
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #141
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake BBB SPAM...

    FYI...

    Fake BBB SPAM / alteshotel .net and bbb-accredited .net
    - http://blog.dynamoo.com/2013/03/bbb-...t-and-bbb.html
    7 Mar 2013 - "This fake BBB spam leads to malware on alteshotel .net and bbb-accredited .net:
    Date: Thu, 7 Mar 2013 06:23:12 -0700
    From: "Better Business Bureau Warnings" [hurriese3 @bbb .com]
    Subject: BBB details regarding your claim No.
    Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
    Better Business Bureau ©
    Start With Trust ©
    Thu, 6 March 2013
    Your Accreditation Suspended
    [redacted]
    The Better Business Bureau has been temporary Aborted Your Accreditation
    A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.
    We graciously ask you to overview the TERMINATION REPORT to meet on this claim
    -We awaits to your prompt rebound- .
    If you think you got this email by mistake - please forward this message to your principal or accountant
    Yours respectfully
    Hunter Ross
    Dispute Advisor
    Better Business Bureau
    Better Business Bureau
    3053 Wilson Blvd, Suite 600 Arlington, VA 25501
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
    ========
    Date: Thu, 7 Mar 2013 21:19:18 +0800
    From: "Better Business Bureau Warnings" [prettifyingde7 @transfers.americanpayroll .org]
    Subject: BBB details about your pretense No.
    Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
    Better Business Bureau ©
    Start With Trust ©
    Thu, 6 March 2013
    Your Accreditation Suspended
    [redacted]
    The Better Business Bureau has been temporary Aborted Your Accreditation
    A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.
    We graciously ask you to visit the ABUSE REPORT to answer on this appeal
    - We awaits to your prompt answer. -
    If you think you got this email by mistake - please forward this message to your principal or accountant
    Faithfully yours
    Benjamin Cox
    Dispute Councilor
    Better Business Bureau
    Better Business Bureau
    3053 Wilson Blvd, Suite 600 Arlington, VA 24401
    Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
    This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


    One potentially malicious payload is at [donotclick]alteshotel .net/detects/review_complain.php (looks like it might be broken - report here*) hosted on:
    69.43.161.176 (Parked at Castle Access Inc, US)
    The other is at [donotclick]bbb-accredited .net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here**) hosted on:
    64.207.236.198 (EasyTEL, US)
    142.11.195.204 (Hostwinds LLC, US)
    149.154.68.214 (TheFirst.RU, Russia) ...
    Recommended blocklist:
    64.207.236.198
    142.11.195.204
    149.154.68.214
    ..."
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1302657

    ** http://urlquery.net/report.php?id=1302670
    ... Detected live BlackHole v2.0 exploit kit
    ___

    Malware sites to block 7/3/13
    - http://blog.dynamoo.com/2013/03/malw...lock-7313.html
    7 March 2013 - "Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:
    173.246.102.2 (Gandi, US)
    173.255.215.242 (Linode, US)
    64.13.172.42 (Silicon Valley Colocation, US)
    Blocklist:
    173.246.102.2
    173.255.215.242
    64.13.172.42
    ..."
    (Long list at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2013-03-07 at 18:38.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #142
    AplusWebMaster

    Fake Adobe/IRS/LinkedIn SPAM ...

    FYI...

    Fake Adobe CS4 SPAM / guuderia .ru
    - http://blog.dynamoo.com/2013/03/adob...uuderiaru.html
    8 March 2013 - "This fake Adobe spam leads to malware on guuderia .ru:
    From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of Donnie Cherry via LinkedIn
    Sent: 07 March 2013 12:39
    Subject: Order N40898
    Good afternoon,
    You can download your Adobe CS4 License here -
    We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
    Thank you for buying Adobe InDesign CS4 software.
    Adobe Systems Incorporated


    The malicious payload is at [donotclick]guuderia .ru:8080/forum/links/column.php (report here*) hosted on:
    41.72.150.100 (Hetzner, South Africa)
    212.180.176.4 (Supermedia, Poland)
    Blocklist: ..."
    * http://urlquery.net/report.php?id=1318046
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
    ___

    Fake IRS SPAM / gimilako .ru
    - http://blog.dynamoo.com/2013/03/your...-declined.html
    8 March 2013 - "This following fake IRS spam leads to malware on gimilako .ru:
    From: Myspace [mailto:noreply@message .myspace .com]
    Sent: 07 March 2013 20:55
    Subject: Your tax return appeal is declined.
    Dear Chief Account Officer,
    Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
    Internal Revenue Service
    Telephone Assistance for Businesses:
    Toll-Free, 1-800-829-4933
    Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).


    The malicious payload is at [donotclick]gimilako .ru:8080/forum/links/column.php (reported here*) hosted on:
    41.72.150.100 (Hetzner, South Africa)
    89.107.184.167 (WebhostOne, Germany)
    212.180.176.4 (Supermedia, Poland)
    Blocklist: ..."
    * http://urlquery.net/report.php?id=1321924
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 89.107.184.167
    ___

    Fake LinkedIn SPAM / giminalso .ru
    - http://blog.dynamoo.com/2013/03/link...minalsoru.html
    8 March 2013 - "This fake LinkedIn spam leads to malware on giminalso .ru:
    From: messages-noreply@bounce. linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn Password
    Sent: 08 March 2013 10:24
    Subject: Aylin is now part of your network. Keep connecting...
    [redacted], Congratulations!
    You and Aylin are now connected.
    Aylin Welsh
    Tajikistan
    2012, LinkedIn Corporation


    The malicious payload is at [donotclick]giminalso .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as in this other attack** today:
    41.72.150.100 (Hetzner, South Africa)
    89.107.184.167 (WebhostOne, Germany)
    212.180.176.4 (Supermedia, Poland)"
    * http://urlquery.net/report.php?id=1322125
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 41.72.150.100
    ** http://blog.dynamoo.com/2013/03/your...-declined.html
    ___

    Fake AT&T spam (again)
    - http://blog.dynamoo.com/2013/03/at-spam-again.html
    8 Mar 2013 - "This fake AT&T spam leads to malware on.. well, in this case nothing at all.
    Date: Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
    From: AT&T Customer Care [icare7@amcustomercare .att-mail .com]
    Subject: Your AT&T wireless bill is ready to view
    att.com | Support | My AT&T Account Rethink Possible
    Your wireless bill is ready to view
    Dear Customer,
    Your monthly wireless bill for your account is now available online.
    Total Balance Due: -$1695.64-
    Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
    Smartphone users: download the free app to manage your account anywhere, anytime.
    Thank you,
    AT&T Online Services ...


    > https://lh3.ggpht.com/-9r2z1zqGRKg/U...att-bill-2.png

    In this case the link goes to a redirector page at [donotclick]vtcrm.update .se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!"
    ___

    RU:8080 and Amerika SPAM runs
    - http://blog.dynamoo.com/2013/03/ru80...spam-runs.html
    8 March 2013 - "For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP. The most obvious characteristic of one of the spam runs is the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080*. You can see some current nastiness in action at Malware Must Die**. But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia. I've labelled this series as Amerika***... The Amerika spam run is a little harder to identify, so there may be some errors in it. I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!"
    * http://blog.dynamoo.com/search/label/RU%3A8080

    ** http://malwaremustdie.blogspot.co.uk...at-do-you.html
    March 5, 2013

    *** http://blog.dynamoo.com/search/label/Amerika
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 08
    Fake Business Complaint E-mail Messages - 2013 Mar 08
    Fake Italian Online Dating Request E-mail Messages - 2013 Mar 08
    Fake Portuguese Payment Invoice E-mail Messages - 2013 Mar 08
    Fake Portuguese Banking Service Notification E-mail Messages - 2013 Mar 08
    (Links and more detail at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-03-09 at 21:05.
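As an added example (not code from the dynamoo blog or from this thread), a small Python classifier that refangs the "[donotclick]host .tld" notation used in these posts and labels each URL by the spam-run characteristics described above. The ".ru:8080" rule and the recurring "/forum/links/column.php" landing path come from the posts; treating a lone .su domain as a hint and a .com/.net/.org/.pro/.biz host with a ".php" landing path as a possible Amerika URL are my assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample indicators, written in the thread's defanged style:
# a "[donotclick]" prefix and a space inserted before the TLD or the port.
SAMPLE_INDICATORS = [
    "[donotclick]giminalso .ru:8080/forum/links/column.php",
    "[donotclick]gimikalno .ru:8080/forum/links/column.php",
    "[donotclick]bbb-accredited .net/kill/enjoy-laws-partially-unwanted.php",
    "[donotclick]beveragerefine .su/hjz/file.php",
    "http://www.example.com/index.html",  # benign control (constructed)
]

# Landing-page path that recurs across the RU:8080 posts in this thread.
RU8080_LANDING_PATH = "/forum/links/column.php"


def refang(indicator: str) -> str:
    """Turn the thread's defanged notation back into a parseable URL.

    Only the notation seen on the page is handled: "[donotclick]",
    "host .tld", "host. tld" and "host :port".
    """
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"\s+\.", ".", s)   # "giminalso .ru"   -> "giminalso.ru"
    s = re.sub(r"\.\s+", ".", s)   # "bounce. linkedin" -> "bounce.linkedin"
    s = re.sub(r"\s+:", ":", s)    # "50.28.90.36 :8080" -> "50.28.90.36:8080"
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, re.IGNORECASE):
        s = "http://" + s           # the thread's notation omits the scheme
    return s


def classify(indicator: str) -> str:
    """Label one indicator using the spam-run characteristics the thread describes.

    "ru8080"   - .ru host on port 8080, or on the landing path seen in every
                 RU:8080 post (the port rule is dynamoo's own criterion)
    "su"       - .su domain, the tell-tale the Zbot post mentions (a hint only;
                 assumption: .su alone does not prove anything)
    "amerika?" - .com/.net/.org/.pro/.biz host with a .php landing path; the TLD
                 list is from the Amerika description, the ".php" part is my assumption
    "none"     - nothing matched
    """
    parts = urlsplit(refang(indicator))
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    path = parts.path.lower()
    try:
        port = parts.port
    except ValueError:             # malformed port in the indicator
        port = None
    if tld == "ru" and (port == 8080 or path == RU8080_LANDING_PATH):
        return "ru8080"
    if tld == "su":
        return "su"
    if tld in {"com", "net", "org", "pro", "biz"} and path.endswith(".php"):
        return "amerika?"
    return "none"


def summarize(indicators):
    """Group hostnames by label so each group can feed the matching blocklist."""
    groups = {}
    for ind in indicators:
        host = urlsplit(refang(ind)).hostname or ""
        groups.setdefault(classify(ind), []).append(host)
    return groups


if __name__ == "__main__":
    for label, hosts in sorted(summarize(SAMPLE_INDICATORS).items()):
        print(f"{label:9s} {', '.join(hosts)}")
```
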

  3. #143
    AplusWebMaster

    Fake Wire Transfer SPAM - Something evil on 37.59.214.0/28 // 176.31.140.64/28

    FYI...

    Something evil on 37.59.214.0/28
    - http://blog.dynamoo.com/2013/03/some...759214028.html
    11 March 2013 - "37.59.214.0/28 is an OVH IP range* suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith .info:89/forum/had.php which is evading automated analysis**. The owner of this block is as follows:
    organisation: ORG-SS252-RIPE
    org-name: Shah Sidharth
    org-type: OTHER
    address: 12218 Skylark Rd
    address: 20871 Clarksburg
    address: US
    abuse-mailbox: ovhresell @gmail .com
    phone: +1.5407378283
    mnt-ref: OVH-MNT
    mnt-by: OVH-MNT
    source: RIPE # Filtered
    Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appear to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious..."
    (List at the dynamoo URL above.)
    ** http://urlquery.net/report.php?id=1368280

    AS16276 (OVH)
    * https://www.google.com/safebrowsing/...?site=AS:16276
    "... over the past 90 days, 6134 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-11, and the last time suspicious content was found was on 2013-03-11... Over the past 90 days, we found 911 site(s) on this network... that appeared to function as intermediaries for the infection of 2222 other site(s)... We found 1665 site(s)... that infected 8762 other site(s)..."
    ___

    Something evil on 176.31.140.64/28
    - http://blog.dynamoo.com/2013/03/some...311406428.html
    11 March 2013 - "176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post)*. It contains a small number of malicious domains flagged by Google (in red), most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.
    Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block..."
    (List at the dynamoo URL above.)
    * http://blog.dynamoo.com/2013/03/some...759214028.html
    ___

    Sidharth Shah / OVH / itechline .com
    - http://blog.dynamoo.com/2013/03/sidh...chlinecom.html
    11 March 2013 - "I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:
    ...

    These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistent, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here*...
    The email address sidharth134 @gmail .com is also associated with itechline .com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah. BBB rating is based on 16 factors.
    Factors that lowered the rating for ITechline.com include:
    Length of time business has been operating
    8 complaints filed against business
    Failure to respond to 7 complaints filed against business

    > https://lh3.ggpht.com/-D1aA_fdVk64/U.../itechline.png
    ... ITechline.com has garnered some very negative consumer reviews..."
    * http://www.dynamoo.com/files/sidharth-shah.csv
    ___

    Fake Wire Transfer SPAM / gimikalno .ru
    - http://blog.dynamoo.com/2013/03/wire...mikalnoru.html
    11 Mar 2013 - "This fake wire transfer spam leads to malware on gimikalno .ru:
    Date: Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
    From: Xanga [noreply@xanga .com]
    Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)
    Dear Bank Account Operator,
    WIRE TRANSFER: FED62403611378975648
    CURRENT STATUS: PENDING
    Please REVIEW YOUR TRANSACTION as soon as possible.


    The malicious payload is at [donotclick]gimikalno .ru:8080/forum/links/column.php (report here*) hosted on:
    5.9.40.136 (Hetzner, Germany)
    66.249.23.64 (Endurance International Group, US)
    94.102.14.239 (Netinternet, Turkey)
    Blocklist: ..."
    * http://urlquery.net/report.php?id=1371618
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239

    Last edited by AplusWebMaster; 2013-03-12 at 01:46.

  4. #144
    AplusWebMaster

    Fake BofA, ACH, Wire Transfer SPAM ...

    FYI...

    Fake BofA emails lead to malware
    - http://blog.webroot.com/2013/03/12/f...ad-to-malware/
    March 12, 2013 - "Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a -bogus- online digital certificate attached to the fake emails...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ngineering.png
    Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b * ... Password-Stealer.
    The attachment uses the following naming convention:
    cashpro_cert_7585cc6726.zip
    cashpro_cert_cc1d4a119071.zip...
    It then attempts to connect to 74.207.227.67; 17.optimaxmagnetics .us, and successfully establishes a connection with the C&C server at 50.28.90.36 :8080/forum/viewtopic.php...
    More MD5s are known to have phoned back to the same IP..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/4...cdf3/analysis/
    File name: Ywiti
    Detection ratio: 36/45
    Analysis date: 2013-03-11
    ___

    Fake "End of Aug. Stat. Required" SPAM / giminkfjol .ru
    - http://blog.dynamoo.com/2013/03/end-...ired-spam.html
    12 March 2013 - "This spam leads to malware on giminkfjol .ru:
    From: user @victimdomain .com
    Sent: 12 March 2013 04:19
    Subject: Re: End of Aug. Stat. Required
    Good morning,
    as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
    Regards


    The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol .ru:8080/forum/links/column.php (report here*) hosted on:
    5.9.40.136 (Hetzner, Germany)
    94.102.14.239 (Netinternet, Turkey)
    213.215.240.24 (COLT, Italy)
    Blocklist: ..."
    * http://urlquery.net/report.php?id=1389261
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 213.215.240.24
    ___

    HP LaserJet printer backdoor
    - http://h-online.com/-1821334
    12 March 2013 - "A number of HP LaserJet printers can be accessed through the network and unencrypted data can be read from them without authentication. The US-CERT has issued an advisory* that warns users of these printers and is calling on them to update the printer's firmware with a fixed version... HP's own advisory** identifies HP LaserJet Pro P1102w, P1606dn, M1212nf MFP (Multi Function Printer), M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1219nf MFP and CP1025nw printers as affected by the problem and has issued firmware and installation instructions for that firmware to close the vulnerability."
    * http://www.kb.cert.org/vuls/id/782451
    Last revised: 11 Mar 2013

    ** https://h20566.www2.hp.com/portal/si...r_na-c03684249
    Last Updated: 2013-03-06
    References: CVE-2012-5215
    ___

    Fake News Diet Supplement Site
    - http://www.gfi.com/blog/thinspo-tumb...pplement-site/
    March 12, 2013 - "... something called “Thinspo” – it’s a shortened term for “Thinspiration”, usually a tag on social media sites... an attempt at directing such individuals to fake news websites touting “green coffee” weight loss offers. Here’s the Tumblr in question, which contains numerous “Thinspo” pictures...
    > http://www.gfi.com/blog/wp-content/u...3/thinspo1.jpg
    Sending kids and teens with potentially serious body image hang-ups to -fake- news report sites such as this which practically beg them to sign up and lose weight is incredibly creepy... It’s entirely possible there’s more of them lurking on various social networks though, so please be aware that no matter how controversial the subject, someone is always going to want to take advantage of it for their own benefit."
    ___

    Fake ACH Batch Download Notification
    - http://security.intuit.com/alert.php?a=77
    11 Mar 2013 - "People are receiving fake emails with the title 'ACH Batch Download Notification'. Below is a copy of the email people are receiving, including the mistakes shown.

    Refund check in the amount of $4,370.00 for
    The following ACH batch has been submitted for processing.
    Initiated By: colleen
    Initiated Date & Time: Mon, 11 Mar 2013 19:59:38 +0500 Batch ID: 8242710 Batch Template Name: PAYROLL
    Please view the attached file to review the transaction details.


    This is the end of the fake email.
    Steps to Take Now
    - Do -not- click on the link in the email or open the attached file...
    - Delete the email."
    ___

    Fake Wire Transfer SPAM / giminanvok .ru
    - http://blog.dynamoo.com/2013/03/wire...inanvokru.html
    11 Mar 2013 - "Another wire transfer spam, this time leading to malware on giminanvok .ru:
    Date: Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
    From: LinkedIn Connections [connections@linkedin.com]
    Subject: Fwd: Wire Transfer (5600LJ65)
    Dear Bank Account Operator,
    WIRE TRANSFER: FED694760330367340
    CURRENT STATUS: PENDING
    Please REVIEW YOUR TRANSACTION as soon as possible.


    The malicious payload is at [donotclick]giminanvok .ru:8080/forum/links/column.php (report pending*) hosted on the same IPs used earlier today:
    5.9.40.136 (Hetzner, Germany)
    66.249.23.64 (Endurance International Group, US)
    94.102.14.239 (Netinternet, Turkey)
    I strongly recommend that you block access to these IPs if you can."

    Last edited by AplusWebMaster; 2013-03-12 at 20:46.

  5. #145
    AplusWebMaster

    Fake BBB emails lead to BlackHole Exploit Kit

    FYI...

    Fake BBB emails lead to BlackHole Exploit Kit
    - http://blog.webroot.com/2013/03/13/s...e-exploit-kit/
    March 13, 2013 - "Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time, launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the first BBB themed spamvertised campaign:
    > https://webrootblog.files.wordpress....xploit_kit.png
    Sample screenshot of the second BBB themed spamvertised campaign:
    > https://webrootblog.files.wordpress....oit_kit_01.png
    ... Malicious domain names reconnaissance:
    ...
    Not surprisingly, we’ve already seen the onetoo @gmx .com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware“.
    Upon successful client-side exploitation, a sampled campaign drops: MD5: 126a104f260cb0059b901c6a23767d76 * ... Worm:Win32/Cridex.E ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/1...3f77/analysis/
    File name: cf2d476e6b1a8eae707ffae520c4d019c7226948
    Detection ratio: 28/45
    Analysis date: 2013-03-10
    ___

    - http://gfisoftware.tumblr.com/post/4...ation-has-been
    5 days ago - "... Subjects seen:
    BBB Accreditation Terminated
    Typical e-mail details:
    Valued Owner:
    Your accreditation with Better Business Beaureau was Discontinued
    A number of latest claims on you / your company motivated us to provisional Suspend your accreditation with Better Business Beaureau. The information about the our decision are available for review at a link below. Please give attention to this issue and inform us about your sight as soon as possible.
    We amiably ask you to click and review the SUSPENSION REPORT to meet on this grievance.
    If you think you got this email by mistake - please forward this message to your principal or accountant
    We awaits to your prompt rebound
    ..."
    ___

    Zbot sites to block 13/3/13
    - http://blog.dynamoo.com/2013/03/zbot...-to-block.html
    13 Mar 2013 - "These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something*.
    ...
    And for the record, those IPs belong to:
    76.185.101.239 (Road Runner, US)
    77.74.197.190 (UK Dedicated Servers, UK)
    89.202.183.27 (Interoute / PSI, UK)
    89.253.234.247 (Rusonyx, Russia)
    201.236.78.182 (Municipalidad De Quillota, Chile)
    218.249.154.140 (Beijing Zhongbangyatong Telecom, China)..."
    * https://www.abuse.ch/?p=3581
    ___

    Fake "Wapiti Lease Corp" SPAM / giminaaaao .ru
    - http://blog.dynamoo.com/2013/03/wapi...tion-spam.html
    13 March 2013 - "A fairly bizarre spam leading to malware on giminaaaao .ru:
    From: IESHA WILLEY [mailto:AtticusRambo @tui-infotec .com]
    Sent: 13 March 2013 11:22
    To: Sara Smith
    Subject: Fwd: Wapiti Land Corporation Guiding Principles attached
    Hello,
    Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
    comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.
    Thank you,
    IESHA WILLEY
    WLC


    This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao .ru:8080/forum/links/column.php (report here*) hosted on:
    93.174.138.48 (Cloud Next / Node4, UK)
    94.102.14.239 (Netinternet , Turkey)
    213.215.240.24 (COLT, Italy)
    Blocklist: ..."
    * http://urlquery.net/report.php?id=1406092
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239
    ___

    Fake "Copies of policies" SPAM / giimiiifo .ru
    - http://blog.dynamoo.com/2013/03/copi...imiiiforu.html
    13 Mar 2013 - "This spam leads to malware on giimiiifo .ru:
    Date: Wed, 13 Mar 2013 06:49:25 +0100
    From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
    Subject: RE: Alonso - Copies of Policies.
    Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
    Here is the Package and Umbrella,
    and a copy of the most recent schedule.
    Alonso SAMS,


    The malicious payload is at [donotclick]giimiiifo .ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
    94.102.14.239 (Netinternet , Turkey)
    213.215.240.24 (COLT, Italy)"

    Last edited by AplusWebMaster; 2013-03-13 at 23:41.

  6. #146
    AplusWebMaster

    Fake Efax, LinkedIn SPAM leads to malware...

    FYI...

    Fake Efax SPAM / gimiinfinfal .ru
    - http://blog.dynamoo.com/2013/03/efax...nfinfalru.html
    14 Mar 2013 - "This eFax-themed spam leads to malware on gimiinfinfal .ru:
    Date: Thu, 14 Mar 2013 07:39:23 +0300
    From: SarahPoncio @mail .com
    Subject: Efax Corporate
    Attachments: Efax_Corporate.htm
    Fax Message [Caller-ID: 449555234]
    You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
    * The reference number for this fax is [eFAX-263482326].
    View attached fax using your Internet Browser.
    © 2013 j2 Global Communications, Inc. All rights reserved.
    eFax ® is a registered trademark of j2 Global Communications, Inc.
    This account is subject to the terms listed in the eFax ® Customer Agreement.


    There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal .ru:8080/forum/links/column.php (report here) hosted on:
    94.102.14.239 (Netinternet, Turkey)
    50.116.23.204 (Linode, US)
    213.215.240.24 (COLT, Italy)
    Blocklist:
    50.116.23.204
    94.102.14.239
    213.215.240.24
    giimiiifo .ru

    ___

    Fake LinkedIn SPAM / teenlocal .net
    - http://blog.dynamoo.com/2013/03/link...nlocalnet.html
    14 March 2013 - "This fake LinkedIn spam leads to malware on teenlocal .net:
    From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
    Sent: 14 March 2013 16:32
    Subject: Frank and Len have endorsed you!
    Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
    Program Management
    Strategic Planning
    Continue
    You are receiving Endorsements emails. Unsubscribe.
    This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is at [donotclick]teenlocal .net/kill/force-vision.php (report here) hosted on:
    24.111.157.113 (Midcontinent Media, US)
    58.26.233.175 (Telekom Malaysia, Malaysia)
    155.239.247.247 (Centurion Telkom, South Africa)
    Blocklist:
    24.111.157.113
    58.26.233.175
    155.239.247.247
    ..."
    (More detail at the dynamoo URL above.)


#147: Fake Wire Transfer emails serve client-side exploits and malware

    FYI...

    Fake Wire Transfer emails serve client-side exploits and malware
    - http://blog.webroot.com/2013/03/15/c...s-and-malware/
March 15, 2013 - "Over the last couple of days, a cybercriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....e_transfer.png
    ... Sample client-side exploits serving URL: hxxp://gimikalno .ru:8080/forum/links/column.php
    Sample malicious payload dropping URL: hxxp://gimikalno .ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
    Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a * ... Trojan.FakeMS
    ... phones back to:
    149.156.96.9 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
    72.251.206.90 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
    202.29.5.195 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
    213.214.74.5 /AJtw/UCyqrDAA/Ud+asDAA/
    We’ve already seen 213.214.74.5 in... previously profiled campaigns
    Malicious domain name reconnaissance:
    gimikalno .ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
    Name Servers: ns1.gimikalno .ru 41.168.5.140
    Name Servers: ns2.gimikalno .ru 110.164.58.250 (nangrong.ac.th)
    Name Servers: ns3.gimikalno .ru 210.71.250.131 (tecom.com.tw)
    Name Servers: ns4.gimikalno .ru 194.249.217.8 (gimnazija-tolmin1.si)
    Name Servers: ns5.gimikalno .ru 72.251.206.90 ..."
    (More detail at the webroot URL above.)
    * https://www.virustotal.com/en/file/b...6642/analysis/
    File name: docprop.dll
    Detection ratio: 26/45
    Analysis date: 2013-03-13
    ___

    Malware sites to block 15/3/13
    - http://blog.dynamoo.com/2013/03/malw...ock-15313.html
    15 March 2013 - "These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos .ru seems to be very active this morning. Block 'em if you can:
    5.9.40.136
    41.72.150.100
    50.116.23.204
    66.249.23.64
    94.102.14.239
    212.180.176.4
    213.215.240.24
    ...
    For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
    5.9.40.136 (Hetzner, Germany)
    41.72.150.100 (Hetzner, South Africa)
    50.116.23.204 (Linode, US)
    66.249.23.64 (Endurance International Group, US)
    94.102.14.239 (Netinternet, Turkey)
    212.180.176.4 (Supermedia, Poland)
    213.215.240.24 (COLT, Italy) ..."
    (More listed at the dynamoo URL above.)
    ___

    Fake ADP SPAM / picturesofdeath .net
    - http://blog.dynamoo.com/2013/03/adp-...tion-spam.html
    15 March 2013 - "This fake ADP spam leads to malware on... picturesofdeath .net:
    From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply @adp .com]
    Sent: 15 March 2013 14:45
    Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
    Importance: High
    This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
    Here are the details of your delivery:
    Package Type: QTR/YE Reporting
    Courier: UPS Ground
    Estimated Time of Arrival: Tusesday, 5:00pm
    Tracking Number (if one is available for this package): 1Z023R643116536498
    Details: Click here to overview and/or modify order
    We will notify you via email if the status of your delivery changes.
    Access these and other valuable tools at support.ADP.com:
    o Payroll and Tax Calculators
    o Order Payroll Supplies, Blank Checks, and more
    o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
    o Download Product Documentation, Manuals, and Forms
    o Download Software Patches and Updates
    o Access Knowledge Solutions / Frequently Asked Questions
    o Watch Animated Tours with Guided Input Instructions
    Thank You,
    ADP Client Services
    support.ADP.com ...


The malicious payload is at [donotclick]picturesofdeath .net/kill/long_fills.php (report here*) hosted on:
    24.111.157.113 (Midcontinent Media, US)
    155.239.247.247 (Centurion Telkom, South Africa)..."
    (More URLs listed at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1446662
    ... Detected live BlackHole v2.0 exploit kit 24.111.157.113

    - http://blog.webroot.com/2013/03/18/a...e-exploit-kit/
    March 18, 2013 - "A currently ongoing malicious email campaign is impersonating ADP in an attempt to trick its customers into thinking that they’ve received a ‘Package Delivery Notification.’ In reality though, once a user clicks on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....xploit_kit.png
    ... responded to 24.111.157.113; 58.26.233.175; 155.239.247.247... 58.26.233.175; 155.239.247.247... 77.241.198.65; 80.241.211.26; 83.255.90.5; 103.14.8.20; 190.30.219.85... phones back to 212.68.63.82..."
    (More detail at the webroot URL above.)
    ___

    BoA SPAM - on short list of Scammers’ Spam Lures
    - http://www.hotforsecurity.com/blog/b...ures-5668.html
    March 15, 2013 - "... crooks unleashed a series of aggressive spam campaigns that include the Bank of America in the title as bait. In the context of a security breach, the name of the bank was used to catch customers’ attention, infect them with malware, have them type in sensitive data or entice them into sending money in advance for a service they will never receive. “Online Banking Passcode Modified” invites people to click a link to reset their online banking passcode. The same template and con is entirely recycled from a similar attack in November 2012. This new spamvertised malware campaign attempts to get Bank of America customers to -click a link- to a webpage associated with the Redkit Exploit Kit – a crimeware tool that exploits vulnerabilities in browsers and plugins to silently infect victims’ PCs.
    > http://www.hotforsecurity.com/wp-con...e-Modified.png
    "Bank of America Corporate Office Headquarters” and the very recent “Payment Notification from Bank of America” spam campaigns are examples of a complicated Nigerian-like scam informing customers that their funds will be transferred to the United States Treasury Account...
    > http://www.hotforsecurity.com/wp-con...adquarters.png
    "Bank of America Alert: Suspicious Activities on your Account!” and “Bank of America Alert: Sign-in to Online Banking Locked” lure customers to a phishing page...
    > http://www.hotforsecurity.com/wp-con...ur-Account.png
    "Reminder: Bank of America Customer Survey” is another active scam ...
    > http://www.hotforsecurity.com/wp-con...mer-Survey.png
    Bank of America has been recycled in spammed scams since 2006 and used multiple times a year, for more or less the same results: steal card and identity information, infect people with malware, and unwarily recruit them into money-muling operations..."

    Last edited by AplusWebMaster; 2013-03-18 at 18:28.

#148: Fake LinkedIn SPAM...

    FYI...

    Fake LinkedIn SPAM / applockrapidfire .biz
    - http://blog.dynamoo.com/2013/03/link...idfirebiz.html
    18 March 2013 - "This fake LinkedIn spam leads to malware on applockrapidfire .biz:
    From: David O'Connor - LinkedIn [mailto:kissp @gartenplandesign .de]
    Sent: 18 March 2013 15:34
    Subject: Join my network on LinkedIn
    Importance: High
    LinkedIn
    REMINDERS
    Invitation reminders:
    From David O\'Connor (animator at ea)
    PENDING MESSAGES
    There are a total of 9 messages awaiting your response. Go to InBox now.
    This message was sent to username @domain .com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
    LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.


    The link in the message goes through a legitimate hacked site to a malware landing page on [donotclick]applockrapidfire .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire .biz was registered just today to a presumably fake address...
    URLquery detects traffic to these additional IPs that you might want to block too:
    50.22.196.70 (Softlayer / Maxmind LLC, US)
    66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
    194.165.17.3 (ADM Service Ltd, Monaco)
    The nameservers are NS1.QUANTUMISPS .COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS .COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US). quantumisps .com was registered to an anonymous person on 2013-03-15...
    Recommended blocklist:
    5.9.212.43
    50.22.196.70
    66.85.130.234
    66.85.131.123
    78.46.222.237
    194.165.17.3
    quantumisps .com
    applockrapidfire .biz
    "
    * http://urlquery.net/report.php?id=1500577
    ... Detected live BlackHole v2.0 exploit kit
    ___

    Fake DHL emails contain malware
    - http://nakedsecurity.sophos.com/2013...mails-malware/
    March 18, 2013 - "... Online criminals have spammed out a large number of messages, claiming to come from DHL Express International, that are designed to install malware onto the computers of unsuspecting PC users. Here is what a typical example of an email spammed out in the attack looks like:
    > https://sophosnews.files.wordpress.c.../dhl.jpg?w=640
    Attached to the emails is a ZIP file, containing malware. The filename of the ZIP file can vary, but takes the form "DHL reportXXXXXX.zip" (where the 'X's are a random code)... Troj/BredoZp-S* ..."
    * http://www.sophos.com/en-us/threat-c...BredoZp-S.aspx

    Last edited by AplusWebMaster; 2013-03-19 at 21:12.

#149: Fake Statement/Facebook/malicious SPAM...

    FYI...

    Fake "Statement Reqiured" SPAM / hiskintako .ru
    - http://blog.dynamoo.com/2013/03/end-...ured-spam.html
    19 Mar 2013 - "This -spam- leads to malware on hiskintako .ru:
    Date: Tue, 19 Mar 2013 08:04:18 +0300
    From: "package update Ups" [upsdelivercompanyb @ups .com]
    Subject: Re: FW: End of Aug. Statement Reqiured
    Attachments: Invoices-CAS9927.htm
    Hi,
    as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
    Regards
    -----------------------
    Date: Tue, 19 Mar 2013 02:18:06 +0600
    From: MyUps [ups-delivery-services @ups .com]
    Subject: Re: FW: End of Aug. Stat. Required
    Hi,
    as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
    Regards


    The malicious payload is at [donotclick]hiskintako .ru:8080/forum/links/column.php (report here*) hosted on:
    50.22.0.2 (SoftLayer, US)
    89.110.131.10 (Netclusive, Germany)
    132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
    188.165.202.204 (OVH, France)
    BLOCKLIST:
    50.22.0.2
    89.110.131.10
    132.230.75.95
    188.165.202.204

    forumla .ru
    gimiiiank .ru
    giminanvok .ru
    giminkfjol .ru
    giminaaaao .ru
    giimiiifo .ru
    giliaonso .ru
    forumny .ru
    hiskintako .ru
    gxnaika .ru
    gulivaerinf .ru "
    * http://urlquery.net/report.php?id=1516090
    ... Detected live BlackHole v2.0 exploit kit 50.22.0.2
    ___

    Squeak Data / squeakdata .com SPAM
    - http://blog.dynamoo.com/2013/03/sque...acom-spam.html
19 March 2013 - "... The email address they are sending to has been harvested, so you can be pretty sure that the mailing lists they sell are of very low quality. But there's a bit more to this spam than meets the eye...
    From: Squeak Data [enquiries @squeakdata .com] via smtpguru .net
    Date: 19 March 2013 13:35
    Subject: Squeak Data
    Signed by: smtpguru .net
    Squeak Data - Qualified & Opted In Prospect Data
    - At a fraction of the usual price. We own all the data we sell so we can keep our prices extremely competitive but still deliver on quality and service.
    New January 2013 Opted In Business Database - contains over 437k records. This data set is completely new and unique to us. It has been strictly opted in at decision maker level. It contains SME businesses throughout the UK. Every record contains full information fields including a live and valid email address.
    We are aware that much larger business databases are currently been offered. It takes a lot of hard work and man hours to produce a truly opted in and quality prospect list. Common sense must prevail and conclude that such large databases cannot possibly be opted in and are very old and tired.
    We do not hold old and tired data. Our data is fresh, unique and will help you accomplish your new business targets.
    Our data is sold with a 95% email delivery promise and on a multiple use basis...


    The domain was registered on 2nd March, so it's only a few days old. But that email address looks familiar.. yes, this is Toucan UK who said last year that they were closing down their business. It turns out that this is a lie too. A brief bit of Googling also brings up this other spam where they are saying pretty much the same thing. It looks like they used to have a Twitter handle of @MoneyTreesData although that appears to have been nuked. Oh well.
    Give these spammers a wide berth."
    ___

    Fake Facebook SPAM / heelicotper .ru
    - http://blog.dynamoo.com/2013/03/face...icotperru.html
    19 Mar 2013 - "This fake Facebook spam leads to malware on heelicotper .ru:
    Date: Tue, 19 Mar 2013 08:37:37 +0200
    From: Facebook [updateSIXQG03I44AX @facebookmail .com]
    Subject: You have notifications pending
    facebook
    Hi,
    Here's some activity you may have missed on Facebook.
    TAMISHA Gore has posted statuses, photos and more on Facebook.
    Go To Facebook
    See All Notifications
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
    Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


    The malicious payload is at [donotclick]heelicotper .ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:
    50.22.0.2 (SoftLayer, US)
    132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
    188.165.202.204 (OVH, France)
    The payload and associated IPs are the same as in this attack."
    ___

    Malware spam: Cyprus banks...CNN.com / salespeoplerelaunch .org
    - http://blog.dynamoo.com/2013/03/malw...anks-shut.html
    19 Mar 2013 - "This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch .org:
    Date: Tue, 19 Mar 2013 10:40:22 -0600
From: "CNN Breaking News" [BreakingNews @mail.cnn .com]
    Subject: Opinion: Cyprus banks shut extended to Monday - CNN.com
    Powered by
    * Please note, the sender's email address has not been verified.
    You have received the following link from BreakingNews @mail.cnn .com:
    Click the following to access the sent link:
    Cyprus banks shut extended to Monday - CNN.com*
    Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
    *This article can also be accessed if you copy and paste the entire address below into your web browser.
    by clicking here


    The malicious payload is at [donotclick]salespeoplerelaunch .org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).
    Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)
    Recommended blocklist:
    salespeoplerelaunch .org
    dnslvlup .com
    69.197.177.16
    5.9.212.43
    66.85.131.123
    "

    Scam of the day: More fake CNN e-mails
    - https://isc.sans.edu/diary.html?storyid=15436
    Last Updated: 2013-03-19 17:37:08 UTC
    > https://isc.sans.edu/diaryimages/images/cnncyprus.png

    > http://wepawet.iseclab.org/view.php?...499c22&type=js

    Last edited by AplusWebMaster; 2013-03-19 at 20:51.

#150: Fake USPS SPAM...

    FYI...

    Fake USPS SPAM / himalayaori .ru
    - http://blog.dynamoo.com/2013/03/usps...layaoriru.html
    20 March 2013 - "This -fake- UPS (or is it USPS?) spam leads to malware on himalayaori .ru. The malicious link is in an attachment called ATT17235668.htm. For some reason the only sample of the spam that I have is horribly mangled:
    From: HamzaRowson @hotmail .com [mailto:HamzaRowson @hotmail .com]
    Sent: 19 March 2013 23:40
    Subject: United Postal Service Tracking Number H1338091657
    Your USPS TEAM for big savings!
    Can't see images? CLICK HERE.
    UPS UPS SUPPORT 56 Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping.
    Learn More >> UPS - Your UPS Team
    Good day, [redacted].
    Dear User , Delivery Confirmation: Failed
    Track your Shipment now!
    With best regards , Your UPS Customer Services. Shipping Tracking Calculate Time & Cost
    Open an Account @ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy. Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325
    Attn: Customer Communications Department


Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori .ru:8080/forum/links/column.php (report here*), in this case via a legitimate hacked site at [donotclick]www.unisgolf .ch/report.htm but that is less important. himalayaori .ru is hosted on a couple of IPs that look familiar:
    50.22.0.2 (SoftLayer, US)
    188.165.202.204 (OVH, France)
    Recommended blocklist:
    50.22.0.2
    188.165.202.204

    himalayaori .ru
    hentaimusika .ru
    hiskintako .ru
    gxnaika .ru
    forumla .ru
    gulivaerinf .ru
foruminanki .ru
    forumny .ru ..."
    * http://urlquery.net/report.php?id=1525298
    ___

    Fake Invoice SPAM / hifnsiiip .ru
    - http://blog.dynamoo.com/2013/03/end-...fnsiiipru.html
    20 Mar 2013 - "This fake invoice spam leads to malware on hifnsiiip .ru:
    Date: Wed, 20 Mar 2013 05:41:44 +0100
    From: LinkedIn Connections [connections @linkedin .com]
    Subject: Re: FW: End of Aug. Statement
    Attachments: Invoices-AS9927.htm
    Good morning,
    as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
    Regards


    The attached Invoices-AS9927.htm file attempts to direct the victim to a malicious landing page [donotclick]hifnsiiip .ru:8080/forum/links/column.php (report here*) hosted on:
    50.22.0.2 (SoftLayer, US)
    109.230.229.156 (High Quality Server, Germany)
    188.165.202.204 (OVH, France)
    Recommended blocklist:
    50.22.0.2
    109.230.229.156
    188.165.202.204
    ..."
(More at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1526708
    ... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake FedEx Parcel Delivery Failure Notification E-mail Messages - 2013 Mar 20
    Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 20
    Fake Payment Transaction Notice E-mail Messages - 2013 Mar 19
    Fake Wire Transfer Notification E-mail Messages - 2013 Mar 19
    Fake Document Attachment E-mail Message - 2013 Mar 19
    Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Mar 18
    Fake Order And Transfer Slip Notification E-mail Messages - 2013 Mar 18
    Fake Payment Processing Notice E-mail Messages - 2013 Mar 18
    Fake Purchase Order Payment Notification E-mail Messages - 2013 Mar 18
    Fake Product Order E-mail Messages - 2013 Mar 18
    Fake Online Purchase Receipt E-mail Messages - 2013 Mar 18
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-03-20 at 22:23.
