Thursday, 2 February 2012

NACHA Spam / hakkabout.com and kansamentos.com

More NACHA spam with a malicious payload..

Date:      Thu, 1 Feb 2012 13:05:58 +0100
From:      risk@nacha.org
Subject:      Rejected ACH payment

The ACH transfer (ID: 424339813641), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     424339813641
Reason for rejection     See details in the report below
Transaction Report     report_424339813641.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The link redirects through a couple of legitimate hacked sites and ends up on hakkabout.com/search.php?page=73a07bcb51f4be71 on 96.126.117.251 (Linode, US). According to Wepawet, a subsequent download is attempted from kansamentos.com/forum/index.php?showtopic=192151 on 66.151.138.179 (Nuclear Fallout Enterprises, US). Blocking those two IPs is probably a good idea, although it isn't the first time that Linode or Nuclear Fallout Enterprises have hosted malware recently and it may not be the last.

Wednesday, 1 February 2012

NACHA Spam / sulusify.com

More NACHA spam leading to a malicious payload..

Date:      Wed, 31 Jan 2012 10:43:44 +0200
From:      transactions@nacha.org
Subject:      ACH payment canceled

The ACH transfer (ID: 64930940909169), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     64930940909169
Reason of rejection     See details in the report below
Transaction Report     report_64930940909169.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

In this case, the malware is at sulusify.com/search.php?page=73a07bcb51f4be71 (it goes through a couple of redirectors first). A Wepawet report is here.

This is on 209.59.221.65 which is the Endurance International Group.. again. There are several malicious IPs in the 209.59.192.0/19 range now, perhaps indicating a deeper problem with this host.

Tuesday, 31 January 2012

NACHA Spam / sulusate.com

More NACHA spam leading to a malicious payload:

Date: 31 January 2012 22:55
Subject: ACH transaction fault

The ACH transaction ID: 415864020375, that had been effectuated from your banking account lately, was rejected by the bank of the recipient.

ACH transfer declined
Transaction ID:     415864020375
Details:     please see the report below for details
Transaction Report     report_415864020375.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

This leads to a malicious payload at sulusate.com/search.php?page=977334ca118fcb8c, hosted on 209.59.220.98 (Endurance International Group, US). A Wepawet report for the malicious page is here.

Blocking the IP will prevent other malicious sites on the same server from doing their stuff. Endurance International has hosted several such malicious sites recently.

NACHA Spam / matoreria.com

Another NACHA spam run leading to a malicious payload..

Date:      Tue, 30 Jan 2012 11:02:13 +0000
From:      info@nacha.org
Subject:      Your ACH transaction

The ACH transaction (ID: 8519169560300), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     8519169560300
Rejection Reason     See details in the report below
Transaction Report     report_8519169560300.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The payload is on matoreria.com/search.php?page=73a07bcb51f4be71 hosted on 66.150.164.137 (Nuclear Fallout Enterprises, Seattle). We've seen this ISP before. At the moment the payload seems not to be working properly.

Blocking access to the IP address will also block access to any other malicious sites on the same server.

Sunday, 29 January 2012

Fake jobs: euro@ultraups.com

The "Lapatasker" money mule recruiters have been fairly quiet for a while, but here is a new one:

From:  Barrmanager@pacbell.net maurogonzal22@gmail.com
Date: 28 January 2012 01:39
Subject: Parttime Job

Compliments

I am the personnel department manager and I am appealing to you in the name of the large-scale and first-rate partnership.

Our company is met in many departments, such as:
- property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We need a person to fill the vacancy of a regional manager in Europe:
- salary 2.600 euro + bonus
- 2 - 3 working hours per day
- individual time-table


If our offer is interesting for you email us the required information:
e u r o @ u l t r a u p s . c o m (Please Delete Spaces In Email Address Before Mailing Us)
Full name:
Country:
City
E-mail:
Contact phone number:



Attention! We need just the people residing in EU.

Please, write your Telephone Number and our manager will contact with you and answer all your questions. 

The "jobs" offered are illegal activities such as money laundering, so signing up to them could land you in serious trouble with law enforcement and seriously out of pocket.

The domain was registered a while ago, probably with fake registrant details:
    Alexis Putt
    Email: alexisputt@yahoo.co.uk
    Organization: Alexis Putt
    Address: St Katharine's Way 12
    City: London
    State: London
    ZIP: E1W 1DD
    Country: GB
    Phone: +44.0113343341

If you have any more example emails, please consider sharing them in the comments.

Friday, 27 January 2012

Oh yeah..


..chicka chickaaah!

"INTUIT INC" malicious spam and {int_link} fail

A new version of a familiar spam that is meant to have a malicious payload:

Date:      Thu, 25 Jan 2012 20:43:03 +0100
From:      "INTUIT INC." [onlinebanking@ealerts.bankofamerica.com]
Subject:      Your tax information needs verification.

Dear Sir/Madam,

In our continuing effort to assure that exact information is being kept up on our systems, as well as to provide you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is indicated on your account is different from the information on file with the IRS.

In order to check and update your account, please enter the secure section.

Yours sincerely,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

OK, the sharp-eyed amongst you will have noticed that "INTUIT" and "bankofamerica.com" are two different entities. What you can't see is that the moron spammer has sent out all the links pointing to just http://{int_link}/ rather than remembering to include the spam URL. No doubt the next version of this will have a malicious payload, so take care.

Thursday, 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the Blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com
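The list above is in the blog's usual layout (hosting company, then each IP followed by the domains on it, with a "Not resolving" section at the end), which is easy to feed straight into a blocklist. What follows is an added example, not code from the blog: a small parser for that layout, a check for which IPs fall inside a watched prefix (the 209.59.192.0/19 range the sulusify.com post mentions), and hosts-file style sinkhole entries for every domain, resolving or not. SAMPLE_BLOCKLIST is a constructed excerpt in the same layout.

```python
"""Parse the plain-text blocklist layout used in the post above into
IP -> domain mappings, flag IPs inside a watched prefix and emit sinkhole
entries.

Added example, not part of the original blog post. SAMPLE_BLOCKLIST is a
constructed excerpt in the page's layout (hosting-company header, then each
IP followed by the domains on it, a final "Not resolving" section); the
prefix 209.59.192.0/19 is the range the sulusify.com post calls out.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_BLOCKLIST = """\
Zerigo, US
173.248.190.37
chilleloot.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.221.158
closteation.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Not resolving
chillebucks.com
sulusize.com
"""

IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$", re.IGNORECASE)


def parse_blocklist(text):
    """Return (ip_to_domains, unresolved, annotations).

    ip_to_domains maps each IP to the domains listed beneath it; domains in a
    "Not resolving" section have no IP and go to unresolved; annotations keeps
    trailing notes such as "(parked)" keyed by IP.
    """
    ip_to_domains = defaultdict(list)
    unresolved = []
    annotations = {}
    current_ip = None
    in_unresolved = False

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IPV4_RE.match(line)
        if m:
            # ip_address() rejects malformed octets such as 999.1.1.1
            current_ip = str(ipaddress.ip_address(m.group(1)))
            in_unresolved = False
            note = line[m.end():].strip()
            if note:
                annotations[current_ip] = note.strip("()")
        elif line.lower() == "not resolving":
            in_unresolved, current_ip = True, None
        elif DOMAIN_RE.match(line):
            if in_unresolved:
                unresolved.append(line.lower())
            elif current_ip:
                ip_to_domains[current_ip].append(line.lower())
        else:
            # Anything else ("Eonix, Canada") is a hosting-company header:
            # a new section starts, so the previous IP no longer applies.
            current_ip, in_unresolved = None, False
    return dict(ip_to_domains), unresolved, annotations


def ips_in_prefix(ip_to_domains, prefix):
    """IPs from the parsed list that fall inside prefix (a CIDR string)."""
    net = ipaddress.ip_network(prefix)
    return sorted(ip for ip in ip_to_domains if ipaddress.ip_address(ip) in net)


def sinkhole_entries(ip_to_domains, unresolved, sinkhole="0.0.0.0"):
    """hosts-file style lines that sinkhole every listed domain, resolving or not."""
    domains = {d for ds in ip_to_domains.values() for d in ds} | set(unresolved)
    return [f"{sinkhole} {d}" for d in sorted(domains)]


if __name__ == "__main__":
    ips, unresolved, notes = parse_blocklist(SAMPLE_BLOCKLIST)
    print("IPs to block:", ", ".join(sorted(ips)))
    print("Parked:", notes)
    print("In 209.59.192.0/19:", ips_in_prefix(ips, "209.59.192.0/19"))
    print("\n".join(sinkhole_entries(ips, unresolved)))
```

Blocking by IP (as the posts recommend) and sinkholing by domain are complementary: the IP rule also covers the other malicious sites on the same server, while the domain entries still bite once the domain moves to a new host or starts resolving again.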

NACHA Spam / chillechart.com and chillepay.com

More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).

Date:      Thu, 25 Jan 2012 10:40:06 +0100
From:      "alerts@nacha.org" [alerts@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Account Holder,

This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    766253676295142
Transaction status:    pending

In order to resolve this matter, we prompt you to check the details of your transaction using the link below.

Faithfully yours,
Stephanie Barrera
Accounting Department

This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.

Update: chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode).
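The pattern this post and the earlier NACHA posts describe is consistent enough to score on: a sender claiming nacha.org (or bbb.org in the mixed-up run), "ACH" wording in the subject, a long numeric transaction ID in the body, and a link that ends up at /search.php?page=<16 hex characters>. Below is an added example, not code from the blog, that turns those observations into a mail-filter scoring rule and runs it over constructed messages mirroring the quoted spam (including the {int_link} "INTUIT INC" mail, which only trips the display-name check). The weights, the quarantine threshold and the BRAND_DOMAINS table are assumptions for illustration, not values from the page.

```python
"""Score inbound mail against the fake-NACHA / "ACH transfer" pattern these
posts describe: a sender claiming nacha.org or bbb.org, ACH wording in the
subject, a long numeric transaction ID, and a link to /search.php?page=<16 hex>.

Added example, not part of the blog post. SAMPLE_MESSAGES are constructed to
mirror the quoted spam; the weights, threshold and BRAND_DOMAINS table are
assumptions for illustration, not values from the page.
"""
import re
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

SPOOFED_SENDER_DOMAINS = {"nacha.org", "bbb.org"}
# Brands the posts show being impersonated, with the domain each really uses
# (assumed mapping, used only to spot display-name / address mismatches).
BRAND_DOMAINS = {"intuit": "intuit.com", "nacha": "nacha.org", "bbb": "bbb.org"}
ACH_SUBJECT_RE = re.compile(r"\bACH\b", re.IGNORECASE)
TRANSACTION_ID_RE = re.compile(r"Transaction\s*(?:ID|#)\s*:?\s*\d{12,15}", re.IGNORECASE)
LANDING_TOKEN_RE = re.compile(r"^[0-9a-f]{16}$")


def landing_page_like(url):
    """True if url has the /search.php?page=<16 hex> shape seen across these runs."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.path.lower().endswith("/search.php"):
        return False
    return any(LANDING_TOKEN_RE.match(p) for p in parse_qs(parts.query).get("page", []))


def score_message(msg):
    """Return (score, reasons) for a dict with keys from, subject, body, urls."""
    score, reasons = 0, []

    def hit(weight, why):
        nonlocal score
        score += weight
        reasons.append(why)

    display, addr = parseaddr(msg.get("from", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in SPOOFED_SENDER_DOMAINS:
        hit(2, f"sender claims to be {sender_domain}")
    if ACH_SUBJECT_RE.search(msg.get("subject", "")):
        hit(1, "ACH wording in subject")
    if TRANSACTION_ID_RE.search(msg.get("body", "")):
        hit(1, "long numeric transaction ID in body")
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in display.lower() and not sender_domain.endswith(real_domain):
            hit(2, f"display name '{display}' but address is at {sender_domain}")
    for url in msg.get("urls", []):
        if landing_page_like(url):
            hit(3, f"link shaped like the campaign landing page: {url}")
            break
    return score, reasons


def verdict(msg, threshold=4):
    """Classify a message; the threshold is an assumed tuning value."""
    score, reasons = score_message(msg)
    return ("quarantine" if score >= threshold else "deliver"), score, reasons


# Constructed messages mirroring the spam quoted in these posts.
SAMPLE_MESSAGES = [
    {   # the "Rejected ACH payment" run with its search.php landing page
        "from": "risk@nacha.org",
        "subject": "Rejected ACH payment",
        "body": "Transaction ID: 424339813641 Reason for rejection See details in the report below",
        "urls": ["hakkabout.com/search.php?page=73a07bcb51f4be71"],
    },
    {   # the broken "INTUIT INC" run whose links were left as the {int_link} placeholder
        "from": '"INTUIT INC." <onlinebanking@ealerts.bankofamerica.com>',
        "subject": "Your tax information needs verification.",
        "body": "please enter the secure section",
        "urls": ["http://{int_link}/"],
    },
    {   # the mixed-up BBB / ACH run; link to a redirector only (constructed URL)
        "from": '"manager@bbb.org" <manager@bbb.org>',
        "subject": "ACH transfer pending",
        "body": "Transaction ID: 471209863177939 Transaction status: pending",
        "urls": ["http://compromised.example/go.html"],
    },
    {   # benign internal notice, constructed
        "from": '"Payroll Team" <payroll@example.com>',
        "subject": "Pay stubs now available",
        "body": "Your pay stub for January is available in the portal.",
        "urls": ["https://portal.example.com/paystubs"],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, score, reasons = verdict(msg)
        print(f"{action:10} score={score} {msg['subject']!r}")
        for r in reasons:
            print("   -", r)
```

The landing-page check deliberately keys on the URL shape rather than the domain, because every post in this run used a freshly registered domain but the same search.php?page= path; a domain blocklist lags, whereas the path pattern catches the next one. The display-name check is restricted to a short table of impersonated brands so that ordinary display names ("Payroll Team") do not trip it.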

Wednesday, 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.