Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    Posted by AplusWebMaster (Adviser Team)

    Thumbs down Fake IRS, Wells Fargo SPAM ...

    FYI...

    Fake IRS SPAM / oooole .org
    - http://blog.dynamoo.com/2013/09/irs-...nder-spam.html
    30 Sep 2013 - "This fake IRS spam leads to malware on oooole .org:
    Date: Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
    From: "Fire@irs.gov" [burbleoe9@ irs .org]
    Subject: Invalid File Email Reminder
    9/30/2013
    Valued Transmitter,
    We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:
    Filename          # of Times Email Has Been Sent   Tax Year
    ORIG.62U55.2845   2                                2012...


    The link in the email goes through a legitimate -hacked- site and then -redirects- through one of the following three scripts:
    [donotclick]savingourdogs .com/boneheads/meditatively.js
    [donotclick]solaropti.manclinux3.ukdns .biz/resonators/sunbonnet.js
    [donotclick]polamedia .se/augusts/fraudulence.js
    The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole .org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains...
    Recommended blocklist:
    75.98.172.238 ..."

    - https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake Wells Fargo SPAM - malicious ZIP file
    - http://blog.dynamoo.com/2013/09/well...ents-spam.html
    30 Sep 2013 - "This fake Wells Fargo spam comes with a malicious attachment:
    Date: Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
    From: Bryon Faulkner [Bryon.Faulkner@ wellsfargo .com]
    Subject: Important Documents
    Please review attached documents.
    Bryon Faulkner
    Wells Fargo Advisors
    817-527-6769 office
    817-380-3921 cell Bryon.Faulkner@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


    The attached document starts with "Documents_" and then has the first part of the recipient's email address as part of the filename. Or that's the way it is meant to work, because in practice it will probably be a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe). The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48*... attempted connection to the site demandtosupply .com on 84.22.177.37 (ioMart, UK), which is a server spotted in a similar attack a few weeks ago**. Unfortunately, where more than one domain on a server is compromised it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box... so exercise caution if deciding to block them.
    Recommended blocklist:
    84.22.177.37
    demandtosupply .com
    ce-cloud .com
    "
    * https://www.virustotal.com/en/file/3...is/1380564661/

    ** http://blog.dynamoo.com/2013/09/scan...ched-spam.html

    - https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2013-09-30 at 23:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
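Two traits from the lures above are easy to check on inbound mail: a display name that claims one domain ("Fire@irs.gov") while the real address sits at another (irs .org), and a ZIP attachment carrying a date-stamped Documents_MMDDYYYY.exe. The script below is an added example, not code from the post or from the dynamoo blog; the sample message it builds is constructed here and combines both lures.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Filename pattern described in the post: Documents_<MMDDYYYY>.exe inside the ZIP
DATED_EXE = re.compile(r"^Documents_\d{8}\.exe$", re.IGNORECASE)

def sender_display_mismatch(from_header):
    """True when the display name contains an address whose domain differs
    from the real sender domain (display 'Fire@irs.gov', address at irs.org)."""
    name, addr = parseaddr(str(from_header))
    claimed = re.search(r"@([\w.-]+)", name or "")
    real = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return bool(claimed) and claimed.group(1).lower() != real

def suspicious_zip_members(zip_bytes):
    """Names inside the ZIP (any folder depth) matching the dated-exe pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if DATED_EXE.match(n.rsplit("/", 1)[-1])]

def scan_message(raw):
    """Parse a raw RFC 5322 message and return a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if sender_display_mismatch(msg.get("From", "")):
        findings.append("display-name domain mismatch")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data and data[:2] == b"PK":          # ZIP local-file-header magic
            for member in suspicious_zip_members(data):
                findings.append(f"zip contains dated executable: {member}")
    return findings

def build_sample():
    """Constructed sample modelled on the post; the 'exe' is inert filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents_09302013.exe", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["From"] = '"Fire@irs.gov" <burbleoe9@irs.org>'
    m["Subject"] = "Important Documents"
    m.set_content("Please review attached documents.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Documents_jdoe.zip")
    return m.as_bytes()
```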
