Wednesday 10 July 2013

Visa spam / estateandpropertty.com and clik-kids.com

This fake Visa spam attempts to lead to malware on estateandpropertty.com:

Date:      Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From:      Visa [policemank3@newsletters.visabusinessnewsmail.org]
Reply-To:      flintierv34@complains.visabusinessnewsmail.org
Subject:      Update Your Business Visa Card Information


Your Visa Business card has been limited. Please update your information to reactivate your account.

Please proceed the link: http://visabusiness.com/fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
Your Case ID is: NW61826321176497

Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.

This added security is to prevent any additional fraudulent charges from taking place on your account.


Notice: This Visa communication is furnished to you solely in your capacity as a customer of Visa Inc. (or its authorized agent) or a participant in the Visa payments system. By accepting this Visa communication, you acknowledge that the information contained herein (the "Information") is confidential and subject to the confidentiality restrictions contained in Visa's operating regulations, which limit your use of the Information. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a customer of Visa Inc. or a participant in the Visa payments system. The Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system.

Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.

This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe. 
The link in the email goes through a hacked legitimate site and then attempted to go to a malware page at [donotclick]estateandpropertty.com/news/visa-report.php (report here), but it appears the registrar has nuked the domain, so the spammers have switched the link to [donotclick]clik-kids.com/news/visa-report.php (report here) instead. IPs involved are:

46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
77.240.118.69 (Acens Technologies, Spain)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
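
As an added example (not part of the original post), the following Python checks web proxy log lines against the two domains, the landing path and the five IPs named above, and also flags the same landing path on a host not yet listed, since the spammers kept the path when they switched domains. The log line format, the sample lines and the function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the post above.
BAD_DOMAINS = {"estateandpropertty.com", "clik-kids.com"}
BAD_IPS = {ipaddress.ip_address(a) for a in (
    "46.45.182.27", "77.240.118.69", "150.244.233.146",
    "203.236.232.42", "209.222.67.251")}
LANDING_PATH = "/news/visa-report.php"

def host_is_blocked(host):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def check_line(line):
    """Return the reasons a log line matches (empty list if clean).
    Assumed format: <time> <client_ip> <dest_ip> <method> <full_url>"""
    parts = line.split()
    if len(parts) != 5:
        return ["unparseable"]
    _, _, dest_ip, _, url = parts
    reasons = []
    try:
        if ipaddress.ip_address(dest_ip) in BAD_IPS:
            reasons.append("dest-ip")
    except ValueError:
        reasons.append("bad-dest-ip-field")
    u = urlsplit(url)
    if host_is_blocked(u.hostname or ""):
        reasons.append("domain")
    elif u.path.lower() == LANDING_PATH:
        # Same landing page on an unlisted host: worth a manual look.
        reasons.append("landing-path-on-new-host")
    return reasons

# Constructed sample lines; the host/IP pairings are invented for the demo.
SAMPLE_LOG = [
    "2013-07-10T16:21:02Z 10.0.0.5 203.236.232.42 GET http://clik-kids.com/news/visa-report.php",
    "2013-07-10T16:21:09Z 10.0.0.7 198.51.100.9 GET http://notclik-kids.com/index.html",
    "2013-07-10T16:22:40Z 10.0.0.8 198.51.100.20 GET http://example.net/news/visa-report.php",
    "2013-07-10T16:23:11Z 10.0.0.9 46.45.182.27 GET http://www.example.org/",
]

def scan(lines):
    """Map 1-based line number -> reasons, for lines with any match."""
    return {i: r for i, line in enumerate(lines, 1) if (r := check_line(line))}
```

Matching on a leading dot means `notclik-kids.com` is not flagged while any subdomain of a listed domain is.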

Recommended blocklist:
