Fake "SecureMessage" SPAM ...
FYI...
Fake "SecureMessage" SPAM / infiesdirekt .asia, pacesetting .asia and siteswillsrockf .net
- http://blog.dynamoo.com/2012/12/secu...irektasia.html
23 Dec 2012 - "Another fake "SecureMessage" spam leading to malware, the same in principle to this spam run* and again hosted on the same Serverius-owned** IPs of 46.249.42.161 and 46.249.42.168. There are several variants of the spam, but they are all very similar and look something like this:
Date: Sun, 23 Dec 2012 14:26:32 +0530
From: "Secure.Message"
Subject: Alert: New message
Click here to view the online version.
Hello [redacted],
You have 4 new messages.
Read now
Copyright 2012 SecureMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
... suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do. These are the malicious domains that I can currently identify on those IPs..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2012/12/new-...ived-spam.html
** https://www.google.com/safebrowsing/...?site=AS:50673
:mad:
Pharma/Eastern bloc SPAM...
FYI...
Eastern bloc SPAM...
- http://blog.dynamoo.com/2012/12/godl...-athiests.html
25 Dec 2012 - "... eastern bloc... spammers are sending out today.
Date: Tue, 25 Dec 2012 22:56:51 -0700
From: "Ticket Support"
Subject: Password Assistance
Thank you for your letter of Dec 25, your information arrived today.
Alright, here's the link to the site:
Proceed to Site
If we can help in any way, please do not hesitate to contact us.
Regards, Yuonne Ferro, Support Team manager.
Some variants of the body text:
- "Thank you for contacting us, your information arrived today."
- "Thank you for your letter regarding our products and services, your information arrived today."
- "Thank you for considering our products and services, your information arrived today."
Some alternative sender names: "Jonie Gunther", "Noreen Macklin", "Bonny Oconnell". The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker*. Given their awful reputation, I am surprised that they haven't been de-peered. Yet. There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP..."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/CyberB...siness_Network
"... a host of the infamous Russian Business Network cyber-crime gang..."
> https://www.google.com/safebrowsing/...?site=AS:34109
___
Pharmaceutical scammers spamvertise YouTube emails - counterfeit drugs...
- http://blog.webroot.com/2012/12/25/p...terfeit-drugs/
Dec 25, 2012 - "Pharmaceutical scammers are currently spamvertising a YouTube themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimately looking emails. Upon clicking on the fake YouTube personal message notification, users are -redirected- to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ng?w=373&h=244
Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:
> https://webrootblog.files.wordpress...._01.png?w=1009
Spamvertised URL: hxxp ://roomwithaviewstudios .com/inherits.html
Landing URL: hxxp ://canadapharmcanadian .net – 109.120.138.155
... fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155)...
(More detail at the webroot URL above.)...
This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimately looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns. We expect to see -more- of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health."
___
Fake E-billing SPAM / proxfied .net
- http://blog.dynamoo.com/2012/12/e-bi...oxfiednet.html
26 Dec 2012 - "There are various e-billing spam emails circulating today, pointing to malware on proxfied .net:
Date: Wed, 26 Dec 2012 18:49:37 +0300
From: alets-no-reply @customercenter .citibank .com
Subject: Your Further eBill from Citibank Credit Card
Member: [redacted]
Add alerts@ serviceemail2. citibank .com to your address book to ensure delivery.
Your Account: Important Warning
New eBill Available
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36
How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.
Please don't reply to this message.
If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.
E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.
To set up alerts sign on by clicking this link and go to Account Profile.
I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
If you want to communicate with us in writing concerning this email, please direct your correspondence to:
Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.
2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
3843054050826645
1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187
====================
(More sample FAKE emails shown at the dynamoo URL above.)
The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains:
sessionid0147239047829578349578239077 .pl
latticesoft .net
proxfied .net ..."
___
Fake NACHA SPAM / bunakaranka .ru:
- http://blog.dynamoo.com/2012/12/nach...karankaru.html
26 Dec 2012 - "This fake ACH / NACHA spam leads to malware on bunakaranka .ru:
Date: Wed, 26 Dec 2012 06:48:11 +0100
From: Tagged [Tagged @taggedmail .com]
Subject: Re: Fwd: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
The malicious payload is on [donotclick]bunakaranka .ru:8080/forum/links/column.php hosted on the following well-known IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Plain list:
91.224.135.20
187.85.160.106
210.71.250.131
Associated domains..."
:mad: :mad:
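The posts above give their indicators in a deliberately defanged form ("proxfied .net", "hxxp ://", "[donotclick]") and recommend blocking whole ranges such as 46.249.42.0/24 and 84.22.96.0/19. The following Python script is an added example, not code from the dynamoo or Webroot posts: it refangs indicators written in that style, turns them into a blocklist of networks, hostnames and landing-page paths, and runs a constructed proxy log through it. The log lines, client addresses and the choice of indicators are constructed for the example; the match on the path /forum/links/column.php is a hunting heuristic based on the same landing path recurring across many domains in these posts.

```python
import ipaddress
import re

# Constructed blocklist for the example, written in the defanged style the quoted
# posts use ("proxfied .net", "hxxp ://", "[donotclick]"). The values are taken from
# the posts above; the log lines further down are constructed, not real traffic.
DEFANGED_INDICATORS = [
    "46.249.42.0/24",                                   # Serverius range (SecureMessage run)
    "84.22.96.0/19",                                    # Cyberbunker range (pharma run)
    "59.57.247.185",                                    # host behind proxfied .net
    "proxfied .net",
    "hxxp ://bunakaranka .ru:8080/forum/links/column.php",
    "[donotclick]tv-usib .com/detects/property-mass-dollar_figure.php",
]

CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


def refang(indicator):
    """Undo the defanging conventions used in the quoted posts."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s)   # "hxxp ://" -> "http://"
    s = s.replace(" .", ".").replace("(dot)", ".")    # "proxfied .net" -> "proxfied.net"
    return s


def build_blocklist(defanged):
    """Split refanged indicators into IP networks, hostnames and URL paths."""
    nets, hosts, paths = [], set(), set()
    for raw in defanged:
        s = refang(raw)
        if CIDR_RE.match(s):
            nets.append(ipaddress.ip_network(s, strict=False))
            continue
        s = re.sub(r"^https?://", "", s)
        host, _, path = s.partition("/")
        host = host.split(":")[0].lower()                # drop an explicit port such as :8080
        try:
            nets.append(ipaddress.ip_network(host))      # a bare IP becomes a /32
        except ValueError:
            hosts.add(host)
        if path:
            paths.add("/" + path)                       # landing-page path, reused across domains
    return nets, hosts, paths


# Constructed proxy log: timestamp, client, destination host, resolved IP, URL.
SAMPLE_LOG = """\
2012-12-26T18:52:01 10.0.0.15 proxfied.net 59.57.247.185 http://proxfied.net/detects/inform_rates.php
2012-12-26T18:53:10 10.0.0.22 www.example.org 93.184.216.34 http://www.example.org/index.html
2012-12-23T14:30:44 10.0.0.15 infiesdirekt.asia 46.249.42.161 http://infiesdirekt.asia/view/online
2013-01-08T10:07:02 10.0.0.31 belnialamsik.ru 91.224.135.20 http://belnialamsik.ru:8080/forum/links/column.php
2012-12-25T23:01:09 10.0.0.40 shop.example.net 84.22.104.123 http://shop.example.net/
"""


def match_log(log_text, nets, hosts, paths):
    """Return (line number, reasons) for every log line touching the blocklist."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, _client, dst_host, dst_ip, url = fields[:5]
        reasons = []
        addr = ipaddress.ip_address(dst_ip)
        reasons += [f"ip {dst_ip} in {net}" for net in nets if addr in net]
        h = dst_host.lower()
        if h in hosts or any(h.endswith("." + b) for b in hosts):
            reasons.append(f"host {h} is blocklisted")
        url_path = "/" + re.sub(r"^https?://[^/]*/?", "", url)
        if url_path in paths:
            reasons.append(f"path {url_path} matches a known landing page")
        if reasons:
            hits.append((n, reasons))
    return hits


def scan_sample():
    """Run the constructed log through the constructed blocklist."""
    return match_log(SAMPLE_LOG, *build_blocklist(DEFANGED_INDICATORS))


if __name__ == "__main__":
    for n, reasons in scan_sample():
        print(f"line {n}: " + "; ".join(reasons))
```

Path matching is kept separate from host matching so that a new domain serving the same exploit-kit landing path is still surfaced; treat such hits as leads to review rather than as automatic blocks, since a path alone is weak evidence compared with a hit on a known host or range.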
Fake Twitter/UPS/E-ticket SPAM ...
FYI...
Fake Twitter DM emails lead to Canadian Pharma SPAM
- http://www.gfi.com/blog/fake-twitter...n-pharma-spam/
Dec 27, 2012 - "We’re seeing quite a few of these “Can I use your…” style messages arriving in mailboxes, taking the form of fake Twitter DM notifications. The most common fakeouts seem to be asking about videos and photographs.
> http://www.gfi.com/blog/wp-content/u...icpublish1.png
"Hello, Can i publish link to your photo on my web page?" Another one says:
"Hi. Can i publish link to your video on my home page?"
In both cases, the emails will lead end-users to sites that are most definitely not Twitter. Some of the URLs are offline, but here’s one that is still standing:
> http://www.gfi.com/blog/wp-content/u...icpublish2.jpg
Festive Pharma spam – probably not what you need in your post-Xmas stocking. Do your best to steer clear of these."
___
Fake British Airways E-ticket receipts serve malware
- http://blog.webroot.com/2012/12/26/c...serve-malware/
Dec 26, 2012 - "... Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ware.png?w=553
Sample detection rate for the malicious attachment:
MD5: b46709cf7a6ff6071a6342eff3699bf0 * ... Worm:Win32/Gamarue.I
Upon execution, it creates the following mutex on infected hosts: SHIMLIB_LOG_MUTEX
It also initiates POST requests to the following IP: 87.255.51.229/ff/image.php
As well as DNS requests to the following hosts:
zzbb45nnagdpp43gn56 .com – 87.255.51.229
a9h23nuian3owj12 .com – 87.255.51.229
zzbg1zv329sbgn56 .com – 87.255.51.229
http ://www.update .microsoft .com – 65.55.185.26
ddbbzmjdkas .us
ddbbzmjdkas .us
The IPs are currently sinkholed by Abuse.ch..."
* https://www.virustotal.com/file/fa3e...is/1356554124/
File name: BritishAirways-eticket.exe
Detection ratio: 39/46
Analysis date: 2012-12-26
___
Fake ‘UPS Delivery Confirmation Failed’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/27/f...e-exploit-kit/
Dec 27, 2012 - "... cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Once they click on the links, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...._kit.png?w=603
Sample spamvertised compromised URLs:
hxxp ://www.aberdyn .fr/letter.htm
hxxp ://www.aberdyn .fr/osc.htm
Sample client-side exploits serving URLs:
hxxp ://apendiksator .ru:8080/forum/links/column.php
hxxp ://sectantes-x .ru:8080/forum/links/column.php
Sample malicious payload dropping URL:
hxxp://sectantes-x .ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002
Client-side exploits served: CVE-2010-0188
Although we couldn’t reproduce the client-side exploitation taking place through these domains at the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x .ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 * ... Trojan-Ransom.Win32.PornoAsset.abup.
Upon execution, the sample phones back to the following command and control servers:
178.77.76.102 (AS20773)
91.121.144.158 (AS16276)
213.135.42.98 (AS15396)
207.182.144.115 (AS10297)
More MD5s are known to have phoned back to the same IPs..."
* https://www.virustotal.com/file/56e0...9be3/analysis/
File name: e284d8a62b6d75b6818ed1150dde2a8bcc3489ee
Detection ratio: 27/42
Analysis date: 2012-09-30
:mad: :mad: :mad:
Fake IRS SPAM ... 2012.12.28
FYI...
Fake IRS SPAM / tv-usib .com
- http://blog.dynamoo.com/2012/12/irs-...v-usibcom.html
28 December 2012 - "This fake IRS spam leads to malware on tv-usib .com:
Date: Thu, 27 Dec 2012 22:14:44 +0400
From: Internal Revenue Service [information @irs .gov]
Subject: Your transaction is not approved
Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.
Canceled Tax transfer
Tax Transaction ID: 3870703170305
Rejection ID See details in the report below
Federal Tax Transaction Report tax_report_3870703170305.pdf (Adobe Acrobat Document)
Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon
The malicious payload is at [donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:
sessionid0147239047829578349578239077.pl
tv-usib .com
proxfied .net
timesofnorth .net
latticesoft .net ..."
:fear::mad:
Malware sites to block - 2 Jan 2013
FYI...
Malware sites to block - 2 Jan 2013
- http://blog.dynamoo.com/2013/01/malw...lock-2113.html
2 Jan 2013 - "The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them...
91.224.135.20
187.85.160.106
210.71.250.131
afjdoospf .ru
akionokao .ru
bilainkos .ru
bumarazhkaio .ru
bunakaranka .ru ..."
___
Malware sites to block - 2 Jan 2013 part II
- http://blog.dynamoo.com/2013/01/malw...3-part-ii.html
2 Jan 2013 - "Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research* at the Malware Must Die! blog.
* http://malwaremustdie.blogspot.com/2...m-up-with.html
As far as I can see, the domains in use are exclusively compromised consumer PCs dotted around the globe, rather than compromised or evil web servers, so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add them to your blocklist.
IPs... Domains ..."
(Long list at the dynamoo URL above.)
:mad:
Twitter Phish DMs 2013.01.04
FYI...
Twitter Phish DMs: “This profile on Twitter is spreading nasty blogs around about you”
- http://www.gfi.com/blog/twitter-phis...und-about-you/
Jan 4, 2013 - "... the following missive doing the rounds on Twitter via DMs on compromised accounts:
> http://www.gfi.com/blog/wp-content/u.../twitspam1.jpg
There’s a number of URLs and fake logins being posted right now to users in a wide range of geographical locations, and it all comes down to Twitter phishing with at least one of the phish URLs being registered to an individual claiming to be located in Shanghai, China. That particular site - ivtvtter(dot)com – is currently offline (and also listed in Phishtank*)... attempting to login would result in a 404 error then a redirect to the real Twitter site to make everything look nice and legitimate. These types of Twitter scam come around often, and end-users should always be wary of “Have you seen this” style messaging from contacts..."
* http://www.phishtank.com/phish_detai...ish_id=1643038
___
Fake Ebay/Paypal emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/04/f...s-and-malware/
Jan 4, 2013 - "Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain names reconnaissance:
litefragmented .pro – 59.64.144.239 – Email: kee_mckibben0869 @macfreak .com
Name Server: NS1.CHELSEAFUN .NET
Name Server: NS2.CHELSEAFUN .NET...
... ibertomoralles .com – 59.57.247.185 – Email: rick.baxter @costcontrolsoftware .com
Name Server: NS1.SOFTVIK .NET – 84.32.116.189 – Email: farbonite @hotmail .com
Name Server: NS2.SOFTVIK .NET – 15.209.33.133 – Email: farbonite @hotmail .com ...
___
Fake 'bank reports' emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/03/a...e-exploit-kit/
Jan 3, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document. Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
apendiksator .ru – 91.224.135.20; 210.71.250.131; 187.85.160.106
Name server: ns1.apendiksator .ru – 62.76.186.24
Name server: ns2.apendiksator .ru – 110.164.58.250
Name server: ns3.apendiksator .ru – 42.121.116.38
Name server: ns4.apendiksator .ru – 41.168.5.140
Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
afjdoospf .ru – 91.224.135.20
angelaonfl .ru – 91.224.135.20
akionokao .ru – 91.224.135.20 ...
Although we couldn’t reproduce the malicious payload at apendiksator .ru, we found that the malicious payload served by immerialtv .ru (known to have responded to the same IP) is identical to the MD5: 83db494b36bd38646e54210f6fdcbc0d * ... VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign..."
* https://www.virustotal.com/file/6260...73da/analysis/
File name: cs8v0k.exe
Detection ratio: 34/42
Analysis date: 2012-06-20
___
Fake BBB (Better Business Bureau) emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/02/f...e-exploit-kit/
Jan 2, 2013 - "Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau). Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1 @yahoo .com
Name Server: NS1.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com...
Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 * ... Worm:Win32/Cridex.E.
Upon execution, the sample phones back to: 94.73.129.120 :8080/rxrt0CA/hIvhA/K66fEB/ ..."
* https://www.virustotal.com/file/4dec...1bff/analysis/
File name: KB00182962.exe
Detection ratio: 30/45
Analysis date: 2013-01-04
___
Fake Verizon Wireless emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/02/s...s-and-malware/
Jan 2, 2013 - "... yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
Sample email subjects: Fresh eBill is Should Be Complete. From: Verizon Wireless; Your Recent eBill from Verizon Wireless...
Malicious domain name reconnaissance:
proxfied .net – 59.57.247.185 – Email: colorsandforms @aol .com
Name Server: NS1.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com ..."
:mad:
Fake O2 Shop emails - Phish ...
FYI...
Fake O2 Shop emails - Phish ...
- http://www.gfi.com/blog/fake-o2-shop...e-phishy-bait/
Jan 7, 2013 - "... fake O2 Shop emails are in circulation at the moment, in the form of a “security update” asking for login credentials on the back of an “O2 account update” the recipient is supposed to have made. They’re pretty bare bones in terms of how they look, and you’ll notice that in the below example GMail flags it as spam so hopefully lots of other mail service providers will be doing the same thing.
> http://www.gfi.com/blog/wp-content/u.../01/fakeo2.jpg
Dear User,
You can now check the progress of your account at My O2. Just go to [url removed] and enter your username and password. If you’ve forgotten these, we can send you a reminder here too. Once you’ve signed in, go to My account and follow the instructions.
Regards,
O2 Customer Service
As with so many of these fire and forget spam campaigns, the bulk of them seem to lead to currently AWOL phish pages so they’re likely being taken offline at a fair old pace... treat random mails asking for login credentials with large portions of suspicion, especially when – as above – they’re referencing changes made to your account that you haven’t actually made."
:mad: :fear:
Malware sites to block, Fake ACH and BBB SPAM - 8 Jan 2013
FYI...
Malware sites to block 8/1/13
- http://blog.dynamoo.com/2013/01/malw...lock-8113.html
8 Jan 2013 - "These IPs and domains appear to be active in malicious spam runs today:
41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik .ru
Quite a few of these IPs have been used in multiple attacks; blocking them would be prudent.
Update: some sample emails pointing to a malicious landing page at [donotclick]belnialamsik .ru:8080/forum/links/column.php:
Date: Tue, 8 Jan 2013 10:05:55 +0100
From: Shavonda Duke via LinkedIn [member@linkedin.com]
Subject: Re: Fwd: Security update for banking accounts.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
===
Date: Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From: FilesTube [filestube @filestubecom]
Subject: Fwd: Re: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
___
Fake "Federal ACH Announcement" SPAM / cookingcarlog .net
- http://blog.dynamoo.com/2013/01/fede...ment-spam.html
8 Jan 2013 - This rather terse spam leads to malware on cookingcarlog .net:
From: Federal Reserve Services @ sys.frb .org [ACHR_59273219 @fedmail .frb .org]
Date: 8 January 2013 15:11
Subject: FedMail (R): Federal ACH Announcement - End of Day - 12/27/12
Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here.
The link in the email goes to an exploit kit on [donotclick]cookingcarlog .net/detects/occasional-average-fairly.php (report here*) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).
* http://wepawet.iseclab.org/view.php?...658280&type=js
Added - a BBB spam is also doing the rounds with the same payload:
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Case N. 54809787
[redacted]
The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.
We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.
We are looking forward to your prompt response.
WBR
Mason Turner
Dispute Consultant
Better Business Bureau
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 22701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
___
Fake BBB SPAM / royalwinnipegballet .net
- http://blog.dynamoo.com/2013/01/bbb-...balletnet.html
8 Jan 2013 - "This fake BBB spam leads to malware on royalwinnipegballet .net:
Date: Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From: Better Business Bureau <information @bbb .org>
To: [redacted]
Subject: BBB information regarding your customer's appeal № 96682901
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Complaint # 96682901
[redacted]
The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
We graciously ask you to open the CLAIM REPORT to answer on this reclamation.
We are looking forward to your prompt answer.
Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 27201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
===
Date: Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: Better Business Beareau Pretense № C6273504
Priority: High Priority 1
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Issue No. C6273504
[redacted]
The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.
We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.
We are looking forward to your prompt rebound.
Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau
3013 Wilson Blvd, Suite 600 Arlington, VA 20701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is on [donotclick]royalwinnipegballet .net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)
:mad::mad::mad:
Fake AICPA emails, Phishing attacks - 2013.01.09
FYI...
Fake AICPA emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/09/s...s-and-malware/
Jan 9, 2013 - "... recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
Second screenshot of the spamvertised email from the same campaign:
> https://webrootblog.files.wordpress....oit_kit_01.png
Sample subjects: Tax return assistance contrivance; Suspension of your CPA license; Revocation of your CPA license; Your accountant license can be end off; Your accountant CPA License Expiration...
Upon successful client-side exploitation, the campaign drops MD5: 5b7aafd9ab99aa2ec0e879a24610844a * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following actions:
Creates a batch script
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It also drops the following MD5 on the affected hosts: MD5: 3e2df81077283e5c9d457bf688779773 ** ... PWS:Win32/Fareit.
It also phones back to the following C&C servers:
hxxp:// 69.64.89.82 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
132.248.49.112
173.192.229.36
64.120.193.112
89.221.242.217
174.143.174.136
209.51.221.247
We’ve also seen and profiled the same IP (132.248.49.112) in multiple previously analyzed malware campaigns..."
* https://www.virustotal.com/file/5f99...2e12/analysis/
File name: contacts.exe
Detection ratio: 31/45
Analysis date: 2012-12-18
** https://www.virustotal.com/file/2925...d67d/analysis/
File name: exp3C6.tmp.exe
Detection ratio: 27/45
Analysis date: 2013-01-04
___
New Year, New Old Threats
- http://www.gfi.com/blog/new-year-new-old-threats/
Jan 9, 2013 - "... we have found an old Facebook scam, which dates back from two years ago, making rounds again and a spam-phishing ploy that is so 2007...
(Screenshots available at the gfi URL above.)
Previous versions of this scam usually ask visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both... Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail... The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address... advice? Delete the spam at once."
___
Something evil on 173.246.102.246
- http://blog.dynamoo.com/2013/01/some...246102246.html
9 Jan 2013 - "173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers. In the example I have seen, the malicious payload is at [donotclick]11.lamarianella .info/read/defined_regulations-frequently.php (report here*). These other domains appear to be on the same server, all of which can be assumed to be malicious:
11.livinghistorytheatre .ca
11.awarenesscreateschange .com
11.livinghistorytheatre .com
11.b2cviaggi .com
11.13dayz .com
11.lamarianella .info
11.studiocitynorth .tv
11.scntv .tv
These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain."
* http://wepawet.iseclab.org/view.php?...e4a3f1&type=js
> https://www.google.com/safebrowsing/...?site=AS:29169
"... in the past 90 days. We found 67 site(s)... that infected 262 other site(s)..."
___
Fake ADP SPAM / demoralization .ru
- http://blog.dynamoo.com/2013/01/adp-...izationru.html
9 Jan 2013 - "This fake ADP spam leads to malware on demoralization .ru:
Date: Wed, 9 Jan 2013 04:23:03 -0600
From: Habbo Hotel [auto-contact @habbo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 948284271
Wed, 9 Jan 2013 04:23:03 -0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www .flexdirect .adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 703814359
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is at [donotclick]demoralization .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
The following IPs and domains are all related:
82.165.193.26
91.224.135.20
187.85.160.106
demoralization .ru
belnialamsik .ru
bananamamor .ru ..."
___
Fake BBB SPAM / hotelrosaire .net
- http://blog.dynamoo.com/2013/01/bbb-...osairenet.html
9 Jan 2013 - "This fake BBB spam leads to malware on hotelrosaire .net:
Date: Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From: Better Business Bureau <complaint @bbb .org>
Subject: BBB notification regarding your cliente's pretense No. 62850348
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Complaint N. 62850348
[redacted]
The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.
We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.
We awaits to your prompt reaction.
Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: BBB Complaint No. C1343110
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Case No. C1343110
[redacted]
The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.
We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.
We are looking forward to your prompt reaction.
Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 22801
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is on [donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet .net which was seen in another BBB spam run yesterday."
>> https://www.google.com/safebrowsing/...?site=AS:21788
"... in the past 90 days. We found 543 site(s).. that infected 5049 other site(s)..."
:mad::mad:
Fake U.S Air/ADP emails lead to malware...
FYI...
Fake U.S Airways emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/10/p...e-exploit-kit/
Jan 10, 2013 - "... On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the BlackHole Exploit Kit. Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....expoit_kit.png
... Malicious domain name reconnaissance:
attachedsignup .pro – 41.215.225.202 – Email: kee_mckibben0869 @macfreak .com
... Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 * ... Worm:Win32/Cridex.E
The executable creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as nine mutexes (names listed in the Webroot post).
Once executed, the sample phones back to the following C&C servers:
180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same pseudo-random C&C phone back characters used... previously profiled malicious campaigns..."
* https://www.virustotal.com/file/d11f...d1fe/analysis/
File name: 6f51e309530f8900be935716c3015f58
Detection ratio: 24/46
Analysis date: 2012-12-07
___
Fake ADP SPAM / tetraboro .net and advertizing* .com
- http://blog.dynamoo.com/2013/01/adp-...tizingcom.html
10 Jan 2013 - "This fake ADP spam leads to malware on tetraboro .net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly...
Date: Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
Subject: adp_subj
ADP Urgent Note
Note No.: 33469
Respected ADP Consumer January, 9 2013
Your Processed Payroll Record(s) have been uploaded to the web site:
Click here to Sign In
Please take a look at the following details:
• Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).
Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.
This notification was sent to current clients in your company that approach ADP Netsecure.
As general, thank you for choosing ADP as your business butty!
Ref: 33469
The malicious payload is on [donotclick]tetraboro .net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1 .com through to advertizing9 .com. All of these should be blocked.
5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
91.227.220.121 (VooServers, UK)
94.102.55.23 (Ecatel, Netherlands)
119.78.243.16 (China Science & Technology Network, China)
198.144.191.50 (New Wave Netconnect, US)
199.233.233.232 (Quickpacket, US)
203.1.6.211 (China Telecom, China)
222.238.109.66 (Hanaro Telecom, Korea)
..."
:mad: