FYI...
Fake TAX Return Reminder SPAM / cpa.state.tx .us.tax-returns.mattwaltererie .net
- http://blog.dynamoo.com/2013/07/tax-...tetxustax.html
12 July 2013 - "This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie .net:
--- Version 1 --------------------
Date: Fri, 12 Jul 2013 14:35:31 +0300
From: DO.NOT.REPLY @REMINDER.STATE .TX .US.GOV
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.
A refund can be delayed for a variety of reasons.
For example, submitting invalid records or applying after deadline.
Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=035549412645
For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.
--- Version 2 --------------------
Date: Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From: tax.help @STATE.TX .GOV .US
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.
A refund may be delayed for a variety of reasons.
For example, submitting invalid records or applying after deadline.
Returns can be electronically filed at www .cpa.state.tx .us/returns_caseid=488702484517
For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.
Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate (hacked) site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie .net/news/tax_refund-caseid7436463593.php?[snip] (example 1*, example 2**) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).
cpa.state.tx.us.tax-returns.mattwaltererie .net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The domain mattwaltererie .net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from)...
Below is a partial blocklist that I would recommend you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251 ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=3689715
** http://urlquery.net/report.php?id=3688402
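A defender-side check for the lookalike hostnames in this lure (the agency's labels prepended to a domain the gang registered, and a spoofed From domain), added here as an example that is not part of the dynamoo post or the quoted emails. It refangs the indicators exactly as they are written above, works out the registrable domain with a small stand-in suffix list, and flags both the sender domain and the link host; the PUBLIC_SUFFIXES set and the TRUSTED domain are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed from the indicators quoted in the post; the blog's defanging
# ("[donotclick]", a space before the TLD) is undone by refang() below.
SAMPLE_FROM = "DO.NOT.REPLY @REMINDER.STATE.TX .US.GOV"
SAMPLE_URL = "[donotclick]cpa.state.tx.us.tax-returns.mattwaltererie .net/news/tax_refund-caseid7436463593.php"
TRUSTED = {"state.tx.us"}  # assumption: the agency domain the lure imitates
# Assumed stand-in for the Public Suffix List (a real deployment loads the full list).
PUBLIC_SUFFIXES = {"net", "com", "gov", "us", "tx.us"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a parseable hostname or URL."""
    s = indicator.replace("[donotclick]", "")
    return re.sub(r"\s+([.@])", r"\1", s).replace(" ", "")

def registrable_domain(host: str) -> str:
    """Owner-controlled part of host: one label left of the longest public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # smallest matching i == longest suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def impersonated_brand(host: str, trusted: set) -> Optional[str]:
    """Trusted domain buried inside host while the registrable domain is someone else's."""
    h = host.lower().rstrip(".")
    if registrable_domain(h) in trusted:
        return None  # genuinely under the trusted domain, e.g. www.cpa.state.tx.us
    for brand in trusted:
        if re.search(r"(^|[.-])" + re.escape(brand) + r"([.-]|$)", h):
            return brand
    return None

def triage_message(from_addr: str, urls: list, trusted: set = TRUSTED) -> list:
    """Check the sender domain and every link host; return human-readable findings."""
    findings = []
    sender = refang(from_addr).rsplit("@", 1)[-1].lower()
    brand = impersonated_brand(sender, trusted)
    if brand:
        findings.append(f"sender domain {sender} imitates {brand}")
    for url in urls:
        u = refang(url)
        host = urlsplit(u if "://" in u else "http://" + u).hostname or ""
        brand = impersonated_brand(host, trusted)
        if brand:
            findings.append(f"link host {host} is really {registrable_domain(host)}, not {brand}")
    return findings
```

Running `triage_message(SAMPLE_FROM, [SAMPLE_URL])` reports both the spoofed sender domain (registrable domain us.gov) and the link host (registrable domain mattwaltererie.net).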