Sponsored by..

Monday 22 October 2012

"Copies of Policies" spam / fidelocastroo.ru

This spam leads to malware on fidelocastroo.ru:

Date:      Mon, 22 Oct 2012 08:05:10 -0500
From:      Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject:      RE: Charley - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.


Charley HEALY,

The malicious payload is on [donotclick]fidelocastroo.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithunia)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)

Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247

Blocking these IPs should prevent any other attacks on the same server.


No comments: