Fake ADP/Verizon SPAM ...
FYI...
Fake ADP SPAM / faneroomk .ru
- http://blog.dynamoo.com/2013/02/adp-...neroomkru.html
21 Feb 2013 - "This fake ADP spam tries (and fails) to lead to malware on faneroomk .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 001737199
Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 890911798
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is meant to be [donotclick]faneroomk .ru:8080/forum/links/column.php but right at the moment it is not resolving... The following IPs and domains are all related:
41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53 ..."
(More detail at the dynamoo URL above.)
___
Fake Verizon Wireless SPAM / participamoz .com
- http://blog.dynamoo.com/2013/02/veri...ipamozcom.html
20 Feb 2013 - "This fake Verizon Wireless spam leads to malware on participamoz .com:
Date: Wed, 20 Feb 2013 23:24:49 +0400
From: "AccountNotify @verizonwireless .com" [cupcakenc0 @irs .gov]
Subject: Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.
> Review and Pay Your Bill
Thank you for choosing Verizon Wireless.
My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information
If you are not the intended recipient and feel you have received this email in error; or if you would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]participamoz .com/detects/holds_edge.php hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)
The following IPs and domains are connected and should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile .com
aftandilosmacerati .com
pardontemabelos .com
participamoz .com ..."
___
Fake Verizon emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/21/f...e-exploit-kit/
Feb 21, 2013 - "On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails... one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
participamoz .com – 173.251.62.46; 161.200.156.200 – Email: dort.dort @live .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com
... Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f * ... UDS:DangerousObject.Multi.Generic.
It then attempts to phone back to the following IPs:
110.143.183.104, 24.120.165.58, 110.143.183.104, 75.80.49.248, 71.42.56.253, 94.65.0.48,
98.16.107.213, 190.198.30.168, 76.193.173.205, 71.43.217.3, 66.229.110.89, 101.162.73.132,
94.68.49.208, 64.219.121.189, 99.122.152.158, 80.252.59.142, 108.211.64.46, 69.39.74.6,
91.99.146.167, 187.131.70.221, 76.202.211.184, 168.93.99.82, 122.60.136.168, 213.105.24.171,
122.60.136.168, 84.72.243.231, 79.56.80.211 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/8...3dd9/analysis/
File name: info.exe
Detection ratio: 25/46
Analysis date: 2013-02-21
___
Fake "Efax Corporate" SPAM / fuigadosi .ru
- http://blog.dynamoo.com/2013/02/efax...igadosiru.html
21 Feb 2013 - "This fake eFax spam leads to malware on fuigadosi .ru:
Date: Thu, 21 Feb 2013 -05:24:35 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Efax Corporate
Attachments: EFAX_Corporate.htm
Fax Message [Caller-ID: 705646877]
You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.
* The reference number for this fax is [eFAX-806896385].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]fuigadosi .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)..."
* http://urlquery.net/report.php?id=1060334
___
Fake Trustwave TrustKeeper emails - Phish ...
- http://blog.spiderlabs.com/2013/02/-...ing-alert.html
21 Feb 2013 - "Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails pretending to be from Trustwave. These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them. These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network. Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems. Below is a screenshot of a fake email:
> http://npercoco.typepad.com/.a/6a013...1337399970c-pi ..."
___
Fake inTuit emails - overdue payment
- http://security.intuit.com/alert.php?a=73
2/21/13 - "People are receiving fake emails with the title "Please respond - overdue payment." Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file:
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles
This is the end of the fake email.
Steps to Take Now: Do -not- open the attachment in the email..."
___
Fake "Xerox WorkCentre Pro" SPAM / familanar .ru
- http://blog.dynamoo.com/2013/02/scan...-pro-spam.html
21 Feb 2013 - "This familiar printer spam leads to malware on the familanar .ru domain:
Date: Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Re: Scan from a Xerox WorkCentre Pro #800304
A Document was sent to you using a XEROX WorkJet PRO 760820.
SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]familanar .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)
Which are the same IPs found in this attack** and several others. Block 'em if you can."
* http://www.urlquery.net/report.php?id=1064138
** http://blog.dynamoo.com/2013/02/efax...igadosiru.html
___
Fake ACH transaction SPAM / payment receipt - 884993762994.zip
- http://blog.dynamoo.com/2013/02/ach-...tion-spam.html
21 Feb 2013 - "This fake ACH transaction spam comes with a malicious attachment:
Date: Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From: Payment notification system [homebodiesga38@gmail.com]
Subject: Automatic transfer notification
ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.
This is an automatically generated email, please do not reply
Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46... Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it..."
:fear::mad:
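The "EXE-in-ZIP" block dynamoo recommends above is easy to implement at a gateway, but the check has to look at both the member name and the member content: the attachment in this run is a plain .exe, while other runs rename the PE to something harmless. Below is an added example (my code, not dynamoo's or any gateway product's) that opens a ZIP in memory and flags members whose final extension is executable or whose first two bytes are the PE "MZ" signature. The extension list and the sample archive are constructed for the example; the long member name is the one quoted in the post.

```python
import io
import zipfile

# Extensions a mail gateway should stop inside archives. This list is an
# assumption for the example; tune it to your own policy.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def is_pe(head: bytes) -> bool:
    """True if the bytes start with the 'MZ' signature of a Windows PE file."""
    return head[:2] == b"MZ"


def find_executables(zip_bytes: bytes):
    """Return (member name, reason) for every archive member that is executable
    by extension or by content. Only the final suffix is used for the extension
    test, so 'payment receipt - 884993762994.exe' and 'invoice.pdf.exe' are both
    caught; the MZ check catches a PE hidden behind a harmless-looking name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffix = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons = []
            if suffix in EXEC_EXTENSIONS:
                reasons.append("extension")
            with zf.open(info) as member:
                if is_pe(member.read(2)):
                    reasons.append("MZ header")
            if reasons:
                findings.append((name, ", ".join(reasons)))
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Perimeter decision: drop the message if any member is executable."""
    return bool(find_executables(zip_bytes))


def build_sample_zip(with_executables: bool = True) -> bytes:
    """Constructed test archive (not the real attachment from the post)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"Receipt on payment is attached.\n")
        if with_executables:
            # a PE stub under the name dynamoo quotes, and one disguised as a PDF
            zf.writestr("payment receipt - 884993762994.exe", b"MZ" + b"\x90" * 62)
            zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in find_executables(build_sample_zip()):
        print(f"BLOCK {name!r}: {why}")
```

Nested archives and password-protected ZIPs (which this check cannot open) are the usual ways round it; treat an encrypted or nested archive from an unknown sender as a block-or-quarantine case rather than a pass.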
Fake Invoice / D.P. Svc SPAM ...
FYI...
Fake Invoice SPAM - "End of Aug. Stat" forummersedec .ru
- http://blog.dynamoo.com/2013/02/end-...ersedecru.html
22 Feb 2013 - "This fake invoice email leads to malware on forummersedec .ru:
Date: Fri, 22 Feb 2013 11:33:38 +0530
From: AlissonNistler@ [victimdomain]
Subject: Re: FW: End of Aug. Stat.
Attachments: Invoices-1207-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards
The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec .ru:8080/forum/links/column.php (report here*) hosted on
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219...
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1069702
___
Fake "Data Processing" SPAM / dekolink .net
- http://blog.dynamoo.com/2013/02/data...kolinknet.html
22 Feb 2013 - "This fake "Data Processing" spam leads to malware on dekolink .net:
Date: Fri, 22 Feb 2013 08:06:43 -0500
From: "Data Processing Service" [customersupport @dataprocessingservice .com]
Subject: ACH file ID '768.579
Files Processing Service
SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:
Item count: 79
Total debits: $28,544.53
Total credits: $28,544.53
For more info click here
The malicious payload is at [donotclick]dekolink .net/detects/when-weird-contrast.php (report here*) hosted on the following servers:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)..."
* http://urlquery.net/report.php?id=1062564
... BlackHole v2.0 exploit kit
___
Fake LinkedIn SPAM / greatfallsma .com
- http://blog.dynamoo.com/2013/02/link...allsmacom.html
22 Feb 2013 - "This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma .com:
From: LinkedIn [mailto:papersv@ informer.linkedin .com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending
See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063
> Another example:
Date: Fri, 22 Feb 2013 18:21:25 +0200
From: "LinkedIn" [noblest00@ info.linkedin .com]
Subject: Reminder about link requests pending
[redacted]
See who requested link with you on LinkedIn
Now it's easy to connect with people you email
Continue
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043
The malicious payload is at [donotclick]greatfallsma .com/detects/impossible_appearing_timing.php (report here*) hosted on:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)
These are the same two servers used in this attack, blocking them would probably be a good idea."
* http://urlquery.net/report.php?id=1071027
... Blackhole 2 Landing Page
:fear::mad:
Fake ACH emails serve client-side exploits and malware
FYI...
Fake ACH emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/25/m...s-and-malware/
Feb 25, 2013 - "... yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ervice_ach.png
... Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 * ... Trojan-Spy.Win32.Zbot.jfpy.
... It then attempts to connect to the following IPs:
24.120.165.58, 66.117.77.134, 64.219.121.189, 66.117.77.134, 75.47.231.138, 108.211.64.46,
91.99.146.167, 108.211.64.46, 71.43.217.3, 81.136.230.235, 101.162.73.132, 99.76.3.38,
85.29.177.249, 24.126.54.116, 108.130.34.42, 99.116.134.54, 80.252.59.142
Malicious domain name reconnaissance:
dekolink .net – 50.7.251.59; 176.120.38.238 – Email: wondermitch @hotmail .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com ..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/1...ca62/analysis/
File name: info.exe
Detection ratio: 27/45
Analysis date: 2013-02-25
___
Trustwave Trustkeeper Phish
- https://isc.sans.edu/diary.html?storyid=15271
Last Updated: 2013-02-25 17:41:36 UTC - ... the giveaway that this is a fake is the From e-mail address as well as the link leading to a different site than advertised. Click on the image for a full size example.
> https://isc.sans.edu/diaryimages/ima...twavephish.png
[Update:] An analysis of this phish by Trustwave's own Spiderlabs can be found here:
- http://blog.spiderlabs.com/2013/02/m...per-phish.html
- http://blog.dynamoo.com/2013/02/trus...ties-scan.html
25 Feb 2013 - "... this "TrustKeeper Vulnerabilities Scan Information" -spam- leads to an exploit kit on saberdelvino .net...
> https://lh3.ggpht.com/-Gyic2-WNNZE/U.../trustwave.png
... The malicious payload is at [donotclick]saberdelvino .net/detects/random-ship-members-daily.php (report here*) hosted on the following IPs:
118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)..."
* http://www.urlquery.net/report.php?id=1120754
... Blackhole 2
:fear::mad:
Fake Facebook/Intuit SPAM ...
FYI...
Fake Facebook SPAM / lazaro-sosa .com
- http://blog.dynamoo.com/2013/02/face...o-sosacom.html
26 Feb 2013 - "This fake Facebook spam leads to malware on lazaro-sosa .com:
Date: Tue, 26 Feb 2013 14:26:20 +0200
From: "Facebook" [twiddlingv29@informer.facebook.com]
Subject: Brian Parker commented your photo.
facebook
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307
The malicious payload is at [donotclick]lazaro-sosa .com/detects/queue-breaks-many_suffering.php (report here*) hosted on:
118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)
Blocking these IPs is probably prudent."
* http://www.urlquery.net/report.php?id=1135254
... Blackhole
___
Fake Intuit SPAM / forumligandaz .ru
- http://blog.dynamoo.com/2013/02/intu...igandazru.html
26 Feb 2013 - "This fake Intuit spam leads to malware on forumligandaz .ru:
Date: Tue, 26 Feb 2013 01:27:09 +0330
From: "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.
Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
amount to be seceded: 3373 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]forumligandaz .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)
:mad::fear:
"Follow this link" SPAM ...
FYI...
"Follow this link" SPAM / sidesgenealogist .org
- http://blog.dynamoo.com/2013/02/foll...link-spam.html
28 Feb 2013 - "This rather terse spam appears to lead to an exploit kit on sidesgenealogist .org:
From: Josefina Underwood [mailto:hdFQe @heathrowexpress .com]
Sent: 27 February 2013 16:43
Subject: Follow this link
I have found it http ://www.eurosaudi .com/templates/beez/wps.php?v20120226
Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist .org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same server here* that indicates an exploit kit. The malware is hosted on 188.93.210.226 (Logol.ru, Russia**). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:
reinstalltwomonthold .org
nephewremovalonly .org
scriptselse .org
everflowinggopayment .net "
* http://urlquery.net/report.php?id=1180853
... Blackholev2 url structure detected... Multiple Exploit Kit Payload detection
** https://www.google.com/safebrowsing/...?site=AS:49352
___
Fake "Contract" SPAM / forumny .ru
- http://blog.dynamoo.com/2013/02/cont...forumnyru.html
28 Feb 2013 - "This contracts-themed spam leads to malware on forumny .ru:
Date: Thu, 28 Feb 2013 11:43:15 +0400
From: "LiveJournal.com" [do-not-reply @livejournal .com]
Subject: Fw: Contract of 09.07.2011
Attachments: Contract_Scan_IM0826.htm
Dear Sirs,
In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.
Best regards,
SHERLENE DARBY, secretary
The -attachment- Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny .ru:8080/forum/links/column.php (report here*) on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1183959
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___
Fake job offer
- http://blog.dynamoo.com/2013/02/usan...job-offer.html
28 Feb 2013 - "This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:
Date: Thu, 28 Feb 2013 14:57:55 -0600
From: andrzej.wojnarowski@[victimdomain]
Subject: There is a vacancy of a Regional manager in USA:
If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.
If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:
Please email us for details: Paulette @usanewwork .com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):
Sarah Shepard info @usanewwork .com
360-860-3630 fax: 360-860-3321
4478 Pratt Avenue
Tukwila WA 98168
us
The domain was only registered two days ago on 28/2/13. The nameservers ns1.stageportal .net and ns2.stageportal .net are shared by several other domains offering similar fake jobs...
IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)
This job offer is best avoided unless you like prison food..."
(More detail at the dynamoo URL above.)
___
Fake BBB SPAM / forumnywrk .ru
- http://blog.dynamoo.com/2013/02/bbb-...umnywrkru.html
28 Feb 2013 - "This fake BBB Spam leads to malware on forumnywrk .ru:
Date: Thu, 28 Feb 2013 07:29:10 -0500 [07:29:10 EST]
From: LinkedIn Password [password @linkedin .com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 832708632)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
VERSIE Stringer
The malicious payload is on [donotclick]forumnywrk .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
83.169.41.58
31.200.240.153 ..."
(More detail at the dynamoo URL above.)
:mad:
Casino-themed Blackhole sites
FYI...
Casino-themed Blackhole sites
- http://blog.dynamoo.com/2013/03/casi...ole-sites.html
1 March 2013 - "Here's a couple of URLs that look suspiciously like a BlackHole Exploit kit, hosted on 130.185.105.74:
[donotclick]888casino-luckystar .net/discussing/sizes_agreed.php
[donotclick]555slotsportal .org/discussing/alternative_distance.php
[donotclick]555slotsportal .net/shrift.php
[donotclick]555slotsportal .net/discussing/alternative_distance.php
[donotclick]555slotsportal .me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez .biz/discussing/alternative_distance.php
You can find a sample report here*... there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1199381
... Detected BlackHole v2.0 exploit kit URL pattern
:mad::fear:
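Looking back over the reports in this thread, the landing pages fall into a handful of path shapes: ":8080/forum/links/column.php" on the .ru domains, "/detects/<two-or-three-words>.php", "/closest/<long token>.php" and now "/discussing/<words>.php". The urlquery notes above say "Detected BlackHole v2.0 exploit kit URL pattern" for exactly this reason. Below is an added example (my code, not urlquery's or dynamoo's signature set) that turns those shapes into regexes, refangs the "x .ru" / "[donotclick]" notation the posts use so the indicators can be matched, and runs the check over a few constructed Squid-style proxy log lines. The pattern names and the log sample are mine; the hosts in the sample are the ones quoted above plus an innocent one.

```python
import re
from urllib.parse import urlsplit

# Landing-page path shapes quoted in the urlquery/dynamoo reports in this thread.
# The pattern names are mine; the shapes are taken from the URLs above.
BLACKHOLE_PATH_PATTERNS = {
    "forum-links-column": re.compile(r"^/forum/links/column\.php$"),
    "detects-words":      re.compile(r"^/detects/[a-z]+(?:[_-][a-z]+)*\.php$"),
    "closest-token":      re.compile(r"^/closest/[a-z0-9]{20,}\.php$"),
    "discussing-words":   re.compile(r"^/discussing/[a-z]+(?:[_-][a-z]+)*\.php$"),
}


def refang(indicator: str) -> str:
    """Undo the defanging used in the posts ('faneroomk .ru', '[donotclick]',
    'hxxp') so an indicator can be matched or fed to a blocklist."""
    s = indicator.replace("[donotclick]", "").replace("hxxp://", "http://")
    s = s.replace("[.]", ".")
    s = re.sub(r"\s+(?=[.@])", "", s)   # 'x .ru' -> 'x.ru', 'user @host' -> 'user@host'
    return s.strip()


def classify_url(url: str):
    """Name of the landing-page pattern the URL path matches, or None.
    Every column.php sighting in the thread sits on port 8080, so a hit on
    another port is reported separately as lower confidence."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    for name, rx in BLACKHOLE_PATH_PATTERNS.items():
        if rx.match(parts.path):
            if name == "forum-links-column" and parts.port != 8080:
                return name + "-nonstandard-port"
            return name
    return None


def scan_proxy_log(lines):
    """Squid native access.log lines: time elapsed client code/status size method URL ...
    Returns (client, hostname, pattern) for each line whose URL matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        name = classify_url(url)
        if name:
            hits.append((client, urlsplit(url).hostname, name))
    return hits


# Constructed log sample: hosts from the reports above plus one innocent request
# and one ordinary forum on port 80 (the low-confidence case).
SAMPLE_LOG = [
    "1361462519.123 45 10.0.0.12 TCP_MISS/200 5120 GET http://faneroomk.ru:8080/forum/links/column.php - DIRECT/41.168.5.140 text/html",
    "1361462520.001 12 10.0.0.12 TCP_MISS/200 812 GET http://www.example.com/index.php - DIRECT/192.0.2.10 text/html",
    "1361462521.500 80 10.0.0.31 TCP_MISS/200 4410 GET http://participamoz.com/detects/holds_edge.php - DIRECT/173.251.62.46 text/html",
    "1361462522.000 90 10.0.0.31 TCP_MISS/200 2210 GET http://sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php - DIRECT/188.93.210.226 text/html",
    "1361462523.000 9 10.0.0.40 TCP_MISS/200 300 GET http://www.example.com/forum/links/column.php - DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for client, host, pattern in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {pattern}")
```

The path regexes are the weakest part of the signature, since the kit operators change them between runs; use the hits as a trigger to pull the client's full session and check the destination against the IP blocklists in the posts, not as a verdict on their own.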
Fake Delta/eFax/dealer SPAM ...
FYI...
Fake Delta Airlines SPAM / inanimateweaknesses .net and complainpaywall .net
- http://blog.dynamoo.com/2013/03/delt...eaknesses.html
4 March 2013 - "This fake Delta Airlines spam leads to malware on inanimateweaknesses .net and complainpaywall .net:
From: DELTA CONFIRMATION [mailto:cggQozvOc @sutaffu .co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary
Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta .com/itineraries.
Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Check-in
Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ------------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH
Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH
Check your flight information online at delta.com/itineraries
The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here*) or [donotclick]complainpaywall .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here**) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.
Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page."
* http://urlquery.net/report.php?id=1246850
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
** http://urlquery.net/report.php?id=1246854
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
___
Fake eFax SPAM / forumla .ru
- http://blog.dynamoo.com/2013/03/efax...forumlaru.html
4 Mar 2013 - "This fake eFax spam leads to malware on forumla .ru:
Date: Mon, 4 Mar 2013 08:53:20 +0300
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 646370000]
You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.
* The reference number for this fax is [eFAX-336705661].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla .ru:8080/forum/links/column.php (report here*) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki .ru
ny-news-forum .ru
forumilllionois .ru
forum-ny .ru
forumny .ru
forumla .ru"
* http://urlquery.net/report.php?id=1247054
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit
___
Fake dealerbid .co.uk SPAM
- http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html
4 March 2013 - "This -spam- uses an email address ONLY used to sign up for dealerbid .co.uk
From: HM Revenue & Customs [enroll @hmrc .gov.uk]
Date: 4 March 2013 13:37
Subject: HMRC Tax Refund ID: 3976244
Dear Taxpayer,
After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.
Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).
Kind regards,
Paul McWeeney
Head of Consumer Sales and Service
The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:
everybodyonline .co.uk
uk-car-discount .co.uk
The email address has been -stolen- from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run. It looks like I am not the only person to notice this same problem*..."
* http://www.reviewcentre.com/Car-Deal...review_1884815
___
Fake Justin Bieber social media claims
- http://www.hoax-slayer.com/bieber-dies-crash-hoax.shtml
March 4, 2013 - "Outline: Message circulating via social media claims that popular young singing star Justin Bieber has died in a car accident...
> http://www.hoax-slayer.com/images/bieber-crash-hoax.jpg
... Many of these false death rumours originate from several tasteless "prank" websites that allow users to create fake news stories detailing the supposed death of various celebrities. Users can generally pick from several "news" templates, add the name of their chosen celebrity and then attempt to fool their friends by sharing the -bogus- story..."
___
Fake Facebook email/SPAM 'Violation of Terms' - Phishing Scam
- http://www.hoax-slayer.com/facebook-...ing-scam.shtml
March 4, 2013 - "Outline: Inbox message purporting to be from "Mark Zurckerberg" claims that the user's Facebook Page has violated the Facebook Terms of Service and may be permanently deleted unless the account is verified by clicking a link in the message... There have been a number of variations of these Facebook account phishing scams distributed in recent years. If you receive any message that claims that your Facebook account may be disabled or deleted if you do not verify account details, do not click on any links or attachments that it may contain. It is always safest to login to your Facebook account - and other online accounts - by entering the address into your browser's address bar rather than by following a link."
:mad::fear:
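The point dynamoo makes in the Delta post above (the links "only seem to work with a correct referrer and user agent") is why a bare wget or an automated URL scanner often sees nothing at the hacked site and reports it clean. When replaying a link from an isolated analysis box it is worth requesting it once per combination of the headers a real click would carry and diffing the answers. Below is an added example (my code, not dynamoo's or any sandbox's) that does that against a pluggable fetch function. The gate model in simulated_hacked_site is an assumption standing in for the redirector script, which the post does not show; the header values are constructed, and the redirect target is the landing page quoted in the post.

```python
import itertools

# Headers to vary. The Referer value is an assumption: a link clicked inside a
# webmail session would typically carry the webmail origin. Constructed values.
PROBE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0",
    "Referer": "http://webmail.example.com/",
}


def simulated_hacked_site(url, headers):
    """Stand-in for the redirector on a hacked site (assumed model, not the real
    script): bounce to the landing page only when a browser-like User-Agent
    *and* a Referer are present; otherwise return the site's normal page."""
    ua = headers.get("User-Agent", "")
    if "Mozilla" in ua and headers.get("Referer"):
        return 302, "http://inanimateweaknesses.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php"
    return 200, None


def probe(fetch, url):
    """Request `url` once per subset of PROBE_HEADERS and record the outcome.
    `fetch(url, headers)` must return (status, location); pass a real HTTP
    client there when replaying against a live site from an isolated host."""
    results = {}
    names = sorted(PROBE_HEADERS)
    for n in range(len(names) + 1):
        for combo in itertools.combinations(names, n):
            hdrs = {k: PROBE_HEADERS[k] for k in combo}
            results[combo] = fetch(url, hdrs)
    return results


def required_headers(results):
    """Headers present in every combination that produced a redirect; an empty
    set means the link is not gated on these headers (or never redirected)."""
    redirecting = [set(combo) for combo, (status, _) in results.items()
                   if 300 <= status < 400]
    if not redirecting:
        return set()
    return set.intersection(*redirecting)


if __name__ == "__main__":
    res = probe(simulated_hacked_site, "http://www.example.com/page.php")
    for combo, (status, loc) in res.items():
        print(f"{combo or '(no headers)'}: {status} {loc or ''}")
    print("gated on:", sorted(required_headers(res)))
```

Real redirectors also gate on source IP (one hit per address, or no hits from known scanner ranges) and on time, so a clean result from a second replay is not proof the link is dead; the urlquery reports quoted in this thread are the better record of what the page served when it was live.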
New Java exploits centered exploit kit
FYI...
New Java exploits centered exploit kit
- http://blog.webroot.com/2013/03/05/c...d-exploit-kit/
March 5, 2013 - "... its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”... More details:
Sample screenshot of the statistics page of the newly released Web malware exploitation kit:
> https://webrootblog.files.wordpress....tics_loads.png
The majority of affected users are U.S.-based hosts, and the majority of infected operating systems are Windows NT 6.1, followed by Windows XP... according to the cybercriminals pitching the kit, they’ve also managed to infect some Mac OS X hosts... competing Web malware exploitation kits tend to exploit a much more diversified set of client-side vulnerabilities, consequently, achieving higher exploitation rates... In the wake of two recently announced Java zero day vulnerabilities, users are advised to disable Java, as well as to ensure that they’re not running any outdated versions of their third-party software and browser plugins."
- http://seclists.org/fulldisclosure/2013/Mar/38
4 Mar 2013 - "... 5 -new- security issues were discovered in Java SE 7..."
___
Fake British Airways SPAM / forum-la .ru
- http://blog.dynamoo.com/2013/03/brit...ipts-spam.html
4 March 2013 - "This fake British Airways spam leads to malware on forum-la .ru:
From: LiveJournal.com [do-not-reply @livejournal .com]
Date: 4 March 2013 12:17
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 9AZ3049885
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la .ru:8080/forum/links/column.php (report here*) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Blocklist: ..."
* http://www.urlquery.net/report.php?id=1251838
... Detected suspicious URL pattern
___
iFrame injections drive traffic to Blackhole exploit kit
- http://nakedsecurity.sophos.com/2013...e-exploit-kit/
March 5, 2013 - "... recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites. JavaScript libraries on the legitimate websites are prepended with code... SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats! If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites... have been compromised in some way over the past week.
> https://sophosnews.files.wordpress.c...lexa.png?w=640
... Looking at data collected over the past 14 days (Feb 18th - March 4th 2013), I started off by looking at the host ISPs for the compromised web sites. As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.
> https://sophosnews.files.wordpress.c...isps.png?w=640
Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.
> https://sophosnews.files.wordpress.c...ntry.png?w=640
If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect* if the attacks were agnostic to the platform.
> https://sophosnews.files.wordpress.c...form.png?w=640
Most of these servers are running CentOS (then Debian then Ubuntu). This last piece of data gives us some clues as to how these attacks are happening. Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this. Digging around, it appears that this is indeed the root cause. The folks over at Sucuri** managed to get hold of the rogue module that was used on one such victim server.
Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded..."
* http://news.netcraft.com/archives/20...er-survey.html
** http://blog.sucuri.net/2013/02/web-s...e-modules.html
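The Sophos advice above (check the Apache configuration for unexpected modules) as an added example, not code from the Sophos post or from Sucuri: a POSIX shell script that diffs the modules a server reports as loaded against a baseline list captured from a known-good host, and flags module files that no installed package owns. The baseline names, the sample module listing and the name `unknown_extra_module` are constructed.

```shell
# Added example (not from the Sophos post): list Apache modules that are
# loaded but absent from a baseline, and flag module files that no
# installed package owns. Baseline and sample data below are constructed.

# Args: baseline file (one module name per line), file holding
# "apachectl -M" output. Prints each loaded module not in the baseline.
find_unexpected_modules() {
    baseline="$1"
    loaded="$2"
    # "apachectl -M" lines look like " status_module (shared)"; keep the
    # first field only, then drop every name present in the baseline.
    awk '$1 ~ /_module$/ { print $1 }' "$loaded" \
        | sort -u \
        | grep -vxF -f "$baseline" || true
}

# Args: module directory. Prints "<file> UNOWNED" for each .so that rpm
# or dpkg does not attribute to a package (a dropped rogue module is
# normally not package-managed). Does nothing if neither tool exists.
check_module_ownership() {
    moddir="$1"
    for so in "$moddir"/*.so; do
        [ -e "$so" ] || continue
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$so" >/dev/null 2>&1 || echo "$so UNOWNED"
        elif command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$so" >/dev/null 2>&1 || echo "$so UNOWNED"
        fi
    done
}

# Constructed sample: a baseline and a module listing that contains one
# module the baseline does not know about (unknown_extra_module).
tmp=$(mktemp -d)
printf '%s\n' core_module so_module mpm_prefork_module \
    rewrite_module php5_module > "$tmp/baseline.txt"
cat > "$tmp/loaded.txt" <<'EOF'
Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_prefork_module (shared)
 rewrite_module (shared)
 php5_module (shared)
 unknown_extra_module (shared)
EOF
find_unexpected_modules "$tmp/baseline.txt" "$tmp/loaded.txt"
# Live use: apachectl -M > loaded.txt, compare against a baseline taken
# from a known-good host, then run check_module_ownership on the module
# directory (e.g. /etc/httpd/modules or /usr/lib/apache2/modules).
```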
___
Something evil on 5.9.196.3 and 5.9.196.6
- http://blog.dynamoo.com/2013/03/some...nd-591966.html
5 March 2013 - "Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama .nl/relay.php) leading to two identified malware landing pages:
[donotclick]kisielius.surfwing .me/world/explode_conscious-scandal.jar (report here*)
[donotclick]alkalichlorideasenteeseen.oyunhan .net/world/romance-apparatus_clinical_repay.php (report here**)
Domains visible on 5.9.196.3 include:
A few IPs along is 5.9.196.6, which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb .com
Blocking these domains completely is probably a good idea:
5.9.196.0/28 is a Hetzner IP*** ... I haven't seen anything of value in this /28; blocking it may be prudent."
* http://www.urlquery.net/report.php?id=1248746
... Zip archive data
** http://www.urlquery.net/report.php?id=1265212
... Adobe PDF Memory Corruption
*** https://www.google.com/safebrowsing/...?site=AS:24940
"... over the past 90 days, 6823 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-04, and the last time suspicious content was found was on 2013-03-04..."
___
Fake HP printer SPAM / giliaonso .ru
- http://blog.dynamoo.com/2013/03/scan...njet-spam.html
5 Mar 2013 - "This fake HP printer spam leads to malware on giliaonso .ru:
Date: Tue, 5 Mar 2013 12:53:40 +0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments: HP_Scan.htm
Attached document was scanned and sent
to you using a HP A-16292P.
SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment leads to malware on [donotclick]giliaonso .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131 ..."
* http://urlquery.net/report.php?id=1266289
... Detected suspicious URL pattern... Blackhole 2 Landing Page 210.71.250.131
___
Fake Sendspace SPAM / forumkianko .ru
- http://blog.dynamoo.com/2013/03/send...mkiankoru.html
5 Mar 2013 - "This fake Sendspace spam leads to malware on forumkianko .ru:
Date: Tue, 5 Mar 2013 06:52:10 +0100
From: AyanaLinney@ [redacted]
Subject: You have been sent a file (Filename: [redacted]-51153.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]forumkianko .ru:8080/forum/links/column.php (report here*) hosted on:
46.4.77.145 (Hetzner, Germany***)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chunghwa Telecom, Taiwan)
These IPs are the same as used in this attack**..."
* http://urlquery.net/report.php?id=1267580
... Detected suspicious URL pattern... Blackhole 2 Landing Page 46.4.77.145
** http://blog.dynamoo.com/2013/03/scan...njet-spam.html
*** https://www.google.com/safebrowsing/...?site=AS:24940
:mad:
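The same Blackhole 2 landing-page pattern (port 8080, path /forum/links/column.php) recurs in the British Airways, HP printer and Sendspace posts above. As an added example, not from dynamoo's posts, this POSIX shell/awk filter flags Squid-format proxy log lines that request that path or that were served from one of the three hosting IPs listed for the HP printer and Sendspace campaigns; the log lines and the `.example` hostnames are constructed.

```shell
# Added example (not from the dynamoo posts): flag Squid-format proxy log
# lines that request the Blackhole 2 landing path quoted above or that
# reach one of the three hosting IPs listed there. Log lines are constructed.

# Args: Squid native access.log. Prints "<client> <reason> <url>" per hit.
# Squid native fields: time elapsed client code/status bytes method URL
# rfc931 peerstatus/peerhost type, so $3 is the client, $7 the URL and
# $9 carries the destination IP after the slash (e.g. DIRECT/1.2.3.4).
flag_blackhole_hits() {
    awk '
    BEGIN {
        # hosting IPs named in the HP printer and Sendspace posts
        bad["46.4.77.145"]; bad["198.104.62.49"]; bad["210.71.250.131"]
    }
    {
        client = $3; url = $7; split($9, h, "/"); dst = h[2]
        if (index(url, ":8080/forum/links/column.php") > 0) {
            print client, "landing-url", url
        } else if (dst in bad) {
            # served from a listed IP without the telltale path
            print client, "blocklisted-ip", url
        }
    }' "$1"
}

# Constructed log: one benign request, one hit on the landing path, one
# request served from a listed IP, and one look-alike path on an
# internal host that must not be flagged.
tmp=$(mktemp -d)
cat > "$tmp/access.log" <<'EOF'
1362489600.123 420 10.0.0.12 TCP_MISS/200 1523 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1362489601.456 980 10.0.0.12 TCP_MISS/200 8810 GET http://landing.example:8080/forum/links/column.php - DIRECT/210.71.250.131 text/html
1362489602.789 300 10.0.0.57 TCP_MISS/200 512 GET http://other.example/ - DIRECT/46.4.77.145 text/html
1362489603.001 210 10.0.0.99 TCP_MISS/200 2048 GET http://intranet.example.com/forum/links/ - DIRECT/10.0.0.5 text/html
EOF
flag_blackhole_hits "$tmp/access.log"
```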