Sponsored by..

Tuesday 27 November 2012

"Copies of Policies" spam / ganiopatia.ru

This spam leads to malware on ganiopatia.ru:


Date:      Mon, 26 Nov 2012 02:31:10 -0500
From:      sales1@victimdomain.com
Subject:      RE: ALINA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

ALINA Prater,

==========


Date:      Mon, 26 Nov 2012 02:26:33 +0300
From:      ALISHIADBSukwQEf@aol.com
Subject:      RE: ALISHIA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.

ALISHIA Gee,

==========

From: accounting@victimdomain.com
Sent: 26 November 2012 08:42
Subject: RE: MARCELLE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.

MARCELLE SPENCE,

==========

From: accounting@victimdomain.com
Sent: 26 November 2012 07:54
Subject: RE: KASSIE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

KASSIE ROMANO,


The malicious payload is at [donotclick]ganiopatia.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)

Note that ganalionomka.ru  is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times, blocking access to them would be a good idea.

No comments: