Wednesday, 18 September 2013

"INCOMING FAX REPORT" spam / lesperancerenovations.com


This fake fax spam appears to come from the Administrator at the victim's domain:

Date:      Wed, 18 Sep 2013 15:01:42 -0500 [16:01:42 EDT]
From:      Administrator [administrator@victimdomain]
Subject:   INCOMING FAX REPORT : Remote ID: 8775654573

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 09/18/2013 05:11:15 EST
Speed: 39287 bps
Connection time: 02:07
Pages: 2
Resolution: Normal
Remote ID: 8775654573
Line number: 1
DTMF/DID:
Description: August Payroll

Click here to view the file online

*********************************************************


The link in the email goes to a legitimate but hacked site and then tries to load one of the following three scripts:
[donotclick]0068421.netsolhost.com/partisanship/poached.js
[donotclick]ade-data.com/exuded/midyear.js
[donotclick]fangstudios.com/macedonian/piles.js

In turn, these try to direct the visitor to a malware landing page at [donotclick]lesperancerenovations.com/topic/seconds-exist-foot.php, which is a hijacked GoDaddy domain hosted on 174.140.169.145 (DirectSpace, US) along with several other hijacked GoDaddy domains.
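
The redirect chain described above, turned into a detection pass over web-proxy logs (an added example, not part of the original post). The indicators are the ones quoted above; the "time client url" log format, the client addresses and the `ade-data.com.example.net` lookalike host are constructed for illustration.

```python
from urllib.parse import urlsplit
# Indicators as the post prints them, still defanged with "[donotclick]".
DEFANGED = """
[donotclick]0068421.netsolhost.com/partisanship/poached.js
[donotclick]ade-data.com/exuded/midyear.js
[donotclick]fangstudios.com/macedonian/piles.js
[donotclick]lesperancerenovations.com/topic/seconds-exist-foot.php
"""
LANDING_HOSTS = {"lesperancerenovations.com", "174.140.169.145"}

def parse_indicators(text):
    """Strip the defang marker and return {host: path} for each listed URL."""
    urls = (urlsplit("//" + t.replace("[donotclick]", "")) for t in text.split())
    return {u.hostname: u.path for u in urls}

IOCS = parse_indicators(DEFANGED)
LOADER_HOSTS = set(IOCS) - LANDING_HOSTS

def under(host, domains):
    """True if host equals a listed domain or is a subdomain of one (no substring matches)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def stage(url):
    host = urlsplit(url).hostname
    if under(host, LANDING_HOSTS):
        return "landing"
    return "loader" if under(host, LOADER_HOSTS) else None

def find_chains(log_lines):
    """Report landing-page hits; 'chain' means the same client fetched a loader script first."""
    loaded, hits = set(), []
    for line in log_lines:
        _ts, client, url = line.split()[:3]
        s = stage(url)
        if s == "loader":
            loaded.add(client)
        elif s == "landing":
            hits.append((client, "chain" if client in loaded else "landing-only"))
    return hits

# Constructed proxy log (format is an assumption), built from IOCS so no live URL is typed out.
U = {h: f"http://{h}{p}" for h, p in IOCS.items()}
SAMPLE_LOG = [
    f"15:02:10 10.0.0.5 {U['fangstudios.com']}",
    f"15:02:11 10.0.0.5 {U['lesperancerenovations.com']}",
    "15:03:00 10.0.0.7 http://ade-data.com.example.net/exuded/midyear.js",
    "15:03:01 10.0.0.7 http://174.140.169.145/topic/x.php",
]
```

A "chain" result means the client followed the full redirect path from loader script to landing page; "landing-only" still warrants a look, since the loader request may have been cached or logged elsewhere.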

Recommended blocklist:

2 comments:

John Teahan said...

Thanks for that, I almost opened it but I thought I should google it just in case.

Axel Zehden said...

Happened again and now I got emails in German and English.