Fake Amazon spam uses email address harvested from Comparethemarket.com

This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.

From:     Amazon.com [ship-confirm@amazon.com]
Reply-To:     "Amazon.com" [ship-confirm@amazon.com]
Date:     3 October 2013 15:43
Subject:     Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!

 Amazon.com        
Kindle Store
     |  Your Account  |  Amazon.com
Order Confirmation
Order #159-2060285-0376154
[redacted]

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013

Your shipping speed:
Next Day Air
Your Orders    

Your order was sent to:
Evan Young
1235 Sunset Dr
San Paolo, NE 69700-0290
United States
Order Details
Order #159-2060285-0376154
Placed on Wensday, May 29, 2013
    Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
Electronics
In Stock
Sold by Electronic Express, Inc.
    Facebook     Twitter     Pinterest
    $1,397.99
Item Subtotal:     $1,397.99
Shipping & Handling:     $0.00

Total Before Tax:     $1,397.99
Estimated Tax:     $0.00

Order Total:     $1,397.99

To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.

Thank you for shopping with us.
Amazon.com
DVD
   
Books

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message. 

How the email address was extracted from Comparethemarket.com is not known.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:

[donotclick]berkahabadi.de/unclear/unsettle.js
[donotclick]sigmarho.zxq.net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online.de/creel/eccentrically.js


This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). THis is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.

Recommended blocklist:
96.126.103.252
globalrealty-nyc.info
berkahabadi.de
sigmarho.zxq.net
wni9e7311.homepage.t-online.de

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chungwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (Hetzner, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
140.116.72.75 (TANET, Taiwan)
182.72.216.173 (Cusdelight Consultancy SE, India)
190.85.249.159 (Telmex Colombia, Colombia)
202.197.127.42 (CERNET, China)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.124
24.173.170.230
41.196.17.252
54.218.249.132
59.124.33.215
61.36.178.236
68.174.239.70
78.47.248.101
95.87.1.19
114.112.172.34
140.116.72.75
182.72.216.173
190.85.249.159
202.197.127.42
208.115.237.88
217.64.107.108
abundanceguys.net
amods.net
annot.pl
autocompletiondel.net
avini.ru
badstylecorps.com
beachfiretald.com
cbstechcorp.net
crossplatformcons.com
datapadsinthi.net
dulethcentury.net
endom.net
exhilaratingwiki.net
exowaps.com
explicitlyred.com
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
hdmltextvoice.net
housesales.pl
ignitedannual.com
includedtight.com
jdbcandschema.su
lhobbyrelated.com
magiklovsterd.net
onsespotlight.net
operapoland.com
ordersdeluxe.com
organizerrescui.pl
playtimepixelating.su
prgpowertoolse.su
relectsdispla.net
ringosfulmobile.com
scourswarriors.su
sludgekeychai.net
streetgreenlj.com
tagcentriccent.net
tagcentriccent.pl
wildgames-orb.net
zestrecommend.com
zukkoholsresv.pl

sendgrid.me / amazonaws.com spam

This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid.me) and leads to malware hosted on Amazon's cloud service, amazonaws.com. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via sendgrid.me
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:     sendgrid.me

The email appears to originate from 138.91.78.32 which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid.net)

The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws.com/ft556/Document_948357853____.exe [https] (VirusTotal report) which then downloads a further executable from [donotclick]s3.amazonaws.com/mik49/ss32.exe [http] (VirusTotal report) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe.

ThreatExpert reports that the downloader (the first executable) is hardened against VM-based analysis:

Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).

Anubis, Comodo CAMAS, Malwr and ThreatTrack give various clues as to what the downloader is doing.

The second part (ss32.exe) attempts to lookup a server called mssql.maurosouza9899.kinghost.net 177.185.196.130 (IPV6 Internet Ltda, Brazil) according to CAMAS and Anubis identifies an attempted connection to bit.ly/15aDtjB  which attempts to connect to an unregistered domain of www.mdaijdasid.com (report here). Malwr gives some further information on system changes as does ThreatTrack. ThreatExpert reports seeing Themida again.

Quite what the second part of the malware does is unclear, and it may simply be that the mdaijdasid.com hasn't been registered quite yet but will be later. VirusTotal does report some other badness on 177.185.196.130 so this is probably worth blocking.

Recommended blocklist:
177.185.196.130
mssql.maurosouza9899.kinghost.net
mdaijdasid.com
s3.amazonaws.com/mik49/
s3.amazonaws.com/ft556/
bit.ly/15aDtjB

Amazon.com spam / goldcoinvault.com

This fake Amazon.com spam leads to malware on goldcoinvault.com:

Date:      Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From:      "Amazon.com Customer Care Service" [payments-update@amazon.com]
Subject:      Payment for Your Amazon Order # 104-884-8180383

Regarding Your Amazon.com Order

Order Placed: June 11, 2013 Amazon.com order number: 104-884-8180383 Order Total: $2761.86 Sony VAIO E Series SVE11135CXW 11.6-Inch Laptop (White) Sony KDL50EX645 50-Inch 1080p 120HZ Internet Slim LED HDTV (Black) Sony DSC-H200 Digital Camera with 3-Inch LCD (Black) Payment Problem We're writing to let you know that we are having difficulty processing your payment for the above transaction. To protect your security and privacy, your issuing bank cannot provide us with information regarding why your credit card was declined. However, we suggest that you double-check the billing address, expiration date and cardholder name that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no need to place a new order as we will automatically try your credit card again. There are a few steps you can take to make the process faster: 1. Verify the payment information for this order is correct (expiration date, billing address, etc). You can update your account and billing information at : https://www.amazon.com/gp/css/summary/edit.html?ie=UTF8&orderID=104-884-8180383 2. Contact your issuing bank using the number on the back of your card to learn more about their policies. Some issuers put restrictions on using credit cards for electronic or internet purchases. Please have the exact dollar amount and details of this purchase when you call the bank. If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash from authorized resellers at a store near you. Visit www.amazon.com/cashgcresellers to learn more. Thank you for shopping at Amazon.com. Sincerely, Amazon.com Customer Service http://www.amazon.com Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message..

To view more details click Order Summary.
Please note: This is not a VAT invoice.

Conditions of Use | Privacy Notice 1996-2013, Amazon.com, Inc. or its affiliates
The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js
[donotclick]nteshop.es/tsingtao/flanneling.js

..from there it hits the main malware payload site at [donotclick]goldcoinvault.com/news/pictures_hints_causes.php (report here) hosted on goldcoinvault.com which is a hacked GoDaddy domain hijacked to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here and here, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good.

These following domains appear to be pointing to that server:
ccrtl.com
chrisandannwedding.com
chriscarlson.com
eaglebay5.com
eaglebay-eb5.com
freepokermoney.com
goldcoinvault.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
page10development.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org

Amazon.com 55 inch TV spam / ozonatorz.com

This earlier spam run about various brands of 55 inch TVs from Amazon has been updated and is now directing victims to a malware landing page on the domain ozonatorz.com:

From: auto-confirm@emlreq.amazon.com [mailto:bald4@customercare.amazon.com]
Sent: 29 May 2013 17:06
To: [redacted]
Subject: Amazon.com order of Akai NPK55KR9070 55-Inch

Kindle Store | Your Account | Amazon.com Order Confirmation Order #175-7801666-2934626 [redacted] Thank you for shopping with us. Wed like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com. Your estimated delivery date is: Thursday, May 30, 2013 - Friday, May 31, 2013 Your shipping speed: Next Day Air Your order was sent to: Benjamin Phillips 2724 3rdCotton Avenue Cohoes, CA 62229-6646 United States Order Details Order #175-7801666-2934626 Placed on Wensday, May 29, 2013 Akai NPK55KR9070 55-Inch 1080p 120Hz LED 3D HDTV (Silber) Electronics In Stock Sold by MODIA $979.98 Item Subtotal: $979.98 Shipping & Handling: $0.00 Total Before Tax: $979.98 Estimated Tax: $0.00 Order Total: $979.98 To learn more about ordering, go to Ordering from Amazon.com. If you want more information or need more assistance, go to Help. Thank you for shopping with us. Amazon.com Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information. This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

The malicious payload is on [donotclick]ozonatorz.com/news/basic_dream-goods.php (report here) hosted on:
41.89.6.179 (Kenya Education Network, Kenya)
141.28.126.201 (Hochschule Furtwangen, Germany)
177.5.244.236 (Brasil Telecom, Brazil)
208.68.36.11 (Digital Ocean, US)

These IPs form part of a much larger network of malicious sites listed here, but if we concentrate of these IPs only we get the following blocklist:
41.89.6.179
141.28.126.201
177.5.244.236
208.68.36.11
aviachecki.ru
avtotracki.ru
balckanweb.com
biati.net
buyparrots.net
federal-credit-union.com
giwmmasnieuhe.ru
icensol.net
mydkarsy.com
nvufvwieg.com
ozonatorz.com
rusistema.ru
smartsecurityapp2013.com
techno5room.ru
testerpro5.ru
trackerpro5.ru
twintrade.net
zeouk-gt.com

55-Inch TV Amazon.com spam / federal-credit-union.com

This fake Amazon.com spam leads to malware on federal-credit-union.com:


From:     auto-confirm@email.amazon.net [loyolay3@emalsrv.amazonmail.com]
Reply-To:     "auto-confirm@email.amazon.net" [loyolay3@emalsrv.amazonmail.com]
Date:     29 May 2013 16:55
Subject:     Amazon.com order of Samsung UN554X6050 55-Inch

Kindle Store  |  Your Account  |  Amazon.com Order Confirmation Order #134-8080453-8538443

[redacted] Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is: Thursday, May 30, 2013 - Friday, May 31, 2013 Your shipping speed: Next Day Air Your order was sent to: Tyler Scott 2516 Columbia Dr Washington, WA 40830-9361 United States

Order Details

Order #134-8080453-8538443 Placed on Wensday, May 29, 2013

Samsung UN554X6050 55-Inch 1080p 120Hz LED 3D HDTV (Dark Grey) Electronics In Stock Sold by World Wide Stereo, Inc. $1,099.99

Item Subtotal: $1,099.99 Shipping & Handling: $0.00 Total Before Tax: $1,099.99 Estimated Tax: $0.00 Order Total: $1,099.99

To learn more about ordering, go to Ordering from Amazon.com. If you want more information or need more assistance, go to Help.

Thank you for shopping with us. Amazon.com

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information. This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

I have also seen a similar spam with the subject "Amazon.com order of Sharp UN55EH5080 55-Inch" and I guess there are others. The spam goes through a legitimate hacked site and ends up on [donotclick]federal-credit-union.com/news/basic_dream-goods.php (report here). Luckily right at the moment this domain is suspended and won't work, however. There is a very large number of connected domains though which I am compiling a blocklist for and will post later..

Update: some other subjects include "Amazon.com order of Panasonic UN55EH6030 55-Inch" and "Amazon.com order of Akai NPK55KR9070 55-Inch".

Update 2: the malicious landing page has been replaced  with one using the domain ozonatorz.com.

Amazon.com spam / ehrap.net

This fake Amazon spam leads to malware on ehrap.net:

Date:      Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From:      "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject:      Your Amazon.com order confirmation.

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Information:

E-mail Address:  [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672

Order Grand Total: $ 53.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     I12-4392835-6098844
Subtotal of items:     $ 53.99
    ------
Total before tax:     $ 53.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 3.99
    ------
Total for this Order:     $ 53.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.

Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Thanks again for shopping with us.

Amazon.com
Earth's Biggest Selection

Prefer not to receive HTML mail? Click here

The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap.net/news/days_electric-sources.php (report here) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)

The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.

Blocklist:
85.41.88.24
98.210.212.79
140.121.140.92
178.175.140.185
197.246.3.196
216.70.110.21
airticketscanada.net
contonskovkiys.ru
curilkofskie.ru
ehrap.net
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
peertag.com
smartsecurity-app.com
zonebar.net

Amazon.com spam / salam-tv.com

This fake Amazon email leads to malware on salam-tv.com:

Date:      Tue, 5 Feb 2013 18:32:06 +0100
From:      "Amazon.com Orders" [no-reply@amazon.com]
Subject:      Your Amazon.com order receipt.

    Click here if the e-mail below is not displayed correctly.
   
Follow us:                    
   
   
Your Amazon.com                         Today's Deals                 See All Departments    


Dear Amazon.com Customer,    
       

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Details:

E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001

Order Grand Total: $ 91.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     C59-2302433-5787713
Subtotal of items:     $ 91.99
    ------
Total before tax:     $ 91.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 90.00
Gift Certificates:     $ 1.99
    ------
Total for this Order:     $ 91.99
       
       
   
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.

� 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571

Please note that this message was sent to the following e-mail address: [redacted]

The malicious payload should be at [donotclick]salam-tv.com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
morepowetradersta.com
capeinn.net
starsoftgroup.net
salam-tv.com