Sponsored by..

Showing posts with label AOL. Show all posts
Showing posts with label AOL. Show all posts

Friday 17 May 2013

"Referral link" spam / rockingworldds.net and parishiltonnaked2013.net

This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:

From: [AOL sender]
Sent: 17 May 2013 14:12
To: [redacted]
Subject: [AOL screen name]

Subject :RE(8)
Sent: 5/17/2013 2:11:53 PM
referral link
http://printcopy.co.za/elemqi.php?whvbcfm
The link goes through a legitimate hacked site and in this case ends up at [donotclick]rockingworldds.net/sword/in.cgi?6 (report here) which either redirects to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013.net/ngen/controlling/coupon_voucher.php (report here) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11  (Clodo-Cloud / IT House, Russia).

That server contains a number of other suspect domains that I would suggest that you add to your blocklist:
62.76.190.11
bestukdeals2013.net
catpowers.org
gabbingdeals.com
moonflyerss.com
moonflyerss.net
moonflyerss.org
parishiltonnaked2013.com
parishiltonnaked2013.net
parishiltonnaked2013.org
rockelssens.com
rockelssens.net
rockelssens.org
rockingworldds.com
rockingworldds.net
rockingworldds.org
stofennerson.com
stofennerson.net
stonehengeexposed.com
stonehengeexposed.org
weightlosssystemonline.com

I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia.