Thursday, 15 August 2013

"INCOMING FAX REPORT" spam / chellebelledesigns.com

A facsimile transmission. How quaint. Of course, it isn't. The link in the spam goes to a malicious page on chellebelledesigns.com:

From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll

Click here to view the file online

*********************************************************

Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate hacked site and then on to one of three scripts:
[donotclick]millionaireheaven.com/mable/rework.js
[donotclick]pettigrew.us/airheads/testier.js
[donotclick]www.situ-ingenieurgeologie.de/tuesday/alleviation.js

From there, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns.com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server (listed in italics below):

Recommended blocklist:
173.246.104.55
1800callabe.com
1866callabe.com
chellebelledesign.com
chellebelledesigns.com

millionaireheaven.com
pettigrew.us
www.situ-ingenieurgeologie.de
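As an added example (not part of the original post), a small Python triage routine for inbound mail that flags the two things described above: a From: address forged to look like the receiving organisation's own domain, and links whose host appears on the recommended blocklist. The sample message is constructed, with example.com standing in for the victim's domain; it assumes the message was received from outside the organisation.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the post's blocklist (lowercased, no [donotclick] prefix).
BLOCKLIST = {
    "173.246.104.55", "1800callabe.com", "1866callabe.com",
    "chellebelledesign.com", "chellebelledesigns.com",
    "millionaireheaven.com", "pettigrew.us", "www.situ-ingenieurgeologie.de",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def triage(raw_message: str, local_domain: str) -> dict:
    """Flag (a) a From: address claiming our own domain and (b) links to
    blocklisted hosts. Assumes raw_message was received from outside the
    organisation (check Received/SPF upstream), as in the post's scenario."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    text = ""
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    return {
        "spoofed_internal_sender": from_domain == local_domain.lower(),
        "blocklisted_links": sorted(hosts & BLOCKLIST),
    }


# Constructed sample modelled on the lure quoted in the post; example.com stands
# in for the victim's domain and the link points at the post's landing page.
SAMPLE = """\
From: Administrator <administrator@example.com>
To: payroll@example.com
Subject: INCOMING FAX REPORT : Remote ID: 1043524020
Content-Type: text/plain; charset="utf-8"

INCOMING FAX REPORT
Description: June Payroll
Click here to view the file online:
http://chellebelledesigns.com/topic/conclusion-western.php
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "example.com"))
```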
