FYI...
Fake ADP SPAM / faneroomk .ru
- http://blog.dynamoo.com/2013/02/adp-...neroomkru.html
21 Feb 2013 - "This fake ADP spam tries (and fails) to lead to malware on faneroomk .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 001737199
Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 890911798
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is meant to be [donotclick]faneroomk .ru:8080/forum/links/column.php but right at the moment it is not resolving... The following IPs and domains are all related:
..."
(More detail at the dynamoo URL above.)
___
Fake Verizon Wireless SPAM / participamoz .com
- http://blog.dynamoo.com/2013/02/veri...ipamozcom.html
20 Feb 2013 - "This fake Verizon Wireless spam leads to malware on participamoz .com:
Date: Wed, 20 Feb 2013 23:24:49 +0400
From: "AccountNotify @verizonwireless .com" [cupcakenc0 @irs .gov]
Subject: Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.
> Review and Pay Your Bill
Thank you for choosing Verizon Wireless.
My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information
If you are not the intended recipient and feel you have received this email in error; or if you would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]participamoz .com/detects/holds_edge.php hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)
The following IPs and domains are connected and should be treated as malicious:
..."
___
Fake Verizon emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/21/f...e-exploit-kit/
Feb 21, 2013 - "On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails... one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Malicious domain name reconnaissance:
participamoz .com – 173.251.62.46; 161.200.156.200 – Email: dort.dort @live .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com
... Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f * ... UDS:DangerousObject.Multi.Generic.
It then attempts to phone back to the following IPs:
..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/8...3dd9/analysis/
File name: info.exe
Detection ratio: 25/46
Analysis date: 2013-02-21
___
Fake "Efax Corporate" SPAM / fuigadosi .ru
- http://blog.dynamoo.com/2013/02/efax...igadosiru.html
21 Feb 2013 - "This fake eFax spam leads to malware on fuigadosi .ru:
Date: Thu, 21 Feb 2013 -05:24:35 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Efax Corporate
Attachments: EFAX_Corporate.htm
Fax Message [Caller-ID: 705646877]
You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.
* The reference number for this fax is [eFAX-806896385].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]fuigadosi .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)..."
* http://urlquery.net/report.php?id=1060334
___
Fake Trustwave TrustKeeper emails - Phish ...
- http://blog.spiderlabs.com/2013/02/-...ing-alert.html
21 Feb 2013 - "Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails pretending to be from Trustwave. These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them. These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network. Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems. Below is a screenshot of a fake email:
> http://npercoco.typepad.com/.a/6a013...1337399970c-pi ..."
___
Fake inTuit emails - overdue payment
- http://security.intuit.com/alert.php?a=73
2/21/13 - "People are receiving fake emails with the title "Please respond - overdue payment." Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file:
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles
This is the end of the fake email.
Steps to Take Now: Do -not- open the attachment in the email..."
___
Fake "Xerox WorkCentre Pro" SPAM / familanar .ru
- http://blog.dynamoo.com/2013/02/scan...-pro-spam.html
21 Feb 2013 - "This familiar printer spam leads to malware on the familanar .ru domain:
Date: Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Re: Scan from a Xerox WorkCentre Pro #800304
A Document was sent to you using a XEROX WorkJet PRO 760820.
SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]familanar .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)
Which are the same IPs found in this attack** and several others. Block 'em if you can."
* http://www.urlquery.net/report.php?id=1064138
** http://blog.dynamoo.com/2013/02/efax...igadosiru.html
___
Fake ACH transaction SPAM / payment receipt - 884993762994.zip
- http://blog.dynamoo.com/2013/02/ach-...tion-spam.html
21 Feb 2013 - "This fake ACH transaction spam comes with a malicious attachment:
Date: Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From: Payment notification system [homebodiesga38@gmail.com]
Subject: Automatic transfer notification
ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.
This is an automatically generated email, please do not reply
Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46... Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it..."
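The EXE-in-ZIP perimeter check that Dynamoo recommends in the last item, written out as an added example (not code from the original post or from any of the quoted blogs). The extension list, the MAX_DEPTH bound and the sample archive are constructed for illustration; the check flags archive members both by extension and by the PE "MZ" magic, so a renamed executable is still caught, and it looks inside nested zips.

```python
import io
import os
import zipfile

# Member extensions the filter refuses (an assumed list; tune it to your environment).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 3  # nested archives are common; bound the recursion

def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample shaped like the ACH spam attachment above; the .exe is a fake
# PE stub (just the 'MZ' magic), not a real program.
SAMPLE_ZIP = build_zip({"payment receipt - 884993762994.exe": b"MZ" + b"\x00" * 62})

def find_executables(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Paths of members that look executable, by extension or by the PE 'MZ' magic
    (so a renamed .exe is still caught), recursing into nested zips."""
    hits: list[str] = []
    if depth > MAX_DEPTH:
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename.lower())[1]
            with zf.open(info) as member:
                head = member.read(4)  # only the leading bytes are needed
            if ext in EXEC_EXTENSIONS or head[:2] == b"MZ":
                hits.append(path)
            elif head == b"PK\x03\x04":  # nested archive: look inside it too
                hits.extend(find_executables(zf.read(info), depth + 1, path + "!/"))
    return hits

def should_block(attachment_name: str, data: bytes) -> bool:
    """Perimeter decision: block zips carrying executables; quarantine unparseable ones."""
    if not attachment_name.lower().endswith(".zip"):
        return False
    try:
        return bool(find_executables(data))
    except zipfile.BadZipFile:
        return True  # malformed archive: do not pass it through unexamined
```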