SPAM frauds, fakes, and other MALWARE deliveries...

Fake BBB SPAM...

FYI...

Fake BBB SPAM / alteshotel .net and bbb-accredited .net
- http://blog.dynamoo.com/2013/03/bbb-spam-alteshotelnet-and-bbb.html
7 Mar 2013 - "This fake BBB spam leads to malware on alteshotel .net and bbb-accredited .net:
Date: Thu, 7 Mar 2013 06:23:12 -0700
From: "Better Business Bureau Warnings" [hurriese3 @bbb .com]
Subject: BBB details regarding your claim No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.
We graciously ask you to overview the TERMINATION REPORT to meet on this claim
-We awaits to your prompt rebound- .
If you think you got this email by mistake - please forward this message to your principal or accountant
Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Thu, 7 Mar 2013 21:19:18 +0800
From: "Better Business Bureau Warnings" [prettifyingde7 @transfers.americanpayroll .org]
Subject: BBB details about your pretense No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.
We graciously ask you to visit the ABUSE REPORT to answer on this appeal
- We awaits to your prompt answer. -
If you think you got this email by mistake - please forward this message to your principal or accountant
Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


One potentially malicious payload is at [donotclick]alteshotel .net/detects/review_complain.php (looks like it might be broken - report here*) hosted on:
69.43.161.176 (Parked at Castle Access Inc, US)
The other is at [donotclick]bbb-accredited .net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here**) hosted on:
64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia) ...
Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1302657

** http://urlquery.net/report.php?id=1302670
... Detected live BlackHole v2.0 exploit kit
___

Malware sites to block 7/3/13
- http://blog.dynamoo.com/2013/03/malware-sites-to-block-7313.html
7 March 2013 - "Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned; alternatively you can just block:
173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)
Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
..."
(Long list at the dynamoo URL above.)

Fake Adobe/IRS/LinkedIn SPAM ...

FYI...

Fake Adobe CS4 SPAM / guuderia .ru
- http://blog.dynamoo.com/2013/03/adobe-cs4-spam-guuderiaru.html
8 March 2013 - "This fake Adobe spam leads to malware on guuderia .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898
Good afternoon,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated


The malicious payload is at [donotclick]guuderia .ru:8080/forum/links/column.php (report here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
212.180.176.4

..."
* http://urlquery.net/report.php?id=1318046
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___

Fake IRS SPAM / gimilako .ru
- http://blog.dynamoo.com/2013/03/your-tax-return-appeal-is-declined.html
8 March 2013 - "The following fake IRS spam leads to malware on gimilako .ru:
From: Myspace [mailto:noreply@message .myspace .com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.
Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).


The malicious payload is at [donotclick]gimilako .ru:8080/forum/links/column.php (reported here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4

..."
* http://urlquery.net/report.php?id=1321924
... Detected suspicious URL pattern... Blackhole 2 Landing Page 89.107.184.167
___

Fake LinkedIn SPAM / giminalso .ru
- http://blog.dynamoo.com/2013/03/linkedin-spam-giminalsoru.html
8 March 2013 - "This fake LinkedIn spam leads to malware on giminalso .ru:
From: messages-noreply@bounce. linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...
[redacted], Congratulations!
You and Aylin are now connected.
Aylin Welsh
Tajikistan
2012, LinkedIn Corporation


The malicious payload is at [donotclick]giminalso .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as in this other attack** today:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)"
* http://urlquery.net/report.php?id=1322125
... Detected suspicious URL pattern... Blackhole 2 Landing Page 41.72.150.100
** http://blog.dynamoo.com/2013/03/your-tax-return-appeal-is-declined.html
___

Fake AT&T spam (again)
- http://blog.dynamoo.com/2013/03/at-spam-again.html
8 Mar 2013 - "This fake AT&T spam leads to malware on.. well, in this case nothing at all.
Date: Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From: AT&T Customer Care [icare7@amcustomercare .att-mail .com]
Subject: Your AT&T wireless bill is ready to view
att.com | Support | My AT&T Account Rethink Possible
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for your account is now available online.
Total Balance Due: -$1695.64-
Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you,
AT&T Online Services ...


> https://lh3.ggpht.com/-9r2z1zqGRKg/UToRQZlYDAI/AAAAAAAABAY/V8WMW3duxJc/s1600/att-bill-2.png

In this case the link goes to a redirector page at [donotclick]vtcrm.update .se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!"
___

RU:8080 and Amerika SPAM runs
- http://blog.dynamoo.com/2013/03/ru8080-and-amerika-spam-runs.html
8 March 2013 - "For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP. The most obvious characteristic of one of the spam runs is the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080*. You can see some current nastiness in action at Malware Must Die**. But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time to time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia. I've labelled this series as Amerika***... The Amerika spam run is a little harder to identify, so there may be some errors in it. I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!"
* http://blog.dynamoo.com/search/label/RU:8080

** http://malwaremustdie.blogspot.co.uk/2013/03/ru8080columnphp-hey-stealer-what-do-you.html
March 5, 2013

*** http://blog.dynamoo.com/search/label/Amerika
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 08
Fake Business Complaint E-mail Messages - 2013 Mar 08
Fake Italian Online Dating Request E-mail Messages - 2013 Mar 08
Fake Portuguese Payment Invoice E-mail Messages - 2013 Mar 08
Fake Portuguese Banking Service Notification E-mail Messages - 2013 Mar 08
(Links and more detail at the cisco URL above.)

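As an added illustration (not code from the dynamoo post or any of the sources quoted in this thread): a small Python checker that flags proxy-log requests matching the RU:8080 landing-page shape described above (a .ru host on port 8080 serving /forum/links/column.php) and destinations in the IPs this thread lists as hosting it. The log line layout and the sample lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IPs named in the posts above as hosts of RU:8080 landing pages.
RU8080_BLOCKLIST = {
    ipaddress.ip_address(ip) for ip in (
        "5.9.40.136", "41.72.150.100", "50.116.23.204", "66.249.23.64",
        "94.102.14.239", "212.180.176.4", "213.215.240.24",
    )
}

# Assumed (constructed) proxy log layout, one request per line:
#   <timestamp> <client_ip> <dest_ip> <method> <url>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def is_ru8080_landing(url):
    """True if the URL has the RU:8080 shape: a .ru host, port 8080 and the
    /forum/links/column.php path seen in every sample on this thread.
    The query string (present in the webroot sample) is ignored."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return (
        parts.scheme in ("http", "https")
        and port == 8080
        and host.endswith(".ru")
        and parts.path == "/forum/links/column.php"
    )


def classify_line(line):
    """Return the set of reasons a log line is suspicious (empty if none).
    Unparseable lines are reported as 'unparsed' rather than silently dropped."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return {"unparsed"}
    reasons = set()
    if is_ru8080_landing(m["url"]):
        reasons.add("ru8080-pattern")
    try:
        # Blocking by IP also catches traffic whose URL does not match the pattern.
        if ipaddress.ip_address(m["dest"]) in RU8080_BLOCKLIST:
            reasons.add("blocklisted-ip")
    except ValueError:
        reasons.add("bad-dest-ip")
    return reasons


def scan_log(lines):
    """Scan an iterable of log lines; return [(line_no, url_or_raw, sorted reasons)]
    for every line that raised at least one reason."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify_line(line)
        if reasons:
            m = LOG_LINE.match(line.strip())
            hits.append((n, m["url"] if m else line.strip(), sorted(reasons)))
    return hits


# Constructed sample traffic (not a real capture): the .ru host and the two
# destination IPs come from the posts above, the rest are documentation names/addresses.
SAMPLE_LOG = """\
2013-03-11T04:05:12Z 10.0.0.12 94.102.14.239 GET http://gimikalno.ru:8080/forum/links/column.php
2013-03-11T04:05:15Z 10.0.0.12 94.102.14.239 GET http://gimikalno.ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&s=1k
2013-03-11T04:06:01Z 10.0.0.31 93.184.216.34 GET http://www.example.com/index.html
2013-03-11T04:07:44Z 10.0.0.31 212.180.176.4 GET http://www.example.org/images/logo.png
2013-03-11T04:08:00Z 10.0.0.40 198.51.100.7 GET http://forum.example.net:8080/forum/links/column.php
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for n, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}  {url}")
```

Line 4 of the sample is the case the dynamoo posts keep stressing: the URL looks harmless, but the destination IP is on the blocklist, so IP blocking catches it where a URL pattern alone would not.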
Fake Wire Transfer SPAM - Something evil on 37.59.214.0/28 // 176.31.140.64/28

FYI...

Something evil on 37.59.214.0/28
- http://blog.dynamoo.com/2013/03/something-evil-on-3759214028.html
11 March 2013 - "37.59.214.0/28 is an OVH IP range* suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith .info:89/forum/had.php which is evading automated analysis**. The owner of this block is as follows:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell @gmail .com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appear to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious..."
(List at the dynamoo URL above.)
** http://urlquery.net/report.php?id=1368280

AS16276 (OVH)
* https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 6134 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-11, and the last time suspicious content was found was on 2013-03-11... Over the past 90 days, we found 911 site(s) on this network... that appeared to function as intermediaries for the infection of 2222 other site(s)... We found 1665 site(s)... that infected 8762 other site(s)..."
___

Something evil on 176.31.140.64/28
- http://blog.dynamoo.com/2013/03/something-evil-on-176311406428.html
11 March 2013 - "176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post)*. It contains a small number of malicious domains flagged by Google (in red); most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.
Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block..."
(List at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/03/something-evil-on-3759214028.html
___

Sidharth Shah / OVH / itechline .com
- http://blog.dynamoo.com/2013/03/sidharth-shah-ovh-itechlinecom.html
11 March 2013 - "I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:

These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistent, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here*...
The email address sidharth134 @gmail .com is also associated with itechline .com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah. BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:
Length of time business has been operating
8 complaints filed against business
Failure to respond to 7 complaints filed against business

> https://lh3.ggpht.com/-D1aA_fdVk64/UT3z3gGLveI/AAAAAAAABAo/ouAPVZ07ays/s1600/itechline.png
... ITechline.com has garnered some very negative consumer reviews..."
* http://www.dynamoo.com/files/sidharth-shah.csv
___

Fake Wire Transfer SPAM / gimikalno .ru
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-gimikalnoru.html
11 Mar 2013 - "This fake wire transfer spam leads to malware on gimikalno .ru:
Date: Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From: Xanga [noreply@xanga .com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)
Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]gimikalno .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
Blocklist:
5.9.40.136
66.249.23.64
94.102.14.239
212.180.176.4
117.104.150.170
41.72.150.100
..."
* http://urlquery.net/report.php?id=1371618
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239

Fake BofA, ACH, Wire Transfer SPAM ...

FYI...

Fake BofA emails lead to malware
- http://blog.webroot.com/2013/03/12/...al-certificate-themed-emails-lead-to-malware/
March 12, 2013 - "Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a -bogus- online digital certificate attached to the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/03/email_spam_malware_cashpro_social_engineering.png
Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b * ... Password-Stealer.
The attachment uses the following naming convention:
cashpro_cert_7585cc6726.zip
cashpro_cert_cc1d4a119071.zip...
It then attempts to connect to 74.207.227.67; 17.optimaxmagnetics .us, and successfully establishes a connection with the C&C server at 50.28.90.36 :8080/forum/viewtopic.php...
More MD5s are known to have phoned back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...657d9b2ef254d7d852323ba2d077c0bcdf3/analysis/
File name: Ywiti
Detection ratio: 36/45
Analysis date: 2013-03-11
___

Fake "End of Aug. Stat. Required" SPAM / giminkfjol .ru
- http://blog.dynamoo.com/2013/03/end-of-aug-stat-required-spam.html
12 March 2013 - "This spam leads to malware on giminkfjol .ru:
From: user @victimdomain .com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards


The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol .ru
..."
* http://urlquery.net/report.php?id=1389261
... Detected suspicious URL pattern... Blackhole 2 Landing Page 213.215.240.24
___

HP LaserJet printer backdoor
- http://h-online.com/-1821334
12 March 2013 - "A number of HP LaserJet printers can be accessed through the network and unencrypted data can be read from them without authentication. The US-CERT has issued an advisory* that warns users of these printers and is calling on them to update the printer's firmware with a fixed version... HP's own advisory** identifies HP LaserJet Pro P1102w, P1606dn, M1212nf MFP (Multi Function Printer), M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1219nf MFP and CP1025nw printers as affected by the problem and has issued firmware and installation instructions for that firmware to close the vulnerability."
* http://www.kb.cert.org/vuls/id/782451
Last revised: 11 Mar 2013

** https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03684249
Last Updated: 2013-03-06
References: CVE-2012-5215
___

Fake News Diet Supplement Site
- http://www.gfi.com/blog/thinspo-tumblr-page-leads-to-fake-news-diet-supplement-site/
March 12, 2013 - "... something called “Thinspo” – it’s a shortened term for “Thinspiration”, usually a tag on social media sites... an attempt at directing such individuals to fake news websites touting “green coffee” weight loss offers. Here’s the Tumblr in question, which contains numerous “Thinspo” pictures...
> http://www.gfi.com/blog/wp-content/uploads/2013/03/thinspo1.jpg
Sending kids and teens with potentially serious body image hang-ups to -fake- news report sites such as this which practically beg them to sign up and lose weight is incredibly creepy... It’s entirely possible there’s more of them lurking on various social networks though, so please be aware that no matter how controversial the subject, someone is always going to want to take advantage of it for their own benefit."
___

Fake ACH Batch Download Notification
- http://security.intuit.com/alert.php?a=77
11 Mar 2013 - "People are receiving fake emails with the title 'ACH Batch Download Notification'. Below is a copy of the email people are receiving, including the mistakes shown.

Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Mon, 11 Mar 2013 19:59:38 +0500 Batch ID: 8242710 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.


This is the end of the fake email.
Steps to Take Now
- Do -not- click on the link in the email or open the attached file...
- Delete the email."
___

Fake Wire Transfer SPAM / giminanvok .ru
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-giminanvokru.html
11 Mar 2013 - "Another wire transfer spam, this time leading to malware on giminanvok .ru:
Date: Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From: LinkedIn Connections [connections@linkedin.com]
Subject: Fwd: Wire Transfer (5600LJ65)
Dear Bank Account Operator,
WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]giminanvok .ru:8080/forum/links/column.php (report pending*) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
I strongly recommend that you block access to these IPs if you can."

Fake BBB emails lead to BlackHole Exploit Kit

FYI...

Fake BBB emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/13/...themed-emails-lead-to-black-hole-exploit-kit/
March 13, 2013 - "Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time, launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the first BBB themed spamvertised campaign:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
Sample screenshot of the second BBB themed spamvertised campaign:
> https://webrootblog.files.wordpress...xploits_malware_black_hole_exploit_kit_01.png
... Malicious domain names reconnaissance:
Not surprisingly, we’ve already seen the onetoo @gmx .com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware“.
Upon successful client-side exploitation, a sampled campaign drops: MD5: 126a104f260cb0059b901c6a23767d76 * ... Worm:Win32/Cridex.E ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...a32e32538a2d40e49afc786ca94993b3f77/analysis/
File name: cf2d476e6b1a8eae707ffae520c4d019c7226948
Detection ratio: 28/45
Analysis date: 2013-03-10
___

- http://gfisoftware.tumblr.com/post/44796405851/your-better-business-bureau-accreditation-has-been
5 days ago - "... Subjects seen:
BBB Accreditation Terminated
Typical e-mail details:
Valued Owner:
Your accreditation with Better Business Beaureau was Discontinued
A number of latest claims on you / your company motivated us to provisional Suspend your accreditation with Better Business Beaureau. The information about the our decision are available for review at a link below. Please give attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the SUSPENSION REPORT to meet on this grievance.
If you think you got this email by mistake - please forward this message to your principal or accountant
We awaits to your prompt rebound
..."
___

Zbot sites to block 13/3/13
- http://blog.dynamoo.com/2013/03/zbot-sites-to-block.html
13 Mar 2013 - "These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something*.
..."
* https://www.abuse.ch/?p=3581
___

Fake "Wapiti Lease Corp" SPAM / giminaaaao .ru
- http://blog.dynamoo.com/2013/03/wapiti-lease-corporation-spam.html
13 March 2013 - "A fairly bizarre spam leading to malware on giminaaaao .ru:
From: IESHA WILLEY [mailto:AtticusRambo @tui-infotec .com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached
Hello,
Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.
Thank you,
IESHA WILLEY
WLC


This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao .ru:8080/forum/links/column.php (report here*) hosted on:
93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24

giminaaaao .ru
giminkfjol .ru
giminanvok .ru "
* http://urlquery.net/report.php?id=1406092
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239
___

Fake "Copies of policies" SPAM / giimiiifo .ru
- http://blog.dynamoo.com/2013/03/copies-of-policies-spam-giimiiiforu.html
13 Mar 2013 - "This spam leads to malware on giimiiifo .ru:
Date: Wed, 13 Mar 2013 06:49:25 +0100
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: RE: Alonso - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Alonso SAMS,


The malicious payload is at [donotclick]giimiiifo .ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)"

Fake Efax, LinkedIn SPAM leads to malware...

FYI...

Fake Efax SPAM / gimiinfinfal .ru
- http://blog.dynamoo.com/2013/03/efax-corporate-spam-gimiinfinfalru.html
14 Mar 2013 - "This eFax-themed spam leads to malware on gimiinfinfal .ru:
Date: Thu, 14 Mar 2013 07:39:23 +0300
From: SarahPoncio @mail .com
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 449555234]
You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
* The reference number for this fax is [eFAX-263482326].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal .ru:8080/forum/links/column.php (report here) hosted on:
94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)
Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo .ru

___

Fake LinkedIn SPAM / teenlocal .net
- http://blog.dynamoo.com/2013/03/linkedin-spam-teenlocalnet.html
14 March 2013 - "This fake LinkedIn spam leads to malware on teenlocal .net:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!
Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Strategic Planning
Continue
You are receiving Endorsements emails. Unsubscribe.
This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
..."
(More detail at the dynamoo URL above.)

Fake Wire Transfer emails serve client-side exploits and malware

FYI...

Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot.com/2013/03/15/...mails-serve-client-side-exploits-and-malware/
March 15, 2013 - "Over the last couple of days, a cybercriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users into thinking that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...ware_black_hole_exploit_kit_wire_transfer.png
... Sample client-side exploits serving URL: hxxp://gimikalno .ru:8080/forum/links/column.php
Sample malicious payload dropping URL: hxxp://gimikalno .ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a * ... Trojan.FakeMS
... phones back to:
149.156.96.9 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
72.251.206.90 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
202.29.5.195 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5 /AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen 213.214.74.5 in... previously profiled campaigns
Malicious domain name reconnaissance:
gimikalno .ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
Name Servers: ns1.gimikalno .ru 41.168.5.140
Name Servers: ns2.gimikalno .ru 110.164.58.250 (nangrong.ac.th)
Name Servers: ns3.gimikalno .ru 210.71.250.131 (tecom.com.tw)
Name Servers: ns4.gimikalno .ru 194.249.217.8 (gimnazija-tolmin1.si)
Name Servers: ns5.gimikalno .ru 72.251.206.90 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...0a2b706ded02e2f4c3db45db1bed9d46642/analysis/
File name: docprop.dll
Detection ratio: 26/45
Analysis date: 2013-03-13
___

Malware sites to block 15/3/13
- http://blog.dynamoo.com/2013/03/malware-sites-to-block-15313.html
15 March 2013 - "These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos .ru seems to be very active this morning. Block 'em if you can:
5.9.40.136
41.72.150.100
50.116.23.204
66.249.23.64
94.102.14.239
212.180.176.4
213.215.240.24
...
For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy) ..."
(More listed at the dynamoo URL above.)
___

Fake ADP SPAM / picturesofdeath .net
- http://blog.dynamoo.com/2013/03/adp-package-delivery-confirmation-spam.html
15 March 2013 - "This fake ADP spam leads to malware on... picturesofdeath .net:
From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply @adp .com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High
This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498
Details: Click here to overview and/or modify order
We will notify you via email if the status of your delivery changes.
Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com ...


The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1446662
... Detected live BlackHole v2.0 exploit kit 24.111.157.113

- http://blog.webroot.com/2013/03/18/...themed-emails-lead-to-black-hole-exploit-kit/
March 18, 2013 - "A currently ongoing malicious email campaign is impersonating ADP in an attempt to trick its customers into thinking that they’ve received a ‘Package Delivery Notification.’ In reality though, once a user clicks on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
... responded to 24.111.157.113; 58.26.233.175; 155.239.247.247... 58.26.233.175; 155.239.247.247... 77.241.198.65; 80.241.211.26; 83.255.90.5; 103.14.8.20; 190.30.219.85... phones back to 212.68.63.82..."
(More detail at the webroot URL above.)
___

BoA SPAM - on short list of Scammers’ Spam Lures
- http://www.hotforsecurity.com/blog/bank-of-america-on-short-list-of-scammers-spam-lures-5668.html
March 15, 2013 - "... crooks unleashed a series of aggressive spam campaigns that include the Bank of America in the title as bait. In the context of a security breach, the name of the bank was used to catch customers’ attention, infect them with malware, have them type in sensitive data or entice them into sending money in advance for a service they will never receive. “Online Banking Passcode Modified” invites people to click a link to reset their online banking passcode. The same template and con is entirely recycled from a similar attack in November 2012. This new spamvertised malware campaign attempts to get Bank of America customers to -click a link- to a webpage associated with the Redkit Exploit Kit – a crimeware tool that exploits vulnerabilities in browsers and plugins to silently infect victims’ PCs.
> http://www.hotforsecurity.com/wp-content/uploads/2013/03/Online-Banking-Passcode-Modified.png
"Bank of America Corporate Office Headquarters” and the very recent “Payment Notification from Bank of America” spam campaigns are examples of a complicated Nigerian-like scam informing customers that their funds will be transferred to the United States Treasury Account...
> http://www.hotforsecurity.com/wp-co...-of-America-Corporate-Office-Headquarters.png
"Bank of America Alert: Suspicious Activities on your Account!” and “Bank of America Alert: Sign-in to Online Banking Locked” lure customers to a phishing page...
> http://www.hotforsecurity.com/wp-co...ert-Suspicious-Activities-on-your-Account.png
"Reminder: Bank of America Customer Survey” is another active scam ...
> http://www.hotforsecurity.com/wp-co.../Reminder-Bank-of-America-Customer-Survey.png
Bank of America has been recycled in spammed scams since 2006 and used multiple times a year, for more or less the same results: steal card and identity information, infect people with malware, and unwarily recruit them into money-muling operations..."

:mad:
 
Fake LinkedIn SPAM...

FYI...

Fake LinkedIn SPAM / applockrapidfire .biz
- http://blog.dynamoo.com/2013/03/linkedin-spam-applockrapidfirebiz.html
18 March 2013 - "This fake LinkedIn spam leads to malware on applockrapidfire .biz:
From: David O'Connor - LinkedIn [mailto:kissp @gartenplandesign .de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High
LinkedIn
REMINDERS
Invitation reminders:
From David O\'Connor (animator at ea)
PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username @domain .com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.


The link in the message goes through a legitimate hacked site to a malware landing page on [donotclick]applockrapidfire .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire .biz was registered just today to a presumably fake address...
URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)
The nameservers are NS1.QUANTUMISPS .COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS .COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US). quantumisps .com was registered to an anonymous person on 2013-03-15...
Recommended blocklist:
5.9.212.43
50.22.196.70
66.85.130.234
66.85.131.123
78.46.222.237
194.165.17.3
quantumisps .com
applockrapidfire .biz
"
* http://urlquery.net/report.php?id=1500577
... Detected live BlackHole v2.0 exploit kit
___

Fake DHL emails contain malware
- http://nakedsecurity.sophos.com/2013/03/18/express-shipment-notification-emails-malware/
March 18, 2013 - "... Online criminals have spammed out a large number of messages, claiming to come from DHL Express International, that are designed to install malware onto the computers of unsuspecting PC users. Here is what a typical example of an email spammed out in the attack looks like:
> https://sophosnews.files.wordpress.com/2013/03/dhl.jpg?w=640
Attached to the emails is a ZIP file, containing malware. The filename of the ZIP file can vary, but takes the form "DHL reportXXXXXX.zip" (where the 'X's are a random code)... Troj/BredoZp-S* ..."
* http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~BredoZp-S.aspx

:mad:
 
Fake Statement/Facebook/malicious SPAM...

FYI...

Fake "Statement Reqiured" SPAM / hiskintako .ru
- http://blog.dynamoo.com/2013/03/end-of-aug-statement-reqiured-spam.html
19 Mar 2013 - "This -spam- leads to malware on hiskintako .ru:
Date: Tue, 19 Mar 2013 08:04:18 +0300
From: "package update Ups" [upsdelivercompanyb @ups .com]
Subject: Re: FW: End of Aug. Statement Reqiured
Attachments: Invoices-CAS9927.htm
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
-----------------------
Date: Tue, 19 Mar 2013 02:18:06 +0600
From: MyUps [ups-delivery-services @ups .com]
Subject: Re: FW: End of Aug. Stat. Required
Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards


The malicious payload is at [donotclick]hiskintako .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
89.110.131.10 (Netclusive, Germany)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
BLOCKLIST:
50.22.0.2
89.110.131.10
132.230.75.95
188.165.202.204

forumla .ru
gimiiiank .ru
giminanvok .ru
giminkfjol .ru
giminaaaao .ru
giimiiifo .ru
giliaonso .ru
forumny .ru
hiskintako .ru
gxnaika .ru
gulivaerinf .ru "
* http://urlquery.net/report.php?id=1516090
... Detected live BlackHole v2.0 exploit kit 50.22.0.2
___

Squeak Data / squeakdata .com SPAM
- http://blog.dynamoo.com/2013/03/squeak-data-squeakdatacom-spam.html
19 March 2013 - "... The email address they are sending to has been harvested, so you can be pretty sure that the mailing lists they sell are of very low quality. But there's a bit more to this spam than meets the eye..
From: Squeak Data [enquiries @squeakdata .com] via smtpguru .net
Date: 19 March 2013 13:35
Subject: Squeak Data
Signed by: smtpguru .net
Squeak Data - Qualified & Opted In Prospect Data
- At a fraction of the usual price. We own all the data we sell so we can keep our prices extremely competitive but still deliver on quality and service.
New January 2013 Opted In Business Database - contains over 437k records. This data set is completely new and unique to us. It has been strictly opted in at decision maker level. It contains SME businesses throughout the UK. Every record contains full information fields including a live and valid email address.
We are aware that much larger business databases are currently been offered. It takes a lot of hard work and man hours to produce a truly opted in and quality prospect list. Common sense must prevail and conclude that such large databases cannot possibly be opted in and are very old and tired.
We do not hold old and tired data. Our data is fresh, unique and will help you accomplish your new business targets.
Our data is sold with a 95% email delivery promise and on a multiple use basis...


The domain was registered on 2nd March, so it's only a few days old. But that email address looks familiar.. yes, this is Toucan UK who said last year that they were closing down their business. It turns out that this is a lie too. A brief bit of Googling also brings up this other spam where they are saying pretty much the same thing. It looks like they used to have a Twitter handle of @MoneyTreesData although that appears to have been nuked. Oh well.
Give these spammers a wide berth."
___

Fake Facebook SPAM / heelicotper .ru
- http://blog.dynamoo.com/2013/03/facebook-spam-heelicotperru.html
19 Mar 2013 - "This fake Facebook spam leads to malware on heelicotper .ru:
Date: Tue, 19 Mar 2013 08:37:37 +0200
From: Facebook [updateSIXQG03I44AX @facebookmail .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


The malicious payload is at [donotclick]heelicotper .ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:
50.22.0.2 (SoftLayer, US)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)
The payload and associated IPs are the same as in this attack."
___

Malware spam: Cyprus banks...CNN.com / salespeoplerelaunch .org
- http://blog.dynamoo.com/2013/03/malware-spam-opinion-cyprus-banks-shut.html
19 Mar 2013 - "This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch .org:
Date: Tue, 19 Mar 2013 10:40:22 -0600
From: "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject: Opinion: Cyprus banks shut extended to Monday - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews @mail.cnn .com:
Click the following to access the sent link:
Cyprus banks shut extended to Monday - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here


The malicious payload is at [donotclick]salespeoplerelaunch .org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).
Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)
Recommended blocklist:
salespeoplerelaunch .org
dnslvlup .com
69.197.177.16
5.9.212.43
66.85.131.123
"

Scam of the day: More fake CNN e-mails
- https://isc.sans.edu/diary.html?storyid=15436
Last Updated: 2013-03-19 17:37:08 UTC
> https://isc.sans.edu/diaryimages/images/cnncyprus.png

> http://wepawet.iseclab.org/view.php?hash=dbeb07e4d46aa4cbd38617a925499c22&type=js

:mad:
 
Fake USPS SPAM...

FYI...

Fake USPS SPAM / himalayaori .ru
- http://blog.dynamoo.com/2013/03/usps-spam-himalayaoriru.html
20 March 2013 - "This -fake- UPS (or is it USPS?) spam leads to malware on himalayaori .ru. The malicious link is in an attachment called ATT17235668.htm. For some reason the only sample of the spam that I have is horribly mangled:
From: HamzaRowson @hotmail .com [mailto:HamzaRowson @hotmail .com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657
Your USPS TEAM for big savings!
Can't see images? CLICK HERE.
UPS UPS SUPPORT 56 Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping.
Learn More >> UPS - Your UPS Team
Good day, [redacted].
Dear User , Delivery Confirmation: Failed
Track your Shipment now!
With best regards , Your UPS Customer Services. Shipping Tracking Calculate Time & Cost
Open an Account @ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy. Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325
Attn: Customer Communications Department


Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori .ru:8080/forum/links/column.php (report here*), in this case via a legitimate hacked site at [donotclick]www.unisgolf .ch/report.htm but that is less important. himalayaori .ru is hosted on a couple of IPs that look familiar:
50.22.0.2 (SoftLayer, US)
188.165.202.204 (OVH, France)
Recommended blocklist:
50.22.0.2
188.165.202.204

himalayaori .ru
hentaimusika .ru
hiskintako .ru
gxnaika .ru
forumla .ru
gulivaerinf .ru
foruminanki.ru
forumny .ru ..."
* http://urlquery.net/report.php?id=1525298
___

Fake Invoice SPAM / hifnsiiip .ru
- http://blog.dynamoo.com/2013/03/end-of-aug-statement-spam-hifnsiiipru.html
20 Mar 2013 - "This fake invoice spam leads to malware on hifnsiiip .ru:
Date: Wed, 20 Mar 2013 05:41:44 +0100
From: LinkedIn Connections [connections @linkedin .com]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoices-AS9927.htm
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards


The attached Invoices-AS9927.htm file attempts to direct the victim to a malicious landing page [donotclick]hifnsiiip .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
109.230.229.156 (High Quality Server, Germany)
188.165.202.204 (OVH, France)
Recommended blocklist:
50.22.0.2
109.230.229.156
188.165.202.204
..."
(More at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1526708
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake FedEx Parcel Delivery Failure Notification E-mail Messages - 2013 Mar 20
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 20
Fake Payment Transaction Notice E-mail Messages - 2013 Mar 19
Fake Wire Transfer Notification E-mail Messages - 2013 Mar 19
Fake Document Attachment E-mail Message - 2013 Mar 19
Fake CashPro Online Digital Certificate Notification E-mail Messages - 2013 Mar 18
Fake Order And Transfer Slip Notification E-mail Messages - 2013 Mar 18
Fake Payment Processing Notice E-mail Messages - 2013 Mar 18
Fake Purchase Order Payment Notification E-mail Messages - 2013 Mar 18
Fake Product Order E-mail Messages - 2013 Mar 18
Fake Online Purchase Receipt E-mail Messages - 2013 Mar 18
(More detail and links at the cisco URL above.)

:fear::mad:
 
Fake NACHA / ScanJet SPAM ...

FYI...

Fake NACHA SPAM / encodeshole .org
- http://blog.dynamoo.com/2013/03/nacha-spam.html
21 March 2013 - "This fake NACHA spam leads to malware on encodeshole .org:
From: "Тимур.Родионов @direct.nacha .org" [mailto:biker @wmuttkecompany .com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High
Dear Sirs,
Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
Best regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548


The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:
91.234.33.187
encodeshole .org
rotariesnotify .org
rigidembraces .info
storeboughtmodelers .info
* http://urlquery.net/report.php?id=1536940
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 91.234.33.187

- https://www.google.com/safebrowsing/diagnostic?site=AS:56485
"... over the past 90 days, 54 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-21, and the last time suspicious content was found was on 2013-03-21... Over the past 90 days, we found 8 site(s) on this network... that appeared to function as intermediaries for the infection of 23 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 13 site(s)... that infected 30 other site(s)..."
___

Fake ScanJet SPAM / hillaryklinton .ru
- http://blog.dynamoo.com/2013/03/scan-from-hewlett-packard-scanjet-spam_21.html
21 March 2013 - "This fake printer spam leads to malware on the amusingly-named hillaryklinton .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.
Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set


In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)
Blocklist:
50.22.0.2
62.75.157.196
109.230.229.156

foruminanki .ru
forumla .ru
forumny .ru
gulivaerinf .ru
gxnaika .ru
hanofk .ru
heelicotper .ru
hifnsiiip .ru
hillaryklinton .ru
himalayaori .ru
humalinaoo .ru
* http://urlquery.net/report.php?id=1535161
... Detected suspicious URL pattern... Blackhole 2 Landing Page 109.230.229.156
___

Fake CNN emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/21/...hemed-emails-lead-to-black-hole-exploit-kit/?
March 21, 2013 - "... thousands of malicious ‘CNN Breaking News’ themed emails... exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...social_engineering_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
webpageparking .net – 109.74.61.59; 24.111.157.113; 58.26.233.175; 155.239.247.247...
Responding to 24.111.157.113 ... malicious domains...
Upon successful client-side exploitation, the campaign drops MD5: 24d406ef41e9a4bc558e22bde0917cc5 * ... Worm:Win32/Cridex.E...
* https://www.virustotal.com/en/file/...5c2ca100e539a665a8634e101346ce289be/analysis/
File name: deskadp.dll
Detection ratio: 23/45
Analysis date: 2013-03-21 10:46
___

Fake "Data Processing Service" spam / airtrantran .com
- http://blog.dynamoo.com/2013/03/data-processing-service-spam.html
21 Mar 2013 - "This spam leads to malware on airtrantran .com:
Date: Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From: Data Processing Service [customerservice @dataprocessingservice .com]
Subject: ACH file ID "973.995" has been processed successfully
Files Processing Service
SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59
For addidional info review it here


24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
..."
___

Fake Facebook SPAM / scriptuserreported .org
- http://blog.dynamoo.com/2013/03/facebook-spam-scriptuserreportedorg.html
21 Mar 2013 - "This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported .org:
Date: Thu, 21 Mar 2013 10:56:28 -0500
From: Facebook [update+oi=MKW63Z @facebookmail .com]
Subject: John Jenkins commented photo of you.
facebook
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}


The malicious payload is at [donotclick]scriptuserreported .org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:
inetnum: 5.39.37.24 - 5.39.37.31
netname: n2p3DoHost
descr: DoHost n2 p3
country: FR ...
Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here*). This server also hosts the following potentially malicious domains:
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01 .com
workhomeheres02 .com
There's also a work-at-home scam on 5.39.37.24:
makeworkhome12 .pl
5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels .info
supermyadminspanels .info
So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host .net...
Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
Minimum blocklist:
5.39.37.31
pesteringpricelinecom .net
resolveconsolidate .net
scriptuserreported .org
provingmoa .com
Recommended blocklist:
5.39.37.24/29
makeworkhome12 .pl
myadminspanels .info
supermyadminspanels .info
workhomeheres01 .com
workhomeheres02 .com
rl-host .net
pesteringpricelinecom .net
resolveconsolidate.net
scriptuserreported .org
provingmoa .com"
* http://urlquery.net/report.php?id=1539128
... Detected live BlackHole v2.0 exploit kit 5.39.37.31
___

Fake Changelog SPAM / hillairusbomges .ru
- http://blog.dynamoo.com/2013/03/changelog-spam-hillairusbomgesru.html
21 Mar 2013 - "This fake changelog spam leads to malware on hillairusbomges .ru:
Date: Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: Re: Changelog Oct.
Good morning,
as prmised updated changelog - View
L. LOYD


The malicious payload is at [donotclick]hillairusbomges .ru:8080/forum/links/column.php (report here*) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)
Blocklist:
50.22.0.2
66.249.23.64
188.165.202.204
..."
* http://urlquery.net/report.php?id=1540852
... Detected suspicious URL pattern... Blackhole 2 Landing Page 188.165.202.204

:fear::mad:
 
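The posts above publish their indicators in defanged form ("hiskintako .ru", "[donotclick]...", "hxxp://", and in the scriptuserreported .org case a whole /29 block). Turning those into something a proxy or DNS log can actually be checked against is the defender's next step, so here is an added example of that: it is not code from dynamoo.com or any of the quoted blogs. The indicator strings are copied from the posts; the log format (timestamp, client IP, destination IP, URL) and the log lines themselves are constructed for the example, and the only dependencies are the Python standard library.

```python
"""Refang the indicators quoted in the posts above, build a blocklist from
them (domains plus IPs/CIDR ranges), and match it against proxy log lines.

Added example, not code from dynamoo.com or the quoted blogs.  Indicator
values come from the posts; the log format and lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the posts print them (defanged).
INDICATORS = [
    "[donotclick]scriptuserreported .org/close/keys-importance-mention.php",
    "hiskintako .ru:8080/forum/links/column.php",
    "hxxp://gimikalno .ru:8080/forum/links/column.php",
    "5.39.37.24/29",          # the suballocated block recommended for blocking
    "50.22.0.2",
    "188.165.202.204",
    "quantumisps .com",
]


def refang(indicator):
    """Undo the defanging conventions used in the posts."""
    s = indicator.strip()
    s = re.sub(r"\[donotclick\]", "", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"\s+\.", ".", s)   # "hiskintako .ru" -> "hiskintako.ru"
    s = re.sub(r"\s+:", ":", s)    # "example .com :8080" -> "example.com:8080"
    return s


def host_of(url_or_host):
    """Bare lower-case host of a URL or of a 'host[:port]/path' string."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


class Blocklist:
    """Domains (matched with their subdomains) plus IP networks."""

    def __init__(self, raw_indicators):
        self.networks = []
        self.domains = set()
        for raw in raw_indicators:
            self.add(raw)

    def add(self, raw):
        ind = refang(raw)
        try:  # bare IP or CIDR, e.g. "50.22.0.2" or "5.39.37.24/29"
            self.networks.append(ipaddress.ip_network(ind, strict=False))
            return
        except ValueError:
            pass
        host = host_of(ind)
        try:  # URL whose host is an IP literal
            self.networks.append(ipaddress.ip_network(host))
        except ValueError:
            self.domains.add(host)

    def ip_hit(self, ip):
        """Return the matching network as a string, or None."""
        addr = ipaddress.ip_address(ip)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def host_hit(self, host):
        """Return the listed domain that host equals or is under, or None."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


# Constructed log format: "<timestamp> <client ip> <destination ip> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest_ip>\S+) (?P<url>\S+)$")

SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2013-03-21T10:56:00Z 10.0.0.12 5.39.37.31 http://scriptuserreported.org/close/keys-importance-mention.php",
    "2013-03-21T10:57:10Z 10.0.0.12 5.39.37.28 http://workhomeheres01.com/",
    "2013-03-21T10:58:00Z 10.0.0.40 93.184.216.34 http://www.example.com/",
    "2013-03-21T11:01:00Z 10.0.0.7 50.22.0.2 http://hiskintako.ru:8080/forum/links/column.php",
]


def scan_log(lines, blocklist):
    """Return (line number, client ip, reasons) for every line that hits.

    The destination IP and the URL host are checked independently, so a
    listed domain is caught even after it moves to a new IP, and a listed
    range is caught even under a domain the posts never mentioned."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = []
        net = blocklist.ip_hit(m["dest_ip"])
        if net:
            reasons.append("ip:" + net)
        dom = blocklist.host_hit(host_of(m["url"]))
        if dom:
            reasons.append("domain:" + dom)
        if reasons:
            hits.append((n, m["client"], reasons))
    return hits


if __name__ == "__main__":
    for n, client, reasons in scan_log(SAMPLE_LOG, Blocklist(INDICATORS)):
        print(f"line {n}: client {client} -> {', '.join(reasons)}")
```

The second log line is the reason to keep CIDR ranges rather than only the individual IPs the posts list: workhomeheres01.com is not in the indicator list, but 5.39.37.28 falls inside the recommended 5.39.37.24/29 block and is flagged anyway. Matching domains by label suffix means www.quantumisps.com hits the quantumisps .com entry without a separate wildcard rule.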
Fake Zendesk pharma SPAM ...

FYI...

Fake Zendesk SPAM / vagh .ru / pillshighest .com
- http://blog.dynamoo.com/2013/03/zendesk-important-notice-about-security.html
22 Mar 2013 - "This unusual spam leads to a fake pharma site on pillshighest .com via vagh .ru and an intermediate -hacked- site.
Date: Fri, 22 Mar 2013 13:52:08 -0700
From: Support Team [pinbot @schwegler .com]
To: [redacted]
Subject: An important notice about security
We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.
We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:
Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
Use a strong password. If your password is weak, you can create a new one.
We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.
Support Team
Questions? See our FAQ.
This email was sent to [redacted].
© 2013 Zendesk, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions


There appears to be no malware involved in this attack. After the user has clicked through to the -hacked- site (in this case [donotclick]www.2001hockey .com/promo/page/ - report here*) the victim is -bounced- to [donotclick]vagh .ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine**) and then on to [donotclick]pillshighest .com on 91.217.53.30 (Fanjcom, Czech Republic).
Some IPs and domains you might want to block:
91.217.53.30
193.105.210.212
..."
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1547240
... RBN - Known Russian Business Network IP - 109.120.138.155***

** https://www.google.com/safebrowsing/diagnostic?site=AS:57954

*** https://www.google.com/safebrowsing/diagnostic?site=AS:30968

- http://nakedsecurity.sophos.com/2013/03/22/fake-zendesk-security-notice/
March 22, 2013
> https://sophosnews.files.wordpress.com/2013/03/fake-security-notice.jpg?w=640
___

Fake ACH email - malware...
- http://www.hoax-slayer.com/ach-file-processed-malware.shtml
March 22, 2013 - "Outline: Message purporting to be from the Automated Clearing House (ACH) claims that a file submitted by a user has been successfully processed and invites recipients to click a link to read more information about the large sum transactions listed....
Brief Analysis: The email is -not- from ACH and the transactions listed in the message are not genuine. The -link- in the email opens a compromised website that harbours information-stealing malware... Those who do click the link will be taken to one of several websites that harbour malware. Once downloaded, such malware can typically make connections with remote servers controlled by criminals, download and install further malware components and harvest personal and financial information from the infected computer.
Scammers have targeted the ACH and the entity's managing body NACHA for several years. Some have been malware attacks such as this one. Others have been phishing scams intent on tricking people into divulging their personal and financial information. The ACH is an official funds transfer system that processes large volumes of credit and debit transactions in the United States and this makes it an attractive target for scammers.
Neither ACH nor NACHA will ever send you an unsolicited email that asks you to open an attachment or follow a link and supply personal information. If you receive an email that claims to be from the ACH or NACHA, do not open any attachments that it may contain. Do not follow any links in the email. Do not reply to the email or supply any information to the senders."
___

Fake Wire Transfer SPAM / dataprocessingservice-alerts .com
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-dataprocessingservic.html
22 Mar 2013 - "This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts .com:
Date: Fri, 22 Mar 2013 10:42:22 -0600
From: support @digitalinsight .com
Subject: Terminated Wire Transfer Notification - Ref: 54133
Immediate Transfers Processing Service
STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:
Initiated By: [redacted]
Initiated Date & Time: 2013-03-21 4:00:46 PM PST
Reference Number: 54133
For addidional info visit this link


The payload is at [donotclick]dataprocessingservice-alerts .com/kill/chosen_wishs_refuses-limits.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
..."
* http://urlquery.net/report.php?id=1548528
... Detected live BlackHole v2.0 exploit kit 24.111.157.113
___

Fake Changelog SPAM / hohohomaza .ru
- http://blog.dynamoo.com/2013/03/changelog-spam-hohohomazaru.html
22 Mar 2013 - "Evil changelog spam episode 274, leading to malware on hohohomaza .ru. Hohoho indeed.
Date: Fri, 22 Mar 2013 11:06:48 -0430
From: Hank Sears via LinkedIn [member @linkedin .com]
Subject: Fwd: Changelog as promised (upd.)
Hello,
as promised changelog - View
L. HENDRICKS


The malware landing page is at [donotclick]hohohomaza .ru:8080/forum/links/column.php hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)
Blocklist:
50.22.0.2
66.249.23.64
80.246.62.143
..."

:mad::fear:
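The blocklists quoted above are only useful if someone actually runs them against traffic. As an added example (not code from the original post or from dynamoo.com), the script below loads the IPs from the two blocklists in this post and scans proxy-log lines for either a blocklisted destination or the Blackhole 2 landing-page path (:8080/forum/links/column.php) that keeps recurring under changing .ru hostnames. The log layout is an assumption, and the sample lines are constructed; adapt parse_line() to your own proxy or firewall format.

```python
"""Scan proxy-log lines for blocklisted IPs and the Blackhole 2 landing path.

Added example, not from the original post. Log format and sample lines are
constructed; the IPs and URL path come from the blocklists quoted above.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# IPs from the blocklists quoted in this post, one per line, '#' comments allowed.
BLOCKLIST_TEXT = """
# dataprocessingservice-alerts .com
24.111.157.113
58.26.233.175
155.239.247.247
# hohohomaza .ru
50.22.0.2
66.249.23.64
80.246.62.143
"""

# The kit's landing page keeps the same port and path while the host changes,
# so match on those rather than on the hostname of the day.
LANDING_RE = re.compile(r":8080/forum/links/column\.php", re.IGNORECASE)

# Assumed (constructed) log layout: "<ts> <client_ip> <method> <url> <status> <dst_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<dst>\S+)$"
)


def load_blocklist(text: str) -> Set[ipaddress.IPv4Address]:
    """Parse a plain-text blocklist, ignoring blank lines and comments."""
    ips = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ips.add(ipaddress.ip_address(line))
    return ips


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines, blocklist) -> List[Dict[str, object]]:
    """Return one finding per line that hit a blocklisted IP or the kit path."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        try:
            if ipaddress.ip_address(rec["dst"]) in blocklist:
                reasons.append("blocklisted destination ip")
        except ValueError:
            pass  # destination field was not an IP (e.g. "-" when unresolved)
        if LANDING_RE.search(rec["url"]):
            reasons.append("blackhole2 landing-page path")
        if reasons:
            findings.append({"client": rec["client"], "url": rec["url"],
                             "dst": rec["dst"], "reasons": reasons})
    return findings


# Constructed sample log: two clients touch the infrastructure above, one of
# them via a hostname that is not on any list yet (path match only).
SAMPLE_LOG = """\
1363959000.123 10.1.2.33 GET http://www.example.com/ 200 93.184.216.34
1363959004.555 10.1.2.33 GET http://dataprocessingservice-alerts.com/kill/chosen_wishs_refuses-limits.php 200 24.111.157.113
1363959007.001 10.1.2.57 GET http://hohohomaza.ru:8080/forum/links/column.php 200 50.22.0.2
1363959009.222 10.1.2.57 GET http://newdomain.example:8080/forum/links/column.php 200 -
1363959011.900 10.1.2.80 GET http://intranet.example/ 200 10.0.0.5
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines(), load_blocklist(BLOCKLIST_TEXT)):
        print(f["client"], f["dst"], f["url"], ", ".join(f["reasons"]))
```

The path match is the part worth keeping: the hosting IPs rotate within days, but the same landing path shows up across most of the .ru domains in this thread, so a client that fetched it from an as-yet-unlisted host is still worth a look.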
Fake BBC, BoA, Printer SPAM... more...

FYI...

Fake BBC emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/03/25/...themed-emails-lead-to-black-hole-exploit-kit/
March 25, 2013 - "Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the fake BBC News email:
> https://webrootblog.files.wordpress...ploits_spam_black_hole_exploit_kit_cyprus.png
... Sample client-side exploits serving URL: hxxp ://crackedserverz .com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1 @gmx .us...
Upon successful client-side exploitation the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2 * ...Spyware/Win32.Zbot..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...3f4c2ae609a958819be16e782ad469f38c7/analysis/
File name: 1d4aaaf4ae7bfdb0d9936cd71ea717b2
Detection ratio: 23/45
Analysis date: 2013-03-21

- https://www.net-security.org/malware_news.php?id=2444
25.03.2013
Fake: https://www.net-security.org/images/articles/bbc-cyprus-fake-big.jpg
___

Fake Bank of America SPAM / PAYMENT RECEIPT 25-03-2013-GBK-74
- http://blog.dynamoo.com/2013/03/bank-of-america-spam-payment-receipt-25.html
25 Mar 2013 - "This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip
Date: Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
From: Bank of America [gaudilyl30 @gmail .com]
Subject: Your transaction is completed
Transaction is completed. $4924 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved


Opening the ZIP file leads to an EXE called PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal*. Comodo CAMAS detects traffic to the domains seantit .ru and programcam .ru hosted on:
59.99.226.54 (BSNL Internet, India)
66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
77.241.198.65 (VPSnet, Lithuania)
81.20.146.229 (GONetwork, Estonia)
103.14.8.20 (Symphony Communication, Thailand)
Plain list:
59.99.226.54
66.248.200.143
77.241.198.65
81.20.146.229
103.14.8.20
..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/file/...824d47fe4e74e4742ef4f00cd5007ad755d/analysis/
File name: Loaf Harley Goals
Detection ratio: 22/46
Analysis date: 2013-03-25
___

Fake HP ScanJet SPAM / humaniopa .ru
- http://blog.dynamoo.com/2013/03/scan-from-hp-scanjet-spam-humanioparu.html
25 Mar 2013 - "This fake printer spam leads to malware on humaniopa .ru:
Date: Mon, 25 Mar 2013 03:57:54 -0500
From: LinkedIn Connections [connections @linkedin .com]
Subject: Scan from a HP ScanJet #928909620
Attachments: Scanned_Document.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 98278P.
Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set


The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
..."
* http://urlquery.net/report.php?id=1592330
... Detected suspicious URL pattern... Blackhole 2 Landing Page 95.211.154.196
___

Fake "Copies of policies" SPAM / heepsteronst .ru
- http://blog.dynamoo.com/2013/03/copies-of-policies-spam-heepsteronstru.html
25 Mar 2013 - "This spam leads to malware on heepsteronst .ru:
Date: Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
From: Ashley Madison [donotreply @ashleymadison .com]
Subject: RE: DEBBRA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DEBBRA Barnard,


The malicious payload is at [donotclick]heepsteronst .ru:8080/forum/links/column.php (report here*). The IP addresses used are the same ones as used in this attack**."
* http://urlquery.net/report.php?id=1593558
... Detected suspicious URL pattern... Blackhole 2 Landing Page 72.167.254.194
** http://blog.dynamoo.com/2013/03/scan-from-hp-scanjet-spam-humanioparu.html
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Future of Digital Marketing Event Notification E-mail Message - 2013 Mar 25
Fake Product Order Shipping Documents E-mail Messages - 2013 Mar 25
Fake Online Dating Request E-mail Messages - 2013 Mar 25
Fake Product Sample Request E-mail Messages - 2013 Mar 25
Fake Product Order E-mail Message - 2013 Mar 25
Fake Quotation Request With Attached Sample Design Notification E-mail Messages - 2013 Mar 25
Fake Shipment Notification E-mail Messages - 2013 Mar 25
Fake Bank Repayment Information E-mail Messages - 2013 Mar 25
Fake Payment Transaction Notification E-mail Messages - 2013 Mar 25
(More detail and links at the cisco URL above.)

:mad::mad:
Fake ADP, NACHA, DHL SPAM lead to malware

FYI...

Fake ADP emails lead to malware
- http://blog.webroot.com/2013/03/26/adp-payroll-invoice-themed-emails-lead-to-malware/
March 26, 2013 - "Over the past week, we intercepted a massive 'ADP Payroll Invoice' themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...ring_malicious_software_downloader_botnet.png
Detection rate for the malicious attachment:
MD5: 54e9a0495fbd5c952af7507d15ebab90 * ... Trojan.Win32.FakeAV.qqdm
... Initiating the following TCP connections:
213.186.47.54 :8080
195.93.201.42 :80
216.55.186.239 :80
77.92.151.6 :80
66.118.64.208 :80
...
Detection rates for the downloaded malware samples:
hxxp://infoshore.biz/cx5oMi.exe – MD5: 13eeca375585322c676812cf9e2e9789 ** ... Heuristic.LooksLike.Win32.Suspicious.B
hxxp://axelditter.de/w91qZ5.exe – MD5: 87c658970958bb5794354a91f8cc5a7d – detected by 18 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM...
It then attempts multiple UDP connection attempts to the following IPs part of the botnet’s infrastructure:
109.162.153.126 :25603
81.149.242.235 :28768
88.241.148.26 :19376
78.166.167.62 :26509
88.232.36.188 :11389
80.6.67.158 :11016
..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...ff38bca71f08779f69150298/analysis/1363949422/
File name: ADP_Invoice.exe
Detection ratio: 24/46
Analysis date: 2013-03-22
** https://www.virustotal.com/en/file/...1d77806fa1bfa3eae3de7268/analysis/1363952056/
File name: ADP_cx5oMi.exe
Detection ratio: 3/46
Analysis date: 2013-03-22
___

Fake NACHA SPAM / breathtakingundistinguished .biz
- http://blog.dynamoo.com/2013/03/nacha-spam-breathtakingundistinguishedb.html
26 March 2013 - "This fake NACHA spam leads to malware on breathtakingundistinguished .biz:
From: "Гена.Симонов@direct .nacha .org" [mailto:corruptnessljx953 @bsilogistik .com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High
Attn: Accounting Department
We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
Click here for more information
Please consult with your financial institution to acquire the updated version of the software.
Yours truly,
ACH Network Rules Department
NACHA - The Electronic Payments Association
19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698


The malicious payload is at [donotclick]breathtakingundistinguished .biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here*) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering .biz
hitwiseintelligence .biz
breathtakingundistinguished .biz "
* http://urlquery.net/report.php?id=1615815
... Detected BlackHole v2.0 exploit kit URL pattern... Detected live BlackHole v2.0 exploit kit 62.173.138.71
___

Fake DHL Spam / LABEL-ID-NY26032013-GFK73.zip
- http://blog.dynamoo.com/2013/03/dhl-spam-label-id-ny26032013-gfk73zip.html
26 Mar 2013 - "This DHL-themed spam contains a malicious attachment.
Date: Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From: Bart Whitt - DHL regional manager [reports @dhl .com]
Subject: DHL delivery report NY20032013-GFK73
Web Version | Update preferences | Unsubscribe
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global
Edit your subscription | Unsubscribe

> https://lh3.ggpht.com/-7RU-0iFN_k8/UVGDBXTvZ4I/AAAAAAAABCo/gtvsmzUfMCk/s1600/dhl.png

Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
VirusTotal detections for this malware are low (7/46*). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here**."
* https://www.virustotal.com/en/file/...5e28df3ccee36c4127b2c92c/analysis/1364296589/
File name: LABEL-ID-NY26032013-GFK73.exe
Detection ratio: 7/46
Analysis date: 2013-03-26
** http://blog.dynamoo.com/2013/03/bank-of-america-spam-payment-receipt-25.html

Screenshot: http://threattrack.tumblr.com/post/46338583720/dhl-notification-spam
___

Fake eFax SPAM / hjuiopsdbgp .ru
- http://blog.dynamoo.com/2013/03/efax-corporate-spam-hjuiopsdbgpru.html
26 Mar 2013 - "This fake eFax spam leads to malware on hjuiopsdbgp.ru:
Date: Tue, 26 Mar 2013 06:23:36 +0800
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Pages.htm
Fax Message [Caller-ID: 378677295]
You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.
* The reference number for this fax is [eFAX-677484317].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196
..."
* http://urlquery.net/report.php?id=1617697
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit 95.211.154.196
___

Fake UPS SPAM / Label_8827712794 .zip
- http://blog.dynamoo.com/2013/03/ups-spam-label8827712794zip.html
26 Mar 2013 - "This fake UPS spam has a malicious EXE-in-ZIP attachment:
Date: Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From: UPS Express Services [service-notification @ups .com]
Subject: UPS - Your package is available for pickup ( Parcel 4HS287FD )
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
CONFIDENTIALITY NOTICE...


The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46*. ThreatExpert reports** that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)
Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149

aseforum .ro
htlounge .com
htlounge .net
topcancernews .com
23.localizetoday .com
23.localizedonline .com
23.localizedonline .net"
* https://www.virustotal.com/en/file/...058895c9c85b3375b7d0e59e/analysis/1364312344/
File name: Label_8827712794.exe
Detection ratio: 6/46
Analysis date: 2013-03-26
** http://www.threatexpert.com/report.aspx?md5=c87f7ceeec9a9caa5e095b509d678f5e

Screenshot: http://threattrack.tumblr.com/post/46350420117/ups-package-pickup-spam
___

Fake Wire Transfer SPAM / hondatravel .ru
- http://blog.dynamoo.com/2013/03/wire-transfer-spam-hondatravelru.html
26 March 2013 - "This fake Wire Transfer spam leads to malware on hondatravel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)
Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]hondatravel .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
These IPs were seen earlier with this attack**."
* http://urlquery.net/report.php?id=1618697
... Detected suspicious URL pattern... Blackhole 2 Landing Page 66.249.23.64
** http://blog.dynamoo.com/2013/03/efax-corporate-spam-hjuiopsdbgpru.html

Screenshot: http://threattrack.tumblr.com/post/46002028146/international-transfers-processing-service-spam
___

Fake TRAFFIC TICKET SPAM / hondatravel .ru
- http://blog.dynamoo.com/2013/03/ny-traffic-ticket-spam-hondatravelru.html
26 Mar 2013 - "I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel .ru:
Date: Wed, 27 Mar 2013 04:24:14 +0330
From: "LiveJournal .com" [do-not-reply @livejournal .com]
Subject: Fwd: Re: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 2:15 AM
Date of Offense: 28/07/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM


The malicious payload appears to be identical to this spam run* earlier today."
* http://blog.dynamoo.com/2013/03/wire-transfer-spam-hondatravelru.html

Screenshot: http://threattrack.tumblr.com/post/46359626397/new-york-traffic-ticket-spam

:mad::fear:
Fake NACHA, Airline E-ticket receipt SPAM

FYI...

Fake Airline E-ticket receipt SPAM / illuminataf .ru
- http://blog.dynamoo.com/2013/03/british-airways-e-ticket-receipts-spam_27.html
27 Mar 2013 - "This fake airline ticket spam leads to malware on illuminataf .ru:
Date: Wed, 27 Mar 2013 03:23:05 +0100
From: "Xanga" [noreply @xanga .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-Receipt.htm
e-ticket receipt
Booking reference: JQ15191488
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services ...


The attachment E-Ticket-Receipt.htm leads to a malicious payload at [donotclick]illuminataf .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)
Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134
..."
* http://urlquery.net/report.php?id=1633301
... Detected suspicious URL pattern... Blackhole 2 Landing Page 69.46.253.241
___

Fake NACHA SPAM / mgithessia .biz
- http://blog.dynamoo.com/2013/03/nacha-spam-mgithessiabiz.html
27 March 2013 - "This fake NACHA spam leads to malware on mgithessia .biz:
From: "Олег.Тихонов@direct .nacha .org" [mailto:universe87 @mmsrealestate .com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High
To whom it may concern:
We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
Click here for more information
Please consult with your financial institution to obtain the updated version of the software.
Kind regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894


The malicious payload is at [donotclick]mgithessia .biz/closest/repeating-director_concerns.php, although I am having difficulty resolving that domain; however, it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this*.
* http://urlquery.net/report.php?id=1635808
... Detected live BlackHole v2.0 exploit kit 46.4.150.118
DNS services are provided by justintvfreefall .org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
..."
___

Sendspace Spam
- http://threattrack.tumblr.com/post/46423886514/sendspace-spam
27 March, 2013 - "Subjects seen: You have been sent a file (Filename: [removed].pdf)
Typical e-mail details:
Sendspace File Delivery Notification:
You’ve got a file called [removed].pdf, (625.62 KB) waiting to be downloaded at sendspace.(It was sent by CONCHA ).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.


Malicious URLs:
my311 .com/info.htm - 173.246.66.199
contentaz .com/info.htm - 66.147.244.103
illuminataf .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84 ..."
Screenshot: https://gs1.wac.edgecastcdn.net/801...b0f6a1f10/tumblr_inline_mkbrye8Kj91qz4rgp.png
___

Xerox WorkJet Pro Spam
- http://threattrack.tumblr.com/post/46443460555/xerox-workjet-pro-spam
27 March 2013 - "Subjects seen:
Fwd: Fwd: Scan from a Xerox W. Pro #[removed]
Typical e-mail details:
A Document was sent to you using a XEROX WorkJet PRO
SENT BY : Anderson
IMAGES : 4
FORMAT (.JPEG) DOWNLOAD


Malicious URLs:
thuocdonga .com/info.htm - 66.147.244.103
ilianorkin .ru:8080/forum/links/column.php - 69.46.253.241, 66.249.23.64, 140.114.75.84
Screenshot: https://gs1.wac.edgecastcdn.net/801...7818c54d7/tumblr_inline_mkc615T7vs1qz4rgp.png

:fear::mad:
Fake Changelog, Printer SPAM ...

FYI...

Fake Xerox ptr SPAM / ilianorkin .ru
- http://blog.dynamoo.com/2013/03/scan-from-xerox-w-pro-spam-ilianorkinru.html
28 March 2013 - "This fake printer spam leads to malware on ilianorkin .ru:
From: officejet @[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307
A Document was sent to you using a XEROX WorkJet PRO 481864299.
SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD


The malicious payload is at [donotclick]ilianorkin .ru:8080/forum/links/column.php (report here*) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
..."
* http://urlquery.net/report.php?id=1652917
... Detected suspicious URL pattern... Blackhole 2 Landing Page 140.114.75.84

Screenshot: https://gs1.wac.edgecastcdn.net/801...7818c54d7/tumblr_inline_mkc615T7vs1qz4rgp.png
___

Fake Changelog SPAM / Changelog_Urgent_N992.doc.exe
- http://blog.dynamoo.com/2013/03/changelog-spam-changelogurgentn992docexe.html
28 March 2013 - "This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe
From: Logistics Express [admin @ups .com]
Subject: Re: Changelog 2011 update
Hi,
as promised changelog,
Michaud Abran


VirusTotal* detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports** the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive. If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases."
* https://www.virustotal.com/en/file/...8b50a91059e26149e977eee6/analysis/1364462703/
File name: Changelog_Urgent_N992.doc.exe
Detection ratio: 18/46
Analysis date: 2013-03-28
** http://camas.comodo.com/cgi-bin/sub...392e595daf6023b6799768b50a91059e26149e977eee6
___

Fake Facebook SPAM / ipiniadto .ru
- http://blog.dynamoo.com/2013/03/facebook-spam-ipiniadtoru.html
28 Mar 2013 - "The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From: FilesTube [filestube @filestube .com]
Subject: You have notifications pending
facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


The malicious payload is at [donotclick]ipiniadto .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as used in this attack**:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
..."
* http://urlquery.net/report.php?id=1661788
... Detected suspicious URL pattern... Blackholev2 redirection 66.249.23.64
** http://blog.dynamoo.com/2013/03/scan-from-xerox-w-pro-spam-ilianorkinru.html
___

Key Secured Message Spam
- http://threattrack.tumblr.com/post/46521340100/key-secured-message-spam
28 March 2013 - "Subjects seen:
Key Secured Message
Typical e-mail details:
You have received a Secured Message from:
[removed] @key .com
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - [removed]
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
If you have concerns about the validity of this message, please contact the sender directly. For questions about Key’s e-mail encryption service, please contact technical support at 888.764.0016.


Malicious URLs:
24.cellulazetrainingcenter .com/ponyb/gate.php
23.mylocalreports .info/ponyb/gate.php
htlounge .com:8080/ponyb/gate.php
rueba .com/eXkdB.exe
nikosst .com/yttur.exe
bmwautomotiveparts .com/kUXY.exe
"
Screenshot: https://gs1.wac.edgecastcdn.net/801...958d3b275/tumblr_inline_mkdvh344wN1qz4rgp.png
___

ADP Netsecure Spam
- http://threattrack.tumblr.com/post/46507370924/adp-netsecure-spam
28 March 2013 - "Subjects seen:
ADP Immediate Notification
Typical e-mail details:
ADP Immediate Notification
Reference #: [removed]
Thu, 28 Mar 2013 -01:38:59 -0800
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!


Malicious URLs:
forum.awake-rp .ru/kpindex.htm
ipiniadto .ru:8080/forum/links/column.php
otrs.gtg .travel/kpindex.htm
ej-co .ru/kpindex.htm
w w w.ddanports .com/kpindex.htm
yunoksoo.g3 .cc/kpindex.htm
w w w.nzles .com/kpindex.htm
thewellshampstead .co.uk/kpindex.htm

Screenshot: https://gs1.wac.edgecastcdn.net/801...216066fd1/tumblr_inline_mkdkuhagxw1qz4rgp.png

Fake ADP Spam / ipiniadto .ru
- http://blog.dynamoo.com/2013/03/adp-spam-ipiniadtoru.html
28 Mar 2013 - "This fake ADP spam leads to malware on ipiniadto .ru:
Date: Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From: Bebo Service [service @noreply.bebo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 120327398
Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp .com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 975316004
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious landing page and recommended blocklist are the same as for this parallel attack* also running today."
* http://blog.dynamoo.com/2013/03/facebook-spam-ipiniadtoru.html

:fear::mad:
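Several of the attachments in this post (Changelog_Urgent_N992.doc.exe, LABEL-ID-NY26032013-GFK73.EXE, Label_8827712794.exe) are the EXE-in-ZIP pattern that the changelog write-up above recommends blocking outright. As an added example (not code from the original post or from dynamoo.com), here is the check a mail-filter hook could run on a ZIP attachment: it flags members by executable extension (including double extensions such as .doc.exe), flags password-protected members as uninspectable rather than clean, and reads the first two bytes of everything else so a PE file renamed to .pdf is caught too. The archives it inspects are built in memory from a harmless MZ stub; they are constructed samples, not the real attachments.

```python
"""Flag EXE-in-ZIP mail attachments.

Added example, not from the original post. The sample archives below are
constructed in memory around a harmless "MZ" stub, not real malware.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions a Windows client will execute on double-click. Only the final
# extension is checked, so Changelog_Urgent_N992.doc.exe is caught by ".exe".
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar", "msi"}
PE_MAGIC = b"MZ"  # first two bytes of every PE executable


def suspicious_name(name: str) -> bool:
    """True when the member's final extension is executable (directories inside the zip are ignored)."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return len(parts) > 1 and parts[-1] in EXEC_EXTENSIONS


def inspect_zip(data: bytes, max_members: int = 1000) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member a mail filter should reject on.

    Only two bytes of each member are decompressed and at most max_members
    entries are examined, so a decompression bomb costs little here.
    """
    findings: List[Tuple[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    with zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            if suspicious_name(info.filename):
                findings.append((info.filename, "executable extension"))
                continue
            if info.flag_bits & 0x1:
                # Password-protected member: the name is all we can judge, so
                # treat it as unscannable rather than clean (compare the
                # "Key Secured Message" spam above, which mails the password).
                findings.append((info.filename, "encrypted member, content not inspectable"))
                continue
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    findings.append((info.filename, "PE header behind a non-executable name"))
    return findings


def build_sample(name: str, payload: bytes) -> bytes:
    """Constructed sample archive for demonstration (NOT a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# A harmless stand-in for a PE file: the MZ header followed by filler.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
INVOICE_ZIP = build_sample("INVOICE_28781731.exe", FAKE_PE)             # EXE-in-ZIP
CHANGELOG_ZIP = build_sample("Changelog_Urgent_N992.doc.exe", FAKE_PE)  # double extension
RENAMED_ZIP = build_sample("scan.pdf", FAKE_PE)                         # PE with a PDF name
CLEAN_ZIP = build_sample("report.txt", b"quarterly figures\n")

if __name__ == "__main__":
    for label, blob in [("invoice", INVOICE_ZIP), ("changelog", CHANGELOG_ZIP),
                        ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)]:
        print(label, inspect_zip(blob))
```

The header check matters more than the extension list: a filter that only looks at names is defeated the moment the spammer ships scan.pdf with a PE inside and an email telling the victim to "open with Windows", while the extension list still catches the common case cheaply before any decompression happens.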
Fake 'Overdue Payment' Spam

FYI...

Fake 'Overdue Payment' Spam
- http://threattrack.tumblr.com/post/46594865279/overdue-payment-spam
March 29, 2013 - "Subjects seen:
Please respond - overdue payment
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 02/04/2013 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Caroline Givens


Malicious URLs:
24.cellutytelosangeles .com/ponyb/gate.php
24.cellutytela .com/ponyb/gate.php
topcancernews .com:8080/ponyb/gate.php
spireportal .net/L3ork1v.exe
ftp(DOT)riddlepress .com/bahpZsn6.exe
easy .com.gr/QpEQ.exe
"
Screenshot: https://gs1.wac.edgecastcdn.net/801...c3c55f157/tumblr_inline_mkfg5xe7bS1qz4rgp.png

Fake Overdue payment SPAM / INVOICE_28781731.zip
- http://blog.dynamoo.com/2013/03/please-respond-overdue-payment-spam.html
29 Mar 2013 - "This spam comes with a malware-laden attachment called INVOICE_28781731.zip:
Date: Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From: Victor_Lindsey @key .com
Subject: Please respond - overdue payment
Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Victor Lindsey
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY...


Unzipping the attachment gives a malware file called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal* detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports** a callback to topcancernews .com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack***. Looking for that IP in your logs might show if any of your clients."
* https://www.virustotal.com/en/file/...d5585dae536ef091ee4c1a16/analysis/1364586082/
File name: INVOICE_28781731.exe
Detection ratio: 16/46
Analysis date: 2013-03-29
** http://camas.comodo.com/cgi-bin/sub...4f02887537d9a1a3e2b0fd5585dae536ef091ee4c1a16
*** http://blog.dynamoo.com/2013/03/ups-spam-label8827712794zip.html
___

Fake FlashPlayer/browser hijack in-the-wild
- http://blogs.technet.com/b/mmpc/arc...en-my-startpage-was-gone.aspx?Redirected=true
26 Mar 2013 - "... The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
> https://www.microsoft.com/security/portal/blog-images/preflayer.jpg
... most users won’t realize that the program is going to change their browser’s start page. When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe... It then changes the user’s browser start page. It changes the start page for the following browsers:
FireFox, Chrome, Internet Explorer, Yandex
... to one of the following pages:
hxxp ://www.anasayfada .net
hxxp ://www.heydex .com
These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing... Domain info...
hxxp ://www.anasayfada .net - 109.235.251.146
hxxps ://flash-player-download .com/ - 31.3.228.202
hxxp ://www.yonlen .net/ - 37.220.28.122
hxxp ://www.heydex .com - 188.132.235.218 [ now > 109.200.27.170 ]
It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA... misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week. Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying 'no' to content you don't trust."

Fake Facebook Security Check Page

FYI...

Fake Facebook Security Check Page
- http://blog.trendmicro.com/trendlab...ishes-with-fake-facebook-security-check-page/
Mar 31, 2013 - "Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception. We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to -redirect- users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”. It does this by redirecting all traffic to facebook .com and www .facebook .com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site. Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ at face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration... we also discovered that the malware performs DNS queries to several domain names. What this means is that the people behind this are prepared for server malfunction and have a backup to continue stealing information. To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification..."

Screenshot: https://www.net-security.org/images/articles/fake-fb-sec-check.jpg
___

Fake Last Month Remit Spam
- http://threattrack.tumblr.com/post/46851040279/last-month-remit-spam
Apr 1, 2013 - "Subjects seen:
FW: Last Month Remit
Typical e-mail details:
File Validity: 04/05/2013
Company : [removed]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls


Malicious URLs:
3ecompany .com:8080/ponyb/gate.php
24.chiaplasticsurgery .com/ponyb/gate.php
24.chicagobodysculpt .com/ponyb/gate.php
brightpacket .com/coS0GiKE.exe
extremeengineering .co.in/Vh3a9601.exe
CornwallCommuter .com/TLJrtcxA.exe

Screenshot: https://gs1.wac.edgecastcdn.net/801...dfc3902af/tumblr_inline_mkl0qsyvth1qz4rgp.png

Fake Changelog, Sendspace... emails lead to malware

FYI...

Fake Changelog emails lead to malware
- http://blog.webroot.com/2013/04/02/...og-as-promised-themed-emails-lead-to-malware/
April 2, 2013 - "... recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...ftware_social_engineering_changelog.png?w=869
Detection rate for the malicious attachment:
MD5: e01ea945b8d055c5c115ab58749ac502 * ... Worm:Win32/Cridex.E.
Upon execution, the sample creates the following processes on the affected hosts:
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B ...
It then phones back to hxxp://85.214.143.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://91.121.90.92 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same C&C (85.214.143.90) used in a previously profiled malicious campaign..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...8b50a91059e26149e977eee6/analysis/1364475932/
File name: LLSMGR.EXE
Detection ratio: 35/46
Analysis date: 2013-04-01

- https://www.google.com/safebrowsing/diagnostic?site=AS:6724 - 85.214.143.90

- https://www.google.com/safebrowsing/diagnostic?site=AS:16276 - 91.121.90.92
___

Fake Sendspace SPAM / imbrigilia .ru
- http://blog.dynamoo.com/2013/04/sendspace-spam-imbrigiliaru.html
2 Apr 2013 - "This fake Sendspace spam leads to malware on imbrigilia .ru:
Date: Tue, 2 Apr 2013 03:57:26 +0000
From: "JOSIE HARMON" [HARMON_JOSIE @hotmail .com]
Subject: You have been sent a file (Filename: [redacted]-7191.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service...


The malicious payload is at [donotclick]imbrigilia .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack**:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
..."
* http://urlquery.net/report.php?id=1757102
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.103.45.34
** http://blog.dynamoo.com/2013/04/end-of-aug-statement-required-spam.html

Also: http://threattrack.tumblr.com/post/46942210602/sendspace-spam
2 Apr 2013
Screenshot: https://gs1.wac.edgecastcdn.net/801...e739932b3/tumblr_inline_mkmxxsEWUN1qz4rgp.png
___

Fake "End of Aug. Statement Required" SPAM / ivanovoposel .ru
- http://blog.dynamoo.com/2013/04/end-of-aug-statement-required-spam.html
2 April 2013 - "This spam leads to malware on ivanovoposel .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured
Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
SHONTA SCHMITT


Alternate names:
NORIKO Richmond
Raiden MORRISON
Attachments:
Invoice_U13726798 .htm
Invoice_U453718 .htm
Invoice_U913687 .htm
The attachment leads to malware on [donotclick]ivanovoposel .ru:8080/forum/links/column.php (report here*) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
..."
* http://urlquery.net/report.php?id=1751267
... Detected live BlackHole v2.0 exploit kit 94.103.45.34

Something evil on 151.248.123.170

FYI...

Something evil on 151.248.123.170
- http://blog.dynamoo.com/2013/04/something-evil-on-151248123170.html
3 April 2013 - "151.248.123.170 (Reg .ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain .com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame .com/xlawr/next/requirements_anonymous_ordinary.php (report here*) which from the URL looks very much like a BlackHole Exploit kit. This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach..."
(Long list of recommended blocks at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1778882
___

Fake eFax SPAM / ivanikako .ru
- http://blog.dynamoo.com/2013/04/efax-spam-ivanikakoru.html
3 April 2013 - "This fake eFax spam leads to malware on ivanikako .ru:
From: Global Express UPS [mailto:admin @ups .com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate
Fax Message [Caller-ID: 189609656]
You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.
* The reference number for this fax is [eFAX-698329221].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.


The malicious payload is at [donotclick]ivanikako .ru:8080/forum/links/column.php (report here*) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/report.php?id=1786247
... Detected suspicious URL pattern... Blackholev2 redirection 94.103.45.34

Screenshot: https://gs1.wac.edgecastcdn.net/801...ac721e580/tumblr_inline_mkoo4xbN8o1qz4rgp.png
___

APT malware monitors mouse clicks to evade detection
- https://www.computerworld.com/s/art...use_clicks_to_evade_detection_researchers_say
April 2, 2013 - "... Called Trojan.APT.BaneChant, the malware is distributed via a Word document rigged with an exploit sent during targeted email attacks. The name of the document translates to "Islamic Jihad.doc." "We suspect that this weaponized document was used to target the governments of Middle East and Central Asia," FireEye researcher Chong Rong Hwa said Monday in a blog post*. The attack works in multiple stages. The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there's any mouse activity before initiating the second attack stage. Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click... The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network... The backdoor program gathers and uploads system information back to a command-and-control server. It also supports several commands including one to download and execute additional files on the infected computers..."
* http://www.fireeye.com/blog/technic...-that-observes-for-multiple-mouse-clicks.html
April 1, 2013
___

Fake Wire Transfer e-mails
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=28112
2013 April 03 - "... significant activity related to spam e-mail messages that claim to contain a wire transfer notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the final confirmation notice. However, the .zip attachment contains a malicious .scr file that, when executed, attempts to infect the system with malicious code. E-mail messages that are related to this threat (RuleID5193 and RuleID5193KVR) may contain the following files:
out going wire. pdf.zip
npxo.scr
Sales Contract Order.zip
DEDE.scr

The npxo.scr file in the out going wire. pdf.zip attachment has a file size of 509,199 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2A41A06A00F4CF58485AF938F01B128D
The DEDE.scr file in the Sales Contract Order.zip attachment has a file size of 221,696 bytes. The MD5 checksum is the following string: 0x79274D0CFAC51906FAF8334952AF2734
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Re: Out going wire transfer (High Priority)
Message Body:
We have just received instruction to process a wire transfer of $6,780 from your account. Please download/view the attachment for final confirmation and respond as quickly as possible.
Bank Wire Transfer Department.

-Or-
Subject: New Order
Message Body:
Dear Sir,We are currently running out of stock and would need urgent attentionEnclosed please find a new Order. Please send the delivery as quickly
as possible.Meanwhile, please send us the Invoice for endorsement.Best regards Krystyna
..."
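A defender-side sweep of proxy logs for the indicators in the Dynamoo items in this post: the blocklisted hosting IPs, the BlackHole column.php landing path and the Dynamic DNS zones that Dynamoo recommends blocking as a whole. This is an added example, not code from the blog posts; the log format and the sample lines are constructed.

```python
"""Match proxy log lines against the indicators quoted above."""
import re
from urllib.parse import urlsplit

# Indicators taken from the Dynamoo excerpts in this post.
BLOCKLIST_IPS = {"80.246.62.143", "94.103.45.34", "93.187.200.250",
                 "208.94.108.238", "151.248.123.170"}
BAD_PATHS = {"/forum/links/column.php"}          # BlackHole landing page
DYNDNS_ZONES = ("servegame.com", "4mydomain.com")  # block the whole zone

# Constructed log format: "<client_ip> <destination_ip> <url>".
# Real proxy logs (Squid, Bluecoat, ...) need their own regex here.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def classify(url, dest_ip):
    """Return the list of indicator names a request matches (empty if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if dest_ip in BLOCKLIST_IPS:
        reasons.append("blocklisted-ip")
    if parts.path in BAD_PATHS:
        reasons.append("blackhole-landing-path")
    if any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES):
        reasons.append("dynamic-dns-zone")
    return reasons


def scan(lines):
    """Return (client, url, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or blank line
        client, dest_ip, url = m.groups()
        reasons = classify(url, dest_ip)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample log: one BlackHole hit, one clean request, one DynDNS hit.
SAMPLE_LOG = """\
10.0.0.5 94.103.45.34 http://ivanikako.ru:8080/forum/links/column.php
10.0.0.7 93.184.216.34 http://www.example.com/index.html
10.0.0.9 151.248.123.170 http://db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php
"""

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(client, url, ",".join(reasons))
```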
