SPAM frauds, fakes, and other MALWARE deliveries...

**AplusWebMaster** · 2013-05-06, 19:26

FYI...

Mother’s Day SPAM ...
- http://www.symantec.com/connect/blog...t-mother-s-day
6 May 2013 - "... Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically -redirects- the recipient to a website containing a bogus Mother’s Day offer upon completion of a -fake- survey.
> https://www.symantec.com/connect/sit...others%201.png
Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the -bogus- offer.
> https://www.symantec.com/connect/sit...others%202.png
Next...
> https://www.symantec.com/connect/sit...others%203.png
... Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.
> https://www.symantec.com/connect/sit...others%205.png
... use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats..."

- https://www.bbb.org/blog/2013/05/avo...y-email-scams/
May 6, 2013

- http://mashable.com/2013/05/01/mothers-day-email-scams/
2013-05-01

**AplusWebMaster** · 2013-05-07, 11:20

FYI...

AutoIt malware - 188.161.9.226 ...
- http://blog.trendmicro.com/trendlabs...-and-toolsets/
May 6, 2013 - "... In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at shark18952012.no-ip .info (188.161.9.226 at the time of writing) over port 1604... In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them, in addition to installing itself at startup for persistency... Upon execution of the malware, it immediately disables the Windows Firewall. After disabling the firewall, the malware then disables the ability to get into the registry of Windows to view or undo the changes performed... As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to make a migration to using them. The ease of use and learning, as well as the ability to post code easily to popular dropsites make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend continuing to update your Anti-Virus signatures as well as consider blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable."
___

Something evil on 151.248.123.170 Part III
- http://blog.dynamoo.com/2013/05/some...-part-iii.html
7 May 2013 - "I've covered 151.248.123.170 (Reg.ru, Russia*) a couple of times in the past month [1] [2], and it's still actively pushing out malware via dynamic DNS domains, many of which are injection attacks on hacked sites. There are hundreds or possibly thousands of malicious domains on this IP. Blocking them individually is likely to be problematic, the best approach is to block all traffic to 151.248.123.170 or to the Dynamic DNS domains involved.. although this might potentially block access to some legitimate sites..."

1) http://blog.dynamoo.com/2013/04/some...123170_24.html

2) http://blog.dynamoo.com/2013/04/some...248123170.html

* https://www.google.com/safebrowsing/...?site=AS:39134
___

Fake Citibank ‘Merchant Billing Statement’ emails lead to malware
- http://blog.webroot.com/2013/05/07/c...ad-to-malware/
May 7, 2013 - "Over the past 24 hours, we’ve intercepted yet another spam campaign impersonating Citibank in an attempt to socially engineer Citibank customers into thinking that they’ve received a Merchant Billing Statement. Once users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal/cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/05/citibank_merchant_billing_statement_malware_malicious_software_social_engineering_botnet_botnets_trojan.png
Detection rate for the malicious executable: MD5: 75a666f81847ccf7656790162e6a666a * ... Trojan-Spy.Win32.Zbot.lcnn..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/5...is/1367618876/
File name: Kwmfd2.exe
Detection ratio: 33/46
Analysis date: 2013-05-05

**AplusWebMaster** · 2013-05-08, 11:25

FYI...

Fake Amazon.com SPAM / ehrap .net
- http://blog.dynamoo.com/2013/05/amaz...-ehrapnet.html
8 May 2013 - "This fake Amazon spam leads to malware on ehrap .net:
Date: Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From: "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject: Your Amazon.com order confirmation.
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672
Order Grand Total: $ 53.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: I12-4392835-6098844
Subtotal of items: $ 53.99
Total before tax: $ 53.99
Tax Collected: $0.00
Grand Total: $ 50.00
Gift Certificates: $ 3.99
Total for this Order: $ 53.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here

The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap .net/news/days_electric-sources.php (report here*) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)
The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.
Blocklist:
85.41.88.24
98.210.212.79
140.121.140.92
178.175.140.185
197.246.3.196
216.70.110.21 ..."
* http://urlquery.net/report.php?id=2377955
___

Fake AV and ransomware combo
- https://www.net-security.org/malware_news.php?id=2486
8 May 2013 - "Ransomware and fake antivirus solutions are well-known threats, but a deadly fraudulent combination of the two has been recently spotted... The software - dubbed "Secure Bit" - first tries to convince the victims that the "security level" of their computer is low and instructs them to call for support so that the “threats” it has "found" can be removed. The claim is accompanied with a pop-ups that lists a great number of them. But if the victims don't do as they are told after a period of time, the fake AV turns nasty (well, nastier), and locks the computer screen. The victims can't do anything on their machine, and they are again told to contact the given phone number in order to regain control of it. The phone call reveals that it will cost the victims $49.99 to do that, and Total Defense's Tsahi Carmona warns* that many users may not recognize it's a scam and may pay the ransom..."
* http://www.totaldefense.com/blogs/20...ecure-bit.aspx
"... This anti-virus software pretender combines two methods of fraud – the fake anti-virus software and a malware that supposedly locks the screen in order to make the victim pay money to unlock. After the user installs this free “anti-virus” software it immediately notifies that the security level of the computer is low and which they need to call for support to address the found “threats”..."
___

Fake Amazon emails lead to malware...
- http://blog.webroot.com/2013/05/08/f...s-and-malware/
May 8, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of fake Amazon “You Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ng?w=650&h=486
... MD5 for the Java exploit: MD5: c9bc87eef8db72f64bac0a72f82b04cf * ... HEUR:Exploit.Java.CVE-2012-0507.gen
MD5 for the PDF exploit: MD5: 53c90140fde593713efe6298547ff205 ** ...Exploit:Win32/CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 330ad00466bd44a5fb2786f0f5e2d0da *** ...Trojan.Win32.Reveton.a (v).
... phones back to:
85.214.143.90
130.79.80.40
213.199.201.180
46.51.189.229
91.121.30.185
89.110.148.213
81.17.22.14
88.119.156.20
161.53.184.3
94.23.6.95
88.191.130.98 /J9/vp/EGa+AAAAAA/2MB9vCAAAA ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/6...is/1367968246/
File name: days_electric-sources.php
Detection ratio: 5/46
Analysis date: 2013-05-07
** https://www.virustotal.com/en/file/f...is/1367968346/
File name: Kindle.pdf
Detection ratio: 26/46
Analysis date: 2013-05-07
*** https://www.virustotal.com/en/file/1...7274/analysis/
File name: sndrec32.exe
Detection ratio: 16/46
Analysis date: 2013-05-08
___

Malicious Better Business Bureau Spam
- http://threattrack.tumblr.com/post/4...ss-bureau-spam
8 May 2013 - "Subjects Seen:
Better Business Beareau Complaint ID [removed]
Typical e-mail details:
The Better Business Bureau has been entered the above mentioned complaint from one of your users in regard to their business contacts with you. The information about the consumer’s concern are available at the link below. Please give attention to this point and notify us about your belief as soon as possible.
We kindly ask you to open the RECLAMATION REPORT to answer on this claim.
We are looking forward to your prompt response.
WBR
Colton Reed
Dispute Advisor
Better Business Bureau

Malicious URLs
stopwulgaryzmom .pl/bbb_view_compl.html?complain=DFMI30GA2_80VJA8
pub.mumbailocaltraintimetable .net/ensure/misuse-restrict-systems_properties.php

Screenshot: https://gs1.wac.edgecastcdn.net/8019...iSm1qz4rgp.png

**AplusWebMaster** · 2013-05-09, 15:19

FYI...

Fake Citibank SPAM / Statement ID 64775-4985.doc
- http://blog.dynamoo.com/2013/05/citi...5-4985doc.html
9 May 2013 - "This fake Citibank spam contains a malicious Word document that leads to malware.
Date: Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
From: CITIBANK [noreply @citybank .com]
Subject: Merchant Statement
Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.

The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46*. It appears to exploit a flaw in the RTF converter... making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat."
* https://www.virustotal.com/en/file/2...9347/analysis/
File name: Statement ID 64775-4985.doc
Detection ratio: 10/46
Analysis date: 2013-05-09

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158* aka MS12-027.
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013
___

Fake Traffic Ticket serves malware
- http://blog.webroot.com/2013/05/09/c...serve-malware/
9 May 2013 - "Cybercriminals are currently spamvertising tens of thousands of -bogus- emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received an uniform traffic ticket, that they should open, print and send to their town’s court. In reality, once users open and execute the malicious attachment, their PCs will automatically join the botnet operated by the cybercriminal/cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....ng?w=423&h=290
Detection rate for the malicious executable: MD5: 247c67cb99922fd4d0e2ca5d6976fc29 * ... Trojan-Spy.Win32.Zbot.lhim..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/d...43b1/analysis/
File name: Unihl.exe
Detection ratio: 30/45
Analysis date: 2013-05-08

**AplusWebMaster** · 2013-05-10, 14:06

FYI...

Malicious Facebook Friend Notification Spam
- http://threattrack.tumblr.com/post/5...ification-spam
9 May 2013 - "Subjects Seen:
[removed] wants to be friends on Facebook
Typical e-mail details:
[removed] wants to be friends with you on Facebook Facebook.

Malicious URLs
web.jen-pages .de/fbreq.html
job.bgita .ru/fbreq.html
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?jnlp=7ad5b52a64
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?zvvsj=edwwqnl&wit=tjm
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?mf=1i:1f:32:33:2v&le=1m:2v:31:1k:2w:1k:1h:2v:1l:1j&u=1f&yj=i&cp=j&jopa=5216591

Screenshot: https://gs1.wac.edgecastcdn.net/8019...ht71qz4rgp.png
___

Something evil on 151.248.123.170, Part IV
- http://blog.dynamoo.com/2013/05/some...0-part-iv.html
10 May 2013 - "Here are some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia)... you can download a full list of everything that I can find here** [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here*..."
* http://blog.dynamoo.com/2013/05/some...-part-iii.html

** http://www.dynamoo.com/files/151-248-123-170.txt
___

USAA Credentials Phish
- http://threattrack.tumblr.com/post/5...dentials-phish
10 May 2013 - "Subjects Seen:
Important Message From Usaa
Typical e-mail details:
Dear Valued Customer,
We have created new dedicated security servers to keep all our
online banking customers account safe and secure. This is server< /span>
has been tested,now we are asking all our online banking customers
to register for the new security server to keep them safe.
To register for this new security server quickly click on the button
below to complete registration immediately.
Click Here To Register
We hope you find our Internet Banking service easy and convenient to use.
Yours sincerely
USAA,
Digital Banking Director

Malicious URLs
sehyup .com/08_dev/board/file/bbs_notice/vi.htm
philanthropyexpert .org/ass/index.html

Screenshot: https://gs1.wac.edgecastcdn.net/8019...K0n1qz4rgp.png

**AplusWebMaster** · 2013-05-13, 12:50

FYI...

Something evil on 188.241.86.33
- http://blog.dynamoo.com/2013/05/some...882418633.html
13 May 2013 - "188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2]. This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach..."
(More detail at the dynamoo URL above.)

1) http://urlquery.net/search.php?q=188...3-05-13&max=50

2) https://www.virustotal.com/en/ip-add...3/information/
___

Browser extension hijacks Facebook profiles
- https://blogs.technet.com/b/mmpc/arc...edirected=true
10 May 2013 - "We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox..."
- http://h-online.com/-1861398
13 May 2013 - "... The trojan extensions themselves monitor users' browser activity to see if they are logged into Facebook and then retrieve a configuration file from a site, disguised as a .php file, which contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat to friends or comment on posts... Microsoft recommends that users review their installed extensions..."
___

Fake BoA Paymentech Malicious Word Doc Attachment Spam
- http://threattrack.tumblr.com/post/5...cious-word-doc
13 May 2013 - "Subjects Seen:
BOA Merchant Statement
Typical e-mail details:
Attached (DOC|WORD file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.

Spam contains malicious attachment.

Screenshot: https://gs1.wac.edgecastcdn.net/8019...xu51qz4rgp.png
___

Malicious Citibank Secure Message Spam
- http://threattrack.tumblr.com/post/5...e-message-spam
13 May 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - citi .com/citi/citizen/privacy/email.htm

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
vulcantire .net/forum/viewtopic.php
westautorepair .com/forum/viewtopic.php
metroimport-tires .com/forum/viewtopic.php
iis1.ontera .net/AUWY5Z.exe

Screenshot: https://gs1.wac.edgecastcdn.net/8019...mUI1qz4rgp.png
___

Fake AMEX SPAM / SecureMail.zip
- http://blog.dynamoo.com/2013/05/conf...from-amex.html
13 May 2013 - "This fake Amex email has a malicious attachment:
Date: Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From: American Express [Jarvis_Randall @aexp .com]
Subject: Confidential - Secure Message from AMEX
Secure Message
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express
2012 American Express Company. All rights reserved.

There is an attachment SecureMail.zip which in turn contains an executable file SecureMail .exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46*. Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim .com on 212.58.4.13 (DorukNet, Turkey).
Size 137216
MD5 20de8bad8bf8279e4084e9db461bd140
SHA1 caacc00d68f41dad9b1abb02f9e243911f897852
SHA256 18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7
The ThreatTrack report*** also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it.
Blocklist:
mail.yaklasim .com
212.58.4.13
62.233.104.156 ..."
* https://www.virustotal.com/en/file/1...is/1368476716/
File name: SecureMail.exe
Detection ratio: 15/46
Analysis date: 2013-05-13

** http://camas.comodo.com/cgi-bin/subm...c962329b691ee7

*** http://www.dynamoo.com/files/analysi...db461bd140.pdf

**AplusWebMaster** · 2013-05-14, 14:50

FYI...

Fake BoA SPAM / RECEIPT428-586.doc
- http://blog.dynamoo.com/2013/05/bank...rica-spam.html
14 May 2013 - "This fake Bank of America message has a malicious Word document attached:
Date: Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
Subject: Your transaction is completed
Transaction is completed. $51317477 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved

The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack*. VirusTotal detections stand at just 11/46**. Further analysis is pending."
* http://blog.dynamoo.com/2013/05/citi...5-4985doc.html

** https://www.virustotal.com/en/file/a...e356/analysis/
File name: RECEIPT428-586.doc
Detection ratio: 18/43
Analysis date: 2013-05-14
___

Something evil on 94.242.198.16
- http://blog.dynamoo.com/2013/05/some...424219816.html
14 May 2013 - "I'm not entirely sure what this is, I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxemburg) which is using various stealth techniques to avoid detection. This is what I'm seeing.. code is getting injected into sites referring to [donotclick]fryzjer .me/hpoxqnj.php (report*) or [donotclick]stempelxpress .nl/vechoix.php (report**) which (if called in the correct way) tries to forward the victim to
[donotclick]ice.zoloni-kemis .info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis .info/lifym?ftypyok=947645 hosted on 94.242.198.16.

VirusTotal reports this as a bad IP***, and out of several domains associated with this IP, almost all are red-flagged by Google for malware. The site contains several subdomains of the following domains.. I would recommend the following blocklist:
94.242.198.16
integrate-koleiko .com
integrate-koleiko .org
integrate-koleiko .net
muroi-uroi-loi .info
muroi-uroi-loi .org
muroi-uroi-loi .net
zoloni-kemis .info ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2455754

** http://urlquery.net/report.php?id=2455905

*** https://www.virustotal.com/en/ip-add...6/information/

- https://www.google.com/safebrowsing/...c?site=AS:5577
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-05-14, and the last time suspicious content was found was on 2013-05-14... Over the past 90 days, we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 131 other site(s)... We found 282 site(s)... that infected 4631 other site(s)..."
___

Malicious Dun and Bradstreet Compliant Spam
- http://threattrack.tumblr.com/post/5...compliant-spam
14 May 2013 - "Subjects Seen:
FW : Complaint - [removed]
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by May 18, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
hurricanestormsavings .com/ponyb/gate.php
hurricanestrengthsavings .com/ponyb/gate.php
62.233.104.156 /tHjefFt.exe

Screenshot: https://gs1.wac.edgecastcdn.net/8019...B071qz4rgp.png

**AplusWebMaster** · 2013-05-15, 12:58

FYI...

Fake ‘Free Media Player’ via rogue ‘Adobe Flash Player HD’ ad ...
- http://blog.webroot.com/2013/05/15/f...advertisement/
May 15, 2013 - "Our sensors just picked up a rogue advertisement served through the Yieldmanager ad network, which exposes users to fake Adobe Flash Player HD ads, ultimately dropping a copy of the potentially unwanted application (PUA)/adware, known as Somoto Better Installer...
Sample screenshot of the actual advertisement:
> https://webrootblog.files.wordpress....moto.png?w=869
... once users click, they’re presented with a rogue Free Media Player page, instead of of a Adobe Flash Player HD themed page. Users who fall victim to the social engineering scam will end up installing multiple potentially unwanted applications... Landing domain:
hxxp ://www.softigloo .com – 78.138.105.151. Responding to the same IP is also the following typosquatted domain – hxxp ://down1oads .com...
Detection rate for the sampled malware:
MD5: 3ee49800cc3c2ce74fa63e6174c81dff * ... Somoto BetterInstaller; Adware.Somoto
MD5: b57cc4b5aecd69eb57063f4de914d4dd ** ... Somoto BetterInstaller; TROJ_GEN.F47V0429 ...
And initiates the following TCP connections:
78.138.97.8 :80
54.239.158.55 :80
78.138.127.129 :80
54.239.158.183 :80
54.239.158.247 :80
78.138.127.7 :80
The affiliate network participant that’s abusing the Yieldmanager ad network is currently earning revenue through the Somoto’s BetterInstaller PPI (Pay-Per-Install) revenue sharing network..."
(More detail at the websense URL above.)
* https://www.virustotal.com/en/file/8...is/1368314633/
File name: VLCMediaPlayerSetup-9Kf76Wv.exe
Detection ratio: 8/46
Analysis date: 2013-05-11
** https://www.virustotal.com/en/file/2...is/1368314918/
File name: 7ZipSetup-aVEkw5Y.exe
Detection ratio: 8/46
Analysis date: 2013-05-11

Removal Guide for Somoto.BetterInstaller
> http://forums.spybot.info/showthread...etterInstaller
2013-05-08
___

Malicious FedEx SPAM delivers trojan ...
- http://www.hotforsecurity.com/blog/s...ages-6173.html
May 15, 2013 - "A new wave of malicious FedEx spam delivers Trojans instead of packages, infecting users with malware when opening the attachments. In the last couple months, the Gamarue Trojan has spread intensely in the US, Australia, Croatia, Romania, Iran, the UK, Germany and Spain...
Screenshot1: http://www.hotforsecurity.com/wp-con...packages-1.jpg
... To give credibility to the malicious payload, scammers added links to the authentic shipping company. Trojan.Gamarue silently installs itself on the system, sending sensitive information to the command and control center. The stolen data can then be used for identity theft and other cyber-criminal activities. Gamarue can also download and execute arbitrary files, performing updates without users noticing. The malicious software can also spread to removable drives, so users should be careful when managing important documents through USB devices...
Screenshot2: http://www.hotforsecurity.com/wp-con...packages-2.png
FedEx is a common target for cyber-criminals, who only change the bait from time to time. Other excuses to ship malware include parcel delivery notifications. Scammers also request money in return for delivery of a package by posing as representatives of the shipping service. They also go so far as to create spoofed web sites to collect usernames, passwords, Social Security Numbers, credit card details and more..."
___

Fake Facebook SPAM / otophone .net
- http://blog.dynamoo.com/2013/05/face...ophonenet.html
15 May 2013 - "This fake Facebook spam leads to malware on otophone .net:
Date: Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From: Facebook [notification+LTFS15RDTR @facebookmail .com]
Subject: Jonathan Rogers wants to be friends on Facebook
facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook...
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request
See All Requests
This message was sent to dynamoo @spamcop .net. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303

The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone .net/news/appreciate_trick_hanging.php (report here*) hosted on the following IPs:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)...
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58 ..."
* http://urlquery.net/report.php?id=2474662
___

Something evil on 184.95.51.123
- http://blog.dynamoo.com/2013/05/some...849551123.html
15 May 2013 - "184.95.51.123 (Secured Servers LLC, US) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live. The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.
These following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can..."
___

Malicious DocuSign Payroll Spam
- http://threattrack.tumblr.com/post/5...n-payroll-spam
15 May 2013 - "Subjects Seen:
Completed: Please DocuSign this document : Payroll May 2013..pdf
Typical e-mail details:
Your document has been completed
Sent on behalf of [removed].
All parties have completed the envelope ‘Please DocuSign this document: Payroll April 2013..pdf’.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to [removed]

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
lifestylehomeowners .com/ponyb/gate.php
lifestylehurricaneguide .com/ponyb/gate.php
parpaiol a.com/0nWhFjZ.exe

Screenshot: https://gs1.wac.edgecastcdn.net/8019...AIV1qz4rgp.png
___

Fake ADP SPAM / outlookexpres .net
- http://blog.dynamoo.com/2013/05/adp-...expresnet.html
15 May 2013 - "This fake ADP spam leads to malware on outlookexpres .net:
Date: Wed, 15 May 2013 22:39:26 +0400
From: "donotreply @adp .com" [phrasingr6 @news.adpmail .org]
Subject: adp_subj
ADP Instant Warning
Report #: 55233
Respected ADP Client May, 15 2013
Your Processed Transaction Report(s) have been uploaded to the website:
Sign In here
Please see the following information:
• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).
• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to existing users in your company that access ADP Netsecure.
As every time, thank you for using ADP as your business affiliate!
Rep: 55233 [redacted]

The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres .net/news/estimate_promising.php (report here*) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58 ..."
* http://urlquery.net/report.php?id=2479638
___

- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 15
Fake Product Order E-mail Messages - 2013 May 15
Fake Document Sharing Notification E-mail Messages - 2013 May 15
Fake Invoice Statement Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
Fake Delta E-Ticket Attachment E-mail Messages - 2013 May 15
Fake Third Party Consumer Complaint Notification E-mail Messages - 2013 May 15
Fake Portuguese Invoice Notification E-mail Messages - 2013 May 15
Fake Photo Sharing E-mail Messages - 2013 May 15
Fake Product Order Request E-mail Messages - 2013 May 15
Fake Xerox Scan Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
(More info and links at the cisco URL above.)

**AplusWebMaster** · 2013-05-16, 15:57

FYI...

Fake "Invoice Copy" SPAM / invoice copy.zip
- http://blog.dynamoo.com/2013/05/invo...e-copyzip.html
16 May 2013 - This fake invoice email contains a malicious attachment:
Date: Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From: Karen Parker [Kk.parker @tiffany .com]
Subject: invoice copy
Kindly open to see export License and payment invoice attached,meanwhile we sent the balance payment yesterday.Please confirm if it has settled in your account or you can call ifthere is any problem.ThanksKaren parker

The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45* and indicate that this is a Zbot variant. The Comodo CAMAS report** indicates that the malware seems to be rummaging though address books and gives the following characteristics:
Size 331776
MD5 ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1 a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256 4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6
... The ThreatTrack report*** is nicely detailed and gives some details about network connections... As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat."
* https://www.virustotal.com/en/file/4...is/1368687945/
File name: invoice copy.exe
Detection ratio: 7/45
Analysis date: 2013-05-16

** http://camas.comodo.com/cgi-bin/subm...19592d2b939fe6

*** http://www.dynamoo.com/files/analysi...c7e0cd8bcd.pdf
___

Fake HMRC SPAM / VAT Returns Repot 517794350.doc
- http://blog.dynamoo.com/2013/05/hmrc...794350doc.html
16 May 2013 - "This fake HMRC (UK tax authority) spam contains a malicious attachment:
From: noreply @hmrc .gov.uk [mailto:noreply @hmrc .gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350
Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack*. VirusTotal results are just 1/46**, so either this is something completely new or it is a corrupt sample. UPDATE: ThreatTrack reports*** that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35 ..."
* http://blog.dynamoo.com/2013/05/bank...rica-spam.html

** https://www.virustotal.com/en/file/c...is/1368697862/
File name: VAT Returns Repot 517794350.doc
Detection ratio: 1/46
Analysis date: 2013-05-16

*** http://www.dynamoo.com/files/analysi...5b3a8c2a34.pdf
___

Fake Walmart SPAM / bestunallowable .com
- http://blog.dynamoo.com/2013/05/walm...owablecom.html
16 May 2013 - "This fake Walmart spam leads to malware on bestunallowable .com:
From: Wallmart.com [deviledm978 @news.wallmart .com]
Date: 16 May 2013 14:02
Subject: Thanks for your Walmart.com Order 3795695-976140
Walmart
Visit Walmartcom | Help | My Account | Track My Orders
[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
Ship to Home
Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
---
Walmart.com Order Number: 3795695-976140
Ship to Home - Standard
Items Qty Arrival Date Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV 1 Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home. $898.00
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...
Rollbacks Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
©Walmart.com USA, LLC, All Rights Reserved.

The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable .com/news/ask-index.php (report here*) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characterstic of the Amerika gang...
Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com ..."
* http://urlquery.net/report.php?id=2494957
___

More Walmart SPAM / virgin-altantic .net
- http://blog.dynamoo.com/2013/05/walm...tanticnet.html
16 May 2013 - "Another -variant- of this spam* is doing the rounds, this time leading to a landing page on virgin-altantic .net:
From: Wallmart.com [mailto:sculptsu @complains .wallmartmail .com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882 ...
---
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...

The malicious payload is at [donotclick]virgin-altantic .net/news/ask-index.php (report here**). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic .net too."
* http://blog.dynamoo.com/2013/05/walm...owablecom.html

** http://urlquery.net/report.php?id=2496275
___

Fake Wells Fargo and Citi SPAM / SecureMessage.zip and Securedoc.zip
- http://blog.dynamoo.com/2013/05/well...citi-spam.html
16 May 2013 - "This fake Wells Fargo message contains a malicious attachment:
Date: Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From: "Grover_Covington @wellsfargo .com" [Grover_Covington @wellsfargo .com]
Subject: New Secure Message
Wells Fargo
Help
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Secure Message
This message was sent to : [redacted]
Email Security Powered by Voltage IBE
Copyright 2013 Wells Fargo. All rights reserved

The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal**.
The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.
Date: Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http ://www.citi .com/citi/citizen/privacy/email.htm

... the best analysis is this ThreatTrack report*... some IPs and domains worth blocking:
69.89.21.99
116.122.158.195
212.58.4.13
mail.yaklasim .com
ryulawgroup .com "
* http://www.dynamoo.com/files/analysi...cddcbdc604.pdf

** https://www.virustotal.com/en/file/2...is/1368718128/
File name: SecureMessage.exe
Detection ratio: 2/45
Analysis date: 2013-05-16
___

Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead
- http://blog.trendmicro.com/trendlabs...scams-instead/
May 16, 2013 - "The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download an Android malware... these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”... Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.
> http://blog.trendmicro.com/trendlabs...vey-scam-4.jpg
Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work. Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes. Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking sites and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintance. Caution is your best defense..."

**AplusWebMaster** · 2013-05-17, 13:02

FYI...

e-netprotections .su ?
- https://isc.sans.edu/diary.html?storyid=15818
Last Updated: 2013-05-17 - "Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well. Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats .cc, emstats .su, ehistats .su, e-protections .su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections .cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer... each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal*) , but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far..."
Partial list of IPs involved:
64.85.161.67
85.25.132.55
173.224.210.244
178.63.172.88
188.95.48.152
199.68.199.178
91.227.220.104
* https://www.virustotal.com/en/file/b...9041/analysis/
File name: dwdsrtrt
Detection ratio: 4/46
Analysis date: 2013-05-16

- https://www.abuse.ch/?p=3581
___

Malicious Wells Fargo Secure Message Spam
- http://threattrack.tumblr.com/post/5...e-message-spam
16 May 2013 - "Subjects Seen:
New Secure Message
Typical e-mail details:
View attachment for details
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).

Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
mylifestylestormproducts .com/forum/viewtopic.php
mysafefloridahomelife .com/forum/viewtopic.php
ryulawgroup .com/Gsdw1.exe

Screenshot: https://gs1.wac.edgecastcdn.net/8019...bl91qz4rgp.png
___

Malicious "Referral link" SPAM / rockingworldds .net and parishiltonnaked2013 .net
- http://blog.dynamoo.com/2013/05/refe...orlddsnet.html
17 May 2013 - "This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:
From: [AOL sender]
Sent: 17 May 2013 14:12
To: [redacted]
Subject: [AOL screen name]
Subject :RE ( 8 )
Sent: 5/17/2013 2:11:53 PM
referral link
http ://printcopy.co .za/elemqi.php?whvbcfm

The link goes through a legitimate -hacked- site and in this case ends up at [donotclick]rockingworldds .net/sword/in.cgi?6 (report here*) which either -redirects- to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013 .net/ngen/controlling/coupon_voucher.php (report here**) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia)... I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia."
* http://urlquery.net/report.php?id=2512341

** http://urlquery.net/report.php?id=2512431
___

Fake Newegg .com SPAM / balckanweb .com
- http://blog.dynamoo.com/2013/05/newe...kanwebcom.html
17 May 2013 - "This fake Newegg.com spam leads to malware:
Date: Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From: Newegg [info @newegg .com]
Subject: Newegg.com - Payment Charged
Priority: High Priority 1
Newegg logo
My Account My Account | Customer Services Customer Services
Twitter Twitter You Tube You Tube Facebook Facebook Myspace Myspace
click to browse e-Blast click to browse Shell Shocker click to browse Daily Deals
Computer Hardware PCs & Laptops Electronics Home Theater Cameras Software Gaming Cell Phones Home & Office MarketPlace Outlet More
Customer ID: [redacted]
Account Number: 23711731
Dear Customer,
Thank you for shopping at Newegg.com.
We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.
If you have any questions, please use our LiveChat function or visit our Contact Us Page.
Once You Know, You Newegg.
Your Newegg.com Customer Service Team
ONCE YOU KNOW, YOU NEWEGG. Ž
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | Š 2000-2013 Newegg Inc. All rights reserved.

Screenshot: https://lh3.ggpht.com/-Si0jHOHqviw/U...600/newegg.png

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb .com/news/unpleasant-near_finally-events.php (report here*) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)
The domains and IPs indicate that this is part of the "Amerika" spam run.
Blocklist (including nameservers):
5.231.24.162
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
209.59.223.119 ..."
* http://urlquery.net/report.php?id=2504632

Also at: http://threattrack.tumblr.com/post/5...egg-order-spam
May 17, 2013
Screenshot: https://gs1.wac.edgecastcdn.net/8019...wpg1qz4rgp.png
___

- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Product Order Quotation Attachment E-mail Messages - 2013 May 17
Fake Product Order E-mail Messages - 2013 May 17
Fake Purchase Order E-mail Messages - 2013 May 17
Fake Account Compromise Notification E-mail Messages - 2013 May 17
Fake Scanned Document Attachment E-mail Messages - 2013 May 17
Fake Social Media User Notification E-mail Messages - 2013 May 17
Fake Facebook Security Software E-mail Messages - 2013 May 17
Fake Incoming Fax Message E-mail Messages - 2013 May 17
Fake Document Sharing E-mail Messages - 2013 May 17
Fake Italian Shared Document E-mail Messages - 2013 May 17
Fake Invoice Statement Attachment E-mail Messages - 2013 May 17
Fake Money Transfer Notification E-mail Messages - 2013 May 17
Fake Xerox Scan Attachment E-mail Messages - 2013 May 17
(More detail and links at the cisco URL above.)

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Thread Tools

Display

Mother’s Day SPAM ...

AutoIt malware - 188.161.9.226 ...

Fake Amazon SPAM, Fake AV and ransomware combo...

Fake Citibank, Traffic Ticket SPAM ...

Malicious Facebook SPAM, Evil IP...

Something evil on 188.241.86.33

Fake BoA SPAM, Something evil on 94.242.198.16 ...

Fake Free Media Player, Malicious FedEx SPAM...

Fake Invoice, HMRC, Walmart, Wells Fargo, Citi bank SPAM...

e-netprotections .su, Malicious Wells Fargo SPAM...

Posting Permissions