SPAM frauds, fakes, and other MALWARE deliveries...

[AplusWebMaster]

Fake FFIEC SPAM ...

FYI...

Fake FFIEC SPAM / live-satellite-view .net
- http://blog.dynamoo.com/2013/02/ffiec-spam-live-satellite-viewnet.html
7 Feb 2013 - "This spam attempts to load malware from live-satellite-view .net, but fails because at the moment the domain isn't registered. However, you can expect them to try again.. so watch out for emails like this.
From: FFIEC [mailto:complaints @ffiec .gov]
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715
This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
Occasion Number: 77715
Observed by
Federal Financial Institution Examination Council
Emily Gray

The attempted download is from [donotclick]live-satellite-view .net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page .net and ns2.http-page .net, and up investigate it turns out that all the following IPs and domains are related and should be treated as malicious:
7.129.51.158
31.170.106.17
74.4.6.128
98.144.191.50
175.121.229.209
198.144.191.50
208.117.43.145
222.238.109.66
able-stock .net
capeinn .net
duriginal .net
euronotedetector .net
gonita .net
gutprofzumbns .com
http-page .net
live-satellite-view .net
morepowetradersta .com
ocean-movie .net
starsoftgroup .net
vespaboise .net "
___

Ransomware Spam Pages on Github, Sourceforge, Others
- http://www.gfi.com/blog/ransomware-spam-pages-on-github-sourceforge-others/
Feb 7, 2013 - "There’s currently a large and determined effort to infect computers with Ransomware, courtesy of the Stamp EK exploit kit... The bait for most of these redirects to Ransomware appears to be a slice of US news reporters in various “fake” (ie nonexistent) nude pictures, along with a smattering of film actresses / singers – in other words, the usual shenanigans. Curiously, we’ve observed a lot of wrestlers / people involved in the wrestling industry listed on many of the spam pages too... There are pages and pages of ripped content sitting on various websites such as one located on a .ua domain... So far we have observed Weelsof and Reveton Ransomware being dropped. The below piece of Ransomware is demanding $300 to “Unlock your computer and avoid other legal consequences”. As with other similar forms of Ransomware, it accuses the user of accessing illegal pornography and makes no bones about the fact that they should be paying up “or else”... Unfortunately much of the same content can currently be found on both Github and Sourceforge, typically in the form of a Youtube page or a collection of sex pictures lifted from a real porn site. We’ve also seen air rifle stores, a rip of a Windows for Dummies site, Twitter pages and a whole lot more besides. A lot of these pages seem to be in the process of being taken down, but there’s still enough floating around out there to be a problem..."
(Screenshots available at the gfi URL above.)
___

Telepests... Robocalls ...
- http://blog.dynamoo.com/2013/02/20-3-2983245-telepest.html
7 Feb 2013 - "For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident. There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f**k off and leave me alone. Good. I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead."

- https://www.bbb.org/blog/2013/01/consumers-phones-being-flooded-with-annoying-robocalls/

> http://www.ftc.gov/bcp/edu/microsites/robocalls/
___

Whitehole Exploit Kit in-the-wild...
- http://blog.trendmicro.com/trendlabs-security-intelligence/whitehole-exploit-kit-emerges/
Feb 6, 2013 - "... there is news of an emerging exploit kit dubbed Whitehole Exploit Kit. The name Whitehole Exploit Kit is just a randomly selected name to differentiate it from BHEK. While it uses similar code as Blackhole Exploit kit, BHEK in particular uses JavaScript to hide its usage of plugindetect.js, while Whitehole does not. It directly uses it without obfuscating this. We analysed the related samples, including the exploit malware cited in certain reports. The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system:
• CVE-2012-5076
• CVE-2011-3544
• CVE-2012-4681
• CVE-2012-1723
• CVE-2013-0422
Worth noting is CVE-2013-0422, which was involved in the zero-day incident that distributed REVETON variants and was used in toolkits like the Blackhole Exploit Kit and Cool exploit kit. Because of its serious security implication, Oracle immediately addressed this issue and released a software update, which was received with skepticism. The downloaded files are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW respectively. ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems. On the other hand, ransomware typically locks systems until users pay a sum of money via specific payment modes... Whitehole Exploit Kit is purportedly under development and runs in “test-release” mode. However, the people behind this kit are already peddling the kit and even command a fee ranging from USD 200 to USD 1800. Other notable features of this new toolkit include its ability to evade antimalware detections, to prevent Google Safe Browsing from blocking it, and to load a maximum of 20 files at once. Given Whitehole’s current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments..."
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Wire Transfer Notification E-mail Messages - February 07, 2013
Fake Real Estate Offer E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Fake Debt Collection E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Malicious Attachment E-mail Messages - February 07, 2013
Fake Product Order Quotation Attachment E-mail Messages - February 07, 2013
(More detail and links available at the cisco URL above.)

 

[AplusWebMaster]

Something evil on 5.135.67.160/28 ...

FYI...

radarsky .biz and something evil on 5.135.67.160/28
- http://blog.dynamoo.com/2013/02/radarskybiz-and-something-evil-on.html
8 Feb 2013 - "There is currently an injection attack -redirecting- visitors to a domain radarsky .biz (for example) hosted on 5.135.67.173 (OVH*) and suballocated to:
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
org: ORG-OH6-RIPE
admin-c: OTC15-RIPE
tech-c: OTC15-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress."

* https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 7580 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-08, and the last time suspicious content was found was on 2013-02-08... we found 518 site(s) on this network... that appeared to function as intermediaries for the infection of 3631 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1465 site(s)... that infected 7340 other site(s)..."
___

Fake ACH Batch Download Notification emails
- http://security.intuit.com/alert.php?a=71
2/8/13 - "People are receiving fake emails with the title "ACH Batch Download Notification". Below is a copy of the email people are receiving, including the mistakes shown.
Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Fri, 8 Feb 2013 21:38:16 +0600 Batch ID: 7718720 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.

This is the end of the fake email..."
___

Fake BBB SPAM / madcambodia .net
- http://blog.dynamoo.com/2013/02/bbb-spam-madcambodianet.html
8 Feb 2013 - "This fake BBB spam leads to malware on madcambodia .net:
Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB details about your cliente's pretense ID 43C796S77
Better Business Bureau ©
Start With Trust ©
Thu, 7 Feb 2013
RE: Issue No. 43C796S77
[redacted]
The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
We awaits to your prompt response.
Best regards
Luis Davis
Dispute Advisor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is at [donotclick]madcambodia .net/detects/review_complain.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US) ..."
___

Fake ADP SPAM / 048575623_02082013 .zip
- http://blog.dynamoo.com/2013/02/adp-spam-04857562302082013zip.html
8 Feb 2013 - "This fake ADP spam comes with a malicious attachment:
Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From: "ops_invoice @adp .com" [ops_invoice @adp .com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.

In this case there was a ZIP file called 048575623_02082013 .zip (this may vary) with an attachment 048575623_02082013 .exe designed to look like a PDF file. VirusTotal* identifies it as a Zbot variant. According to ThreatExpert**, the malware attempts to connect to the following hosts:
eyon-neos .eu
quest.social-neos .eu
social-neos .eu
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
* https://www.virustotal.com/file/d96...6c62238c02268c2566aea288/analysis/1360370000/
File name: 048575623_02082013.exe
Detection ratio: 17/45
Analysis date: 2013-02-09

** http://www.threatexpert.com/report.aspx?md5=22fe0ab14da8c14d1e0342013e5d0ad0

:fear:

 

[AplusWebMaster]

Fake Support Center / ADP SPAM

FYI...

Fake "Support Center" SPAM / phticker .com
- http://blog.dynamoo.com/2013/02/support-center-spam-phtickercom.html
11 Feb 2013 - "Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker .com:
Date: Mon, 11 Feb 2013 06:13:52 -0700
From: "Brinda Wimberly" [noreply @mdsconsulting .be]
Subject: Support Center
Welcome to Help Support Center
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
See All tickets
Go To Profile
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with other fake pharma sites..."
___

Something evil on 46.163.79.209
- http://blog.dynamoo.com/2013/02/something-evil-on-4616379209.html
11 Feb 2013 - "The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.
social-neos .eu
cloud.social-neos .eu
quest.social-neos .eu
archiv.social-neos .eu
eyon-neos .eu
international.eyon-neos .eu
ns.eyon-neos .eu
euroherz.eyon-neos .eu
The domains look like they might be legitimate ones that have been hijacked, nonetheless blocking them would be an excellent move."
___

Fake Citi Group SPAM
- http://www.hotforsecurity.com/blog/spammed-malware-campaign-targets-citi-group-customers-5322.html
Feb 11, 2013 - "... it’s time Citi clients keep an eye open for e-mails that read “You have received a secure message” inviting them to read the message by opening the attachments securedoc .html...
> http://www.hotforsecurity.com/wp-co...are-Campaign-Targets-Citi-Group-Customers.png
The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits. Untrained eyes could fall for this trick, since these e-mails are written in good English, with decent grammar and harmless-looking attachments. Of the countless ways of infecting a computer, spam delivering malware continues to pay off despite restless efforts of media and the security community. Infecting PCs via spam proves an efficient dissemination method, since users are still caught off-guard by malicious links or attachments such as this message addressed to Citi Group clients..."
___

Fake British Airways SPAM / epianokif .ru
- http://blog.dynamoo.com/2013/02/british-airways-spam-epianokifru.html
11 Feb 2013 - "This fake British Airways spam leads to malware on epianokif .ru:
Date: Mon, 11 Feb 2013 11:30:39 +0330
From: JamesTieszen @[victimdomain .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-N234922XM .htm
e-ticket receipt
Booking reference: DZ87548418
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The malicious payload is at [donotclick]epianokif .ru:8080/forum/links/column.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___

Fake NACHA SPAM / albaperu .net
- http://blog.dynamoo.com/2013/02/nacha-spam-albaperunet.html
11 Feb 2013 - "This fake NACHA spam leads to malware on albaperu .net:
Date: Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From: ACH Network [reproachedwp41 @direct.nacha .org]
Subject: ACH Transfer canceled
Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.
Transaction ID: 838907191379
Reason of Cancellation See detailed information in the despatch below
Transaction Detailed Report RP838907191379.doc (Microsoft Word Document)
13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600
2013 NACHA - The Electronic Payments Association

The malicious payload is at [donotclick]albaperu .net/detects/case_offices.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)..."
___

Something evil on 46.165.206.16
- http://blog.dynamoo.com/2013/02/something-evil-on-4616520616.html
11 Feb 2013 - "This is a little group of fake analytics sites containing malware (for example*), hosted on 46.165.206.16 (Leaseweb, Germany**). Sites listed in -red- have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.
adstat150 .com
cexstat20 .com
katestat77 .us
kmstat505 .us
kmstat515 .us
kmstat530 .com
lmstat450 .com
mptraf11 .info
mptraf2 .info
mxstat205 .us
mxstat570 .com
mxstat740 .com
mxstat760 .com
rxtraf25 .ru
rxtraf26 .ru
skeltds .us
vmstat100 .com
vmstat120 .com
vmstat140 .com
vmstat210 .com
vmstat230 .com
vmstat320 .com ..."
* http://urlquery.net/report.php?id=738388

Diagnostic page for AS16265 (LEASEWEB)
** https://www.google.com/safebrowsing/diagnostic?site=AS:16265
"... over the past 90 days, 3350 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-12, and the last time suspicious content was found was on 2013-02-12... we found 1006 site(s) on this network... that appeared to function as intermediaries for the infection of 3958 other site(s)... We found 1567 site(s)... that infected 6879 other site(s)..."

:fear:

 

[AplusWebMaster]

Fake IRS / Changelog SPAM

FYI...

Fake IRS SPAM / micropowerboating .net
- http://blog.dynamoo.com/2013/02/changelog-spam-emaianemru.html
12 Feb 2013 - "This fake IRS spam leads to malware on micropowerboating .net:
Date: Tue, 12 Feb 2013 22:06:55 +0800
From: Internal Revenue Service [damonfq43 @taxes.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.
Please enter official website for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:00:35 +0100
From: Internal Revenue Service [zirconiumiag0 @irs .gov]
Subject: Income Tax Refund NOT ACCEPTED
Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.
Please browse official site for more information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From: Internal Revenue Service [idealizesmtz @informer.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.
Please enter official site for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.

The malicious payload is on [donotclick]micropowerboating .net/detects/pending_details.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following IPs and domains should be blocked:
175.121.229.209
198.144.191.50
micropowerboating .net
morepowetradersta .com
asistyapipressta .com
uminteraktifcozumler .com
rebelldagsanet .com
madcambodia .net
acctnmrxm .net
capeinn .net
albaperu .net
live-satellite-view .net ..."
___

Fake Changelog SPAM / emaianem .ru
- http://blog.dynamoo.com/2013/02/changelog-spam-emaianemru.html
12 Feb 2013 - "This changelog spam leads to malware on emaianem .ru:
Date: Tue, 12 Feb 2013 09:11:11 +0200
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changlog 10.2011
Good day,
changelog update - View
L. KIRKLAND
===
Date: Tue, 12 Feb 2013 05:14:54 -0600
From: LinkedIn [welcome @linkedin .com]
Subject: Fwd: Re: Changelog as promised(updated)
Good morning,
as prmised updated changelog - View
L. AGUILAR

The malicious payload is at [donotclick]emaianem .ru:8080/forum/links/column.php and is hosted on the same servers as found here*."
* http://blog.dynamoo.com/2013/02/efax-spam-estipaindoru.html
46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)
___

Something evil on 192.81.129.219
- http://blog.dynamoo.com/2013/02/something-evil-on-19281129219.html
12 Feb 2013 - "It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example*). The IP is controlled by Linode in the US who have been a bit quiet recently... active domains that I can identify on this IP..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/report.php?id=986474

:fear :

 

[AplusWebMaster]

Fake NACHA SPAM ...

FYI...

Fake NACHA SPAM / thedigidares .net
- http://blog.dynamoo.com/2013/02/nacha-spam-thedigidaresnet.html
13 Feb 2013 - "This fake NACHA spam leads to malware on thedigidares .net:
Date: Wed, 13 Feb 2013 12:10:27 +0000
From: " NACHA" [limbon@direct .nacha .org]
Subject: Aborted transfer
Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.
Transaction ID: 648919687408
Cancellation Reason Review additional info in the statement below
Transaction Detailed Report Report_648919687408.xls (Microsoft/Open Office Word Document)
13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200
2013 NACHA - The Electronic Payments Association

The malicious payload is at [donotclick]thedigidares .net/detects/irritating-crashed-registers.php (report here*) hosted on:
134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)
The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu .net
capeinn .net
thedigidares .net
madcambodia .net
micropowerboating .net
dressaytam .net
acctnmrxm .net
albaperu .net
live-satellite-view .net
dressaytam .net "
* http://urlquery.net/report.php?id=993904
BlackHole v2.0 exploit kit

- http://blog.dynamoo.com/2013/02/nacha-spam-eminakotprru.html
13 Feb 2013 - "More fake NACHA spam, this time leading to malware on eminakotpr .ru:
Date: Wed, 13 Feb 2013 05:24:26 +0530
From: "ACH Network" [risk-management@nacha.org]
Subject: Re: Fwd: ACH Transfer rejected
The ACH transaction, initiated from your checking acc., was canceled.
Canceled transfer:
Transfer ID: FE-65426265630US
Transaction Report: View
August BLUE
NACHA - The National Automated Clearing House Association

The malicious payload is at [donotclick]eminakotpr .ru:8080/forum/links/column.php hosted on:
46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)..."
___

Malware sites to block 13/2/13
- http://blog.dynamoo.com/2013/02/malware-sites-to-block-13213.html
13 Feb 2013 - "These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly what it going on, but here is one example from [donotclick]merwiqca .ru/nothing.exe: URLquery, VirusTotal*, Comodo CAMAS, ThreatExpert**.
I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.."
(Long list [mostly *.ru] at the dynamoo URL above.)
* https://www.virustotal.com/file/a60...d9d474072f6d83e20d1786dd/analysis/1360769367/
File name: khgkg01.exe
Detection ratio: 8/43
Analysis date: 2013-02-13
Behavioural information
TCP connections...
85.121.3.1:80
76.169.151.26:80
195.228.43.24:80
46.162.243.26:80
** http://www.threatexpert.com/report.aspx?md5=100467dc5e2b345030988293dffbdc9a
192.5.5.241
___

- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 13, 2013
Fake Failed Package Delivery Notification E-mail Messages - February 13, 2013
Fake Message Receipt Notification E-mail Messages - February 13, 2013
Fake Western Union Money Transfer Transaction E-Mail Messages - February 13, 2013
Fake Payment Request E-mail Messages - February 13, 2013
Fake Voicemail Message Notification E-mail Messages - February 13, 2013
Fake Turkish Airline Ticket Booking Confirmation E-mail Messages - February 13, 2013
Fake Antiphishing Notification E-mail Messages - February 13, 2013
Fake Bank Transfer Confirmation Notification E-mail Messages - February 13, 2013
Fake Product Order Change Notification E-mail Messages - February 13, 2013
Fake Italian Policy Change Notification E-mail Messages - February 13, 2013
Fake United Parcel Service Shipment Error E-mail Messages - February 13, 2013
(Links and more info available at the cisco URL above.)
___

Fake Bank "Secure Email Notification" SPAM
- http://blog.dynamoo.com/2013/02/first-foundation-bank-secure-email.html
13 Feb 2013 - "It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:
Date: Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From: FF-inc Secure Notification [secure.notification @ff-inc .com]
Subject: First Foundation Bank Secure Email Notification - 94JIMEEQ
You have received a secure message
Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile @res.ff-inc .com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.
2000-2013 First Foundation Inc. All rights reserved.

Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file. VirusTotal detection rates* are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile @res.ff-inc .com just generates a failure message. Avoid."
* https://www.virustotal.com/file/71b...b0b202731dde9a67389faa35/analysis/1360795797/
File name: secure_mail_{_Case_DIG}.exe
Detection ratio: 15/45
Analysis date: 2013-02-13

 

[AplusWebMaster]

Something evil on 92.63.105.23

FYI...

Something evil on 92.63.105.23
- http://blog.dynamoo.com/2013/02/something-evil-on-926310523.html
14 Feb 2013 - "Looks like a nasty infestion of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia*) - see an example of the nastiness here** (this link is safe to click!). The following domains are present on this address, although there are probably more..."
(Long list at the dynamoo URL above.)
** http://urlquery.net/report.php?id=995495
... Blackholev2 url structure detected

* https://www.google.com/safebrowsing/diagnostic?site=AS:29182
"... over the past 90 days, 606 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-14, and the last time suspicious content was found was on 2013-02-14... we found 182 site(s) on this network... that appeared to function as intermediaries for the infection of 652 other site(s)... We found 655 site(s)... that infected 4547 other site(s)..."
___

Top 10 Valentine’s Day Scams...
- http://www.hotforsecurity.com/blog/...ine-offers-and-online-heart-experts-5357.html
Feb 14, 2013 - "... advises users to stay away from fake limousine offers and online ‘heart experts’ who claim to heal troubled relationships. This type of scam spreads through spam and redirects users to phishing, fraud and malware-infected websites... The bait that tricks men these days includes fake chocolate offers, diamond-like rings, perfumes, personalized gifts, heart-shaped jewelry and replica watches... A fast spreading scam tricks victims to download Valentine’s Day wallpapers which redirect to fraudulent websites. Users are told they won an iPhone 5 and asked for personal details. In the name of Cupid, similar scams circulate on Facebook, too. Valentine’s Day games and Android apps downloaded from unofficial marketplaces such as free love calculators may install adware and malware. Britons should be especially careful with flower offers. Valentine’s Day is not only the busiest day of the year for UK florists, but also for fake ‘flower’ scammers..."
> http://www.hotforsecurity.com/wp-co...mousine-offers-and-online-heart-experts-1.jpg
___

Malicious URL hits related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/02/Malicious-URLs-2013.png

Malware detections related to “valentine” from January to Feb. 14
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/02/Malware-Valentines-2013.png
___

Fake 'Facebook blocked' emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/14/...mails-serve-client-side-exploits-and-malware/
14 Feb 2013 - "Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised campaign:
> https://webrootblog.files.wordpress...d_exploits_malware_black_hole_exploit_kit.png
... Malicious domain names reconnaissance:
gonita .net – 222.238.109.66 – Email: lockwr @rocketmail .com
able-stock .net – 222.238.109.66
capeinn .net – 222.238.109.66; 198.144.191.50 – Email: softonlines @yahoo .com
Name servers used in the campaign:
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in... malicious campaigns...
Responding to 222.238.109.66 are... malicious/fraudulent domains...
Responding to 198.144.191.50 are... malicious domains...
We’ve already seen the same pseudo-randm C&C communication characters (EGa+AAAAAA), as well as the same C&C server (173.201.177.77) in... previously profiled campaigns..."
(More detail at the webroot URL above.)
___

Fake HP ScanJet SPAM / eipuonam .ru
- http://blog.dynamoo.com/2013/02/hp-scanjet-spam-eipuonamru.html
14 Feb 2013 - "This fake printer spam leads to malware on eipuonam .ru:
Date: Thu, 14 Feb 2013 -02:00:50 -0800
From: "Xanga" [noreply@xanga.com]
Subject: Fwd: Scan from a HP ScanJet #72551
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-39329P.
SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam .ru:8080/forum/links/column.php (report here*) hosted on:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1000763
... Detected suspicious URL pattern
___

Fake "Copies of policies" SPAM / ewinhdutik .ru
- http://blog.dynamoo.com/2013/02/copies-of-policies-spam-ewinhdutikru.html
14 Feb 2013 - "This spam leads to malware on ewinhdutik .ru:
Date: Thu, 14 Feb 2013 07:16:28 -0500
From: "Korbin BERG" [ConnorAlmeida @telia .com]
Subject: RE: Korbin - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Korbin BERG,
===
Date: Thu, 14 Feb 2013 03:30:52 +0530
From: Tagged [Tagged @taggedmail .com]
Subject: RE: KESHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KESHIA LEVINE,

The malicious payload is at [donotclick]ewinhdutik .ru:8080/forum/links/column.php (report here*) hosted on the same IP addresses as this attack we saw earlier:
- http://blog.dynamoo.com/2013/02/hp-scanjet-spam-eipuonamru.html
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
* http://urlquery.net/report.php?id=1001864
... AS48716** Kazakhstan... suspicious URL pattern
** https://www.google.com/safebrowsing/diagnostic?site=AS:48716
___

Fake HP ScanJet SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/hp-scanjet-spam-20272245146.html
14 Feb 2013 - "This fake printer spam leads to malware on 202.72.245.146:
Date: Thu, 14 Feb 2013 10:10:56 +0000
From: AntonioShapard @hotmail .com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-32347P.
SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
===
Date: Thu, 14 Feb 2013 06:07:00 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-775861P.
SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/column.php which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server..."
(Long list at the dynamoo URL above.)
___

Fake Intuit SPAM / epionkalom .ru
- http://blog.dynamoo.com/2013/02/intuit-spam-epionkalomru.html
14 Feb 2013 - "This fake Intuit spam leads to malware on epionkalom .ru:
Date: Thu, 14 Feb 2013 09:05:48 -0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.
Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
amount to be seceded: 2246 USD
Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]epionkalom .ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___

Fake 'TurboTax State Return Rejected' SPAM
- http://security.intuit.com/alert.php?a=72
2/14/13 - "People are receiving fake emails with the title 'TurboTax State Return Rejected'. Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
> http://security.intuit.com/images/turbotaxstate.jpg
This is the end of the fake email..."

 

[AplusWebMaster]

Fake IRS emails lead to BlackHole Exploit Kit

FYI...

Fake IRS emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/15/...themed-emails-lead-to-black-hole-exploit-kit/
Feb 15, 2013 - "Its tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...spam_email_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
micropowerboating .net – 175.121.229.209; 198.144.191.50 – Email: dooronemars @aol .com
Name Server: NS1.POOPHANAM .NET – 31.170.106.17
Name Server: NS2.POOPHANAM .NET – 65.135.199.21
The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign’s infrastructure...
Although the initial client-side exploits serving domain used in the campaign (micropowerboating .net) was down when we attempted to reproduce its malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209), namely, madcambodia .net.
Detection rate for the dropped malware:
madcambodia .net – 175.121.229.209 – MD5: * ... Trojan-Spy.Win32.Zbot.ivkf.
Once executed, the sample also phones back to the following C&C (command and control) servers: 94.68.61.135 :14511, 99.76.3.38 :11350
We also got another MD5 phoning back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...48dd2d96d03be83b3bbcb0627715ea19a70/analysis/
File name: 2da28ae0df7a90ce89c7c43878927a9f
Detection ratio: 23/45
Analysis date: 2013-02-10 05
___

Malware sites to block 15/2/13
- http://blog.dynamoo.com/2013/02/malware-sites-to-block-15313.html
15 Feb 2013 - "A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US**) which may be a C&C server. Interested parties might want to poke at the server a bit.. As a bonus, these are the IPs* that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more..."
* http://www.dynamoo.com/files/botnet-feb-13.txt

** https://www.google.com/safebrowsing/diagnostic?site=AS:46664
___

Fake IRS SPAM / azsocseclawyer .net
- http://blog.dynamoo.com/2013/02/cum-avenue-irs-spam-azsocseclawyernet.html
15 Feb 2013 - "This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer .net:
Date: Fri, 15 Feb 2013 09:47:25 -0500
From: Internal Revenue Service [ahabfya196 @etax.irs .gov]
Subject: pecuniary penalty for delay of tax return filling
Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.
Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.
You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.
Please visit official website for more information
Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.

The malicious payload is at [donotclick]azsocseclawyer .net/detects/necessary_documenting_broadcasts-sensitive.php (report here*) hosted on:
77.241.192.47 (VPSNET, Lithunia)
175.121.229.209 (Hanaro Telecom, Korea)..."
* http://urlquery.net/report.php?id=1009373
... BlackHole v2.0 exploit kit
___

Fake Wire transfer SPAM / 202.72.245.146
- http://blog.dynamoo.com/2013/02/wire-transfer-spam-20272245146.html
15 Feb 2013 - "This fake wire transfer spam leads to malware on 202.72.245.146:
Date: Fri, 15 Feb 2013 07:24:40 -0500
From: Tasha Rosenthal via LinkedIn [member @linkedin .com]
Subject: RE: Wire transfer cancelled
Good day,
Wire Transfer was canceled by the other bank.
Canceled transaction:
FED NR: 94813904RE5666838
Transfer Report: View
The Federal Reserve Wire Network

The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.
Update: there is also a "Scan from a HP ScanJet #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146 :8080/forum/links/column.php..."

:fear::fear:

 

[AplusWebMaster]

Facebook Wall posts malware propagations ...

FYI...

Facebook Wall posts malware propagations ...
- http://blog.webroot.com/2013/02/18/malware-propagates-through-localized-facebook-wall-posts/
Feb 18, 2013 - "We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software...
Sample screenshot of the propagation in action:
> https://webrootblog.files.wordpress.com/2013/02/facebook_wall_spam_malware_links.png
Sample spamvertised URL appearing on Facebook users’ Walls:
hxxp ://0845 .com/fk7u
Sample redirection chain:
hxxp ://0845 .com/fk7u -> hxxp ://connectiveinnovations .com/mandolin.html?excavator=kmlumm -> hxxp ://91.218.38.245 /imagedl11.php
Sample detection rates for the malicious executables participating in the campaign:
hxxp ://91.218.38.245 /imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4 * ... Backdoor:Win32/Tofsee.F ...
Responding to this IP (91.218.38.245, AS197145 Infium Ltd.) are also... malicious/fraudulent domains...
More MD5s are known to have phoned back to 91.218.38.245:
MD5: 20057f1155515dd3a37afde0b459b2cf
MD5: 665419c0e458883122a790f260115ada
MD5: 1ea373c41eabd0ad3787039dd0927525
MD5: f3472ec713d3ab2e255091194e4dccaa
MD5: 4d54a2c022dad057f8e44701d52fec6b
MD5: 6807409c44a4a9c83ce67abc3d5fe982
As well as related MD5s phoning back to 185.4.227.76:
MD5: 6b1e671746373a5d95e55d17edec5623
MD5: 377c2e63ff3fd6f5fdd93ff27c8216fe
MD5: 2D4C5B95321C5A9051874CEE9C9E9CDC
MD5: 3f9df3fd39778b1a856dedebf8f39654
MD5: 82e2672c2ca1b3200d234c6c419fc83a
MD5: 796967255c8b99640d281e89e3ffe673
MD5: bc1883b07b47423bd30645e54db4775c
MD5: e6f081d2c5a3608fad9b2294f1cb6762
What’s special about the second C&C phone back IP (185.4.227.76) is that it was used in another Facebook themed malware campaign back in December, 2012, indicating that this cybercriminal/group of cybercriminals are actively impersonating Facebook Inc. for malicious and fraudulent purposes..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...e8c471a2296abe00cdb8db8e67e14075947/analysis/
File name: Dionis
Detection ratio: 31/45
Analysis date: 2013-02-15

AS197145 Infium
- https://www.google.com/safebrowsing/diagnostic?site=AS:197145

:fear:

 

[AplusWebMaster]

Fake Wire Transfer emails serve client-side exploits and malware

FYI...

Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/19/...mails-serve-client-side-exploits-and-malware/
Feb 19, 2013 - "... a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes... they all share the same malicious infrastructure. Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...wire_transfer_fake_black_hole_exploit_kit.png
Sample spamvertised compromised URLs:
hxxp://2555.ruksadindan .com/page-329.htm
hxxp://www.athenassoftware .com.br/page-329.htm
hxxp://www.sweetgarden .ca/page-329.htm
hxxp://lab.monohrom .uz/page-329.htm
hxxp://easy2winpoker .com/page-329.htm
hxxp://ideashtor .ru/page-329.htm
Sample client-side exploits serving URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php
... malicious domains also respond to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days...
(Long list available at the webroot URL above.)...
Sample malicious payload dropping URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 * ... Trojan.Win32.Yakes.cdxy.
Once executed, the sample creates... Registry Keys... And modifies them..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/...24ba3fe4020ed268094f7b63ec53439d48d/analysis/
File name: contacts.exe
Detection ratio: 33/46
Analysis date: 2013-02-18
___

Something evil on 67.208.74.71
- http://blog.dynamoo.com/2013/02/something-evil-on-672087471.html
19 Feb 2013 - "67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS servces. Some of these sites have recently moved from the server mentioned here*.
Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain...
You can find a copy of the domains, IPs, WOT ratings and Google prognosis here** [csv].
These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics...
These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious...
These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present...
These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect..."
(More detail available at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/02/something-evil-on-926310523.html

** http://www.dynamoo.com/files/67-208-74-71.csv

- https://www.google.com/safebrowsing/diagnostic?site=AS:33597
___

Fake UPS SPAM / emmmhhh .ru
- http://blog.dynamoo.com/2013/02/ups-spam-emmmhhhru.html
19 Feb 2013 - "The spammers sending this stuff out always confuse UPS with USPS, this one is not exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462
You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account
Welcome to UPS Team
Hi, [redacted].
DEAR CUSTOMER , We were not able to delivery the post package
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With best regards , UPS Customer Services.
Copyright 2011 United Parcel Service of America, Inc. Your USPS ...us

There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh .ru:8080/forum/links/column.php hosted on:
50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)
The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208..."
___

Something evil on 74.208.148.35
- http://blog.dynamoo.com/2013/02/something-evil-on-7420814835.html
19 Feb 2013 - "Spotted by the good folks at GFI Labs here*, here** and here*** are several Canadian domains on the same server, 74.208.148.35 (1&1, US):
justcateringfoodservices .com
dontgetcaught .ca
blog.ritual .ca
lumberlandnorth .com
Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns..."
* http://gfisoftware.tumblr.com/post/43492163416/adp-payroll-invoice-spam

** http://gfisoftware.tumblr.com/post/43411593074/dun-bradstreet-complaint-spam

*** http://gfisoftware.tumblr.com/post/43163682384/citibank-incoming-international-wire-transfer-spam
___

Fake pharma SPAM - Cyberbunker / 84.22.104.123
- http://blog.dynamoo.com/2013/02/cyberbunker-fake-pharma-spam-8422104123.html
19 Feb 2013 - "Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:
Date: Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From: Apple [noreply @bellona.wg.saar .de]
To: [redacted]
Subject: Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.

The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets .ru hosted on 84.22.104.123 along with... spammy sites... Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.
(More detail at the dynamoo URL above.)

* https://www.google.com/safebrowsing/diagnostic?site=AS:34109

:fear:

 

[AplusWebMaster]

Fake USPS SPAM with malware attachment...

FYI...

Fake USPS SPAM / USPS delivery failure report.zip
- http://blog.dynamoo.com/2013/02/usps-spam-usps-delivery-failure.html
20 Feb 2013 - "This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.
Date: Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From: USPS client manager Michael Brewer [reports @usps .com]
Subject: USPS delivery failure report
USPS notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.

The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.
The VirusTotal detections for this are patchy and fairly generic*. Automated analysis tools are pretty inconclusive** when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start."
* https://www.virustotal.com/en/file/...5431a33963ac5b32d8e28682/analysis/1361351470/
File name: USPS report id 943577924988734.exe
Detection ratio: 27/46
Analysis date: 2013-02-20
** http://camas.comodo.com/cgi-bin/sub...d7ad4cbe84e366c44cc465431a33963ac5b32d8e28682
___

Something evil on 62.212.130.115
- http://blog.dynamoo.com/2013/02/something-evil-on-62212130115.html
20 Feb 2013 - "Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.
Firstly, there are the evil subomains that have a format like 104648746540365e.familyholidayaccommodation .co.za - these are mostly hijacked .co.za and .cl domains. The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP)...
The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report*) and can be assumed to be malicious, and are hosted on 62.212.130.115...
The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too..."
(More detail at the dynamoo URL above.)
* http://pastebin.com/FNjkdB34
___

famagatra .ru injection attack in progress
- http://blog.dynamoo.com/2013/02/famagatraru-injection-attack-in-progress.html
20 Feb 2013 - "There seems to be an injection attack in progress, leading visitors to a hacked website to a malicious page on the server famagatra .ru.
The payload is at [donotclick]famagatra .ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here*) which is basically a nasty dose of Blackhole.
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Inernet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
The following domains are IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1050803
... Blackholev2 redirection successful
___

Fake Wire transfer SPAM / fulinaohps .ru
- http://blog.dynamoo.com/2013/02/wire-transfer-spam-fulinaohpsru.html
20 Feb 2013 - "This fake wire transfer spam leads to malware on fulinaohps .ru:
Date: Wed, 20 Feb 2013 04:28:14 +0600
From: accounting@[victimdomain]
Subject: Fwd: ACH and Wire transfers disabled.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department

The malicious payload is at [donotclick]fulinaohps .ru:8080/forum/links/column.php (report here*) hosted om the following IPs:
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
These are the same IPs as used in this attack**, you should block them if you can."
* http://urlquery.net/report.php?id=1051770
... suspicious URL pattern... obfuscated URL
** http://blog.dynamoo.com/2013/02/famagatraru-injection-attack-in-progress.html
___

Fake SendSecure Support SPAM / secure_message... .zip
- http://blog.dynamoo.com/2013/02/sendsecure-support-spam.html
20 Feb 2013 - "This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:
Date: Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From: SendSecure Support [SendSecure.Support @bankofamerica .com]
Subject: You have received a secure message from Bank Of America
You have received a secure message.
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https ://securemail.bankofamerica .com/websafe/help?topic=Envelope

The zip file secure_message_02202013_01590106757637303 .zip unzips into secure_message_02202013_01590106757637303 .exe with a VirusTotal detection**... According to ThreatExpert***, the malware installs a keylogger and also tries to phone home to:
blog.ritual .ca
dontgetcaught .ca
These sites are hosted on 74.208.148.35 which I posted about yesterday*. Blocking access to this IP might mitigate against this particular threat somewhat."
* http://blog.dynamoo.com/2013/02/something-evil-on-7420814835.html

** https://www.virustotal.com/en/file/...a7e6f3290b3d4ae0854afd7e/analysis/1361376818/
File name: secure_message_02202013_{DIGIT[17]}.exe
Detection ratio: 6/46
Analysis date: 2013-02-20

*** http://www.threatexpert.com/report.aspx?md5=d89e680d6e9fee363b27e6479a4dffd3
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Airline Ticket Credit Card Processing E-mail Messages - February 20, 2013
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 20, 2013
Fake Tax Document Notification E-mail Messages - February 20, 2013
Fake Rejected Tax Form Notification E-mail Messages - February 20, 2013
Fake Bank Deposit Notification E-mail Messages - February 20, 2013
Fake Package Delivery Failure E-mail Messages - February 20, 2013
Fake Product Order E-mail Messages - February 20, 2013
(More info and links available at the cisco URL above.)

:fear:

 

[AplusWebMaster]

Fake ADP/Verizon SPAM ...

FYI...

Fake ADP SPAM / faneroomk .ru
- http://blog.dynamoo.com/2013/02/adp-spam-faneroomkru.html
21 Feb 2013 - "This fake ADP spam tries (and fails) to lead to malware on faneroomk .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 001737199
Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 890911798
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is meant to be [donotclick]faneroomk .ru:8080/forum/links/column.php but right at the moment it is not resolving... The following IPs and domains are all related:
41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53 ..."
(More detail at the dynamoo URL above.)
___

Fake Verizon Wireless SPAM / participamoz .com
- http://blog.dynamoo.com/2013/02/verizon-wireless-spam-participamozcom.html
20 Feb 2013 - "This fake Verizon Wireless spam leads to malware on participamoz .com:
Date: Wed, 20 Feb 2013 23:24:49 +0400
From: "AccountNotify @verizonwireless .com" [cupcakenc0 @irs .gov]
Subject: Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.
> Review and Pay Your Bill
Thank you for choosing Verizon Wireless.
My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information
If you are not the intended recipient and feel you have received this email in error; or if you would like to update your customer notification preferences, please click here.

The malicious payload is at [donotclick]participamoz .com/detects/holds_edge.php hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)
The following IPs and domains are connected should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile .com
aftandilosmacerati .com
pardontemabelos .com
participamoz .com ..."
___

Fake Verizon emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/02/21/...themed-emails-lead-to-black-hole-exploit-kit/
Feb 21, 2013 - "On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails... one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
participamoz .com – 173.251.62.46; 161.200.156.200 – Email: dort.dort @live .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com
... Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f * ... UDSangerousObject.Multi.Generic.
It then attempts to phone back to the following IPs:
110.143.183.104, 24.120.165.58, 110.143.183.104, 75.80.49.248, 71.42.56.253, 94.65.0.48,
98.16.107.213, 190.198.30.168, 76.193.173.205, 71.43.217.3, 66.229.110.89, 101.162.73.132,
94.68.49.208, 64.219.121.189, 99.122.152.158, 80.252.59.142, 108.211.64.46, 69.39.74.6,
91.99.146.167, 187.131.70.221, 76.202.211.184, 168.93.99.82, 122.60.136.168, 213.105.24.171,
122.60.136.168, 84.72.243.231, 79.56.80.211 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...0d203b7bdab6d8f13ee988bd5b51b9b3dd9/analysis/
File name: info.exe
Detection ratio: 25/46
Analysis date: 2013-02-21
___

Fake "Efax Corporate" SPAM / fuigadosi .ru
- http://blog.dynamoo.com/2013/02/efax-corporate-spam-fuigadosiru.html
21 Feb 2013 - "This fake eFax spam leads to malware on fuigadosi .ru:
Date: Thu, 21 Feb 2013 -05:24:35 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Efax Corporate
Attachments: EFAX_Corporate.htm
Fax Message [Caller-ID: 705646877]
You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.
* The reference number for this fax is [eFAX-806896385].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]fuigadosi .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)..."
* http://urlquery.net/report.php?id=1060334
___

Fake Trustwave TrustKeeper emails - Phish ...
- http://blog.spiderlabs.com/2013/02/-trustwave-trustkeeper-pci-scan-notification-phishing-alert.html
21 Feb 2013 - "Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails pretending to be from Trustwave. These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them. These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network. Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems. Below is a screenshot of a fake email:
> http://npercoco.typepad.com/.a/6a0133f264aa62970b017d41337399970c-pi ..."
___

Fake inTuit emails - overdue payment
- http://security.intuit.com/alert.php?a=73
2/21/13 - "People are receiving fake emails with the title "Please respond - overdue payment." Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file:
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles

This is the end of the fake email.
Steps to Take Now: Do -not- open the attachment in the email..."
___

Fake "Xerox WorkCentre Pro" SPAM / familanar .ru
- http://blog.dynamoo.com/2013/02/scan-from-xerox-workcentre-pro-spam.html
21 Feb 2013 - "This familiar printer spam leads to malware on the familanar .ru domain:
Date: Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Re: Scan from a Xerox WorkCentre Pro #800304
A Document was sent to you using a XEROX WorkJet PRO 760820.
SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD

The malicious payload is at [donotclick]familanar .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)
Which are the same IPs found in this attack** and several others. Block 'em if you can."
* http://www.urlquery.net/report.php?id=1064138

** http://blog.dynamoo.com/2013/02/efax-corporate-spam-fuigadosiru.html
___

Fake ACH transaction SPAM / payment receipt - 884993762994.zip
- http://blog.dynamoo.com/2013/02/ach-transaction-spam.html
21 Feb 2013 - "This fake ACH transaction spam comes with a malicous attachment:
Date: Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From: Payment notification system [homebodiesga38@gmail.com]
Subject: Automatic transfer notification
ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.
This is an automatically generated email, please do not reply

Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46... Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it.."

:fear:

 

[AplusWebMaster]

Fake Invoice / D.P. Svc SPAM ...

FYI...

Fake Invoice SPAM - "End of Aug. Stat" forummersedec .ru
- http://blog.dynamoo.com/2013/02/end-of-aug-stat-spam-forummersedecru.html
22 Feb 2013 - "This fake invoice email leads to malware on forummersedec .ru:
Date: Fri, 22 Feb 2013 11:33:38 +0530
From: AlissonNistler@ [victimdomain]
Subject: Re: FW: End of Aug. Stat.
Attachments: Invoices-1207-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards

The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec .ru:8080/forum/links/column.php (report here*) hosted on
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219...
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1069702
___

Fake "Data Processing" SPAM / dekolink .net
- http://blog.dynamoo.com/2013/02/data-processing-spam-dekolinknet.html
22 Feb 2013 - "This fake "Data Processing" spam leads to malware on dekolink .net:
Date: Fri, 22 Feb 2013 08:06:43 -0500
From: "Data Processing Service" [customersupport @dataprocessingservice .com]
Subject: ACH file ID '768.579
Files Processing Service
SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:
Item count: 79
Total debits: $28,544.53
Total credits: $28,544.53
For more info click here

The malicious payload is at [donotclick]dekolink .net/detects/when-weird-contrast.php (report here*) hosted on the following servers:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine).."
* http://urlquery.net/report.php?id=1062564
... BlackHole v2.0 exploit kit
___

Fake LinkedIn SPAM / greatfallsma .com
- http://blog.dynamoo.com/2013/02/linkedin-spam-greatfallsmacom.html
22 Feb 2013 - "This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma .com:
From: LinkedIn [mailtoapersv@ informer.linkedin .com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending
See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063

> Another example:
Date: Fri, 22 Feb 2013 18:21:25 +0200
From: "LinkedIn" [noblest00@ info.linkedin .com]
Subject: Reminder about link requests pending
[redacted]
See who requested link with you on LinkedIn
Now it's easy to connect with people you email
Continue
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043

The malicious payload is at [donotclick]greatfallsma .com/detects/impossible_appearing_timing.php (report here*) hosted on:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)
These are the same two servers used in this attack, blocking them would probably be a good idea."
* http://urlquery.net/report.php?id=1071027
... Blackhole 2 Landing Page

:fear:

 

[AplusWebMaster]

Fake ACH emails serve client-side exploits and malware

FYI...

Fake ACH emails serve client-side exploits and malware
- http://blog.webroot.com/2013/02/25/...mails-serve-client-side-exploits-and-malware/
Feb 25, 2013 - "... yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...e_exploit_kit_data_processing_service_ach.png
... Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 * ... Trojan-Spy.Win32.Zbot.jfpy.
... It then attempts to connect to the following IPs:
24.120.165.58, 66.117.77.134, 64.219.121.189, 66.117.77.134, 75.47.231.138, 108.211.64.46,
91.99.146.167, 108.211.64.46, 71.43.217.3, 81.136.230.235, 101.162.73.132, 99.76.3.38,
85.29.177.249, 24.126.54.116, 108.130.34.42, 99.116.134.54, 80.252.59.142
Malicious domain name reconnaissance:
dekolink .net – 50.7.251.59; 176.120.38.238 – Email: wondermitch @hotmail .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com ..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/...8205bec547eb50080cbed6eeaee7968ca62/analysis/
File name: info.exe
Detection ratio: 27/45
Analysis date: 2013-02-25
___

Trustwave Trustkeeper Phish
- https://isc.sans.edu/diary.html?storyid=15271
Last Updated: 2013-02-25 17:41:36 UTC - ... the give away that this is a fake is the from e-mail address as well as the link leading to a different site then advertised. Click on the image for a full size example.
> https://isc.sans.edu/diaryimages/images/trustwavephish.png
[Update:] An analysis of this phish by Trustwave's own Spiderlabs can be found here:
- http://blog.spiderlabs.com/2013/02/more-on-the-trustkeeper-phish.html

- http://blog.dynamoo.com/2013/02/trustkeeper-vulnerabilities-scan.html
25 Feb 2013 - "... this "TrustKeeper Vulnerabilities Scan Information" -spam- leads to an exploit kit on saberdelvino .net...
> https://lh3.ggpht.com/-Gyic2-WNNZE/USu7TzQllfI/AAAAAAAAA9w/y_R4ahAMgrY/s1600/trustwave.png
... The malicious payload is at [donotclick]saberdelvino .net/detects/random-ship-members-daily.php (report here*) hosted on the following IPs:
118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)..."
* http://www.urlquery.net/report.php?id=1120754
... Blackhole 2

:fear:

 

[AplusWebMaster]

Fake Facebook/Intuit SPAM ...

FYI...

Fake Facebook SPAM / lazaro-sosa .com
- http://blog.dynamoo.com/2013/02/facebook-spam-lazaro-sosacom.html
26 Feb 2013 - "This fake Facebook spam leads to malware on lazaro-sosa .com:
Date: Tue, 26 Feb 2013 14:26:20 +0200
From: "Facebook" [twiddlingv29@informer.facebook.com]
Subject: Brian Parker commented your photo.
facebook
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307

The malicious payload is at [donotclick]lazaro-sosa .com/detects/queue-breaks-many_suffering.php (report here*) hosted on:
118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)
Blocking these IPs is probably prudent."
* http://www.urlquery.net/report.php?id=1135254
... Blackhole
___

Fake Intuit SPAM / forumligandaz .ru
- http://blog.dynamoo.com/2013/02/intuit-spam-forumligandazru.html
26 Feb 2013 - "This fake Intuit spam leads to malware on forumligandaz .ru:
Date: Tue, 26 Feb 2013 01:27:09 +0330
From: "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.
Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
amount to be seceded: 3373 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]forumligandaz .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)

:fear:

 

[AplusWebMaster]

Fake US Airways SPAM...

FYI...

Fake US Airways SPAM / berrybots .net
- http://blog.dynamoo.com/2013/02/us-airways-spam-berrybotsnet.html
27 Feb 2013 - "... fake US Airways spam leads to malware on berrybots .net:
Date: Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From: bursarp1 @email-usairways .com
Subject: Your US Airways trip...
> http://images.usairways.com/newEmail/gen3/templates/header_630px_yrs.gif
Confirmation code: B339AO
Date issued: Tuesday, February 26, 2013
Barcode
[redacted]
Scan at any US Airways kiosk to check in
Passenger summary
Passenger name
Frequent flyer # (Airline)
Ticket number
Special needs
Angel Morris 40614552582 (US) 22401837506661
Robert White 12938253579871
Fly details Download to Outlook
Depart: Philadelphia, PA (PHL) Chicago, IL (O'Hare) (ORD)...

(More detail at the dynamoo URL above.)

Picture version (click to enlarge):
> http://blog.dynamoo.com/2013/02/us-airways-spam-berrybotsnet.html
The malicious payload is at [donotclick]berrybots .net/detects/circulation-comparatively.php (report here*) hosted on:
118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)
Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78
greatfallsma .com
lazaro-sosa .com
yoga-thegame .net
dekolink .net
saberdelvino .net
berrybots .net ..."
* http://www.urlquery.net/report.php?id=1168427
... Blackhole Java applet with obfuscated URL
... 147.91.83.31 Blackhole 2 Landing Page
___

Fake Invoice-themed SPAM / forumusaaa .ru
- http://blog.dynamoo.com/2013/02/end-of-aug-statement-spam-forumusaaaru.html
27 Feb 2013 - "This invoice-themed spam leads to malware on forumusaaa .ru:
Date: Thu, 28 Feb 2013 06:04:08 +0530
From: "Lisa HAGEN" [WilsonVenditti @ykm .com .tr]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoice_JAN-2966.htm
Good day,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
Lisa HAGEN

The malware is hosted at [donotclick]forumusaaa .ru:8080/forum/links/column.php (report here*) hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58..."
(More listed at the dynamoo URL above.)
* http://www.urlquery.net/report.php?id=1170276
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Payment Advice Notification E-mail Messages - February 27, 2013
Fake Overdue Payment Notification E-mail Messages - February 27, 2013
Fake Bank Account Update E-mail Messages - February 27, 2013
Fake Product Order E-mail Messages - February 27, 2013
Fake Product Order Quotation Attachment E-mail - February 27, 2013
Fake Wire Transfer Notification E-mail Messages - February 27, 2013
Fake Invoice Statement Attachment E-mail Messages - February 27, 2013
Fake Bank Account Statement Notification E-mail Messages - February 27, 2013
Fake Quotation Attachment E-mail Messages - February 27, 2013
(Links and more info at the cisco URL above.)

 

[AplusWebMaster]

"Follow this link" SPAM ...

FYI...

"Follow this link" SPAM / sidesgenealogist .org
- http://blog.dynamoo.com/2013/02/follow-this-link-spam.html
28 Feb 2013 - "This rather terse spam appears to lead to an exploit kit on sidesgenealogist .org:
From: Josefina Underwood [mailto:hdFQe @heathrowexpress .com]
Sent: 27 February 2013 16:43
Subject: Follow this link
I have found it http ://www.eurosaudi .com/templates/beez/wps.php?v20120226
Sincerely yours,
Sara Walton

The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist .org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here* that indicates an exploit kit. The malware is hosted on 188.93.210.226 (Logol.ru, Russia**). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:
reinstalltwomonthold .org
nephewremovalonly .org
scriptselse .org
everflowinggopayment .net "
* http://urlquery.net/report.php?id=1180853
... Blackholev2 url structure detected... Multiple Exploit Kit Payload detection

** https://www.google.com/safebrowsing/diagnostic?site=AS:49352
___

Fake "Contract" SPAM / forumny .ru
- http://blog.dynamoo.com/2013/02/contract-of-09072011-spam-forumnyru.html
28 Feb 2013 - "This contracts-themed spam leads to malware on forumny .ru:
Date: Thu, 28 Feb 2013 11:43:15 +0400
From: "LiveJournal.com" [do-not-reply @livejournal .com]
Subject: Fw: Contract of 09.07.2011
Attachments: Contract_Scan_IM0826.htm
Dear Sirs,
In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.
Best regards,
SHERLENE DARBY, secretary

The -attachment- Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny .ru:8080/forum/links/column.php (report here*) on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1183959
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___

Fake job offer
- http://blog.dynamoo.com/2013/02/usanewworkcom-fake-job-offer.html
28 Feb 2013 - "This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:
Date: Thu, 28 Feb 2013 14:57:55 -0600
From: andrzej.wojnarowski@[victimdomain]
Subject: There is a vacancy of a Regional manager in USA:
If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.
If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:
Please email us for details: Paulette @usanewwork .com

In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):
Sarah Shepard info @usanewwork .com
360-860-3630 fax: 360-860-3321
4478 Pratt Avenue
Tukwila WA 98168
us
The domain was only registered two days ago on 28/2/13. The nameservers ns1.stageportal .net and ns2.stageportal .net are shared by several other domains offering similar fake jobs...
IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)
This job offer is best avoided unless you like prison food..."
(More detail at the dynamoo URL above.)
___

Fake BBB SPAM / forumnywrk .ru
- http://blog.dynamoo.com/2013/02/bbb-spam-forumnywrkru.html
28 Feb 2013 - "This fake BBB Spam leads to malware on forumnywrk .ru:
Date: Thu, 28 Feb 2013 07:29:10 -0500 [07:29:10 EST]
From: LinkedIn Password [password @linkedin .com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 832708632)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
VERSIE Stringer

The malicious payload is on [donotclick]forumnywrk .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
83.169.41.58
31.200.240.153 ..."
(More detail at the dynamoo URL above.)

 

[AplusWebMaster]

Casino-themed Blackhole sites

FYI...

Casino-themed Blackhole sites
- http://blog.dynamoo.com/2013/03/casino-themed-blackhole-sites.html
1 March 2013 - "Here's a a couple of URLs that look suspicious like a BlackHole Exploit kit, hosted on 130.185.105.74:
[donotclick]888casino-luckystar .net/discussing/sizes_agreed.php
[donotclick]555slotsportal .org/discussing/alternative_distance.php
[donotclick]555slotsportal .net/shrift.php
[donotclick]555slotsportal .net/discussing/alternative_distance.php
[donotclick]555slotsportal .me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez .biz/discussing/alternative_distance.php
You can find a sample report here*... there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1199381
... Detected BlackHole v2.0 exploit kit URL pattern

:fear:

 

[AplusWebMaster]

Fake Delta/eFax/dealer SPAM ...

FYI...

Fake Delta Airlines SPAM / inanimateweaknesses .net and complainpaywall .net
- http://blog.dynamoo.com/2013/03/delta-airlines-spam-inanimateweaknesses.html
4 March 2013 - "This fake Delta Airlines spam leads to malware on inanimateweaknesses .net and complainpaywall .net:
From: DELTA CONFIRMATION [mailto:cggQozvOc @sutaffu .co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary
Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta .com/itineraries.
Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Check-in
Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ------------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH
Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH
Check your flight information online at delta.com/itineraries

The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here*) or [donotclick]complainpaywall .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here**) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.
Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page."
* http://urlquery.net/report.php?id=1246850
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
** http://urlquery.net/report.php?id=1246854
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
___

Fake eFax SPAM / forumla .ru
- http://blog.dynamoo.com/2013/03/efax-spam-forumlaru.html
4 Mar 2013- "This fake eFax spam leads to malware on forumla .ru:
Date: Mon, 4 Mar 2013 08:53:20 +0300
From: LinkedIn [welcome @linkedin .com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 646370000]
You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.
* The reference number for this fax is [eFAX-336705661].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]forumla .ru:8080/forum/links/column.php (report here*) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki .ru
ny-news-forum .ru
forumilllionois .ru
forum-ny .ru
forumny .ru
forumla .ru"
* http://urlquery.net/report.php?id=1247054
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit
___

Fake dealerbid .co.uk SPAM
- http://blog.dynamoo.com/2013/03/dealerbidcouk-spam.html
4 March 2013 - "This -spam- uses an email address ONLY used to sign up for dealerbid .co.uk
From: HM Revenue & Customs [enroll @hmrc .gov.uk]
Date: 4 March 2013 13:37
Subject: HMRC Tax Refund ID: 3976244
Dear Taxpayer,
After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.
Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).
Kind regards,
Paul McWeeney
Head of Consumer Sales and Service

The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:
everybodyonline .co.uk
uk-car-discount .co.uk
The email address has been -stolen- from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run. It looks like I am not the only person to notice this same problem*.."
* http://www.reviewcentre.com/Car-Dealers/Dealerbid-www-dealerbid-co-uk-review_1884815
___

Fake Justin Bieber social media claims
- http://www.hoax-slayer.com/bieber-dies-crash-hoax.shtml
March 4, 2013 - "Outline: Message circulating via social media claims that popular young singing star Justin Bieber has died in a car accident...
> http://www.hoax-slayer.com/images/bieber-crash-hoax.jpg
... Many of these false death rumours originate from several tasteless "prank" websites that allow users to create fake news stories detailing the supposed death of various celebrities. Users can generally pick from several "news" templates, add the name of their chosen celebrity and then attempt to fool their friends by sharing the -bogus- story..."
___

Fake Facebook email/SPAM 'Violation of Terms' - Phishing Scam
- http://www.hoax-slayer.com/facebook-page-phishing-scam.shtml
March 4, 2013 - "Outline: Inbox message purporting to be from "Mark Zurckerberg" claims that the user's Facebook Page has violated the Facebook Terms of Service and may be permanently deleted unless the account is verified by clicking a link in the message... There have been a number of variations of these Facebook account phishing scams distributed in recent years. If you receive any message that claims that your Facebook account may be disabled or deleted if you do not verify account details, do not click on any links or attachments that it may contain. It is always safest to login to your Facebook account - and other online accounts - by entering the address into your browser's address bar rather than by following a link."

:fear:

 

[AplusWebMaster]

New Java exploits centered exploit kit

FYI...

New Java exploits centered exploit kit
- http://blog.webroot.com/2013/03/05/cybercriminals-release-new-java-exploits-centered-exploit-kit/
March 5, 2013 - "... its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”... More details:
Sample screenshot of the statistics page of the newly released Web malware exploitation kit:
> https://webrootblog.files.wordpress.com/2013/03/web_malware_exploitation_kit_statistics_loads.png
The majority of affected users are U.S.-based hosts, and the majority of infected operating systems are Windows NT 6.1, followed by Windows XP... according to the cybercriminals pitching the kit, they’ve also managed to infect some Mac OS X hosts... competing Web malware exploitation kits tend to exploit a much more diversified set of client-side vulnerabilities, consequently, achieving higher exploitation rates... In the wake of two recently announced Java zero day vulnerabilities, users are advised to disable Java, as well as to ensure that they’re not running any outdated versions of their third-party software and browser plugins."

- http://seclists.org/fulldisclosure/2013/Mar/38
4 Mar 2013 - "... 5 -new- security issues were discovered in Java SE 7..."
___

Fake British Airways SPAM / forum-la .ru
- http://blog.dynamoo.com/2013/03/british-airways-e-ticket-receipts-spam.html
4 March 2013 - "This fake British Airways spam leads to malware on forum-la .ru:
From: LiveJournal.com [do-not-reply @livejournal .com]
Date: 4 March 2013 12:17
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 9AZ3049885
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la .ru:8080/forum/links/column.php (report here*) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
198.104.62.49
210.71.250.131
forumla .ru
forumny .ru
forum-la .ru
foruminanki .ru
ny-news-forum .ru
forumilllionois .ru
forum-ny .ru ..."
* http://www.urlquery.net/report.php?id=1251838
... Detected suspicious URL pattern
___

iFrame injections drive traffic to Blackhole exploit kit
- http://nakedsecurity.sophos.com/2013/03/05/rogue-apache-modules-iframe-blackhole-exploit-kit/
March 5, 2013 - "... recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites. JavaScript libraries on the legitimate websites are prepended with code... SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats! If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites... have been compromised in some way over the past week.
> https://sophosnews.files.wordpress.com/2013/03/al_alexa.png?w=640
... Looking at data collected over the past 14 days (Feb 18th - March 4th 2013), I started off by looking at the host ISPs for the compromised web sites. As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.
> https://sophosnews.files.wordpress.com/2013/03/al_isps.png?w=640
Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.
> https://sophosnews.files.wordpress.com/2013/03/al_country.png?w=640
If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect* if the attacks were agnostic to the platform.
> https://sophosnews.files.wordpress.com/2013/03/al_platform.png?w=640
Most of these servers are running CentOS (then Debian then Ubuntu). This last piece of data gives us some clues as to how these attacks are happening. Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this. Digging around it appears that this is indeed the root cause. The folks over at Sucuri** managed to get hold of the rogue module that was used on one such victim server.
Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded..."
* http://news.netcraft.com/archives/2012/12/04/december-2012-web-server-survey.html

** http://blog.sucuri.net/2013/02/web-...entify-and-remove-corrupt-apache-modules.html
___

Something evil on 5.9.196.3 and 5.9.196.6
- http://blog.dynamoo.com/2013/03/something-evil-on-591963-and-591966.html
5 March 2013 - "Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama .nl/relay.php) leading to two identified malware landing pages:
[donotclick]kisielius.surfwing .me/world/explode_conscious-scandal.jar (report here*)
[donotclick]alkalichlorideasenteeseen.oyunhan .net/world/romance-apparatus_clinical_repay.php (report here**)
Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan .net
kisielius.surfwing .me
dificilmentekvelijitten.surfwing .me
kisielius.surfwing .me
befool-immatriculation.nanovit .me
locoburgemeester.toys2bsold .com
ratiocination-wselig.smithsisters .us
A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb .com
Blocking these domains completely is probably a good idea:
oyunhan .net
surfwing .me
nanovit .me
toys2bsold .com
smithsisters .us
creatinaweb .com
5.9.196.0/28 is a Hetzner IP*** ... I haven't seen anything of value in this /28, blocking it may be prudent."
* http://www.urlquery.net/report.php?id=1248746
... Zip archive data
** http://www.urlquery.net/report.php?id=1265212
... Adobe PDF Memory Corruption
*** https://www.google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 6823 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-04, and the last time suspicious content was found was on 2013-03-04..."
___

Fake HP printer SPAM / giliaonso .ru
- http://blog.dynamoo.com/2013/03/scan-from-hewlett-packard-scanjet-spam.html
5 Mar 2013 - "This fake HP printer spam leads to malware on giliaonso .ru:
Date: Tue, 5 Mar 2013 12:53:40 +0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments: HP_Scan.htm
Attached document was scanned and sent
to you using a HP A-16292P.
SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment leads to malware on [donotclick]giliaonso .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131 ..."
* http://urlquery.net/report.php?id=1266289
... Detected suspicious URL pattern... Blackhole 2 Landing Page 210.71.250.131
___

Fake Sendspace SPAM / forumkianko .ru
- http://blog.dynamoo.com/2013/03/sendspace-spam-forumkiankoru.html
5 Mar 2013 - "This fake Sendspace spam leads to malware on forumkianko .ru:
Date: Tue, 5 Mar 2013 06:52:10 +0100
From: AyanaLinney@ [redacted]
Subject: You have been sent a file (Filename: [redacted]-51153.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]forumkianko .ru:8080/forum/links/column.php (report here*) hosted on:
46.4.77.145 (Hetzner, Germany***)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
These IPs are the same as used in this attack**..."
* http://urlquery.net/report.php?id=1267580
... Detected suspicious URL pattern... Blackhole 2 Landing Page 46.4.77.145
** http://blog.dynamoo.com/2013/03/scan-from-hewlett-packard-scanjet-spam.html

*** https://www.google.com/safebrowsing/diagnostic?site=AS:24940

 

[AplusWebMaster]

Fake BT SPAM ...

FYI...

Fake BT SPAM / ginagion .ru
- http://blog.dynamoo.com/2013/03/bt-business-direct-order-spam-ginagionru.html
6 March 2013 - "This fake BT spam leads to malware on ginagion .ru:
From: Bebo Service [mailto:service=noreply.bebo .com@bebo .com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order
Notice of delivery
Hi,
We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.
Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.
***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***
We've despatched...
..using the attached shipment details...
Courier Ref Carriage method
Royal Mail FM320725534 1-3 Days
Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.
For information on how track your delivery, please follow to attached file.
Important information for Yodel deliveries:
If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.

The malicious payload is at [donotclick]ginagion .ru:8080/forum/links/column.php ... hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
gosbfosod .ru
giliaonso .ru
forum-ny .ru
ginagion .ru ..."
___

Pizza SPAM / gimalayad .ru
- http://blog.dynamoo.com/2013/03/pizza-spam-gimalayadru.html
6 Mar 2013 - "... This spam actually leads to malware on gimalayad .ru:
Date: Wed, 6 Mar 2013 12:22:04 +0330
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Order confirmation
You??™ve just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2...
If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don??™t do that shortly, the order will be confirmed and delivered to you...
Total Charge: 232.33$
========
Date: Wed, 6 Mar 2013 09:16:56 +0100
From: "Xanga" [noreply @xanga .com]
Subject: Re: Fwd: Order confirmation
You??™ve just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni...
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives...
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge: 242.67$
If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don??™t do that shortly, the order will be confirmed and delivered to you.
With Respect
PIERO`s Pizzeria

The malicious payload is at [donotclick]gimalayad .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4 ..."
* http://www.urlquery.net/report.php?id=1289205
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___

Fake inTuit email
- http://security.intuit.com/alert.php?a=76
3/06/13 - "People are receiving fake emails with the title 'Please respond - overdue payment.' These mails are coming from auto-invoice @quickbooks .com, which is -not- a legitimate email address. Below is a copy of the email... The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.

Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles

This is the end of the fake email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Malicious Attachment E-mail Messages - March 06, 2013
Fake Unpaid Debt Invoice E-mail Messages - March 06, 2013
Fake Overdue Payment Notification E-mail Messages - March 06, 2013
Fake Employee Document Sharing Notification E-mail - March 06, 2013
Fake Money Transfer Notification E-mail Messages - March 06, 2013
Fake UPS Payment Document Attachment E-mail Messages - March 06, 2013
(Links and more info at the cisco URL above.)