Sponsored by..

Tuesday 6 November 2012

Apple "Account Info Change" spam / welnessmedical.com

Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical.com.


From: Apple [mailto:appleid@id.arcadiadesign.it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change

Hello,

The following information for your Apple ID [redacted] was updated on 11/06/2012:

Date of birth
Security question(s) and answer(s)

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.

To review and update your security settings, sign in to appleid.apple.com.

This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.

Thanks,
Apple Customer Support



TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID 


The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44:

medmedsepub.com
newpharmsale.com
virustrapill.com
medicalmedprescription.com
medpillprescription.com
walgreensprescription.com
pilldrugstoregroup.com
medicineonlinephysic.ru
zkflwf.ru
ytti.ru
healthtabstablets.ru
healthcaremedstablets.ru
fitnesspillspharmacy.ru
mycareviagra.pl
diseasepillsmedicine.com
medicareryan.com
cialiswiladen.com
pharmvitamins.com
crashtab.net
healthtabsdrugstore.ru
ghem.ru
jium.ru
epoo.ru
ghas.ru
buymedicinepharmacy.ru
pillpillspharmacy.ru
onlinepharmabuy.ru

Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is:

inetnum:         84.22.127.0 - 84.22.127.7
netname:         A84-22-127-0
descr:           BLACK OPERATIONS
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
country:         NL
status:          ASSIGNED PA
mnt-by:          MNT-CB3ROB
mnt-lower:       MNT-CB3ROB
mnt-routes:      MNT-CB3ROB
source:          RIPE # Filtered

role:            Ministery of Telecommunications
address:         One CyberBunker Avenue
address:         CB-31337
address:         CyberBunker-1
address:         Republic CyberBunker
mnt-by:          MNT-CB3ROB
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
nic-hdl:         CBMT1-RIPE
source:          RIPE # Filtered

route:          84.22.96.0/19
descr:          R84-22-96-0
origin:         AS34109
mnt-by:         MNT-CB3ROB
source:         RIPE # Filtered


It's our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia if you want more information.

No comments: