
Thursday, 30 May 2013

ADP spam / 4rentconnecticut.com and 174.140.171.233

These fake ADP spams lead to malware on 4rentconnecticut.com:

Date:      Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

====================

Date:      Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
From:      ADP Inc [ADP_FSA_Services@ADP.com]
Subject:      ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by May 31, 2013

$26062.29

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply. 

The link in the email goes to a legitimate but hacked site, which then tries to load three different scripts, currently:

[donotclick]kalimat.egyta.com/swearer/titan.js
[donotclick]www.asitecsrl.com/servicemen/ethic.js
[donotclick]www.mbbd.it/dzerzhinsky/bewilders.js

From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut.com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server and VirusTotal also reports several malicious URLs.
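
A log check built from the indicators above, as an added example that is not part of the original post: it flags requests to the three script URLs and the landing page, and also any request whose destination is 174.140.171.233, which catches traffic to other sites on the same server. The four-field proxy log format, the client addresses and the `.example` hosts are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators as written in the post, still defanged with "[donotclick]".
DEFANGED = [
    "[donotclick]kalimat.egyta.com/swearer/titan.js",
    "[donotclick]www.asitecsrl.com/servicemen/ethic.js",
    "[donotclick]www.mbbd.it/dzerzhinsky/bewilders.js",
    "[donotclick]4rentconnecticut.com/news/cross_destroy-sets-separate.php",
]
SERVER_IP = ipaddress.ip_address("174.140.171.233")
# Refanged in memory only, so they can be compared with logged URLs.
URLS = ["http://" + e.replace("[donotclick]", "") for e in DEFANGED]

def key(url):
    """Reduce a URL to the (host, path) pair used for matching."""
    parts = urlsplit(url)
    return parts.hostname, parts.path

INDICATORS = {key(u) for u in URLS}

def classify(line):
    """Return 'url', 'ip' or None for one '<time> <client> <dest_ip> <url>' line."""
    fields = line.split()
    if len(fields) != 4:
        return None  # not in the assumed log format
    try:
        if key(fields[3]) in INDICATORS:
            return "url"
        if ipaddress.ip_address(fields[2]) == SERVER_IP:
            return "ip"
    except ValueError:
        pass  # malformed URL or address field
    return None

def find_hits(lines):
    """List (client, match_type) for every line that matches an indicator."""
    tagged = ((line, classify(line)) for line in lines)
    return [(line.split()[1], kind) for line, kind in tagged if kind]

# Constructed log lines: times, clients, 192.0.2.10, 198.51.100.7 and .example hosts are made up.
SAMPLE_LOG = [
    f"13:42:01 10.0.0.15 192.0.2.10 {URLS[0]}",
    f"13:42:02 10.0.0.15 174.140.171.233 {URLS[3]}",
    "13:50:10 10.0.0.22 174.140.171.233 http://hijacked-site.example/index.html",
    "13:51:00 10.0.0.30 198.51.100.7 http://intranet.example/home",
]

if __name__ == "__main__":
    print(find_hits(SAMPLE_LOG))
```

The third sample line matches on IP alone: its hostname is not in the URL list, so a URL-only check would miss it.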

It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate this problem, but the following domains should all be assumed to be legitimate ones that have been hijacked:




