Thursday, 16 May 2013

Walmart.com spam / bestunallowable.com

This fake Walmart spam leads to malware on bestunallowable.com:

From:     Wallmart.com [deviledm978@news.wallmart.com]
Date:     16 May 2013 14:02
Subject:     Thanks for your Walmart.com Order 3795695-976140

Walmart    
Visit Walmartcom  |     Help  |     My Account  |     Track My Orders

[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping

• You'll receive another email, with tracking information, when your order ships.

• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
      Ship to Home    
   

Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
   

Walmart.com     Order Number: 3795695-976140
Ship to Home - Standard
Items     Qty     Arrival Date     Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service     Walmart.com Total:     $960.86
Order Summary
Order Date:     05/15/2013
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
Order Total:     $960.86
Credit card:     $960.86
       
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com


Rollbacks     Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
   
©Walmart.com USA, LLC, All Rights Reserved.

The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:

108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
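
Because the emailed link points at a hacked legitimate site, a blocklist check on that URL alone finds nothing; the following added example (not code from the original post) checks every hop of a recorded redirect chain instead. The first two hosts in the sample chain are hypothetical placeholders, the function names are illustrative, and the indicators are the payload domain and hosting IPs named above.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from this post: the payload domain and its two hosting IPs.
BLOCKED_DOMAINS = {"bestunallowable.com"}
BLOCKED_IPS = {ipaddress.ip_address("108.5.125.134"),
               ipaddress.ip_address("198.61.147.58")}

def refang(url):
    """Strip the '[donotclick]' defang marker and ensure a scheme for parsing."""
    url = url.strip().replace("[donotclick]", "")
    return url if "://" in url else "http://" + url

def host_of(url):
    """Lower-cased hostname without port or trailing dot."""
    return (urlsplit(refang(url)).hostname or "").rstrip(".").lower()

def is_blocked(host):
    """True if host is a blocked IP, a blocked domain, or a subdomain of one."""
    try:
        return ipaddress.ip_address(host) in BLOCKED_IPS
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    labels = host.split(".")
    # Check the host and every parent domain: a.b.evil.com -> b.evil.com -> evil.com
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def first_blocked_hop(chain):
    """Return (index, host) of the first blocked hop in a redirect chain, else None."""
    for i, url in enumerate(chain):
        host = host_of(url)
        if host and is_blocked(host):
            return i, host
    return None

# Constructed redirect chain as a proxy or sandbox might record it.
# The first two hosts are hypothetical placeholders; the last is from the post.
SAMPLE_CHAIN = [
    "http://hacked-legit-site.example/wp-content/order.html",
    "http://redirector.example/go.php",
    "[donotclick]bestunallowable.com/news/ask-index.php",
]

if __name__ == "__main__":
    print("email URL only:", first_blocked_hop(SAMPLE_CHAIN[:1]))
    print("full chain:    ", first_blocked_hop(SAMPLE_CHAIN))
```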

The WHOIS details are characteristic of the Amerika gang:
   Administrative Contact:
   McDonough, Tara  ukcastlee@mail.com
   38 Wee Burn Lane
   DARIEN, CO 06820
   US
   2036566697

Blocklist (including nameservers):

5 comments:

Gwenwyn Brightwood said...

Our company got a couple of the same thing linking to these sites:

hypnose-reussite.com
bodysoulnn.ru

Same amount, same exact wording, excepting different names and addresses. Every single one is for the same 'total.'

Conrad Longmore said...

@Gwenwyn, the URL in the email is always a legitimate hacked site which leads to a redirector which *then* bounces the victim to the payload site. It's a clever trick as it helps to bypass URL-based spam filtering.

Darryl LaRocque said...

Don't click on anything. If you are concerned go to your browser and enter the actual website.

Darryl LaRocque said...

Don't click on anything. If you are concerned go directly to the website manually in your browser. Hyperlinks are not always what they claim to be.

A said...

Does anyone know the extent of damage this thing does if you click the link and receive the payload? It seems to be changing some settings in IE, but beyond that I can't tell if anything else is going on.