Sponsored by..

Monday 26 August 2013

UPS Spam / UPS Invoice 74458652.zip

This fake UPS invoice has a malicious attachment:

From:      "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]
Subject:      Your UPS Invoice is Ready


New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.
Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe  which presumably isn't meant to be named like that..

The VirusTotal detection rate is a so-so 18/46. The Malwr analysis is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint.org/forum/viewtopic.php
[donotclick]mierukaproject.jp/PjSE.exe
[donotclick]programcommunications.com/WZP3mMPV.exe
[donotclick]fclww.com/QdytJso0.exe
[donotclick]www.lajen.cz/tPT8oZTB.exe

The VirusTotal detection rate for the downloaded file is not great at just 9/46.

The domain gordonpoint.org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other hijacked domains which are listed below in italics.

Recommended blocklist:
74.207.229.45
gordonpoint.org
hitechcreature.com
industryseeds.ca
infocreature.com
itanimal.com
itanimals.com
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com

mierukaproject.jp
programcommunications.com
fclww.com
www.lajen.cz

Friday 23 August 2013

Wells Fargo spam / WellsFargo_08232013.exe

This fake Wells Fargo spam has a malicious attachment:

Date:      Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From:      Morris_Osborn@wellsfargo.com

Please review attached documents.

Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware.

What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity. Malwr, Comodo CAMAS and Anubis are somewhat less enlightening.

The WHOIS details for the domain huyontop.com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop.com as being potentially malicious and block it if you can.

Thursday 22 August 2013

"Remittance Docs 2982780" spam / Docs_08222013_218.exe

This fake Chase spam has a malicious attachment:

Date:      Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From:      Jed_Gregory [Jed_Gregory@chase.com]
Subject:      Remittance Docs 2982780

Please find attached the remittance 2982780.                                             
                                                            If you are unable to open the
attached file, please reply to this email        with a contact telephone number. The
Finance Dept will be in touch in          due course. Jed_Gregory
Chase Private Banking      Level III Officer
3 Times Square
New York, NY 10036
T. 212.525.8865
F. 212.884.2034
The attachment is in the format Docs_victimdomain.com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp.ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial.com/VSMpZX.exe
[donotclick]richardsonlookoutcottages.nb.ca/Q5Vf.exe
[donotclick]idyno.com.au/kvdhx2.exe

The downloader then downloads a second part with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.

The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server and listed below in italics.

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
successchamp.com
thenatemiller.biz
thenatemiller.co
thenatemiller.info
thenatemiller.net
thenatemiller.org
watch-fp.biz
watch-fp.ca
watch-fp.com
watch-fp.info
watch-fp.mobi
waterwayrealtyteam.us

jatw.pacificsocial.com
richardsonlookoutcottages.nb.ca
idyno.com.au



Discover card "Your account login information updated" spam / abemuggs.com

This fake Discover card spam leads to malware on abemuggs.com:

Date:      Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From:      Discover Card [no-reply@facebook.com]
Subject:      Your account login information updated

Discover
Access My Account
   
ACCOUNT CONFIRMATION    Statements | Payments | Rewards   
Your account login information has been updated.

Dear Customer,

This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.

Log In to review your account details or to make additional changes.

Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up
   
Facebook    Twitter    I Love Cashback Bonus Blog    Mobile

   
Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.

    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2012 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1


The link in the email uses the Twitter redirection service to go to [donotclick]t.co/9PsnfeL8hh then [donotclick]x.co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198.netsolhost.com/frostbite/hyde.js
[donotclick]96.9.28.44/dacca/quintilian.js
[donotclick]cordcamera.dakisftp.com/toothsome/catch.js

From this point the victim ends up at the malicious payload at [donotclick]abemuggs.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).

At the moment, I can only see abemuggs.com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs.com
abesmugs.com
abemugs.com
andagency.com
mytotaltitle.com

I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs.com
02aa198.netsolhost.com
cordcamera.dakisftp.com

Wednesday 21 August 2013

Facebook spam / thenatemiller.co

This fake Facebook spam leads to malware on thenatemiller.co:

Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Nothing good will come from clicking the link. First victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).

Recommended blocklist:
72.5.102.146
successchamp.com
dennissellsgateway.com
thenatemiller.co
thenatemiller.info
justinreid.us
waterwayrealtyteam.us
thenatemiller.biz

gemclinicstore.com
mathenyadvisorygroup.com
www.it-planet.gr

Laughable advanced fee fraud scam promises $2.5

Two-and-a-half bucks? I think I'll pass.
From:     Mr Anthony Freed [johnewele12@cantv.net]
Reply-to:     dhlcorriadeliveryservice@live.com
Date:     20 August 2013 21:13
Subject:     Attention please!!!

Attention please!!!

We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your delivery
information:
DHL OFFICE:
Name Dr:Mark Jonson.
E-mail: dhlcorriadeliveryservice@live.com //officedhldelivery service
Tel:+229 98270349.

We have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number of ( 22-82797457 )and ask Him how much is their Security fee so that you can pay it.
Best Regards.
Rev.Anthony Fred
I don't think I've seen an Advanced Fee Fraud spam so full of fail for a long time..

Facebook spam / dennissellsgateway.com

This fake Facebook spam leads to malware on dennissellsgateway.com:

Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
waterwayrealtyteam.us

www.it-planet.gr
italiangardensomaha.com
ftp.crimestoppersofpinellas.org

Update:
Another spam is circulating with a different pitch, but the same malicious payload:

Dear Customer,

The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report at https://account.authorize.net/login/protected/download/settlementreport/

To view details for a specific transaction, please log into the Merchant Interface.

1.Click "Reports" from the main menu
2.Select "Transaction Details by Settlement Date"
3.Select "Settled Transactions" from the Item Type drop-down box.
4.Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5.Click "Run Report"
6.In the results, click on any transaction ID to view specific details for that transaction.

If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.

Thank You,
Authorize.Net
*** You received this email because you chose to be a Credit Card Report
recipient. You may change your email options by logging into the Merchant
Interface. Click on Settings and Profile in the Main Menu, and select
Manage Contacts from the General section. To edit a contact, click the
Edit link next to the contact that you would like to edit. Under Email
Types, select or deselect the Email types you would like to receive. Click
Submit to save any changes. Please do not reply to this email.



Monday 19 August 2013

"You have received a secure message" spam / securedoc.zip

This fake Citi spam contains a malicious attachment:

Date:      Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46. The Malwr analysis (and also ThreatExpert) shows that the file first connects to [donotclick]frankcremascocabinets.com/forum/viewtopic.php (a hijacked GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here, and it then tries to downoad additional components from:

[donotclick]lobbyarkansas.com/0d8H.exe
[donotclick]ftp.ixcenter.com/GMMo6.exe
[donotclick]faithful-ftp.com/kFbWXZX.exe

This second part has another very low VirusTotal detection rate of just 3/46. Malwr gives an insight into what the binary is doing, or alternatively you can look at the Comodo CAMAS report or ThreatExpert report

Recommened blocklist:
184.95.37.96/28
frankcremascocabinets.com
giuseppepiruzza.com
gordonpoint.biz
gordonpoint.info
hitechcreature.com
frankcremasco.com
lobbyarkansas.com
ftp.ixcenter.com
faithful-ftp.com

"You requested a new Facebook password" spam / frankcremascocabinets.com

This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:

From:     Facebook [update+hiehdzge@facebookmail.com]
Date:     19 August 2013 17:38
Subject:     You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).

Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com

frankcremasco.com

Facebook spam / hubbywifewines.com

This fake Facebook spam leads to malware on hubbywifewines.com:

Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password


facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.

Recommended blocklist:
72.5.102.192
hubbywifewines.com
hubbywifefoods.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it



MONK / Monarchy Resources, Inc pump-and-dump spam

Another day, another pump-and-dump spam run, this time being sent to randomly generated email addresses promoting MONK (Monarchy Resources, Inc). Here are some examples:

Subject: Pick Of The Week... Do Not Miss Out This Time!
Make easy $15'000 Monday!!! Hello, want to receive $15'000 by
next Friday? You would receive lot more if you get this hot
stock on Monday. The stock symbol is: M_O N_K. It's Monarchy
Resources, Inc.. It sells under 48 cents, but it should
see $1'80 shortly! Purchase shares of M_O N_K on Aug, 19
below 48 cents and multiply your cash! It could be
awesome to get $15'000 by Friday. And it's very easy to
receive. On Monday, Aug 19, 2013 order 43'000 shares of M_O
N_K and get over $15'000 by Friday

Subject: Hot Investor News
Pocket your $17'000 now! Howdy, need to pocket $17'000 by this Saturday? You
will get lots more if you purchase this premium stock on Monday. The stock
symbol is: M_ONK. It's MONARCHY RESOURCES INC.. It sits below 42 cents,
but it should see $1'20 promptly! Purchase shares of M_ONK on Mon, Aug
19th, 2013 under 42 cents and multiply your investment. It will be
amazing to earn $17'000 by Saturday. And its very easy to get! On Aug, 19th
order 29'000 shares of M_ONK and receive over $17'000 by Saturday!!!

Subject: Walgreens News!!!
Make easy $12'000 now! Hello, ready to pocket $12'000 by next
Saturday? You would receive lots more if you order this
undervalued stock on Monday. The company symbol is: M O N K.
It's Monarchy Resources, Inc. It goes under 40 cents, but
it could settle $1.90 promptly! Get shares of M O N K on
Monday, Aug 19th, 2013 under 40 cents and quadruple your
investment. It can be amazing to earn $12'000 by Saturday. And
its very easy to do! On Aug, 19 trade 21'000 shares of M O N K
and get over $12'000 by Saturday.

Subject: Profile Alert
Earn fast $13'000 now! Hello, ready to pocket $13'000 by this Thursday?
You can make lot more if you get this new stock on Monday. The stock
symbol is: M_O N_K. Its MONARCHY RESOURCES, INC. It goes under 30
cents, but it should see $1.55 shortly! Get shares of M_O N_K on
Monday, Aug 19 under 30 cents and quadruple your portfolio. It
could be cool to make $13'000 by Thursday. And it's very easy to do! On
Mon, August 19th, 2013 buy 35'000 shares of M_O N_K and pocket over
$13'000 by Thursday!

The spam that I have seen appears to originate primarily from IP addresses in India.

So, what's up with MONK? The stock has only been trading since June and most of that time it has been at around the $1.00 level. At the beginning of August the price dropped to $0.40 and then $0.20 per share (dropping for one point to just $0.10), losing more than 75% of its value since launch (see the stock chart here).


On 16th August there was a flurry of activity as 209,400 shares were bought at around the $0.20 or somewhat under that. Usually this is the spammers taking up a position in the company that they are about to spam. On the next day (a Saturday) the pump-and-dump spam started. So far today about 450,000 shares have been traded, apparently giving the stock a bit of a bump as whoever has hired the spammers tries to cash out.

As with all pump-and-dump spams, the only people making money out of it are the scammers who run it. Any investor who tries to try to invest in these it likely to lose some or all of their investment. Avoid

Malekal.com Joe Job part II

There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).

Date:      Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]
Subject:      Email SPAM for malekal.com

Theses emails SPAM are sent from a botnet (check the mails headers), im not
responsible of theses spam emails.
Someone is probably trying to get the site blacklisted or to get bad reputation
(called this "a Joe Job" - see :
http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html )

The responsible is " Reveton Guy ", try to get revenge after a mass shutdown of
their malvertising :

http://www.malekal.com/2013/07/30/en-juicyads-reveton-malvertising/
http://www.malekal.com/2013/07/28/en-plugrush-reveton-malvertising/
http://www.malekal.com/2013/07/26/en-reveton-adxpansion-com-malvertising/

The August 11, they tried to get my website blacklisted using hacked website :
http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/
This is rather more subtle than the previous Joe Job, as it appears to be from the Malekal administrator themselves. However, it is being sent by a botnet (probably the same botnet sending the original spam) and is just another way to cause trouble.

These spam emails are tightly targeted to addresses that are most likely to make complaints. If you are going to report these, then I'd appreciate it if you would report the sending IP only rather than just copy-and-pasting all the links in.

Friday 16 August 2013

"California Human Right Foundation CHRF USA" scam email

It's hard to say whether or not this scam is simply a version of the advanced fee fraud (you can come to the conference, but there will be fees and hotel charges), or if the idea is that you go down to Senegal and get kidnapped. In any case, this is a scam send to an email address scraped from the web via a hijacked email account in Indonesia. Similar scams have been seen before. Avoid.

From:     Mrs Cira Jonas [dede@yongjin.co.id]
Reply-To:     cirajo101@blumail.org
Date:     16 August 2013 18:06
Subject:     2013 USA (CHRF) CONFERENCE/INVITATION!!!

Dear Colleagues,

On behalf of California Human Right Foundation CHRF USA, It is a great privilege for us to invite you to global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor. The aims of the conference are to bring together researchers and practitioners in an effort to lay the ground work for future collaborative research, advocacy, and program development as well as to educate social service, health care, and criminal justice professionals on human trafficking and the needs and risks of those victimized by the commercial sex industry.

The global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor is scheduled to take place from October 20th – 24th 203, in California the United States and in Dakar-Senegal, from October 26th – 30th 2013. The global congress is hosted by the Campaign against Child Labor Coalition and sponsored by (The Bill & Melinda Gates Foundation, The William J. Clinton Foundation and other benevolent donors worldwide.

Note that all interested delegates that requires entry visa to enter the United States to attend this meeting will be assisted by the organization, in obtaining the visa in their passport. Free air round trip tickets to attend this meeting will be provided to all participants. The Workshop welcomes paper presentation from any interested participants willing to present papers during the meeting.

For registration information you are to contact the conference secretariat via  Email: info.secretaryallissa@usa.com


Please share the information with your colleagues.

Sincerely,
Mrs Cira Jonas
E-mail: cirajo101@blumail.org
(M.D) Activities Coordinator

ADP spam / ADP_week_invoice.zip|exe

This fake ADP spam has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From:      "run.payroll.invoice@adp.com" [run.payroll.invoice@adp.com]
Subject:      ADP Payroll INVOICE for week ending 08/16/2013

Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.

Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this other malicious spam run which is running in parallel.

"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe

This fake Wells Fargo email has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject:      CEO Portal Statements & Notices Event


Wells Fargo

Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available

Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp:    Fri, 16 Aug 2013 09:51:17 -0500
Request Name:    MM3P85NRLOXLOFJ
Event Message ID:    S045-77988311

Please do not reply to this email.

The email has an attachment called report_625859705821.zip which in turn contains an exectuable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, inclding an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.

From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe

This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.

Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.

Recommended blocklist:
66.151.138.80
hubbywifeco.com
hubbywifecakes.com
208.106.130.52
demoscreactivo.com
roundaboutcellars.com
bbsmfg.biz


Thursday 15 August 2013

"INCOMING FAX REPORT" spam / chellebelledesigns.com

A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns.com:

From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020

*********************************************************INCOMING FAX REPORT*********************************************************Date/Time: 07/25/2013 02:12:11 ESTSpeed: 66387 bpsConnection time: 04:06Pages: 0Resolution: NormalRemote ID: 1043524020Line number: 7DTMF/DID:Description: June PayrollClick here to view the file online*********************************************************

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll

Click here to view the file online

********************************************************* 
Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate hacked site and then on to one of three scripts:
[donotclick]millionaireheaven.com/mable/rework.js
[donotclick]pettigrew.us/airheads/testier.js
[donotclick]www.situ-ingenieurgeologie.de/tuesday/alleviation.js

from there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns.com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server (listed in italics below):

Recommended blocklist:
173.246.104.55
1800callabe.com
1866callabe.com
chellebelledesign.com
chellebelledesigns.com

millionaireheaven.com
pettigrew.us
www.situ-ingenieurgeologie.de


Something evil on 162.211.231.16

The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example) which have been going on for some time [1] [2] and uses several domains, some of which are listed below.

The WHOIS details for these domains seem to be consistent but are possibly fake:

Registrant ID:CR148448937
Registrant Name:Leonardo Salim Chahda
Registrant Street1:Patron 6755
Registrant Street2:
Registrant Street3:
Registrant City:Capital Federal
Registrant State/Province:Buenos Aires
Registrant Postal Code:1408
Registrant Country:AR
Registrant Phone:+46.444407
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:info@brigitteunderwear.com


All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear.com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack.

I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though)

Recommended blocklist:
162.211.231.16
acioepod.biz
acioepod.info
acioepod.org
acioepod.us
adrietod.biz
adrietod.info
adrietod.org
adrietod.us
alienore.biz
alienore.info
alienore.org
alienore.us
alpirute.biz
alpirute.info
alpirute.org
alpirute.us
alpojser.biz
alpojser.info
alpojser.net
alpojser.us
aniopirs.us
bialooes.biz
bialooes.info
bialooes.org
bialooes.us
boriskpr.biz
boriskpr.info
boriskpr.org
boriskpr.us
bugaletir.biz
bugaletir.info
bugaletir.org
bugaletir.us
bugaltoiy.biz
bugaltoiy.info
bugaltoiy.org
bugaltoiy.us
buhortes.biz
buhortes.info
buhortes.org
buhortes.us
caniopeo.us
caoilrsr.biz
caoilrsr.info
caoilrsr.org
caoilrsr.us
ciponeor.biz
ciponeor.info
ciponeor.org
ciponeor.us
deilonei.biz
deilonei.info
deilonei.org
deilonei.us
delovyto.biz
delovyto.info
delovyto.org
delovyto.us
diopoesl.us
diposero.biz
eniroikj.biz
eniroikj.info
eniroikj.org
eniroikj.us
feocipor.biz
feocipor.info
feocipor.org
feocipor.us
foleiord.biz
foleiord.info
foleiord.org
foleiord.us
foliadoe.biz
foliadoe.info
foliadoe.org
foliadoe.us
foprtise.biz
foprtise.info
foprtise.org
foprtise.us
gelaiork.biz
gelaiork.info
gelaiork.org
gelaiork.us
gipoeror.biz
gipoeror.info
gipoeror.org
golerods.biz
golerods.info
golerods.org
golerods.us
imanielo.biz
imanielo.info
imanielo.net
imanielo.us
mokioers.org
nimolpeo.biz
nimolpeo.info
nimolpeo.org
nimolpeo.us
niuritos.biz
niuritos.info
niuritos.org
niuritos.us
okoreiki.biz
okoreiki.info
okoreiki.net
okoreiki.us
openirod.biz
openirod.info
openirod.org
openirod.us
reoiklri.biz
reoiklri.info
reoiklri.org
reoiklri.us
tolikord.biz
tolikord.info
tolikord.org
tolikord.us
viloeirp.biz
viloeirp.org
vilosprs.biz
vilosprs.info
vilosprs.org
vilosprs.us
vokoralr.biz
vokoralr.info
vokoralr.org
vokoralr.us



Wednesday 14 August 2013

ADP spam / hubbywifeburgers.com

This fake ADP spam leads to malware on hubbywifeburgers.com:

Date:      Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From:      "ADPClientServices@adp.com" [service@citibank.com]
Subject:      ADP Security Management Update

ADP Security Management Update

Reference ID: 39866

Dear ADP Client August 2013

This message is to inform you of the upcoming �Phase 2� enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users� access to ADP�s Internet services, and includes the self-service registration process.

Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.

Please review the following information:

� Click here to view more details of the enhancements in Phase 2

� Complete the What�s New in Security Management Service here (Expected to take about 15 minutes)

� View the Supported Browsers and Operating Systems, listed here. These are updated to reflect more current versions to ensure proper presentation of the updated user interface. It is important to note that the new ADP Security Management is best accessed using Microsoft Internet Explorer Version 8 or Mozilla Firefox Version 3.6, at minimum.

This email was sent to active users in your company that access ADP Netsecure with a security role of �security master� or �security admin�. You may have other users that also access ADP Netsecure with other security roles. Please inform those users of these enhancements, noting that the above resources will have some functionality that does not apply to their role.

As always, thank you for choosing ADP as your business partner! If you have any questions, please contact your ADP Technical Support organization.

Ref: 0725 MSAMALONIS1@TWNSHP

[This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.]


Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in the message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.


Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate hacked site that tried to load one of the following three scripts:

[donotclick]e-equus.kei.pl/perusing/cassie.js
[donotclick]cncnc.biz/pothooks/addict.js
[donotclick]khalidkala.com/immigration/unkind.js

From there, the victim is sent to a malware site that uses a hijacked GoDaddy domain at [donotclick]hubbywifeburgers.com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here). This IP probably contains other hijacked domains from the same owner.

Recommended blocklist:
199.195.116.51
hubbywifeburgers.com
e-equus.kei.pl
cncnc.biz
khalidkala.com

Gmail Compose.. another app screwed up by Google

If you use Gmail then you've probably seen the "new compose" experience before. And turned it off. Well, Google never listed to feedback now Gmail joins a long list of applications that Google have screwed up, including Blogger, Google Play Music, Google Maps for Android and don't get me started on Google Reader and iGoogle.


The new compose experience attempts to be minimalist, but in reality it's either too small, or too big. If you are reply to a message then you get a tiny box at the bottom of the screen, a long way from the top of the email you are trying to reply to. And all the usual buttons have been hidden away because.. well, goodness only knows. It's a mess.

With these latest bodged updates, I really think that Google is jumping the shark and changing applications for no good reason at all. Android in particular is becoming a disaster area with important apps being screwed up completely. Perhaps it's time to buy a Lumia?

Tuesday 13 August 2013

Bank of American spam / Instructions Secured E-mail.zip

This fake Bank of American spam has a malicious attachment:

Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.

Thanks,

Amado.Underwood
Bank of America
Principal Business Relationship Manager
Direct - 915-045-4237 office
Cell - 915-070-4128 cell
Amado.Underwood@bankofamerica.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. 
Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.

The detection rate for this initial malware is just 9/45 at VirusTotal.

This is a pony/gate downloader [1] which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack, and it also utilises a hijacked GoDaddy domain.

The download then attempts to download a second stage from the from the following locations [2] (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs.com/D5F7G.exe
[donotclick]betterbacksystems.com/kvq.exe
[donotclick]www.printdirectadvertising.com/vfMJH.exe
[donotclick]S381195155.onlinehome.us/vmkCQg8N.exe

The second stage has an even lower detection rate of just 3/45. The analyses by Comodo CAMAS and Malwr do give some detail as to how this part infects the target system.

Recommended blocklist:
192.81.135.132
guterprotectionperfection.com
Missionsearchjobs.com
betterbacksystems.com
www.printdirectadvertising.com
S381195155.onlinehome.us

Pharma sites to block

These fake pharma sites and IPs seem related to these malware domains, and follows on from this list last week.

31.184.241.32 (Petersburg Internet Network, Russia)
46.29.18.176 (Sprint SA, Poland)
61.57.103.241 (Taoyuan TBC, Taiwan)
61.133.234.105 (Haidong Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.95 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithunia)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithunia)
197.231.210.165 (Inspiring Networks LTD, Seychelles)
199.180.100.82 (PEG TECH INC, US)
199.180.100.85 (PEG TECH INC, US)

Recommended blocklist:
31.184.241.0/24
46.29.18.176
61.57.103.241
61.133.234.105
91.199.149.0/24
91.204.162.0/24
91.216.163.92
185.5.99.145
185.8.106.161
197.231.210.165
199.180.100.82
199.180.100.85
0xm0v3t1.mediastoreplus.com
17z2h9ue.mediastoreplus.com
1dsnx7pjs.mediastoreplus.com
2hdija03.mediastoreplus.com
2pillsonline.com
353.mediastoreplus.com
3qtpidpzlw.mediastoreplus.com
4ow5mu5.mediastoreplus.com
53zx71we.mediastoreplus.com
6gi.mediastoreplus.com
7boma.mediastoreplus.com
7umio9jjc.mediastoreplus.com
8hk0oib.mediastoreplus.com
8vi8.mediastoreplus.com
androidrugstoretablet.com
b6m0z.mediastoreplus.com
benedictaselie.com
bidh.ru
biotechealthcarepills.pl
boschmedicaremeds.com
briannecarlotta.com
b-wfkif3p.mediastoreplus.com
canadaipad.com
canadiancanada.com
coopaq.ru
danyetteeaster.com
dehxqc.elut.ru
dieein.com
dietrxhcg.com
dl6xmehg.mediastoreplus.com
drugslnessmedicine.com
drugstorepillsdrugs.com
drugstorepillwalgreens.com
dysm.ru
eyg.mediastoreplus.com
fvecare.com
gtyktdli.com
hece.ru
herbalburdette.com
herbalpillecstasy.com
htta.ru
inningmedicare.com
inningmedicare.pl
jdok.mediastoreplus.com
joam.ru
jsp0.mediastoreplus.com
jvtbkpmtkv.mediastoreplus.com
kaleic.ru
knei.ru
kxh.mediastoreplus.com
l3l1h.mediastoreplus.com
laug.ru
li2.mediastoreplus.com
mbid.ru
medicaidarmedicare.com
medicaretabletandroid.com
medicinetabletsurface.com
medopioid.pl
menono.ru
menutabmed.com
mwpzi.mediastoreplus.com
myviagragenerics.pl
n3zb4o5u9.mediastoreplus.com
nexuslevitra.com
nispw96.mediastoreplus.com
oshu.ru
patientsviagramedicare.com
pharmedtransplant.com
pharmreit.com
pharmysmartrend.com
pilldrugprescription.net
pillsstreetinsider.com
prescriptioncarecenter.com
prescriptionmedicinepatients.com
prescriptionmedwalgreen.com
qgb7zxj.mediastoreplus.com
quzkobeox.com
ruld.ru
rxdrugspills.ru
rxnicu.com
rzu1b.mediastoreplus.com
s5bw.mediastoreplus.com
shelbieleni.com
sieh.ru
skah.ru
tabcialbenghazi.com
tabherbalsummary.com
thegenericsprescription.com
torontocanadapharm.com
torontotab.pl
us0cyezkn.mediastoreplus.com
viagramedicaid.com
viagramedicineveterinary.com
viagramedicineveterinary.pl
vsn268zo3.mediastoreplus.com
w5lpytop.mediastoreplus.com
weightdietpharm.com
welnesslevinikita.com
welnessnsmt.com
wpakq.mediastoreplus.com
wroo.ru
ya3zwmrmgk.mediastoreplus.com
zva4p7457.mediastoreplus.com
zwig.ru

Malware sites to block 13/8/13

These IPs and domains belong to this gang and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)
5.231.57.253 (GHOSTnet, Germany)
15.185.121.30 (HP Cloud Services, US)
24.173.170.230 (Time Warner Cable, US)
37.99.18.145 (2day Telecom, Kazakhstan)
42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)
50.2.109.148 (Eonix Corporation, US)
50.56.172.149 (Rackspace, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (LG DACOM, Korea)
65.190.51.124 (Time Warner Cable, US)
66.230.163.86 (Goykhman And Sons LLC, US)
68.174.239.70 (Time Warner Cable, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communcations, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork SRO, Czech Republic)
89.163.170.134 (Unitedcolo, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
95.138.165.133 (Rackspace, UK)
109.107.128.13 (The Blue Zone East, Jordan)
114.112.172.34 (Worldcom Teda Networks Technology, China)
123.202.15.170 (Hong Kong Broadband Network, Hong Kong)
140.113.87.153 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.224.211.216 (Psychz Networks, US)
177.53.80.39 (Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithunia)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
190.95.222.196 (Homenet CIA. Ltda / Telconet, Ecuador)
198.211.115.228 (Digital Ocean Inc, US)
199.231.188.226 (Interserver Inc, US)
202.197.127.42 (CERNET, China)
204.124.182.30 (Volumedrive, US)
209.222.67.251 (Razor Inc, US)
212.68.34.88 (Mars Global Datacenter Services, Turkey)
216.158.67.42 (Webnx Inc, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:
5.39.14.148
5.231.57.253
15.185.121.30
24.173.170.230
37.99.18.145
42.121.84.12
50.2.109.148
50.56.172.149
59.77.36.225
59.124.33.215
61.36.178.236
65.190.51.124
66.230.163.86
68.174.239.70
74.207.251.67
75.147.133.49
78.47.248.101
88.86.100.2
89.163.170.134
95.87.1.19
95.111.32.249
95.188.76.14
95.138.165.133
109.107.128.13
114.112.172.34
123.202.15.170
140.113.87.153
140.116.72.75
173.224.211.216
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
190.95.222.196
198.211.115.228
199.231.188.226
202.197.127.42
204.124.182.30
209.222.67.251
212.68.34.88
216.158.67.42
217.64.107.108
50plus-login.com
abundanceguys.net
acautotentsale.net
allgstat.ru
amnsreiuojy.ru
amods.net
antidoctorpj.com
askfox.net
astarts.ru
autocompletiondel.net
avini.ru
badstylecorps.com
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
blindsay-law.net
bnamecorni.com
boardsxmeta.com
boats-sale.net
breakingtextediti.com
briltox.com
businessdocu.net
buycushion.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
centow.ru
condalinneuwu37.net
condrskajaumaksa66.net
controlsalthoug.com
creativerods.net
credit-find.net
crossplatformcons.com
culturalasia.net
cyberflorists.su
datapadsinthi.net
devicesta.ru
dulethcentury.net
ehnihjrkenpj.ru
endom.net
evishop.net
exhilaratingwiki.net
exnihujatreetrichmand77.net
exowaps.com
fitstimekeepe.net
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
frontsidecash.net
frutpass.ru
gatumi.com
gondorskiedelaahuetebanj88.net
gonulpalace.net
gormoshkeniation68.net
gotoraininthecharefare88.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
info-for-health.net
inningmedicare.pl
intcheck.com
jonkrut.ru
kneeslapperz.net
legalizacionez.com
lhobbyrelated.com
liliputttt9999.info
lucams.net
made-bali.net
magiklovsterd.net
medusascream.net
micnetwork100.com
microsoftnotification.net
mifiesta.ru
mirris.ru
mobile-unlocked.net
moonopenomy.com
motobrio.net
musicstudioseattle.net
namastelearning.net
neplohsec.com
nightclubdisab.su
nvufvwieg.com
onsayoga.net
onsespotlight.net
ordersdeluxe.com
organizerrescui.pl
pacifista.ru
palmer-ford.net
partyspecialty.su
pinterest.com.onsayoga.net
prysmm.net
pure-botanical.net
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
ringosfulmobile.com
saberig.net
sai-uka-sai.com
scourswarriors.su
sensetegej100.com
sensing-thefuture.com
seoworkblog.net
suburban.su
tagcentriccent.net
tagcentriccent.pl
taltondark.net
templateswell.net
thegalaxyatwork.com
thesecuritylistfx.net
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
viperlair.net
vip-proxy-to-tor.com
wildgames-orb.net
workeschaersecure.net
x-pertwindscreens.net
zestrecommend.com
zukkoholsresv.pl

Monday 12 August 2013

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook
   
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell
   
Bao Aguliar
Bibi Akel
   
Eleanora Casella
Murray Carsten
   
Jordana Fiqueroa
Jona Fiorelli
   
Leisha Heape
Lacresha Hautala
   
Monnie Carrillo
Missy Carreiro
find more pages
         
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303
Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains (in italics below)

Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com






Saturday 10 August 2013

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:

Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:39 AM EDT, Fri August 9, 2013
Canadian teenager Rehtaeh Parsons, who was allegedly gang-raped and bullied, has died, her family said. Parsons, 17, was hospitalized after she tried to hang herself on Thursday, April 4. The high school student from Halifax, Nova Scotia, was taken off life support three days later.

Canadian teenager Rehtaeh Parsons

Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening.  Full story >>

The link in the email goes through a legitimate but hacked site and ends up running one of three scripts:
[donotclick]1494ccc706155932.lolipop.jp/canard/lockup.js
[donotclick]ftp.adaware.net/earwax/philosophic.js
[donotclick]hargobindtravels.com/coloratura/nesting.js

The victim is then sent to a malware payload site at [donotclick]hubbynwifewines.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 72.249.76.197.

Recommended blocklist:
72.249.76.197
1494ccc706155932.lolipop.jp
ftp.adaware.net
hargobindtravels.com
housewalla.com
hubby-wife.com
hubbynwife.com
hubbynwifecakes.com
hubbynwifewines.com
hubbynwifedesigns.com

Thursday 8 August 2013

Citibank spam / Loan_08082013.exe

This fake Citibank spam comes with a malicious attachment:

Date:      Thu, 8 Aug 2013 13:09:04 -0500 [14:09:04 EDT]
From:      Erin_Gay [Erin_Gay@citibank.com]
Subject:      RE: Loan Approved

Your documents are ready , please sign them and email them back.

Thank you

Erin_Gay
Level III Account Management
817-835-6023 office
817-074-9181 cell Erin_Gay@citibank.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

The security of personal information about you is our priority. We protect this
information by maintaining physical, electronic, and procedural safeguards that meet
applicable law. We train our employees in the proper handling of personal information.
When we use other companies to provide services for us, we require them to protect the
confidentiality of personal information they receive.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

The attachment is in the format Loan.recipient-name.zip and contains the executable Loan_08082013.exe (note the date is encoded into the filename).

The initial file is just a trojan downloader. VirusTotal results are 10/45. The Malwr analysis gives some excellent details of what is going in, included attempted downloads from the following locations:
[donotclick]www.arki.com/ponyb/gate.php
[donotclick]ftp.miniaturesbykim.com/fzKU1Y.exe
[donotclick]www.gfchargers.org/iwa4s1.exe
[donotclick]ftp.jason-tooling.com/nhdx.exe
[donotclick]www.rachelcondry.com/nLiZVHtr.exe

This downloads a Zeus variant with a very low detection rate of 4/45. The Malwr analysis for this part shows some apparent peer-to-peer traffic (note some of these IPs are legitimate and belong to Google):
88.84.107.110
184.39.153.172
116.15.200.129
108.210.216.93
79.10.245.249
130.251.186.103
75.32.154.102
50.65.158.6
99.146.98.160
69.246.97.159
76.226.134.206
88.68.122.74
200.91.49.183
157.100.168.252
99.181.10.118
108.234.133.110
108.240.232.212
108.74.172.39
178.238.233.29
69.115.119.227
99.26.122.34
173.194.67.99
23.25.36.93
173.194.67.94
174.96.27.128
2.158.160.98
123.201.22.66
187.214.18.148
174.141.40.194
97.67.116.122
173.209.69.2
103.1.71.126
204.155.62.5
97.96.126.195
208.118.221.212
50.78.124.173

TigerDirect.com spam / palmer-ford.net

This fake TigerDirect.com spam leads to malware on palmer-ford.net:

Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]
From:      "TigerDirect.com" [noreply@tigerdirect.com]
Subject:      Your TigerDirect.com Order I9179488 Shipment Update

ComputersComputer PartsElectronicsTV & VideoCameras & SurveillanceCell Phones
Order Shipped:
   
08/07/2013
Order No.
   
I9179488
Shipment Total:
   
$732.20
Shipment Confirmation

[redacted],

Your order shipped on 08/07/2013 and is on its way to you. Click here to log in to MY ACCOUNT for the latest information on your order.

Below, you’ll find a recap of the shipped item(s):

TRACKING NUMBER(S):
1Z2V811KO067774417
(Note: Tracking information may not be available immediately; it may take up to 1 full business day for packages that have reached the shipper to have activity associated with the tracking number. Shipping confirmations for USPS and international shipments as well as for some special order items will not include a tracking number.)
Shipped Items:
   
Quantity
Lenovo H718 Desktop PC - 2nd Gen. Intel Core i3-1130 3.2GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 8 64-bit, Keyboard & Mouse, (65412680) (T56-C5300 )
   
   
1
   
   
(Click Image Above To Track Your Order) Allow 24 hours for the tracking # to appear in the Shippers' System.
Manufacturer Tech Support: 1-877-453-6686
Manufacturer Tech URL: www.lenovo.com


Again, for the latest information on your order, please click here to log in to MY ACCOUNT. You can also view your Order History, get Invoice Copies, Return Authorizations, add Product Reviews and much more.

Regards,

TigerDirect.com
Customer Care Team

CHECK OUT THE LATEST DEALS - CLICK HERE

Shipment Information
Abigail Hall
2864 N Bell Rd

Pasadena, SC 72936
Your shipping method varies. Please view the chart below for approximate transit times.

Transit Times
Truck Delivery: 7 - 10 Business Days
EconoShip Delivery: 4 - 9 Business Days
UPS Ground: 2 - 7 Business Days
UPS Second Day: 2 Business Days
UPS Next Day Air: 1 Business Day
US Postal Service: 2-3 Business Day Including Saturdays

Saturdays, Sundays and holidays do not count toward the estimated transit days. Packages that leave our fulfillment center on Saturdays, Sundays or holidays will not actually reach the shipper until Monday or the next business day.

Should you have any additional questions regarding your order, please feel free to visit our customer help pages at http://www.tigerdirect.com/help/.

Should you need to exchange or return a product, please visit http://www.tigerdirect.com/sectors/help/return.asp
   
Other Items to Consider

Home Theater Week

Search over 100,000 Products in Stock...
            Refer-A-Friend            
Deal Alerts via
    Sign up for RSS

TigerDirect.com is not responsible for typographical errors or omissions. This email was sent to dynamoo@spamcop.net in response to Order # I9179488.

Note that TigerDirect.com never sells, rents, or shares your email address For more information, please review the TigerDirect.com Privacy Policy at: http://www.tigerdirect.com/sectors/aboutus/privacy.asp

Call Center Hours of Operation: Mon - Fri: 7am til 1am ET and Sat - Sun: 8am til Midnight ET

For Merchandise Returns: c/o TigerDirect Warehouse - 175 Ambassador Drive, Naperville, IL 60540

Copyright © 2013 - TigerDirect, Inc. 7795 West Flagler Street, Suite 35, Miami, FL 33144 (Corporate Headquarters: No Returns Accepted)
LEGAL NOTICES| PRIVACY POLICY
The email looks pretty convincing:


Clicking on the links in the email takes you to a legitimate hacked site and then on to a malware landing page at [donotclick]www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php (report here) which contains an exploit kit.

Although it looks a bit like the link is actually on the tigerdirect.com site, it is actually hosted on the recently registered domain palmer-ford.net which has characteristically fake WHOIS details that mark it out as belonging to the Amerika gang.

   Administrative Contact, Technical Contact:
   Mills, Lawrence  rexona1948@live.com
   5700 Arlington Ave
   Bronx, NY 10471
   US
   7185432402


The malware domain is hosted on the following IPs along with some other malicious domains:
95.111.32.249 (Mobitel EAD, Bulgaria)
199.231.188.226 (Interserver Inc, US)
216.158.67.42 (Webnx Inc, US)

Recommended blocklist:
95.111.32.249
199.231.188.226
216.158.67.42
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
askfox.net
briltox.com
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
condalinneuwu37.net
condrskajaumaksa66.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
evishop.net
exnihujatreetrichmand77.net
facebook.com.n.find-friends.oncologistoncology.net
firefoxupd.pw
firerice.com
fulty.net
gnanosnugivnehu.ru
gotoraininthecharefare88.net
klwines.com.order.complete.prysmm.net
liliputttt8888.info
links.emails.bmwusa.com.open.pagebuoy.net
lucams.net
merchantcenter.intuit.com.click-for-click.com
micnetwork100.com
mifiesta.ru
onemessage.verizonwireless.com.verizonwirelessreports.com
onsayoga.net
partyspecialty.su
paypal.com.us.planetherl.net
pinterest.com.onsayoga.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
sai-uka-sai.com
sartorilaw.net
seoworkblog.net
tintencenter.net
verizonwirelessreports.com
vitans.net
www.aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
www.klwines.com.order.complete.prysmm.net
www.linkedin.com.e.v2.kennebunkauto.net
www.paypal.com.us.planetherl.net
www.pinterest.com.onsayoga.net
www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
www.verizonwirelessreports.com