legitimate websites are prepended with code... SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats! If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites... have been compromised in some way over the past week.
> https://sophosnews.files.wordpress.c...lexa.png?w=640
... Looking at data collected over the past 14 days (Feb 18th - March 4th 2013), I started off by looking at the host ISPs for the compromised web sites. As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.
> https://sophosnews.files.wordpress.c...isps.png?w=640
Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.
> https://sophosnews.files.wordpress.c...ntry.png?w=640
If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect* if the attacks were agnostic to the platform.
> https://sophosnews.files.wordpress.c...form.png?w=640
Most of these servers are running CentOS (then Debian then Ubuntu). This last piece of data gives us some clues as to how these attacks are happening. Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this. Digging around it appears that this is indeed the root cause. The folks over at Sucuri** managed to get hold of the rogue module that was used on one such victim server.
Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded..."
* http://news.netcraft.com/archives/20...er-survey.html
** http://blog.sucuri.net/2013/02/web-s...e-modules.html
___
Something evil on 5.9.196.3 and 5.9.196.6
- http://blog.dynamoo.com/2013/03/some...nd-591966.html
5 March 2013 - "Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama .nl/relay.php) leading to two identified malware landing pages:
[donotclick]kisielius.surfwing .me/world/explode_conscious-scandal.jar (report here*)
[donotclick]alkalichlorideasenteeseen.oyunhan .net/world/romance-apparatus_clinical_repay.php (report here**)
Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan .net
kisielius.surfwing .me
dificilmentekvelijitten.surfwing .me
kisielius.surfwing .me
befool-immatriculation.nanovit .me
locoburgemeester.toys2bsold .com
ratiocination-wselig.smithsisters .us
A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb .com
Blocking these domains completely is probably a good idea:
oyunhan .net
surfwing .me
nanovit .me
toys2bsold .com
smithsisters .us
creatinaweb .com
5.9.196.0/28 is a Hetzner IP*** ... I haven't seen anything of value in this /28, blocking it may be prudent."
* http://www.urlquery.net/report.php?id=1248746
... Zip archive data
** http://www.urlquery.net/report.php?id=1265212
... Adobe PDF Memory Corruption
*** https://www.google.com/safebrowsing/...?site=AS:24940
"... over the past 90 days, 6823 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-04, and the last time suspicious content was found was on 2013-03-04..."
___
Fake HP printer SPAM / giliaonso .ru
- http://blog.dynamoo.com/2013/03/scan...njet-spam.html
5 Mar 2013 - "This fake HP printer spam leads to malware on giliaonso .ru:
Date: Tue, 5 Mar 2013 12:53:40 +0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments: HP_Scan.htm
Attached document was scanned and sent
to you using a HP A-16292P.
SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment leads to malware on [donotclick]giliaonso .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131 ..."
* http://urlquery.net/report.php?id=1266289
... Detected suspicious URL pattern... Blackhole 2 Landing Page 210.71.250.131
___
Fake Sendspace SPAM / forumkianko .ru
- http://blog.dynamoo.com/2013/03/send...mkiankoru.html
5 Mar 2013 - "This fake Sendspace spam leads to malware on forumkianko .ru:
Date: Tue, 5 Mar 2013 06:52:10 +0100
From: AyanaLinney@ [redacted]
Subject: You have been sent a file (Filename: [redacted]-51153.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]forumkianko .ru:8080/forum/links/column.php (report here*) hosted on:
46.4.77.145 (Hetzner, Germany***)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
These IPs are the same as used in this attack**..."
* http://urlquery.net/report.php?id=1267580
... Detected suspicious URL pattern... Blackhole 2 Landing Page 46.4.77.145
** http://blog.dynamoo.com/2013/03/scan...njet-spam.html
*** https://www.google.com/safebrowsing/...?site=AS:24940
:mad:
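The Sophos item above ends with the advice to check the Apache configuration for unexpected modules being loaded. As an added example (not code from Sophos or Sucuri, and not part of the original post), here is a small baseline check in Python: it parses the module list that `apachectl -M` prints, pairs each module with the `LoadModule` line that pulls it in, and reports anything not on an allowlist the administrator maintains. The allowlist, the `apachectl -M` output and the httpd.conf fragment are all constructed; `unknown_example_module` / `mod_unknown_example.so` is a placeholder name, not a real rogue module.

```python
"""Check an Apache server's loaded modules against an expected baseline.

Added example, not code from the Sophos post or from Sucuri. Sample data
below is constructed; `unknown_example_module` is a placeholder outlier.
"""
from __future__ import annotations

import re
import subprocess

# Constructed baseline for a hypothetical CentOS web server.
EXPECTED_MODULES = {
    "core_module", "so_module", "http_module", "mpm_prefork_module",
    "authz_host_module", "log_config_module", "mime_module", "dir_module",
    "alias_module", "rewrite_module", "php5_module", "ssl_module",
}

# Constructed `apachectl -M` output; the last module is the planted outlier.
SAMPLE_APACHECTL_M = """\
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 authz_host_module (shared)
 log_config_module (shared)
 mime_module (shared)
 dir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 php5_module (shared)
 ssl_module (shared)
 unknown_example_module (shared)
Syntax OK
"""

# Constructed httpd.conf fragment with the matching LoadModule directives.
SAMPLE_HTTPD_CONF = """\
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module modules/libphp5.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule unknown_example_module modules/mod_unknown_example.so
"""

MODULE_LINE = re.compile(r"^\s*(\w+_module)\s+\((static|shared)\)\s*$")
LOADMODULE_LINE = re.compile(r"^\s*LoadModule\s+(\w+_module)\s+(\S+)")


def parse_apachectl_modules(output: str) -> dict[str, str]:
    """Map module name -> 'static' | 'shared' from `apachectl -M` text."""
    found: dict[str, str] = {}
    for line in output.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def parse_loadmodule_lines(config_text: str) -> dict[str, str]:
    """Map module name -> shared-object path from LoadModule directives."""
    paths: dict[str, str] = {}
    for line in config_text.splitlines():
        m = LOADMODULE_LINE.match(line)
        if m:
            paths[m.group(1)] = m.group(2)
    return paths


def unexpected_modules(apachectl_output: str, config_text: str,
                       expected: set[str] = EXPECTED_MODULES) -> list[tuple[str, str, str]]:
    """Return (module, static|shared, path) for each loaded module outside the baseline.

    The path points the admin at the .so to hash or remove; it is '?' when a
    module is loaded but no scanned LoadModule line names it (e.g. it comes
    from an include file that was not read), which is itself worth a look.
    """
    loaded = parse_apachectl_modules(apachectl_output)
    paths = parse_loadmodule_lines(config_text)
    return [(name, kind, paths.get(name, "?"))
            for name, kind in sorted(loaded.items())
            if name not in expected]


def live_check(config_path: str = "/etc/httpd/conf/httpd.conf") -> list[tuple[str, str, str]]:
    """Run on the local host; needs apachectl on PATH and read access to the config."""
    proc = subprocess.run(["apachectl", "-M"], capture_output=True, text=True, check=False)
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        config_text = fh.read()
    # Some builds print 'Syntax OK' on stderr; merge both streams for the parser.
    return unexpected_modules(proc.stdout + proc.stderr, config_text)


if __name__ == "__main__":
    for name, kind, path in unexpected_modules(SAMPLE_APACHECTL_M, SAMPLE_HTTPD_CONF):
        print(f"UNEXPECTED {name} ({kind}) {path}")
```

The baseline is the point: a list of module names means nothing unless it is compared against what the box is supposed to load, ideally recorded at build time and kept outside the server. The check only covers the main config file; servers that pull modules in through `Include` directives need those files scanned too, otherwise a loaded module will show up with a `?` path.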
-
Fake BT SPAM ...
FYI...
Fake BT SPAM / ginagion .ru
- http://blog.dynamoo.com/2013/03/bt-b...inagionru.html
6 March 2013 - "This fake BT spam leads to malware on ginagion .ru:
From: Bebo Service [mailto:service=noreply.bebo .com@bebo .com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order
Notice of delivery
Hi,
We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.
Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.
***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***
We've despatched...
..using the attached shipment details...
Courier Ref Carriage method
Royal Mail FM320725534 1-3 Days
Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.
For information on how track your delivery, please follow to attached file.
Important information for Yodel deliveries:
If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.
The malicious payload is at [donotclick]ginagion .ru:8080/forum/links/column.php ... hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
gosbfosod .ru
giliaonso .ru
forum-ny .ru
ginagion .ru ..."
___
Pizza SPAM / gimalayad .ru
- http://blog.dynamoo.com/2013/03/pizz...malayadru.html
6 Mar 2013 - "... This spam actually leads to malware on gimalayad .ru:
Date: Wed, 6 Mar 2013 12:22:04 +0330
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Order confirmation
You’ve just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2...
If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don’t do that shortly, the order will be confirmed and delivered to you...
Total Charge: 232.33$
========
Date: Wed, 6 Mar 2013 09:16:56 +0100
From: "Xanga" [noreply @xanga .com]
Subject: Re: Fwd: Order confirmation
You’ve just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni...
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives...
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge: 242.67$
If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don’t do that shortly, the order will be confirmed and delivered to you.
With Respect
PIERO`s Pizzeria
The malicious payload is at [donotclick]gimalayad .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4 ..."
* http://www.urlquery.net/report.php?id=1289205
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___
Fake inTuit email
- http://security.intuit.com/alert.php?a=76
3/06/13 - "People are receiving fake emails with the title 'Please respond - overdue payment.' These mails are coming from auto-invoice @quickbooks .com, which is -not- a legitimate email address. Below is a copy of the email... The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles
This is the end of the fake email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Malicious Attachment E-mail Messages - March 06, 2013
Fake Unpaid Debt Invoice E-mail Messages - March 06, 2013
Fake Overdue Payment Notification E-mail Messages - March 06, 2013
Fake Employee Document Sharing Notification E-mail - March 06, 2013
Fake Money Transfer Notification E-mail Messages - March 06, 2013
Fake UPS Payment Document Attachment E-mail Messages - March 06, 2013
(Links and more info at the cisco URL above.)
:mad:
-
Fake BBB SPAM...
FYI...
Fake BBB SPAM / alteshotel .net and bbb-accredited .net
- http://blog.dynamoo.com/2013/03/bbb-...t-and-bbb.html
7 Mar 2013 - "This fake BBB spam leads to malware on alteshotel .net and bbb-accredited .net:
Date: Thu, 7 Mar 2013 06:23:12 -0700
From: "Better Business Bureau Warnings" [hurriese3 @bbb .com]
Subject: BBB details regarding your claim No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.
We graciously ask you to overview the TERMINATION REPORT to meet on this claim
-We awaits to your prompt rebound- .
If you think you got this email by mistake - please forward this message to your principal or accountant
Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Thu, 7 Mar 2013 21:19:18 +0800
From: "Better Business Bureau Warnings" [prettifyingde7 @transfers.americanpayroll .org]
Subject: BBB details about your pretense No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.
We graciously ask you to visit the ABUSE REPORT to answer on this appeal
- We awaits to your prompt answer. -
If you think you got this email by mistake - please forward this message to your principal or accountant
Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
One potentially malicious payload is at [donotclick]alteshotel .net/detects/review_complain.php (looks like it might be broken - report here*) hosted on:
69.43.161.176 (Parked at Castle Access Inc, US)
The other is at [donotclick]bbb-accredited .net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here**) hosted on:
64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia) ...
Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1302657
** http://urlquery.net/report.php?id=1302670
... Detected live BlackHole v2.0 exploit kit
___
Malware sites to block 7/3/13
- http://blog.dynamoo.com/2013/03/malw...lock-7313.html
7 March 2013 - "Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:
173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)
Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42 ..."
(Long list at the dynamoo URL above.)
:mad::fear:
-
Fake Adobe/IRS/LinkedIn SPAM ...
FYI...
Fake Adobe CS4 SPAM / guuderia .ru
- http://blog.dynamoo.com/2013/03/adob...uuderiaru.html
8 March 2013 - "This fake Adobe spam leads to malware on guuderia .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898
Good afternoon,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]guuderia .ru:8080/forum/links/column.php (report here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
212.180.176.4
forum-la .ru
forumla .ru
gimalayad .ru
ginagion .ru
giliaonso .ru
forum-ny .ru
forumny .ru
guuderia .ru
gosbfosod .ru "
* http://urlquery.net/report.php?id=1318046
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___
Fake IRS SPAM / gimilako .ru
- http://blog.dynamoo.com/2013/03/your...-declined.html
8 March 2013 - "The following fake IRS spam leads to malware on gimilako .ru:
From: Myspace [mailto:noreply@message .myspace .com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.
Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
The malicious payload is at [donotclick]gimilako .ru:8080/forum/links/column.php (reported here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
gimilako .ru
forum-la .ru
forumla .ru
gimalayad .ru
ginagion .ru
giliaonso .ru
forum-ny .ru
forumny .ru
gosbfosod .ru "
* http://urlquery.net/report.php?id=1321924
... Detected suspicious URL pattern... Blackhole 2 Landing Page 89.107.184.167
___
Fake LinkedIn SPAM / giminalso .ru
- http://blog.dynamoo.com/2013/03/link...minalsoru.html
8 March 2013 - "This fake LinkedIn spam leads to malware on giminalso .ru:
From: messages-noreply@bounce. linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...
[redacted], Congratulations!
You and Aylin are now connected.
Aylin Welsh
Tajikistan
2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as in this other attack** today:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)"
* http://urlquery.net/report.php?id=1322125
... Detected suspicious URL pattern... Blackhole 2 Landing Page 41.72.150.100
** http://blog.dynamoo.com/2013/03/your...-declined.html
___
Fake AT&T spam (again)
- http://blog.dynamoo.com/2013/03/at-spam-again.html
8 Mar 2013 - "This fake AT&T spam leads to malware on.. well, in this case nothing at all.
Date: Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From: AT&T Customer Care [icare7@amcustomercare .att-mail .com]
Subject: Your AT&T wireless bill is ready to view
att.com | Support | My AT&T Account Rethink Possible
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for your account is now available online.
Total Balance Due: -$1695.64-
Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you,
AT&T Online Services ...
> https://lh3.ggpht.com/-9r2z1zqGRKg/U...att-bill-2.png
In this case the link goes to a redirector page at [donotclick]vtcrm.update .se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!"
___
RU:8080 and Amerika SPAM runs
- http://blog.dynamoo.com/2013/03/ru80...spam-runs.html
8 March 2013 - "For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP. The most obvious characteristic of one of the spam runs is the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080*. You can see some current nastiness in action at Malware Must Die**. But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia. I've labelled this series as Amerika***... The Amerika spam run is a little harder to identify, so there may be some errors in it. I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!"
* http://blog.dynamoo.com/search/label/RU%3A8080
** http://malwaremustdie.blogspot.co.uk...at-do-you.html
March 5, 2013
*** http://blog.dynamoo.com/search/label/Amerika
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 08
Fake Business Complaint E-mail Messages - 2013 Mar 08
Fake Italian Online Dating Request E-mail Messages - 2013 Mar 08
Fake Portuguese Payment Invoice E-mail Messages - 2013 Mar 08
Fake Portuguese Banking Service Notification E-mail Messages - 2013 Mar 08
(Links and more detail at the cisco URL above.)
:mad:
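The RU:8080 write-up above names the one stable trait of that spam run (a .ru landing host on port 8080, and in every sample quoted in this thread the path /forum/links/column.php), while the dynamoo posts on 5.9.196.0/28 and on the OVH ranges recommend blocking whole /28 blocks rather than single IPs. As an added example (not dynamoo's code and not part of any post here), the Python below runs both ideas over proxy log lines: a regex for the RU:8080 landing shape, plus a blocklist that mixes domains with CIDR ranges. The indicator values are taken from the posts above; the log lines are constructed in a Squid-like layout, and `constructed-unlisted.ru` is a placeholder host used only to show that the pattern fires without a list entry.

```python
"""Flag proxy requests matching the RU:8080 landing pattern or a blocklist.

Added example, not code from dynamoo's posts. Indicator values come from
the thread; log lines are constructed (time, client, method, URL, status).
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Networks and single hosts quoted in the posts above (/32 for single IPs).
BLOCKLIST_NETS = [ipaddress.ip_network(n) for n in (
    "5.9.196.0/28",        # Hetzner /28 from "Something evil on 5.9.196.3 and 5.9.196.6"
    "37.59.214.0/28",      # OVH /28 suballocated to Sidharth Shah
    "41.72.150.100/32",    # Hetzner, South Africa
    "117.104.150.170/32",  # NTT, Japan
    "212.180.176.4/32",    # Supermedia, Poland
)]

# Landing-page domains from the RU:8080 spam runs quoted above.
BLOCKLIST_DOMAINS = {
    "giliaonso.ru", "forumkianko.ru", "ginagion.ru", "gimalayad.ru",
    "guuderia.ru", "gimilako.ru", "giminalso.ru", "gimikalno.ru",
}

# RU:8080 signature: a .ru host on port 8080 serving /forum/links/column.php.
RU8080_LANDING = re.compile(r"^https?://[^/]+\.ru:8080/forum/links/column\.php", re.IGNORECASE)

# Constructed log lines (Squid-like: time client method url status).
SAMPLE_LOG = """\
1362743001.123 10.0.0.5 GET http://www.example.com/index.html 200
1362743005.456 10.0.0.7 GET http://gimalayad.ru:8080/forum/links/column.php 200
1362743009.789 10.0.0.9 GET http://5.9.196.3/world/explode_conscious-scandal.jar 200
1362743011.000 10.0.0.5 GET http://static.example.net/logo.png 200
1362743013.222 10.0.0.8 GET http://constructed-unlisted.ru:8080/forum/links/column.php 404
"""


def host_in_blocklist(host: str) -> str | None:
    """Return the matching indicator (domain or CIDR) for a host, else None."""
    h = host.lower().rstrip(".")
    for domain in BLOCKLIST_DOMAINS:       # exact or subdomain match
        if h == domain or h.endswith("." + domain):
            return domain
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:                     # hostname, not an IP literal
        return None
    for net in BLOCKLIST_NETS:
        if addr in net:
            return str(net)
    return None


def classify(url: str) -> list[str]:
    """Reasons a URL is suspicious: RU:8080 landing shape and/or blocklisted host."""
    reasons = []
    if RU8080_LANDING.match(url):
        reasons.append("ru8080-landing")
    hit = host_in_blocklist(urlsplit(url).hostname or "")
    if hit:
        reasons.append(f"blocklist:{hit}")
    return reasons


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, reasons) for each log line that matches something."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:                # skip blank or malformed lines
            continue
        client, url = fields[1], fields[3]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

Two things the pattern match buys over the list alone: the landing domains in these runs change daily (every post above has a new one), so a list is stale by the time it is published, and the client IP in a hit is the host that followed the link and needs looking at regardless of whether the request was blocked. Non-200 responses still count as hits for that reason.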
-
Fake Wire Transfer SPAM - Something evil on 37.59.214.0/28 // 176.31.140.64/28
FYI...
Something evil on 37.59.214.0/28
- http://blog.dynamoo.com/2013/03/some...759214028.html
11 March 2013 - "37.59.214.0/28 is an OVH IP range* suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith .info:89/forum/had.php which is evading automated analysis**. The owner of this block is as follows:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell @gmail .com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appear to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious..."
(List at the dynamoo URL above.)
** http://urlquery.net/report.php?id=1368280
AS16276 (OVH)
* https://www.google.com/safebrowsing/...?site=AS:16276
"... over the past 90 days, 6134 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-11, and the last time suspicious content was found was on 2013-03-11... Over the past 90 days, we found 911 site(s) on this network... that appeared to function as intermediaries for the infection of 2222 other site(s)... We found 1665 site(s)... that infected 8762 other site(s)..."
___
Something evil on 176.31.140.64/28
- http://blog.dynamoo.com/2013/03/some...311406428.html
11 March 2013 - "176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post)*. It contains a small number of malicious domains flagged by Google (in red), most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.
Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block..."
(List at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/03/some...759214028.html
___
Sidharth Shah / OVH / itechline .com
- http://blog.dynamoo.com/2013/03/sidh...chlinecom.html
11 March 2013 - "I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:
5.135.20.0/27
5.135.27.128/27
5.135.204.0/27
5.135.218.32/27
5.135.223.96/27
37.59.93.128/27
37.59.214.0/28
46.105.183.48/28
91.121.228.176/28
94.23.106.224/28
176.31.106.96/27
176.31.140.64/28
178.32.186.0/27
178.32.199.24/29
188.165.180.224/27
These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistent, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here*...
The email address sidharth134 @gmail .com is also associated with itechline .com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah. BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:
Length of time business has been operating
8 complaints filed against business
Failure to respond to 7 complaints filed against business
> https://lh3.ggpht.com/-D1aA_fdVk64/U.../itechline.png
... ITechline.com has garnered some very negative consumer reviews..."
* http://www.dynamoo.com/files/sidharth-shah.csv
___
Fake Wire Transfer SPAM / gimikalno .ru
- http://blog.dynamoo.com/2013/03/wire...mikalnoru.html
11 Mar 2013 - "This fake wire transfer spam leads to malware on gimikalno .ru:
Date: Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From: Xanga [noreply@xanga .com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)
Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]gimikalno .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
Blocklist:
5.9.40.136
66.249.23.64
94.102.14.239
212.180.176.4
117.104.150.170
41.72.150.100 ..."
* http://urlquery.net/report.php?id=1371618
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239
:fear::mad:
-
Fake BofA, ACH, Wire Transfer SPAM ...
FYI...
Fake BofA emails lead to malware
- http://blog.webroot.com/2013/03/12/f...ad-to-malware/
March 12, 2013 - "Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a -bogus- online digital certificate attached to the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ngineering.png
Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b * ... Password-Stealer.
The attachment uses the following naming convention:
cashpro_cert_7585cc6726.zip
cashpro_cert_cc1d4a119071.zip...
It then attempts to connect to 74.207.227.67; 17.optimaxmagnetics .us, and successfully establishes a connection with the C&C server at 50.28.90.36 :8080/forum/viewtopic.php...
More MD5s are known to have phoned back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/4...cdf3/analysis/
File name: Ywiti
Detection ratio: 36/45
Analysis date: 2013-03-11
___
Fake "End of Aug. Stat. Required" SPAM / giminkfjol .ru
- http://blog.dynamoo.com/2013/03/end-...ired-spam.html
12 March 2013 - "This spam leads to malware on giminkfjol .ru:
From: user @victimdomain .com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol .ru ..."
* http://urlquery.net/report.php?id=1389261
... Detected suspicious URL pattern... Blackhole 2 Landing Page 213.215.240.24
___
HP LaserJet printer backdoor
- http://h-online.com/-1821334
12 March 2013 - "A number of HP LaserJet printers can be accessed through the network and unencrypted data can be read from them without authentication. The US-CERT has issued an advisory* that warns users of these printers and is calling on them to update the printer's firmware with a fixed version... HP's own advisory** identifies HP LaserJet Pro P1102w, P1606dn, M1212nf MFP (Multi Function Printer), M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1219nf MFP and CP1025nw printers as affected by the problem and has issued firmware and installation instructions for that firmware to close the vulnerability."
* http://www.kb.cert.org/vuls/id/782451
Last revised: 11 Mar 2013
** https://h20566.www2.hp.com/portal/si...r_na-c03684249
Last Updated: 2013-03-06
References: CVE-2012-5215
___
Fake News Diet Supplement Site
- http://www.gfi.com/blog/thinspo-tumb...pplement-site/
March 12, 2013 - "... something called “Thinspo” – it’s a shortened term for “Thinspiration”, usually a tag on social media sites... an attempt at directing such individuals to fake news websites touting “green coffee” weight loss offers. Here’s the Tumblr in question, which contains numerous “Thinspo” pictures...
> http://www.gfi.com/blog/wp-content/u...3/thinspo1.jpg
Sending kids and teens with potentially serious body image hang-ups to -fake- news report sites such as this which practically beg them to sign up and lose weight is incredibly creepy... It’s entirely possible there’s more of them lurking on various social networks though, so please be aware that no matter how controversial the subject, someone is always going to want to take advantage of it for their own benefit."
___
Fake ACH Batch Download Notification
- http://security.intuit.com/alert.php?a=77
11 Mar 2013 - "People are receiving fake emails with the title 'ACH Batch Download Notification'. Below is a copy of the email people are receiving, including the mistakes shown.
Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Mon, 11 Mar 2013 19:59:38 +0500 Batch ID: 8242710 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.
This is the end of the fake email.
Steps to Take Now
- Do -not- click on the link in the email or open the attached file...
- Delete the email."
___
Fake Wire Transfer SPAM / giminanvok .ru
- http://blog.dynamoo.com/2013/03/wire...inanvokru.html
11 Mar 2013 - "Another wire transfer spam, this time leading to malware on giminanvok .ru:
Date: Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From: LinkedIn Connections [connections@linkedin.com]
Subject: Fwd: Wire Transfer (5600LJ65)
Dear Bank Account Operator,
WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]giminanvok .ru:8080/forum/links/column.php (report pending*) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
I strongly recommend that you block access to these IPs if you can."
:mad:
-
Fake BBB emails lead to BlackHole Exploit Kit
FYI...
Fake BBB emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/13/s...e-exploit-kit/
March 13, 2013 - "Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time, launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the first BBB themed spamvertised campaign:
> https://webrootblog.files.wordpress....xploit_kit.png
Sample screenshot of the second BBB themed spamvertised campaign:
> https://webrootblog.files.wordpress....oit_kit_01.png
... Malicious domain names reconnaissance:
bbb-complaint .org – 63.141.224.171; 149.154.68.214; 155.239.247.247 – Email: gonumina1 @dbzmail .com
Name Server: NS1.STREETCRY .NET – 93.186.171.133 – Email: webclipradio @aol .com
Name Server: NS2.STREETCRY .NET – 15.214.13.118 – Email: webclipradio@aol .com
bbb-accredited .net – not responding
Responding to 149.154.68.214 are also the following malicious domains:
fab73 .ru, misharauto .ru
secureaction120 .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn @yandex .ru
secureaction150 .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn @yandex .ru
iberiti .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: biedermann @iberiti .com
notsk .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: jenifer@notsk .com
metalcrew .net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: heffner@metalcrew .net
roadix .net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: marunga@roadix .net
gatovskiedelishki.ru – 149.154.68.214; 155.239.247.247; 141.0.176.234 conbicormiks .ru
Name servers used in the campaign:
Name Server: NS1.STREETCRY .NET – 93.186.171.133 – Email: webclipradio @aol .com
Name Server: NS2.STREETCRY .NET – 15.214.13.118 – Email: webclipradio @aol .com
Name Server: NS1.E-ELEVES .NET – 173.208.88.196
Name Server: NS1.E-ELEVES .NET – 43.109.79.23
Name Server: NS1.LETSGOFIT .NET – 173.208.88.196 – Email: weryrebel @live.com
Name Server: NS1.LETSGOFIT .NET – 11.3.51.158 – Email: weryrebel @live .com
Name Server: NS1.BLACKRAGNAROK .NET – 209.140.18.37 – Email: onetoo @gmx .com
Name Server: NS2.BLACKRAGNAROK .NET – 6.20.13.25 – Email: onetoo @gmx .com
Name Server: NS1.OUTBOUNDUK .NET
Name Server: NS2.OUTBOUNDUK .NET
Not surprisingly, we’ve already seen the onetoo @gmx .com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware“.
Upon successful client-side exploitation, a sampled campaign drops: MD5: 126a104f260cb0059b901c6a23767d76 * ... Worm:Win32/Cridex.E ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/1...3f77/analysis/
File name: cf2d476e6b1a8eae707ffae520c4d019c7226948
Detection ratio: 28/45
Analysis date: 2013-03-10
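The webroot write-up pivots from one domain to the rest of the campaign by looking for shared resolved IPs, shared name servers and a reused registrant e-mail. The script below does that mechanically over the reconnaissance lines quoted above. It is an added example, not code from webroot or dynamoo; the input is constructed from the quoted lines (kept in their defanged form), with two extra lines for teenlocal .net and applockrapidfire .biz written in the same format from the dynamoo posts further down this thread, so one domain joins the cluster through a single shared IP and one shares nothing.

```python
"""Infrastructure pivot: group domains that share a resolved IP or a registrant
e-mail address. Added example; the RECON block is constructed from the posts."""
import re
from collections import defaultdict

# Constructed input in the defanged form used in the quoted posts
# (space before the TLD, space around '@'): domain – IPs – registrant e-mail.
RECON = """
bbb-complaint .org – 63.141.224.171; 149.154.68.214; 155.239.247.247 – Email: gonumina1 @dbzmail .com
secureaction120 .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn @yandex .ru
secureaction150 .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn @yandex .ru
iberiti .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: biedermann @iberiti .com
notsk .com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: jenifer@notsk .com
teenlocal .net – 24.111.157.113; 58.26.233.175; 155.239.247.247
applockrapidfire .biz – 78.46.222.237
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}")


def refang(text):
    """Undo the defanging used in the posts: 'example .com' -> 'example.com',
    'user @host .tld' -> 'user@host.tld', '[donotclick]' and 'hxxp' removed."""
    text = text.replace("[donotclick]", "").replace("hxxp://", "http://")
    text = re.sub(r"\s+\.(?=[A-Za-z0-9])", ".", text)
    text = re.sub(r"\s*@\s*", "@", text)
    return text


def parse_recon(block):
    """Map each domain to the set of infrastructure handles it is tied to."""
    handles = {}
    for raw in block.strip().splitlines():
        line = refang(raw)
        parts = re.split(r"\s+[–-]\s+", line)   # ' – ' separates the columns
        domain = parts[0].strip().lower()
        rest = " ".join(parts[1:])
        keys = {"ip:" + ip for ip in IP_RE.findall(rest)}
        keys |= {"email:" + e.lower() for e in EMAIL_RE.findall(rest)}
        handles[domain] = keys
    return handles


def pivot(handles, key):
    """All domains tied to one handle, e.g. pivot(h, 'ip:149.154.68.214')."""
    return sorted(d for d, keys in handles.items() if key in keys)


def shared_handles(handles):
    """Handles used by two or more domains, most widely shared first."""
    count = defaultdict(int)
    for keys in handles.values():
        for k in keys:
            count[k] += 1
    return sorted(((k, n) for k, n in count.items() if n >= 2),
                  key=lambda kn: (-kn[1], kn[0]))


def cluster(handles):
    """Union-find over domains: any shared IP or e-mail joins two domains."""
    parent = {d: d for d in handles}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owner = {}
    for domain, keys in handles.items():
        for k in keys:
            if k in owner:
                parent[find(domain)] = find(owner[k])
            else:
                owner[k] = domain
    groups = defaultdict(list)
    for d in handles:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    h = parse_recon(RECON)
    for handle, n in shared_handles(h):
        print(f"{n} domains share {handle}: {', '.join(pivot(h, handle))}")
    for group in cluster(h):
        print("cluster:", ", ".join(group))
```

The union-find treats any shared handle as a link, which is the right default for a list that is already known-bad, but on mixed data a shared IP at a large shared-hosting provider will pull unrelated domains together; weight by handle type (registrant e-mail and name server are much stronger links than one IP) before acting on a cluster.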
___
- http://gfisoftware.tumblr.com/post/4...ation-has-been
5 days ago - "... Subjects seen:
BBB Accreditation Terminated
Typical e-mail details:
Valued Owner:
Your accreditation with Better Business Beaureau was Discontinued
A number of latest claims on you / your company motivated us to provisional Suspend your accreditation with Better Business Beaureau. The information about the our decision are available for review at a link below. Please give attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the SUSPENSION REPORT to meet on this grievance.
If you think you got this email by mistake - please forward this message to your principal or accountant
We awaits to your prompt rebound ..."
___
Zbot sites to block 13/3/13
- http://blog.dynamoo.com/2013/03/zbot...-to-block.html
13 Mar 2013 - "These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something*.
76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack .pl
beveragerefine .su
dinitrolkalor .com
dugsextremesda .su
establishingwi .su
eurasianpolicy .net
euroscientists .at
ewebbcst .info
fireinthesgae .pl
girdiocolocai .com
machinelikeleb .su
mixedstorybase .su
satisfactorily .su
smurfberrieswd .su
sputtersmorele .pl
suggestedlean .com
trashinesscro .com
upkeepfilesyst .su
URLs seen:
[donotclick]beveragerefine .su/hjz/file.php
[donotclick]euroscientists .at/hjz/file.php
[donotclick]machinelikeleb .su/fiv/gfhk.php
[donotclick]mixedstorybase .su/hjz/file.php
[donotclick]satisfactorily .su/hjz/file.php
[donotclick]smurfberrieswd .su/hjz/file.php
And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)..."
* https://www.abuse.ch/?p=3581
___
Fake "Wapiti Lease Corp" SPAM / giminaaaao .ru
- http://blog.dynamoo.com/2013/03/wapi...tion-spam.html
13 March 2013 - "A fairly bizarre spam leading to malware on giminaaaao .ru:
From: IESHA WILLEY [mailto:AtticusRambo @tui-infotec .com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached
Hello,
Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.
Thank you,
IESHA WILLEY
WLC
This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao .ru:8080/forum/links/column.php (report here*) hosted on:
93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao .ru
giminkfjol .ru
giminanvok .ru "
* http://urlquery.net/report.php?id=1406092
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239
___
Fake "Copies of policies" SPAM / giimiiifo .ru
- http://blog.dynamoo.com/2013/03/copi...imiiiforu.html
13 Mar 2013 - "This spam leads to malware on giimiiifo .ru:
Date: Wed, 13 Mar 2013 06:49:25 +0100
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: RE: Alonso - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Alonso SAMS,
The malicious payload is at [donotclick]giimiiifo .ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)"
-
Fake Efax, LinkedIn SPAM leads to malware...
FYI...
Fake Efax SPAM / gimiinfinfal .ru
- http://blog.dynamoo.com/2013/03/efax...nfinfalru.html
14 Mar 2013 - "This eFax-themed spam leads to malware on gimiinfinfal .ru:
Date: Thu, 14 Mar 2013 07:39:23 +0300
From: SarahPoncio @mail .com
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 449555234]
You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
* The reference number for this fax is [eFAX-263482326].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal .ru:8080/forum/links/column.php (report here) hosted on:
94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)
Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo .ru
___
Fake LinkedIn SPAM / teenlocal .net
- http://blog.dynamoo.com/2013/03/link...nlocalnet.html
14 March 2013 - "This fake LinkedIn spam leads to malware on teenlocal .net:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!
Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Strategic Planning
Continue
You are receiving Endorsements emails. Unsubscribe.
This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247 ..."
(More detail at the dynamoo URL above.)
-
Fake Wire Transfer emails serve client-side exploits and malware
FYI...
Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot.com/2013/03/15/c...s-and-malware/
March 15, 2013 - "Over the last couple of days, a cybercriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....e_transfer.png
... Sample client-side exploits serving URL: hxxp://gimikalno .ru:8080/forum/links/column.php
Sample malicious payload dropping URL: hxxp://gimikalno .ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a * ... Trojan.FakeMS
... phones back to:
149.156.96.9 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
72.251.206.90 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
202.29.5.195 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5 /AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen 213.214.74.5 in... previously profiled campaigns
Malicious domain name reconnaissance:
gimikalno .ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
Name Servers: ns1.gimikalno .ru 41.168.5.140
Name Servers: ns2.gimikalno .ru 110.164.58.250 (nangrong.ac.th)
Name Servers: ns3.gimikalno .ru 210.71.250.131 (tecom.com.tw)
Name Servers: ns4.gimikalno .ru 194.249.217.8 (gimnazija-tolmin1.si)
Name Servers: ns5.gimikalno .ru 72.251.206.90 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/b...6642/analysis/
File name: docprop.dll
Detection ratio: 26/45
Analysis date: 2013-03-13
___
Malware sites to block 15/3/13
- http://blog.dynamoo.com/2013/03/malw...ock-15313.html
15 March 2013 - "These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos .ru seems to be very active this morning. Block 'em if you can:
5.9.40.136
41.72.150.100
50.116.23.204
66.249.23.64
94.102.14.239
212.180.176.4
213.215.240.24...
For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy) ..."
(More listed at the dynamoo URL above.)
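Because this gang rotates through fresh .ru domains every day, an IP/domain blocklist on its own lags the campaign; the landing-page URL (.ru host on port 8080, path /forum/links/column.php) and the fixed Blackhole path seen in the other posts are more durable. The script below is an added example, not dynamoo's or webroot's code: it checks proxy log lines against a blocklist refanged by hand from the list above and the domains named in the posts, and separately against those URL patterns, so a rotated domain that is not yet on any list is still flagged. The log lines are constructed.

```python
"""Flag proxy log entries by blocklist and by the RU:8080 / Blackhole URL
patterns quoted in the posts. Added example; lists and log are constructed."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Refanged by hand from the 15/3/13 list and from domains named in the posts.
BLOCK_IPS = {"5.9.40.136", "41.72.150.100", "50.116.23.204", "66.249.23.64",
             "94.102.14.239", "212.180.176.4", "213.215.240.24"}
BLOCK_DOMAINS = {"gilaogbaos.ru", "gimikalno.ru", "giminaaaao.ru",
                 "giimiiifo.ru", "gimiinfinfal.ru"}

# Landing-page paths quoted in the posts; these survive domain rotation.
PATH_PATTERNS = [
    ("ru8080-landing", re.compile(r"^/forum/links/column\.php$")),
    ("bhek2-landing", re.compile(r"^/closest/209tuj2dsljdglsgjwrigslgkjskga\.php$")),
]


def is_blocked_host(host):
    """True for a listed IP, a listed domain, or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    try:
        ip_address(host)
    except ValueError:
        labels = host.split(".")
        return any(".".join(labels[i:]) in BLOCK_DOMAINS for i in range(len(labels)))
    return host in BLOCK_IPS


def classify_url(url):
    """Return the reasons a URL should be flagged; an empty list means no match."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host and is_blocked_host(host):
        reasons.append("blocklisted-host")
    # dynamoo's 'RU:8080' tell: a .ru host serving on port 8080
    if host.endswith(".ru") and u.port == 8080:
        reasons.append("ru-8080-host")
    for name, pattern in PATH_PATTERNS:
        if pattern.search(u.path):
            reasons.append(name)
    return reasons


# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2013-03-15T09:12:01Z 10.0.0.17 GET http://gilaogbaos.ru:8080/forum/links/column.php 200
2013-03-15T09:12:02Z 10.0.0.22 GET http://www.example.com/index.html 200
2013-03-15T09:13:40Z 10.0.0.17 GET http://hiskintako.ru:8080/forum/links/column.php?hf=1 200
2013-03-15T09:15:05Z 10.0.0.31 GET http://94.102.14.239/forum/links/column.php 404
2013-03-15T09:16:11Z 10.0.0.40 GET http://encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php 200
"""


def scan_log(text):
    """Return (client, url, reasons) for every log line that matches something."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

The hiskintako.ru line is the point of the exercise: that domain is on none of the lists in the block, yet the host/port and path patterns still catch it. Treat a hit on a path pattern alone as lower confidence than a blocklist hit (the path is a string the kit operators can change at will), and feed every pattern-only hit back into the blocklist once the host has been confirmed.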
___
Fake ADP SPAM / picturesofdeath .net
- http://blog.dynamoo.com/2013/03/adp-...tion-spam.html
15 March 2013 - "This fake ADP spam leads to malware on... picturesofdeath .net:
From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply @adp .com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High
This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498
Details: Click here to overview and/or modify order
We will notify you via email if the status of your delivery changes.
Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com ...
The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1446662
... Detected live BlackHole v2.0 exploit kit 24.111.157.113
- http://blog.webroot.com/2013/03/18/a...e-exploit-kit/
March 18, 2013 - "A currently ongoing malicious email campaign is impersonating ADP in an attempt to trick its customers into thinking that they’ve received a ‘Package Delivery Notification.’ In reality though, once a user clicks on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... responded to 24.111.157.113; 58.26.233.175; 155.239.247.247... 58.26.233.175; 155.239.247.247... 77.241.198.65; 80.241.211.26; 83.255.90.5; 103.14.8.20; 190.30.219.85... phones back to 212.68.63.82..."
(More detail at the webroot URL above.)
___
BoA SPAM - on short list of Scammers’ Spam Lures
- http://www.hotforsecurity.com/blog/b...ures-5668.html
March 15, 2013 - "... crooks unleashed a series of aggressive spam campaigns that include the Bank of America in the title as bait. In the context of a security breach, the name of the bank was used to catch customers’ attention, infect them with malware, have them type in sensitive data or entice them into sending money in advance for a service they will never receive. “Online Banking Passcode Modified” invites people to click a link to reset their online banking passcode. The same template and con is entirely recycled from a similar attack in November 2012. This new spamvertised malware campaign attempts to get Bank of America customers to -click a link- to a webpage associated with the Redkit Exploit Kit – a crimeware tool that exploits vulnerabilities in browsers and plugins to silently infect victims’ PCs.
> http://www.hotforsecurity.com/wp-con...e-Modified.png
“Bank of America Corporate Office Headquarters” and the very recent “Payment Notification from Bank of America” spam campaigns are examples of a complicated Nigerian-like scam informing customers that their funds will be transferred to the United States Treasury Account...
> http://www.hotforsecurity.com/wp-con...adquarters.png
“Bank of America Alert: Suspicious Activities on your Account!” and “Bank of America Alert: Sign-in to Online Banking Locked” lure customers to a phishing page...
> http://www.hotforsecurity.com/wp-con...ur-Account.png
“Reminder: Bank of America Customer Survey” is another active scam ...
> http://www.hotforsecurity.com/wp-con...mer-Survey.png
Bank of America has been recycled in spammed scams since 2006 and used multiple times a year, for more or less the same results: steal card and identity information, infect people with malware, and unwarily recruit them into money-muling operations..."
-
Fake LinkedIn SPAM...
FYI...
Fake LinkedIn SPAM / applockrapidfire .biz
- http://blog.dynamoo.com/2013/03/link...idfirebiz.html
18 March 2013 - "This fake LinkedIn spam leads to malware on applockrapidfire .biz:
From: David O'Connor - LinkedIn [mailto:kissp @gartenplandesign .de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High
LinkedIn
REMINDERS
Invitation reminders:
From David O\'Connor (animator at ea)
PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username @domain .com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.
The link in the message goes through a legitimate hacked site to a malware landing page on [donotclick]applockrapidfire .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire .biz was registered just today to a presumably fake address...
URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)
The nameservers are NS1.QUANTUMISPS .COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS .COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US). quantumisps .com was registered to an anonymous person on 2013-03-15...
Recommended blocklist:
5.9.212.43
50.22.196.70
66.85.130.234
66.85.131.123
78.46.222.237
194.165.17.3
quantumisps .com
applockrapidfire .biz"
* http://urlquery.net/report.php?id=1500577
... Detected live BlackHole v2.0 exploit kit
___
Fake DHL emails contain malware
- http://nakedsecurity.sophos.com/2013...mails-malware/
March 18, 2013 - "... Online criminals have spammed out a large number of messages, claiming to come from DHL Express International, that are designed to install malware onto the computers of unsuspecting PC users. Here is what a typical example of an email spammed out in the attack looks like:
> https://sophosnews.files.wordpress.c.../dhl.jpg?w=640
Attached to the emails is a ZIP file, containing malware. The filename of the ZIP file can vary, but takes the form "DHL reportXXXXXX.zip" (where the 'X's are a random code)... Troj/BredoZp-S* ..."
* http://www.sophos.com/en-us/threat-c...BredoZp-S.aspx
-
Fake Statement/Facebook/malicious SPAM...
FYI...
Fake "Statement Reqiured" SPAM / hiskintako .ru
- http://blog.dynamoo.com/2013/03/end-...ured-spam.html
19 Mar 2013 - "This -spam- leads to malware on hiskintako .ru:
Date: Tue, 19 Mar 2013 08:04:18 +0300
From: "package update Ups" [upsdelivercompanyb @ups .com]
Subject: Re: FW: End of Aug. Statement Reqiured
Attachments: Invoices-CAS9927.htm
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
-----------------------
Date: Tue, 19 Mar 2013 02:18:06 +0600
From: MyUps [ups-delivery-services @ups .com]
Subject: Re: FW: End of Aug. Stat. Required
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The malicious payload is at [donotclick]hiskintako .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
89.110.131.10 (Netclusive, Germany)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
BLOCKLIST:
50.22.0.2
89.110.131.10
132.230.75.95
188.165.202.204
forumla .ru
gimiiiank .ru
giminanvok .ru
giminkfjol .ru
giminaaaao .ru
giimiiifo .ru
giliaonso .ru
forumny .ru
hiskintako .ru
gxnaika .ru
gulivaerinf .ru "
* http://urlquery.net/report.php?id=1516090
... Detected live BlackHole v2.0 exploit kit 50.22.0.2
___
Squeak Data / squeakdata .com SPAM
- http://blog.dynamoo.com/2013/03/sque...acom-spam.html
19 March 2013 - "... The email address they are sending to has been harvested, so you can be pretty sure that the mailing lists they sell are of very low quality. But there's a bit more to this spam than meets the eye..
From: Squeak Data [enquiries @squeakdata .com] via smtpguru .net
Date: 19 March 2013 13:35
Subject: Squeak Data
Signed by: smtpguru .net
Squeak Data - Qualified & Opted In Prospect Data
- At a fraction of the usual price. We own all the data we sell so we can keep our prices extremely competitive but still deliver on quality and service.
New January 2013 Opted In Business Database - contains over 437k records. This data set is completely new and unique to us. It has been strictly opted in at decision maker level. It contains SME businesses throughout the UK. Every record contains full information fields including a live and valid email address.
We are aware that much larger business databases are currently been offered. It takes a lot of hard work and man hours to produce a truly opted in and quality prospect list. Common sense must prevail and conclude that such large databases cannot possibly be opted in and are very old and tired.
We do not hold old and tired data. Our data is fresh, unique and will help you accomplish your new business targets.
Our data is sold with a 95% email delivery promise and on a multiple use basis...
The domain was registered on 2nd March, so it's only a few days old. But that email address looks familiar.. yes, this is Toucan UK who said last year that they were closing down their business. It turns out that this is a lie too. A brief bit of Googling also brings up this other spam where they are saying pretty much the same thing. It looks like they used to have a Twitter handle of @MoneyTreesData although that appears to have been nuked. Oh well.
Give these spammers a wide berth."
___
Fake Facebook SPAM / heelicotper .ru
- http://blog.dynamoo.com/2013/03/face...icotperru.html
19 Mar 2013 - "This fake Facebook spam leads to malware on heelicotper .ru:
Date: Tue, 19 Mar 2013 08:37:37 +0200
From: Facebook [updateSIXQG03I44AX @facebookmail .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]heelicotper .ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:
50.22.0.2 (SoftLayer, US)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
The payload and associated IPs are the same as in this attack."
___
Malware spam: Cyprus banks...CNN.com / salespeoplerelaunch .org
- http://blog.dynamoo.com/2013/03/malw...anks-shut.html
19 Mar 2013 - "This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch .org:
Date: Tue, 19 Mar 2013 10:40:22 -0600
From: "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject: Opinion: Cyprus banks shut extended to Monday - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail.cnn .com:
Click the following to access the sent link:
Cyprus banks shut extended to Monday - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
The malicious payload is at [donotclick]salespeoplerelaunch .org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).
Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)
Recommended blocklist:
salespeoplerelaunch .org
dnslvlup .com
69.197.177.16
5.9.212.43
66.85.131.123"
Scam of the day: More fake CNN e-mails
- https://isc.sans.edu/diary.html?storyid=15436
Last Updated: 2013-03-19 17:37:08 UTC
> https://isc.sans.edu/diaryimages/images/cnncyprus.png
> http://wepawet.iseclab.org/view.php?...499c22&type=js
-
Fake USPS SPAM...
FYI...
Fake USPS SPAM / himalayaori .ru
- http://blog.dynamoo.com/2013/03/usps...layaoriru.html
20 March 2013 - "This -fake- UPS (or is it USPS?) spam leads to malware on himalayaori .ru. The malicious link is in an attachment called ATT17235668.htm. For some reason the only sample of the spam that I have is horribly mangled:
From: HamzaRowson @hotmail .com [mailto:HamzaRowson @hotmail .com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657
Your USPS TEAM for big savings!
Can't see images? CLICK HERE.
UPS UPS SUPPORT 56 Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping.
Learn More >> UPS - Your UPS Team
Good day, [redacted].
Dear User , Delivery Confirmation: Failed
Track your Shipment now!
With best regards , Your UPS Customer Services. Shipping Tracking Calculate Time & Cost
Open an Account @ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy. Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325
Attn: Customer Communications Department
Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori .ru:8080/forum/links/column.php (report here*), in this case via a legitimate hacked site at [donotclick]www.unisgolf .ch/report.htm but that is less important. himalayaori .ru is hosted on a couple of IPs that look familiar:
50.22.0.2 (SoftLayer, US)
188.165.202.204 (OVH, France)
Recommended blocklist:
50.22.0.2
188.165.202.204
himalayaori .ru
hentaimusika .ru
hiskintako .ru
gxnaika .ru
forumla .ru
gulivaerinf .ru
foruminanki.ru
forumny .ru ..."
* http://urlquery.net/report.php?id=1525298
___
Fake Invoice SPAM / hifnsiiip .ru
- http://blog.dynamoo.com/2013/03/end-...fnsiiipru.html
20 Mar 2013 - "This fake invoice spam leads to malware on hifnsiiip .ru:
Date: Wed, 20 Mar 2013 05:41:44 +0100
From: LinkedIn Connections [connections @linkedin .com]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoices-AS9927.htm
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The attached Invoices-AS9927.htm file attempts to direct the victim to a malicious landing page [donotclick]hifnsiiip .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
109.230.229.156 (High Quality Server, Germany)
188.165.202.204 (OVH, France)
Recommended blocklist:
50.22.0.2
109.230.229.156
188.165.202.204..."
(More at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1526708
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204
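The .htm attachments in this and the previous posts do nothing but bounce the victim to the :8080/forum/links/column.php landing page. When triaging one of these, pull every redirect target out of the file without rendering it. The parser below is an added example and not code from dynamoo; the posts do not show the attachment's contents, so the sample .htm is constructed and the mechanisms it contains (meta refresh, a JavaScript location assignment and a hidden iframe, plus an ordinary link) are the common ones rather than what these particular attachments used.

```python
"""Extract redirect targets from an .htm e-mail attachment without rendering it.
Added example; SAMPLE_HTM is constructed, not a real attachment."""
import re
from html.parser import HTMLParser

SAMPLE_HTM = """<html><head>
<meta http-equiv="refresh" content="0; URL=http://hifnsiiip.ru:8080/forum/links/column.php">
<script>
window.location.href = "http://hifnsiiip.ru:8080/forum/links/column.php";
</script>
</head><body>
<p>Please wait while the invoice loads...</p>
<iframe src="http://hifnsiiip.ru:8080/forum/links/column.php" width="1" height="1"></iframe>
<a href="http://www.example.com/invoice">open invoice</a>
</body></html>"""

# 'content="0; URL=http://..."' -> the URL part
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
# window.location = "...", location.href = "...", location.replace("...") etc.
JS_LOCATION_RE = re.compile(
    r"(?:\b(?:window|document|top|self|parent)\s*\.\s*)?location"
    r"(?:\s*\.\s*(?:href|replace|assign))?\s*(?:=|\()\s*['\"]([^'\"]+)['\"]", re.I)

AUTO = {"meta-refresh", "js-location", "iframe"}   # fire without a click


class RedirectExtractor(HTMLParser):
    """Collects (mechanism, url) pairs in document order."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.found.append(("meta-refresh", m.group(1)))
        elif tag == "iframe" and a.get("src"):
            self.found.append(("iframe", a["src"]))
        elif tag == "a" and a.get("href"):
            self.found.append(("anchor", a["href"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # script bodies arrive here as raw text; look for location writes
        if self._in_script:
            for url in JS_LOCATION_RE.findall(data):
                self.found.append(("js-location", url))


def extract_redirects(html_text):
    """All (mechanism, url) pairs found in the attachment."""
    p = RedirectExtractor()
    p.feed(html_text)
    p.close()
    return p.found


def auto_targets(found):
    """Distinct URLs reached without user interaction, in document order."""
    seen, out = set(), []
    for mech, url in found:
        if mech in AUTO and url not in seen:
            seen.add(url)
            out.append(url)
    return out


if __name__ == "__main__":
    hits = extract_redirects(SAMPLE_HTM)
    for mech, url in hits:
        print(f"{mech:13} {url}")
    print("auto-triggered:", auto_targets(hits))
```

This catches plain-text redirects only. The real attachments in these campaigns were often obfuscated (string concatenation, escape sequences, eval), in which case the regex finds nothing and the file needs to be run through a JavaScript deobfuscator or a sandboxed browser; an attachment whose script contains eval/unescape but yields no target here is itself a signal worth acting on.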
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - 2013 Mar 20
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 20
Fake Payment Transaction Notice E-mail Messages - 2013 Mar 19
Fake Wire Transfer Notification E-mail Messages - 2013 Mar 19
Fake Document Attachment E-mail Message - 2013 Mar 19
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Mar 18
Fake Order And Transfer Slip Notification E-mail Messages - 2013 Mar 18
Fake Payment Processing Notice E-mail Messages - 2013 Mar 18
Fake Purchase Order Payment Notification E-mail Messages - 2013 Mar 18
Fake Product Order E-mail Messages - 2013 Mar 18
Fake Online Purchase Receipt E-mail Messages - 2013 Mar 18
(More detail and links at the cisco URL above.)
-
Fake NACHA / ScanJet SPAM ...
FYI...
Fake NACHA SPAM / encodeshole .org
- http://blog.dynamoo.com/2013/03/nacha-spam.html
21 March 2013 - "This fake NACHA spam leads to malware on encodeshole .org:
From: "Тимур.Родионов @direct.nacha .org" [mailto:biker @wmuttkecompany .com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High
Dear Sirs,
Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
Best regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548
The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:
91.234.33.187
encodeshole .org
rotariesnotify .org
rigidembraces .info
storeboughtmodelers .info
* http://urlquery.net/report.php?id=1536940
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 91.234.33.187
- https://www.google.com/safebrowsing/...?site=AS:56485
"... over the past 90 days, 54 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-21, and the last time suspicious content was found was on 2013-03-21... Over the past 90 days, we found 8 site(s) on this network... that appeared to function as intermediaries for the infection of 23 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 13 site(s)... that infected 30 other site(s)..."
___
Fake ScanJet SPAM / hillaryklinton .ru
- http://blog.dynamoo.com/2013/03/scan...t-spam_21.html
21 March 2013 - "This fake printer spam leads to malware on the amusingly-named hillaryklinton .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.
Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set
In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)
Blocklist:
50.22.0.2
62.75.157.196
109.230.229.156
foruminanki .ru
forumla .ru
forumny .ru
gulivaerinf .ru
gxnaika .ru
hanofk .ru
heelicotper .ru
hifnsiiip .ru
hillaryklinton .ru
himalayaori .ru
humalinaoo .ru
* http://urlquery.net/report.php?id=1535161
... Detected suspicious URL pattern... Blackhole 2 Landing Page 109.230.229.156
___
Fake CNN emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/21/f...-exploit-kit/?
March 21, 2013 - "... thousands of malicious ‘CNN Breaking News’ themed emails... exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
webpageparking .net – 109.74.61.59; 24.111.157.113; 58.26.233.175; 155.239.247.247...
Responding to 24.111.157.113 ... malicious domains...
Upon successful client-side exploitation, the campaign drops MD5: 24d406ef41e9a4bc558e22bde0917cc5 * ... Worm:Win32/Cridex.E...
* https://www.virustotal.com/en/file/3...89be/analysis/
File name: deskadp.dll
Detection ratio: 23/45
Analysis date: 2013-03-21 10:46
___
Fake "Data Processing Service" spam / airtrantran .com
- http://blog.dynamoo.com/2013/03/data...vice-spam.html
21 Mar 2013 - "This spam leads to malware on airtrantran .com
Date: Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From: Data Processing Service [customerservice @dataprocessingservice .com]
Subject: ACH file ID "973.995" has been processed successfully
Files Processing Service
SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59
For addidional info review it here
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247 ..."
___
Fake Facebook SPAM / scriptuserreported .org
- http://blog.dynamoo.com/2013/03/face...portedorg.html
21 Mar 2013 - "This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported .org:
Date: Thu, 21 Mar 2013 10:56:28 -0500
From: Facebook [update+oi=MKW63Z @facebookmail .com]
Subject: John Jenkins commented photo of you.
facebook
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
The malicious payload is at [donotclick]scriptuserreported .org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:
inetnum: 5.39.37.24 - 5.39.37.31
netname: n2p3DoHost
descr: DoHost n2 p3
country: FR ...
Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here*). This server also hosts the following potentially malicious domains:
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01 .com
workhomeheres02 .com
There's also a work-at-home scam on 5.39.37.24:
makeworkhome12 .pl
5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels .info
supermyadminspanels .info
So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host .net...
Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
Minimum blocklist:
5.39.37.31
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Recommended blocklist:
5.39.37.24/29
makeworkhome12 .pl
myadminspanels .info
supermyadminspanels .info
workhomeheres01 .com
workhomeheres02 .com
rl-host .net
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com"
* http://urlquery.net/report.php?id=1539128
... Detected live BlackHole v2.0 exploit kit 5.39.37.31
___
Fake Changelog SPAM / hillairusbomges .ru
- http://blog.dynamoo.com/2013/03/chan...sbomgesru.html
21 Mar 2013 - "This fake changelog spam leads to malware on hillairusbomges .ru:
Date: Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: Re: Changelog Oct.
Good morning,
as prmised updated changelog - View
L. LOYD
The malicious payload is at [donotclick]hillairusbomges .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)
Blocklist:
50.22.0.2
66.249.23.64
188.165.202.204 ..."
* http://urlquery.net/report.php?id=1540852
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204
:fear::mad:
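The dynamoo posts above publish their indicators defanged ("example .com", "[donotclick]", "hxxp ://", "w w w.", plus CIDR blocks such as 5.39.37.24/29), so they can't be pasted straight into a firewall or proxy. The following Python script is an added example, not code from this thread or from the dynamoo blog: it refangs a post in that style, pulls out hosts and IP ranges, drops any single IP already covered by a wider block, and emits a clean blocklist. The post text inside it is a constructed sample modelled on the format above, not a real excerpt, and the file-extension filter is an assumed heuristic to keep filenames like column.php out of the host list.

```python
"""Turn a defanged threat-intel post into a refanged, de-duplicated blocklist.

Added example (not the forum's or dynamoo's own tooling). Handles the defanging
conventions used in the posts above: "name .tld", "[donotclick]", "hxxp ://",
"w w w." and CIDR blocks like 5.39.37.24/29.
"""
import ipaddress
import re

# Constructed sample in the style of the posts above (not a real excerpt).
SAMPLE_POST = """\
The malicious payload is at [donotclick]scriptuserreported .org/close/keys-importance-mention.php hosted on 5.39.37.31
Recommended blocklist:
5.39.37.24/29
makeworkhome12 .pl
w w w.ddanports .com/kpindex.htm
hxxp ://crackedserverz .com/kill/larger_emergency.php \u2013 155.239.247.247; 109.74.61.59
resolveconsolidate.net
Blackhole 2 Landing Page 5.39.37.31
"""

_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?$")
_HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# Assumed heuristic: tokens ending in these are filenames, not hostnames.
_FILE_EXTS = {"zip", "exe", "php", "htm", "html", "txt", "png", "jpg", "doc", "dll", "pdf"}


def refang(text):
    """Undo the defanging used in the posts so tokens parse as real hosts/URLs."""
    text = text.replace("[donotclick]", "")
    text = re.sub(r"hxxp(s?)\s*://", r"http\1://", text)  # "hxxp ://" -> "http://"
    text = text.replace("w w w.", "www.")
    # "example .com" -> "example.com" (a space inserted before the TLD)
    text = re.sub(r"(?<=\w) \.(?=[a-z])", ".", text, flags=re.I)
    return text


def extract_iocs(text):
    """Return (set of ip_network, set of hostnames) found in a defanged post."""
    nets, hosts = set(), set()
    for raw in refang(text).split():
        tok = raw.strip("()[]{}<>\"'.,;:*\u2013-")
        if not tok:
            continue
        if _IP_RE.match(tok):
            try:
                nets.add(ipaddress.ip_network(tok, strict=False))  # /32 for bare IPs
            except ValueError:
                pass  # e.g. an octet > 255: not an address
            continue
        # Strip scheme, path and port so only the host part is considered.
        host = re.sub(r"^[a-z]+://", "", tok, flags=re.I).split("/")[0].split(":")[0]
        if _HOST_RE.match(host) and host.rsplit(".", 1)[1].lower() not in _FILE_EXTS:
            hosts.add(host.lower())
    return nets, hosts


def build_blocklist(text):
    """Collapse IPs into the widest listed block and return one sorted list of strings."""
    nets, hosts = extract_iocs(text)
    lines = []
    for net in ipaddress.collapse_addresses(nets):  # drops /32s inside a listed /29 etc.
        lines.append(str(net) if net.prefixlen != 32 else str(net.network_address))
    return lines + sorted(hosts)


if __name__ == "__main__":
    for entry in build_blocklist(SAMPLE_POST):
        print(entry)
```

For the sample post this yields the /29 (with the duplicated 5.39.37.31 folded into it), the two bare IPs and five hostnames; feed the real post text in place of SAMPLE_POST and review the output before loading it, since the extension filter is a heuristic and a post may mention a legitimate domain (e.g. a spoofed sender) that should not be blocked.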
-
Fake Zendesk pharma SPAM ...
FYI...
Fake Zendesk SPAM / vagh .ru / pillshighest .com
- http://blog.dynamoo.com/2013/03/zend...-security.html
22 Mar 2013 - "This unusual spam leads to a fake pharma site on pillshighest .com via vagh .ru and an intermediate -hacked- site.
Date: Fri, 22 Mar 2013 13:52:08 -0700
From: Support Team [pinbot @schwegler .com]
To: [redacted]
Subject: An important notice about security
We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.
We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:
Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
Use a strong password. If your password is weak, you can create a new one.
We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.
Support Team
Questions? See our FAQ.
This email was sent to [redacted].
©2013 Zendesk, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
There appears to be no malware involved in this attack. After the user has clicked through to the -hacked- site (in this case [donotclick]www.2001hockey .com/promo/page/ - report here*) the victim is -bounced- to [donotclick]vagh .ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine**) and then on to [donotclick]pillshighest .com on 91.217.53.30 (Fanjcom, Czech Republic).
Some IPs and domains you might want to block:
91.217.53.30
193.105.210.212 ..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1547240
... RBN - Known Russian Business Network IP - 109.120.138.155***
** https://www.google.com/safebrowsing/...?site=AS:57954
*** https://www.google.com/safebrowsing/...?site=AS:30968
- http://nakedsecurity.sophos.com/2013...curity-notice/
March 22, 2013
> https://sophosnews.files.wordpress.c...tice.jpg?w=640
___
Fake ACH email - malware...
- http://www.hoax-slayer.com/ach-file-...-malware.shtml
March 22, 2013 - "Outline: Message purporting to be from the Automated Clearing House (ACH) claims that a file submitted by a user has been successfully processed and invites recipients to click a link to read more information about the large sum transactions listed....
Brief Analysis: The email is -not- from ACH and the transactions listed in the message are not genuine. The -link- in the email opens a compromised website that harbours information-stealing malware... Those who do click the link will be taken to one of several websites that harbour malware. Once downloaded, such malware can typically make connections with remote servers controlled by criminals, download and install further malware components and harvest personal and financial information from the infected computer.
Scammers have targeted the ACH and the entity's managing body NACHA for several years. Some have been malware attacks such as this one. Others have been phishing scams intent on tricking people into divulging their personal and financial information. The ACH is an official funds transfer system that processes large volumes of credit and debit transactions in the United States and this makes it an attractive target for scammers.
Neither ACH nor NACHA will ever send you an unsolicited email that asks you to open an attachment or follow a link and supply personal information. If you receive an email that claims to be from the ACH or NACHA, do not open any attachments that it may contain. Do not follow any links in the email. Do not reply to the email or supply any information to the senders."
___
Fake Wire Transfer SPAM / dataprocessingservice-alerts .com
- http://blog.dynamoo.com/2013/03/wire...ingservic.html
22 Mar 2013 - "This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts .com:
Date: Fri, 22 Mar 2013 10:42:22 -0600
From: support @digitalinsight .com
Subject: Terminated Wire Transfer Notification - Ref: 54133
Immediate Transfers Processing Service
STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:
Initiated By: [redacted]
Initiated Date & Time: 2013-03-21 4:00:46 PM PST
Reference Number: 54133
For addidional info visit this link
The payload is at [donotclick]dataprocessingservice-alerts .com/kill/chosen_wishs_refuses-limits.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247 ..."
* http://urlquery.net/report.php?id=1548528
... Detected live BlackHole v2.0 exploit kit 24.111.157.113
___
Fake Changelog SPAM / hohohomaza .ru
- http://blog.dynamoo.com/2013/03/chan...ohomazaru.html
22 Mar 2013 - "Evil changelog spam episode 274, leading to malware on hohohomaza .ru. Hohoho indeed.
Date: Fri, 22 Mar 2013 11:06:48 -0430
From: Hank Sears via LinkedIn [member @linkedin .com]
Subject: Fwd: Changelog as promised (upd.)
Hello,
as promised changelog - View
L. HENDRICKS
The malware landing page is at [donotclick]hohohomaza .ru:8080/forum/links/column.php hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)
Blocklist:
50.22.0.2
66.249.23.64
80.246.62.143 ..."
:mad::fear:
-
Fake BBC, BoA, Printer SPAM... more...
FYI...
Fake BBC emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/25/m...e-exploit-kit/
March 25, 2013 - "Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the fake BBC News email:
> https://webrootblog.files.wordpress....kit_cyprus.png
... Sample client-side exploits serving URL: hxxp ://crackedserverz .com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1 @gmx .us...
Upon successful client-side exploitation the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2 * ...Spyware/Win32.Zbot..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/4...38c7/analysis/
File name: 1d4aaaf4ae7bfdb0d9936cd71ea717b2
Detection ratio: 23/45
Analysis date: 2013-03-21
- https://www.net-security.org/malware_news.php?id=2444
25.03.2013
Fake: https://www.net-security.org/images/...s-fake-big.jpg
___
Fake Bank of America SPAM / PAYMENT RECEIPT 25-03-2013-GBK-74
- http://blog.dynamoo.com/2013/03/bank...eceipt-25.html
25 Mar 2013 - "This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip
Date: Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
From: Bank of America [gaudilyl30 @gmail .com]
Subject: Your transaction is completed
Transaction is completed. $4924 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved
Opening the ZIP file leads to an EXE called PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal*. Comodo CAMAS detects traffic to the domains seantit .ru and programcam .ru hosted on:
59.99.226.54 (BSNL Internet, India)
66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
77.241.198.65 (VPSnet, Lithuania)
81.20.146.229 (GONetwork, Estonia)
103.14.8.20 (Symphony Communication, Thailand)
Plain list:
59.99.226.54
66.248.200.143
77.241.198.65
81.20.146.229
103.14.8.20 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/file/b...755d/analysis/
File name: Loaf Harley Goals
Detection ratio: 22/46
Analysis date: 2013-03-25
___
Fake HP ScanJet SPAM / humaniopa .ru
- http://blog.dynamoo.com/2013/03/scan...manioparu.html
25 Mar 2013 - "This fake printer spam leads to malware on humaniopa .ru:
Date: Mon, 25 Mar 2013 03:57:54 -0500
From: LinkedIn Connections [connections @linkedin .com]
Subject: Scan from a HP ScanJet #928909620
Attachments: Scanned_Document.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 98278P.
Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set
The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196 ..."
* http://urlquery.net/report.php?id=1592330
... Detected suspicious URL pattern... Blackhole 2 Landing Page 95.211.154.196
___
Fake "Copies of policies" SPAM / heepsteronst .ru
- http://blog.dynamoo.com/2013/03/copi...teronstru.html
25 Mar 2013 - "This spam leads to malware on heepsteronst .ru:
Date: Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
From: Ashley Madison [donotreply @ashleymadison .com]
Subject: RE: DEBBRA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DEBBRA Barnard,
The malicious payload is at [donotclick]heepsteronst .ru:8080/forum/links/column.php (report here*). The IP addresses used are the same ones as used in this attack**."
* http://urlquery.net/report.php?id=1593558
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
** http://blog.dynamoo.com/2013/03/scan...manioparu.html
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Future of Digital Marketing Event Notification E-mail Message - 2013 Mar 25
Fake Product Order Shipping Documents E-mail Messages - 2013 Mar 25
Fake Online Dating Request E-mail Messages - 2013 Mar 25
Fake Product Sample Request E-mail Messages - 2013 Mar 25
Fake Product Order E-mail Message - 2013 Mar 25
Fake Quotation Request With Attached Sample Design Notification E-mail Messages - 2013 Mar 25
Fake Shipment Notification E-mail Messages - 2013 Mar 25
Fake Bank Repayment Information E-mail Messages - 2013 Mar 25
Fake Payment Transaction Notification E-mail Messages - 2013 Mar 25
(More detail and links at the cisco URL above.)
:mad::mad:
-
Fake ADP, NACHA, DHL SPAM lead to malware
FYI...
Fake ADP emails lead to malware
- http://blog.webroot.com/2013/03/26/a...ad-to-malware/
March 26, 2013 - "Over the past week, we intercepted a massive ‘ADP Payroll Invoice” themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....der_botnet.png
Detection rate for the malicious attachment:
MD5: 54e9a0495fbd5c952af7507d15ebab90 * ... Trojan.Win32.FakeAV.qqdm
... Initiating the following TCP connections:
213.186.47.54 :8080
195.93.201.42 :80
216.55.186.239 :80
77.92.151.6 :80
66.118.64.208 :80 ...
Detection rates for the downloaded malware samples:
hxxp://infoshore.biz/cx5oMi.exe – MD5: 13eeca375585322c676812cf9e2e9789 ** ... Heuristic.LooksLike.Win32.Suspicious.B
hxxp://axelditter.de/w91qZ5.exe – MD5: 87c658970958bb5794354a91f8cc5a7d – detected by 18 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM...
It then makes multiple UDP connection attempts to the following IPs, part of the botnet’s infrastructure:
109.162.153.126 :25603
81.149.242.235 :28768
88.241.148.26 :19376
78.166.167.62 :26509
88.232.36.188 :11389
80.6.67.158 :11016 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/f...is/1363949422/
File name: ADP_Invoice.exe
Detection ratio: 24/46
Analysis date: 2013-03-22
** https://www.virustotal.com/en/file/8...is/1363952056/
File name: ADP_cx5oMi.exe
Detection ratio: 3/46
Analysis date: 2013-03-22
___
Fake NACHA SPAM / breathtakingundistinguished .biz
- http://blog.dynamoo.com/2013/03/nach...nguishedb.html
26 March 2013 - "This fake NACHA spam leads to malware on breathtakingundistinguished .biz:
From: "Гена.Симонов@direct .nacha .org" [mailto:corruptnessljx953 @bsilogistik .com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High
Attn: Accounting Department
We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
Click here for more information
Please consult with your financial institution to acquire the updated version of the software.
Yours truly,
ACH Network Rules Department
NACHA - The Electronic Payments Association
19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698
The malicious payload is at [donotclick]breathtakingundistinguished .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering .biz
hitwiseintelligence .biz
breathtakingundistinguished .biz "
* http://urlquery.net/report.php?id=1615815
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 62.173.138.71
___
Fake DHL Spam / LABEL-ID-NY26032013-GFK73.zip
- http://blog.dynamoo.com/2013/03/dhl-...-gfk73zip.html
26 Mar 2013 - "This DHL-themed spam contains a malicious attachment.
Date: Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From: Bart Whitt - DHL regional manager [reports @dhl .com]
Subject: DHL delivery report NY20032013-GFK73
Web Version | Update preferences | Unsubscribe
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global
Edit your subscription | Unsubscribe
> https://lh3.ggpht.com/-7RU-0iFN_k8/U.../s1600/dhl.png
Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
VirusTotal detections for this malware are low (7/46*). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here**."
* https://www.virustotal.com/en/file/f...is/1364296589/
File name: LABEL-ID-NY26032013-GFK73.exe
Detection ratio: 7/46
Analysis date: 2013-03-26
** http://blog.dynamoo.com/2013/03/bank...eceipt-25.html
Screenshot: http://threattrack.tumblr.com/post/4...ification-spam
__
Fake eFax SPAM / hjuiopsdbgp .ru
- http://blog.dynamoo.com/2013/03/efax...opsdbgpru.html
26 Mar 2013 - "This fake eFax spam leads to malware on hjuiopsdbgp .ru:
Date: Tue, 26 Mar 2013 06:23:36 +0800
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Pages.htm
Fax Message [Caller-ID: 378677295]
You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.
* The reference number for this fax is [eFAX-677484317].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196 ..."
* http://urlquery.net/report.php?id=1617697
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit 95.211.154.196
___
Fake UPS SPAM / Label_8827712794 .zip
- http://blog.dynamoo.com/2013/03/ups-...712794zip.html
26 Mar 2013 - "This fake UPS spam has a malicious EXE-in-ZIP attachment:
Date: Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From: UPS Express Services [service-notification @ups .com]
Subject: UPS - Your package is available for pickup ( Parcel 4HS287FD )
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
CONFIDENTIALITY NOTICE...
The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46*. ThreatExpert reports** that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)
Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149
aseforum .ro
htlounge .com
htlounge .net
topcancernews .com
23.localizetoday .com
23.localizedonline .com
23.localizedonline .net"
* https://www.virustotal.com/en/file/b...is/1364312344/
File name: Label_8827712794.exe
Detection ratio: 6/46
Analysis date: 2013-03-26
** http://www.threatexpert.com/report.a...095b509d678f5e
Screenshot: http://threattrack.tumblr.com/post/4...ge-pickup-spam
___
Fake Wire Transfer SPAM / hondatravel .ru
- http://blog.dynamoo.com/2013/03/wire...atravelru.html
26 March 2013 - "This fake Wire Transfer spam leads to malware on hondatravel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)
Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]hondatravel .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
These IPs were seen earlier with this attack**."
* http://urlquery.net/report.php?id=1618697
... Detected suspicious URL pattern... Blackhole 2 Landing Page 66.249.23.64
** http://blog.dynamoo.com/2013/03/efax...opsdbgpru.html
Screenshot: http://threattrack.tumblr.com/post/4...g-service-spam
___
Fake TRAFFIC TICKET SPAM / hondatravel .ru
- http://blog.dynamoo.com/2013/03/ny-t...atravelru.html
26 Mar 2013 - "I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel .ru:
Date: Wed, 27 Mar 2013 04:24:14 +0330
From: "LiveJournal .com" [do-not-reply @livejournal .com]
Subject: Fwd: Re: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 2:15 AM
Date of Offense: 28/07/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
The malicious payload appears to be identical to this spam run* earlier today."
* http://blog.dynamoo.com/2013/03/wire...atravelru.html
Screenshot: http://threattrack.tumblr.com/post/4...ic-ticket-spam
:mad::fear:
-
Fake NACHA, Airline E-ticket receipt SPAM
FYI...
Fake Airline E-ticket receipt SPAM / illuminataf .ru
- http://blog.dynamoo.com/2013/03/brit...s-spam_27.html
27 Mar 2013 - "This fake airline ticket spam leads to malware on illuminataf .ru:
Date: Wed, 27 Mar 2013 03:23:05 +0100
From: "Xanga" [noreply @xanga .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-Receipt.htm
e-ticket receipt
Booking reference: JQ15191488
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services ...
The attachment E-Ticket-Receipt.htm leads to a malicious payload at [donotclick]illuminataf .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)
Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134 ..."
* http://urlquery.net/report.php?id=1633301
... Detected suspicious URL pattern... Blackhole 2 Landing Page 69.46.253.241
___
Fake NACHA SPAM / mgithessia .biz
- http://blog.dynamoo.com/2013/03/nach...hessiabiz.html
27 March 2013 - "This fake NACHA spam leads to malware on mgithessia .biz:
From: "Олег.Тихонов@direct .nacha .org" [mailto:universe87 @mmsrealestate .com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High
To whom it may concern:
We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
Click here for more information
Please consult with your financial institution to obtain the updated version of the software.
Kind regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894
The malicious payload is at [donotclick]mgithessia .biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain; however, it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this*.
* http://urlquery.net/report.php?id=1635808
... Detected live BlackHole v2.0 exploit kit 46.4.150.118
DNS services are provided by justintvfreefall .org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58 ..."
___
Sendspace Spam
- http://threattrack.tumblr.com/post/4...sendspace-spam
27 March, 2013 - "Subjects seen: You have been sent a file (Filename: [removed].pdf)
Typical e-mail details:
Sendspace File Delivery Notification:
You’ve got a file called [removed].pdf, (625.62 KB) waiting to be downloaded at sendspace.(It was sent by CONCHA ).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.
Malicious URLs:
my311 .com/info.htm - 173.246.66.199
contentaz .com/info.htm - 66.147.244.103
illuminataf .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84 ..."
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Kj91qz4rgp.png
___
Xerox WorkJet Pro Spam
- http://threattrack.tumblr.com/post/4...rkjet-pro-spam
27 March 2013 - "Subjects seen:
Fwd: Fwd: Scan from a Xerox W. Pro #[removed]
Typical e-mail details:
A Document was sent to you using a XEROX WorkJet PRO
SENT BY : Anderson
IMAGES : 4
FORMAT (.JPEG) DOWNLOAD
Malicious URLs:
thuocdonga .com/info.htm - 66.147.244.103
ilianorkin .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84
Screenshot: https://gs1.wac.edgecastcdn.net/8019...7vs1qz4rgp.png
:fear::mad:
-
Fake Changelog, Printer SPAM ...
FYI...
Fake Xerox ptr SPAM / ilianorkin .ru
- http://blog.dynamoo.com/2013/03/scan...anorkinru.html
28 March 2013 - "This fake printer spam leads to malware on ilianorkin .ru:
From: officejet @[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307
A Document was sent to you using a XEROX WorkJet PRO 481864299.
SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]ilianorkin .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84 ..."
* http://urlquery.net/report.php?id=1652917
... Detected suspicious URL pattern... Blackhole 2 Landing Page 140.114.75.84
Screenshot: https://gs1.wac.edgecastcdn.net/8019...7vs1qz4rgp.png
___
Fake Changelog SPAM / Changelog_Urgent_N992.doc.exe
- http://blog.dynamoo.com/2013/03/chan...992docexe.html
28 March 2013 - "This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe
From: Logistics Express [admin @ups .com]
Subject: Re: Changelog 2011 update
Hi,
as promised changelog,
Michaud Abran
VirusTotal* detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports** the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive. If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases."
* https://www.virustotal.com/en/file/f...is/1364462703/
File name: Changelog_Urgent_N992.doc.exe
Detection ratio: 18/46
Analysis date: 2013-03-28
** http://camas.comodo.com/cgi-bin/subm...e26149e977eee6
___
Fake Facebook SPAM / ipiniadto .ru
- http://blog.dynamoo.com/2013/03/face...iniadtoru.html
28 Mar 2013 - "The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From: FilesTube [filestube @filestube .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]ipiniadto .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as used in this attack**:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84 ..."
* http://urlquery.net/report.php?id=1661788
... Detected suspicious URL pattern... Blackholev2 redirection 66.249.23.64
** http://blog.dynamoo.com/2013/03/scan...anorkinru.html
___
Key Secured Message Spam
- http://threattrack.tumblr.com/post/4...d-message-spam
28 March 2013 - "Subjects seen:
Key Secured Message
Typical e-mail details:
You have received a Secured Message from:
[removed] @key .com
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - [removed]
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.0016.
Malicious URLs:
24.cellulazetrainingcenter .com/ponyb/gate.php
23.mylocalreports .info/ponyb/gate.php
htlounge .com:8080/ponyb/gate.php
rueba .com/eXkdB.exe
nikosst .com/yttur.exe
bmwautomotiveparts .com/kUXY.exe"
Screenshot: https://gs1.wac.edgecastcdn.net/8019...4wN1qz4rgp.png
___
ADP Netsecure Spam
- http://threattrack.tumblr.com/post/4...netsecure-spam
28 March 2013 - "Subjects seen:
ADP Immediate Notification
Typical e-mail details:
ADP Immediate Notification
Reference #: [removed]
Thu, 28 Mar 2013 -01:38:59 -0800
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Malicious URLs:
forum.awake-rp .ru/kpindex.htm
ipiniadto .ru:8080/forum/links/column.php
otrs.gtg .travel/kpindex.htm
ej-co .ru/kpindex.htm
w w w.ddanports .com/kpindex.htm
yunoksoo.g3 .cc/kpindex.htm
w w w.nzles .com/kpindex.htm
thewellshampstead .co.uk/kpindex.htm
Screenshot: https://gs1.wac.edgecastcdn.net/8019...gxw1qz4rgp.png
Fake ADP Spam / ipiniadto .ru
- http://blog.dynamoo.com/2013/03/adp-...iniadtoru.html
28 Mar 2013 - "This fake ADP spam leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From: Bebo Service [service @noreply.bebo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 120327398
Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 975316004
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious landing page and recommended blocklist are the same as for this parallel attack* also running today."
* http://blog.dynamoo.com/2013/03/face...iniadtoru.html
:fear::mad:
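The three posts quoted above share a small set of network indicators: the Blackhole landing-page path `/forum/links/column.php` on `ipiniadto .ru:8080`, the `/ponyb/gate.php` check-in gate on the Pony hosts, the `/kpindex.htm` redirector pages, and the three-IP blocklist. The script below is an added example (not code from Dynamoo or ThreatTrack) that sweeps proxy-log lines for those indicators. The log layout (`client method url status`) and the log lines themselves are constructed; a real deployment would substitute the parser for its own proxy format.

```python
"""Proxy-log sweep for the indicators quoted in the posts above.

Added example, not code from the quoted blogs. The log lines below are
constructed in a simple "client method url status" layout.
"""
import ipaddress
from urllib.parse import urlsplit

# Network indicators as quoted in the posts above (28 Mar 2013), re-joined
# from their defanged form.
BLOCKED_IPS = {"66.249.23.64", "69.46.253.241", "140.114.75.84"}
BLOCKED_HOSTS = {
    "ipiniadto.ru", "forum.awake-rp.ru", "otrs.gtg.travel", "ej-co.ru",
    "www.ddanports.com", "yunoksoo.g3.cc", "www.nzles.com",
    "thewellshampstead.co.uk", "24.cellulazetrainingcenter.com",
    "23.mylocalreports.info", "htlounge.com", "rueba.com", "nikosst.com",
    "bmwautomotiveparts.com",
}
# URL paths shared across the campaigns: exploit-kit landing page, the
# "ponyb" gate and the kpindex.htm redirector pages.
SUSPICIOUS_PATHS = ("/forum/links/column.php", "/ponyb/gate.php", "/kpindex.htm")


def classify_url(url):
    """Return the list of indicator matches for one URL ([] if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        # Literal IP in the URL: compare against the IP blocklist.
        if str(ipaddress.ip_address(host)) in BLOCKED_IPS:
            reasons.append("ip " + host)
    except ValueError:
        # Not an IP literal, so treat it as a hostname.
        if host in BLOCKED_HOSTS:
            reasons.append("host " + host)
    for path in SUSPICIOUS_PATHS:
        if parts.path.lower().endswith(path):
            reasons.append("path " + path)
    return reasons


def scan_log(lines):
    """Return (line_no, client, url, reasons) for every line that matches."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it rather than abort the sweep
        client, url = fields[0], fields[2]
        reasons = classify_url(url)
        if reasons:
            hits.append((line_no, client, url, reasons))
    return hits


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.example.org/index.html 200",
    "10.0.0.7 GET http://ipiniadto.ru:8080/forum/links/column.php 200",
    "10.0.0.9 GET http://24.cellulazetrainingcenter.com/ponyb/gate.php 200",
    "10.0.0.9 GET http://66.249.23.64/some/path 302",
    "10.0.0.11 GET http://thewellshampstead.co.uk/kpindex.htm 200",
]

if __name__ == "__main__":
    for line_no, client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} -> {url}  [{', '.join(reasons)}]")
```

The path match is kept separate from the host match on purpose: the gate and landing-page paths stayed constant across these campaigns while the hosts rotated daily, so a path hit on an unlisted host is the more interesting finding.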
-
Fake 'Overdue Payment' Spam
FYI...
Fake 'Overdue Payment' Spam
- http://threattrack.tumblr.com/post/4...e-payment-spam
March 29, 2013 - "Subjects seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 02/04/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Caroline Givens
Malicious URLs:
24.cellutytelosangeles .com/ponyb/gate.php
24.cellutytela .com/ponyb/gate.php
topcancernews .com:8080/ponyb/gate.php
spireportal .net/L3ork1v.exe
ftp(DOT)riddlepress .com/bahpZsn6.exe
easy .com.gr/QpEQ.exe"
Screenshot: https://gs1.wac.edgecastcdn.net/8019...7bS1qz4rgp.png
Fake Overdue payment SPAM / INVOICE_28781731.zip
- http://blog.dynamoo.com/2013/03/plea...ment-spam.html
29 Mar 2013 - "This spam comes with a malware-laden attachment called INVOICE_28781731.zip:
Date: Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From: Victor_Lindsey @key .com
Subject: Please respond - overdue payment
Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Victor Lindsey
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...
Unzipping the attachment gives a malware file called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal* detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports** a callback to topcancernews .com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack***. Looking for that IP in your logs might show if any of your clients."
* https://www.virustotal.com/en/file/d...is/1364586082/
File name: INVOICE_28781731.exe
Detection ratio: 16/46
Analysis date: 2013-03-29
** http://camas.comodo.com/cgi-bin/subm...6ef091ee4c1a16
*** http://blog.dynamoo.com/2013/03/ups-...712794zip.html
___
Fake FlashPlayer/browser hijack in-the-wild
- http://blogs.technet.com/b/mmpc/arch...edirected=true
26 Mar 2013 - "... The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
> https://www.microsoft.com/security/p.../preflayer.jpg
... most users won’t realize that the program is going to change their browser’s start page. When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe... It then changes the user’s browser start page. It changes the start page for the following browsers:
FireFox, Chrome, Internet Explorer, Yandex
... to one of the following pages:
hxxp ://www.anasayfada .net
hxxp ://www.heydex .com
These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing... Domain info...
hxxp ://www.anasayfada .net - 109.235.251.146
hxxps ://flash-player-download .com/ - 31.3.228.202
hxxp ://www.yonlen .net/ - 37.220.28.122
hxxp ://www.heydex .com - 188.132.235.218 [ now > 109.200.27.170 ]
It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA... misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week. Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying 'no' to content you don't trust."
:mad:
-
Fake Facebook Security Check Page
FYI...
Fake Facebook Security Check Page
- http://blog.trendmicro.com/trendlabs...ty-check-page/
Mar 31, 2013 - "Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception. We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to -redirect- users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”. It does this by redirecting all traffic to facebook .com and www .facebook .com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site. Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ at face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration... we also discovered that the malware performs DNS queries to several domain names. What this means is that the people behind this are prepared for server malfunction and have a backup to continue stealing information. To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification..."
Screenshot: https://www.net-security.org/images/...-sec-check.jpg
___
Fake Last Month Remit Spam
- http://threattrack.tumblr.com/post/4...nth-remit-spam
Apr 1, 2013 - "Subjects seen:
FW: Last Month Remit
Typical e-mail details:
File Validity: 04/05/2013
Company : [removed]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls
Malicious URLs:
3ecompany .com:8080/ponyb/gate.php
24.chiaplasticsurgery .com/ponyb/gate.php
24.chicagobodysculpt .com/ponyb/gate.php
brightpacket .com/coS0GiKE.exe
extremeengineering .co.in/Vh3a9601.exe
CornwallCommuter .com/TLJrtcxA.exe
Screenshot: https://gs1.wac.edgecastcdn.net/8019...vth1qz4rgp.png
:mad::fear:
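The Trend Micro post above describes TSPY_MINOCDO.A pointing facebook .com and www .facebook .com at the local machine through the HOSTS file. The audit below is an added example, not Trend Micro's code: it parses a hosts file and reports any entry for the two watched names, distinguishing a local redirect (loopback or unspecified address) from one to a third-party address. It generalises slightly beyond the post by also reporting every entry that is not one of the stock localhost lines, since a clean Windows or Linux hosts file contains little else. The sample hosts text is constructed; the file normally lives at `%SystemRoot%\System32\drivers\etc\hosts` on Windows and `/etc/hosts` on Linux.

```python
"""Audit a hosts file for the kind of override described in the post above.

Added example, not Trend Micro's code. SAMPLE_HOSTS is constructed.
"""
import ipaddress

WATCHED = {"facebook.com", "www.facebook.com"}  # names from the post
# Names that legitimately appear in a stock hosts file.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each effective line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names maps nothing
        yield line_no, fields[0], [n.lower() for n in fields[1:]]


def audit_hosts(text, watched=WATCHED):
    """Return findings as (line_no, name, address, reason) tuples."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, " ".join(names), address,
                             "unparseable address"))
            continue
        # Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) means the
        # name is being sent to the local machine, as the post describes.
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name in watched:
                where = "local machine" if local else "third-party address"
                findings.append((line_no, name, address,
                                 f"watched name redirected to {where}"))
            elif name not in STOCK_NAMES:
                findings.append((line_no, name, address, "non-standard entry"))
    return findings


# Constructed sample: a stock Windows hosts file plus three added lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       facebook.com
127.0.0.1       www.facebook.com   # added by the dropper
192.0.2.10      update.example.test
"""

if __name__ == "__main__":
    for line_no, name, address, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}: {reason}")
```

Run it against the live file with `audit_hosts(open(path).read())`; an empty result means the file holds only stock entries. Because the malware in the post also watches browser activity, a clean hosts file is necessary but not sufficient evidence that the machine is uninfected.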
-
Fake Changelog, Sendspace... emails lead to malware
FYI...
Fake Changelog emails lead to malware
- http://blog.webroot.com/2013/04/02/s...ad-to-malware/
April 2, 2013 - "... recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....elog.png?w=869
Detection rate for the malicious attachment:
MD5: e01ea945b8d055c5c115ab58749ac502 * ... Worm:Win32/Cridex.E.
Upon execution, the sample creates the following processes on the affected hosts:
C:\WINDOWS\system32\cmd.exe” /c “C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B ...
It then phones back to hxxp://85.214.143.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://91.121.90.92 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same C&C (85.214.143.90) used in a previously profiled malicious campaign..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/f...is/1364475932/
File name: LLSMGR.EXE
Detection ratio: 35/46
Analysis date: 2013-04-01
- https://www.google.com/safebrowsing/...c?site=AS:6724 - 85.214.143.90
- https://www.google.com/safebrowsing/...?site=AS:16276 - 91.121.90.92
___
Fake Sendspace SPAM / imbrigilia .ru
- http://blog.dynamoo.com/2013/04/send...rigiliaru.html
2 Apr 2013 - "This fake Sendspace spam leads to malware on imbrigilia .ru:
Date: Tue, 2 Apr 2013 03:57:26 +0000
From: "JOSIE HARMON" [HARMON_JOSIE @hotmail .com]
Subject: You have been sent a file (Filename: [redacted]-7191.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service...
The malicious payload is at [donotclick]imbrigilia .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34 ..."
* http://urlquery.net/report.php?id=1757102
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
** http://blog.dynamoo.com/2013/04/end-...ired-spam.html
Also: http://threattrack.tumblr.com/post/4...sendspace-spam
2 Apr 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019...WUN1qz4rgp.png
___
Fake "End of Aug. Statement Required" SPAM / ivanovoposel .ru
- http://blog.dynamoo.com/2013/04/end-...ired-spam.html
2 April 2013 - "This spam leads to malware on ivanovoposel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured
Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
SHONTA SCHMITT
Alternate names:
NORIKO Richmond
Raiden MORRISON
Attachments:
Invoice_U13726798 .htm
Invoice_U453718 .htm
Invoice_U913687 .htm
The attachment leads to malware on [donotclick]ivanovoposel .ru:8080/forum/links/column.php (report here*) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34 ..."
* http://urlquery.net/report.php?id=1751267
... Detected live BlackHole v2.0 exploit kit 94.103.45.34
:mad::mad:
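The Dynamoo post on 151.248.123.170 above recommends blocking the dynamic DNS providers as a class rather than chasing individual subdomains. The code below is an added example (not Dynamoo's) that does the parent-domain match on label boundaries, so that a lookalike such as `notservegame.com` is not caught the way a substring test would catch it, and emits the block as BIND response-policy-zone records. The two parent domains come from the post; the assumption that a BIND RPZ is the enforcement point is mine, and the sample hostname list is constructed.

```python
"""Block dynamic-DNS parents as a class, as the post above recommends.

Added example, not Dynamoo's code. Assumes a BIND RPZ as the enforcement
point; SAMPLE_HOSTNAMES is constructed.
"""

# Parent domains seen in the post above (defanged there as "4mydomain .com"
# and "servegame .com").
DYNAMIC_DNS_PARENTS = {"4mydomain.com", "servegame.com"}


def matching_parent(hostname, parents=DYNAMIC_DNS_PARENTS):
    """Return the parent domain that covers hostname, or None.

    The check walks the label suffixes of the name, so only a real parent
    (or the parent itself) matches; "notservegame.com" does not.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in parents:
            return candidate
    return None


def filter_hosts(hostnames, parents=DYNAMIC_DNS_PARENTS):
    """Split hostnames into (blocked, allowed) lists."""
    blocked, allowed = [], []
    for host in hostnames:
        (blocked if matching_parent(host, parents) else allowed).append(host)
    return blocked, allowed


def rpz_records(parents=DYNAMIC_DNS_PARENTS):
    """RPZ lines that answer NXDOMAIN for each parent and everything under it.

    In BIND RPZ syntax "CNAME ." means NXDOMAIN; the wildcard record covers
    the subdomains that the dynamic DNS customers register.
    """
    lines = []
    for parent in sorted(parents):
        lines.append(f"{parent} CNAME .")
        lines.append(f"*.{parent} CNAME .")
    return lines


# Constructed sample; the first two re-join the post's defanged hostnames.
SAMPLE_HOSTNAMES = [
    "fdozwnqdb.4mydomain.com",
    "db0umfdoap.servegame.com",
    "notservegame.com",
    "www.example.org",
]

if __name__ == "__main__":
    blocked, allowed = filter_hosts(SAMPLE_HOSTNAMES)
    print("blocked:", blocked)
    print("allowed:", allowed)
    print("\n".join(rpz_records()))
```

Extend `DYNAMIC_DNS_PARENTS` from the full list at the Dynamoo URL before using the RPZ output; the records block the provider wholesale, which is the trade-off the post argues for.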
-
Something evil on 151.248.123.170
FYI...
Something evil on 151.248.123.170
- http://blog.dynamoo.com/2013/04/some...248123170.html
3 April 2013 - "151.248.123.170 (Reg .ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain .com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame .com/xlawr/next/requirements_anonymous_ordinary.php (report here*) which from the URL looks very much like a BlackHole Exploit kit. This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach..."
(Long list of recommended blocks at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1778882
___
Fake eFax SPAM / ivanikako .ru
- http://blog.dynamoo.com/2013/04/efax...anikakoru.html
3 April 2013 - "This fake eFax spam leads to malware on ivanikako .ru:
From: Global Express UPS [mailto:admin @ups .com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate
Fax Message [Caller-ID: 189609656]
You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.
* The reference number for this fax is [eFAX-698329221].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
The malicious payload is at [donotclick]ivanikako .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238 ..."
* http://urlquery.net/report.php?id=1786247
... Detected suspicious URL pattern... Blackholev2 redirection 94.103.45.34
Screenshot: https://gs1.wac.edgecastcdn.net/8019...N8o1qz4rgp.png
___
APT malware monitors mouse clicks to evade detection
- https://www.computerworld.com/s/arti...esearchers_say
April 2, 2013 - "... Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit sent during targeted email attacks. The name of the document translates to "Islamic Jihad.doc." "We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," FireEye researcher Chong Rong Hwa said Monday in a blog post*. The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there's any mouse activity before initiating the second attack stage. Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click... The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network... The backdoor program gathers and uploads system information back to a command-and-control server. It also supports several commands including one to download and execute additional files on the infected computers..."
* http://www.fireeye.com/blog/technica...se-clicks.html
April 1, 2013
___
Fake Wire Transfer e-mails
- http://tools.cisco.com/security/cent...?alertId=28112
2013 April 03 - "... significant activity related to spam e-mail messages that claim to contain a wire transfer notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the final confirmation notice. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code. E-mail messages that are related to this threat (RuleID5193 and RuleID5193KVR) may contain the following files:
out going wire. pdf.zip
npxo.scr
Sales Contract Order.zip
DEDE.scr
The npxo.scr file in the out going wire. pdf.zip attachment has a file size of 509,199 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2A41A06A00F4CF58485AF938F01B128D
The DEDE.scr file in the Sales Contract Order.zip attachment has a file size of 221,696 bytes. The MD5 checksum is the following string: 0x79274D0CFAC51906FAF8334952AF2734
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Re: Out going wire transfer (High Priority)
Message Body:
We have just received instruction to process a wire transfer of $6,780 from your account. Please download/view the attachment for final confirmation and respond as quickly as possible.
Bank Wire Transfer Department.
-Or-
Subject: New Order
Message Body:
Dear Sir,We are currently running out of stock and would need urgent attentionEnclosed please find a new Order. Please send the delivery as quickly
as possible.Meanwhile, please send us the Invoice for endorsement.Best regards Krystyna..."
:fear: :mad: