
Friday, 9 December 2011

Malware: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped! / ageoloft.info, floreli.info and certerpen.info

This malware spam leads via a legitimate hacked site to floreli.info, ageoloft.info or certerpen.info, although there are probably more. If you have the names of other payload domains please consider adding them in the Comments. These sites are hosted on 91.195.11.42.

From: Issac Britt [mailto:delphiniumsfte62@retela.co.jp]
Sent: 09 December 2011 14:05
Subject: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!

Hello,

Shipping Confirmation
Order # 649-2723315-2651369

Your estimated delivery date is:
Tuesday, December 13, 2011

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Omron FXB-414M Fat Loss Monitor, Black $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

The payload is on floreli.info/main.php?page=525447c096f8efbf or ageoloft.info/main.php?page=525447c096f8efbf and consists of the blackhole exploit kit leading to the Cridex Trojan.

Blocking the range 91.195.10.0/23 (UkrStar ISP, Ukraine) is a good proactive move, as several malware attacks have been hosted there in the past few days.

Domains spotted so far:
ageoloft.info
floreli.info
certerpen.info


Some sample email subjects:
Your Amazon.com order of "Omron BTS-829C Fat Loss ..." has shipped!
Your Amazon.com order of "Omron DRM-151A Fat Loss ..." has shipped!
Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!
Your Amazon.com order of "Omron KGZ-387E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNB-885D Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNH-875H Fat Loss ..." has shipped!
Your Amazon.com order of "Omron REM-787E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron QYM-632R Fat Loss ..." has shipped!
Your Amazon.com order of "Omron UHA-584I Fat Loss ..." has shipped!
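As an added example (not part of the original post), the indicators above can be turned into a small mail-gateway triage check: the subject template the campaign uses, the payload domains with the main.php?page= landing path, and the 91.195.10.0/23 range recommended for blocking. The product-code pattern (three letters, three digits, one letter) and the 16-hex-character page parameter are generalisations from the samples on this page, not something the post states; the sample messages below are constructed for the demonstration. Because the spam links first go through a hacked legitimate site, the URL check is meant for the final redirect target, not the link in the mail body.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
BLOCKED_RANGE = ipaddress.ip_network("91.195.10.0/23")
PAYLOAD_DOMAINS = {"ageoloft.info", "floreli.info", "certerpen.info"}

# Subject template (assumption: product code is 3 letters, 3 digits, 1 letter,
# which fits every sample subject listed in the post).
SUBJECT_RE = re.compile(
    r'^Your Amazon\.com order of "Omron [A-Z]{3}-\d{3}[A-Z] Fat Loss \.\.\." has shipped!$'
)

# Landing page seen in the post: /main.php?page=<16 hex chars>
# (assumption: the page value is always 16 hex characters).
LANDING_PATH = "/main.php"
PAGE_PARAM_RE = re.compile(r"^page=[0-9a-f]{16}$")


def subject_matches(subject: str) -> bool:
    """True when a subject line matches the campaign template."""
    return SUBJECT_RE.match(subject.strip()) is not None


def url_is_payload(url: str) -> bool:
    """True when a (final, post-redirect) URL points at a known payload
    domain and the exploit-kit landing path."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return (
        host in PAYLOAD_DOMAINS
        and parsed.path == LANDING_PATH
        and PAGE_PARAM_RE.match(parsed.query) is not None
    )


def ip_in_blocked_range(ip: str) -> bool:
    """True when an address falls inside the UkrStar range to block."""
    return ipaddress.ip_address(ip) in BLOCKED_RANGE


def triage(message: dict) -> dict:
    """Score one message. The dict shape (subject, urls, ips) is constructed
    for this example; a real gateway would fill it from the parsed mail."""
    reasons = []
    if subject_matches(message.get("subject", "")):
        reasons.append("subject matches campaign template")
    for url in message.get("urls", []):
        if url_is_payload(url):
            reasons.append(f"payload url {url}")
    for ip in message.get("ips", []):
        if ip_in_blocked_range(ip):
            reasons.append(f"ip {ip} in blocked range {BLOCKED_RANGE}")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages: one from the campaign, one benign.
SAMPLE_MESSAGES = [
    {
        "subject": 'Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!',
        "urls": ["http://floreli.info/main.php?page=525447c096f8efbf"],
        "ips": ["91.195.11.42"],
    },
    {
        "subject": "Your Amazon.com order has shipped",
        "urls": ["https://www.amazon.com/gp/css/order-history"],
        "ips": ["203.0.113.5"],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage(msg))
```

The subject regex alone is a weak indicator (the template could change tomorrow), so the function reports every reason it found rather than stopping at the first; the CIDR and payload-domain checks are the ones worth keeping once the subject line drifts.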

9 comments:

Stef said...

Thank you! Quick action saved my butt...

SYSAdmin said...

I just got hit with this campaign and blocked it, I will check your site more often!

Thanks for having informative information on these idiots who send this garbage.

Todd Booher said...

We're seeing this as well with an additional URL:

instants-clic.com

John said...

Mine said:
Omron YVD-993L Fat Loss Monitor, Black $119.95

The links appeared to go to a hardcoreintelligence.nl site.

SYSAdmin said...

I have blocked this and now they are coming again but it is being trash canned.

SYSAdmin said...

It would be nice to BAN other countries from ARIN.

SYSAdmin said...

GREAT info on this site for those System Admins who manage email and spam appliances. I have added the ranges to be blocked.

Another GREAT website is:

http://www.countryipblocks.net/

You can block the ROGUE countries from your servers at least. It is difficult to do this from spam appliances because you will block legitimate email from customers.

default said...

We're seeing this as well. One came through UT servers.

Payload:
www.idees-kdo.fr
phoenix-entertainment.be

DasTiger said...

Attention: I received on June 23 the following:
Hi,
I from Ukraine.
Your can look my photo in attachment.
I wait your answer.
It came with an attachment IMG_0389(copy).JPG.ZIP of 276 Kb...
Men be aware... (Women are less gullible...)