FYI...
Fake Amazon SPAM / 213.152.26.150
- http://blog.dynamoo.com/2014/02/amaz...ur-online.html
27 Feb 2014 - "This fake Amazon spam leads to something bad.
Date: Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
From: "Amazon.com" [t1na@ msn .com]
Subject: Important For Your Online Account Access .
Your Account Has Been Held
Dear Customer ,
We take you to note that your account has been suspended for protection , Where the password was entered more than once .
In order to protect ,account has been suspended .Please update your Account Information To verify the account...
Thanks for Update at Amazon .com...
Screenshot: https://lh3.ggpht.com/-I0pRhOGLLtA/U...00/amazon2.png
In the samples that I have seen the link in the email goes to either [donotclick]exivenca .com/support.php or [donotclick]vicorpseguridad .com/support.php both of which are currently -down- but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem; however, I would expect to see this same email template being used again in the future, so take care."
___
Fake Royal Mail SPAM
- http://blog.dynamoo.com/2014/02/roya...sory-spam.html
27 Feb 2014 - "This -fake- Royal Mail spam has a malicious payload:
From: Royal Mail noreply@ royalmail .com
Date: 27 February 2014 14:50
Subject: Royal Mail Shipping Advisory, Thu, 27 Feb 2014
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE ...
Screenshot: https://lh3.ggpht.com/-Uwr252R1CT4/U.../royalmail.png
This is a ThreeScripts attack; the link in the email goes to:
[donotclick]wagesforinterns .com/concern/index.html
and it then runs one or more of the following scripts:
[donotclick]billigast-el .nu/margarita/garlicky.js
[donotclick]ftp.arearealestate .com/telecasted/earners.js
[donotclick]tattitude .co .uk/combines/cartooning.js
in this case the payload site is at
[donotclick]northwesternfoods .com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites... The payload appears to be an Angler Exploit Kit (see this example*).
Recommended blocklist:
23.239.12.68
billigast-el .nu
ftp.arearealestate .com
tattitude .co .uk
n2ocompanies .com
northerningredients .com
northwesternfoods .com
oziama .com
oziama .net "
* http://urlquery.net/report.php?id=9660606
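As an added example (not from the Dynamoo post or the forum poster), here is a small Python script that turns the defanged indicator list above into a usable blocklist and checks the links found in a mail body against it. The blocklist entries and the chain URLs are the ones quoted in the post; the sample mail body is constructed, and the function names are the example's own.

```python
"""Turn a defanged indicator list (Dynamoo-style "[donotclick]host .tld") into a
usable blocklist and match URLs from a mail body against it.

Added example; not from the blog post. The blocklist entries and the infection
chain URLs are the ones quoted in the post; the mail body below is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator list as written in the post, still in its defanged form.
BLOCKLIST_TEXT = """
23.239.12.68
billigast-el .nu
ftp.arearealestate .com
tattitude .co .uk
n2ocompanies .com
northerningredients .com
northwesternfoods .com
oziama .com
oziama .net
"""

# Constructed sample mail body (not from the post): one link to the landing
# page and one script host from the chain quoted in the post, plus an
# unrelated host.
SAMPLE_MAIL = """\
Royal Mail Group Shipment Advisory
Track your item: http://wagesforinterns.com/concern/index.html
<script src="http://ftp.arearealestate.com/telecasted/earners.js"></script>
Unsubscribe: https://example.org/unsub?id=1
"""


def refang(indicator: str) -> str:
    """Undo the defanging used in the post: drop '[donotclick]' and the space
    inserted before each dot, e.g. 'tattitude .co .uk' -> 'tattitude.co.uk'."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"\s+\.", ".", s)
    return s.lower()


def parse_blocklist(text: str) -> tuple[set[str], set[str]]:
    """Split a defanged indicator list into (blocked IPs, blocked domains)."""
    ips, domains = set(), set()
    for line in text.splitlines():
        entry = refang(line)
        if not entry:
            continue
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            domains.add(entry)
    return ips, domains


def host_is_blocked(host: str, ips: set[str], domains: set[str]) -> bool:
    """An IP literal must match exactly; a hostname matches a blocked domain
    or any subdomain of it, so 'www.oziama.net' is caught by 'oziama.net'."""
    host = host.lower().rstrip(".")
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_urls(body: str) -> list[str]:
    """Pull http/https URLs out of a mail body (plain text or HTML)."""
    return re.findall(r"https?://[^\s\"'<>]+", body)


def find_blocked_urls(body: str, blocklist_text: str) -> list[str]:
    """Return the URLs in `body` whose host is on the blocklist."""
    ips, domains = parse_blocklist(blocklist_text)
    hits = []
    for url in extract_urls(body):
        host = urlsplit(url).hostname or ""
        if host_is_blocked(host, ips, domains):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in find_blocked_urls(SAMPLE_MAIL, BLOCKLIST_TEXT):
        print("BLOCKED", url)
```

Run against the constructed mail, only the earners.js link is flagged: the landing page host wagesforinterns .com is not in the blocklist as quoted in the post, so anyone deploying the list should decide whether to add it. Matching on subdomains is deliberate, since the post describes hijacked sites under the listed domains rather than a single hostname each.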