Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #34
    Adviser Team AplusWebMaster

    Fake Amazon + Royal Mail SPAM ...

    FYI...

    Fake Amazon SPAM / 213.152.26.150
    - http://blog.dynamoo.com/2014/02/amaz...ur-online.html
    27 Feb 2014 - "This fake Amazon spam leads to something bad.
    Date: Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
    From: "Amazon.com" [t1na@ msn .com]
    Subject: Important For Your Online Account Access .
    Your Account Has Been Held
    Dear Customer ,
    We take you to note that your account has been suspended for protection , Where the password was entered more than once .
    In order to protect ,account has been suspended .Please update your Account Information To verify the account...
    Thanks for Update at Amazon .com...


    Screenshot: https://lh3.ggpht.com/-I0pRhOGLLtA/U...00/amazon2.png

    In the samples that I have seen the link in the email goes to either [donotclick]exivenca .com/support.php or [donotclick]vicorpseguridad .com/support.php both of which are currently -down- but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care.."
    ___

    Fake Royal Mail SPAM
    - http://blog.dynamoo.com/2014/02/roya...sory-spam.html
    27 Feb 2014 - "This -fake- Royal Mail spam has a malicious payload:
    From: Royal Mail noreply@ royalmail .com
    Date: 27 February 2014 14:50
    Subject: Royal Mail Shipping Advisory, Thu, 27 Feb 2014
    Royal Mail Group Shipment Advisory
    The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE ...


    Screenshot: https://lh3.ggpht.com/-Uwr252R1CT4/U.../royalmail.png

    This is a ThreeScripts attack, the link in the email goes to:
    [donotclick]wagesforinterns .com/concern/index.html
    and it then runs one or more of the following scripts:
    [donotclick]billigast-el .nu/margarita/garlicky.js
    [donotclick]ftp.arearealestate .com/telecasted/earners.js
    [donotclick]tattitude .co .uk/combines/cartooning.js
    in this case the payload site is at
    [donotclick]northwesternfoods .com/sg3oyoe0v2
    which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites... The payload appears to be an Angler Exploit Kit (see this example*).
    Recommended blocklist:
    "
    * http://urlquery.net/report.php?id=9660606

    Last edited by AplusWebMaster; 2014-02-27 at 16:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
