Sponsored by..

Tuesday 9 July 2013

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

This spam leads to malware on autorize.net.models-and-kits.net:

Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS

Contact Us: EFTPS Batch Provider Customer Service
at this link
A sender's email address of batchprovider@email.eftpsmail.gov is seen in another sample. The link goes through a legitimate hacked site and ends up an a malware laden page at [donotclick]autorize.net.models-and-kits.net/news/shortest-caused-race.php (report here) hosted on:

77.240.118.69 (Acens Technlogies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)

All these IPs and more can be found in this recommended blocklist. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..

77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
autorize.net.models-and-kits.net
charismasalonme.net
chinadollars.net
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
eftps.gov.charismasalonme.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
fulty.net
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
m.krasalco.com
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
quipbox.com
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Update: a different spam is also circulating with the same payload:


Date:      Tue, 9 Jul 2013 06:56:26 -0800
From:      "Authorize . Net" [emailreceipts@news.authorizemail.net]
Subject:      Successful Credit Card Settlement Report.

Your Authorize.Net ID is: 1263577
Dear [redacted],

The following is your Credit Card settlement report for Sunday, July 09, 2013.

Transaction Volume Statistics for Settlement Batch dated 9-Jul-2013 11:0:55 PDT:
Batch ID: 668271114
Business Day: 09-Jul-2013
Net Batch Total: 9,917.74 (USD)
Number of Charge Transactions: 99
Amount of Charge Transactions: 9,917.74
Number of Refund Transactions: 7
Amount of Refund Transactions: 105.64

Warning! Your Batch limits for July exceeded!
To view details, please click here to log into the Merchant Interface.

If you have any questions regarding this settlement report, please contact your bank or you can contact Customer Support at this link.

Thank You,
Authorize.Net

*** You received this email because you chose to be a Credit Card Report recipient. You may change your email options by logging into the Merchant Interface. Click on Settings and Profile in the Main Menu, and select Manage Contacts from the General section. To edit a contact, click the Edit link next to the contact that you would like to edit. Under Email Types, select or deselect the Email types you would like to receive. Click Submit to save any changes. Please do not reply to this email.



No comments: