Tuesday 13 November 2012

"Your flight" spam / monacofrm.ru

These spam email messages lead to malware on monacofrm.ru:

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581

Dear Customer,

FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.

NAOMI PATTON,

==========

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733

Dear Customer,

FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.

Adon Walton,

==========

Date:      Tue, 13 Nov 2012 08:20:21 +0400
From:      accounting@victimdomain.com
Subject:      Re: Your Flight A230-63955
Attachments:     FLIGHT_TICKET_A04897499.htm

Dear Customer,

FLIGHT NR: 43070-0328
DATE/TIME : JAN 24, 2013, 12:19 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 323.97 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.

SHERILYN BREWER,

==========

Date:      Tue, 13 Nov 2012 02:14:56 +0700
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Your Flight A13-6235
Attachments:     FLIGHT_TICKET_A56970327.htm

Dear Customer,

FLIGHT NR: 7504-638
DATE/TIME : JAN 20, 2013, 18:10 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 089.74 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.

ROSANA Gallo,

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)

The Mongolian and Malaysian IPs have been used several times for malware attacks; 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added:

There's a Wire Transfer spam using the same payload too:

From: Amazon.com [mailto:account-update@amazon.com]
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation

Dear Bank Account Operator,

WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
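As an added example (not part of the original post), the indicators above turned into a small mail-filter check: subject and attachment-name patterns from the "Your Flight" and "Wire Transfer" samples, the body template, and the payload host and IPs as a blocklist. The two messages it runs over are constructed here to mirror the samples, not real captures.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Indicators taken from the samples in the post: subject, attachment name, body template;
# the blocklist is the payload host and the hosting IPs the post names.
SUBJECT_RE = re.compile(r"Your Flight A\d+-\d+|Wire Transfer Confirmation", re.I)
ATTACH_RE = re.compile(r"^FLIGHT_TICKET_A\d+\.htm$", re.I)
BODY_RE = re.compile(r"FLIGHT NR: \d+-\d+|WIRE TRANSFER: FED\d+")
BLOCKLIST = {"monacofrm.ru", "202.180.221.186", "203.80.16.81", "216.24.194.66"}

def classify(raw):
    """Return the indicators a raw RFC 5322 message matches; two or more -> malicious."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    if any(ATTACH_RE.match(p.get_filename() or "") for p in msg.walk()):
        hits.append("attachment")
    body = msg.get_body(preferencelist=("plain",))  # skips attachment parts
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("body")
    return {"hits": hits, "malicious": len(hits) >= 2}

def is_blocked(url):
    """True when the URL's host is on the blocklist (port and path ignored)."""
    return (urlparse(url).hostname or "").lower() in BLOCKLIST

# Constructed sample modelled on the third message in the post, not a real capture.
SPAM = """\
From: accounting@victimdomain.com
Subject: Re: Your Flight A230-63955
Content-Type: multipart/mixed; boundary="b1"

--b1

Dear Customer,
FLIGHT NR: 43070-0328
--b1
Content-Disposition: attachment; filename="FLIGHT_TICKET_A04897499.htm"

<html><!-- attachment body omitted --></html>
--b1--
"""
# Constructed legitimate message that mentions a flight but matches no indicator.
BENIGN = "From: travel@example.com\nSubject: Your flight itinerary\n\nFlight UA123 departs 09:00.\n"

if __name__ == "__main__":
    print(classify(SPAM), classify(BENIGN), is_blocked("http://monacofrm.ru:8080/forum/links/column.php"))
```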
