Sponsored by..

Showing posts with label CNN. Show all posts
Showing posts with label CNN. Show all posts

Friday 6 September 2013

CNN "The United States began bombing" spam / luggagepreview.com

This fake CNN spam leads to malware on luggagepreview.com:

Date:      Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: "The United States began bombing"

The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013


(CNN) -- Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus.  Full story >>
Rescuing Hannah Anderson

    Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
    No one has claimed responsibility for her death, but police suspect militants
    Banerjee wrote "A Kabuliwala's Bengali Wife" about her escape from the Taliban

The link in the email is meant to go to [donotclick]senior-tek.com/tenth/index.html but the "Full story" link has a typo in and goes to senior-tekcom/tenth/index.html (without the dot) instead which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo.it/disburse/ringmaster.js
[donotclick]stages2saturn.com/scrub/reproof.js
[donotclick]www.rundherum.at/rabbiting/irritate.js

From there the visitor is sent to a malicious payload at  [donotclick]luggagepreview.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains listed below in italics.

Recommended blocklist:
174.140.171.207
luggagepoint.de
luggagewalla.com
londonleatherusa.com
luggagejc.com
londonleatheronline.com
luggagecast.com
luggage-tv.com
luggagepreview.com
dyweb.info
yesrgood.info
dai-li.info
expopro.info
crediamo.it
stages2saturn.com
www.rundherum.at

Saturday 10 August 2013

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:

Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:39 AM EDT, Fri August 9, 2013
Canadian teenager Rehtaeh Parsons, who was allegedly gang-raped and bullied, has died, her family said. Parsons, 17, was hospitalized after she tried to hang herself on Thursday, April 4. The high school student from Halifax, Nova Scotia, was taken off life support three days later.

Canadian teenager Rehtaeh Parsons

Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening.  Full story >>

The link in the email goes through a legitimate but hacked site and ends up running one of three scripts:
[donotclick]1494ccc706155932.lolipop.jp/canard/lockup.js
[donotclick]ftp.adaware.net/earwax/philosophic.js
[donotclick]hargobindtravels.com/coloratura/nesting.js

The victim is then sent to a malware payload site at [donotclick]hubbynwifewines.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 72.249.76.197.

Recommended blocklist:
72.249.76.197
1494ccc706155932.lolipop.jp
ftp.adaware.net
hargobindtravels.com
housewalla.com
hubby-wife.com
hubbynwife.com
hubbynwifecakes.com
hubbynwifewines.com
hubbynwifedesigns.com

Tuesday 30 July 2013

CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

This fake CNN spam leads to malware on deltadazeresort.net:

Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie,
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie, "World War Z."


(EW.com) -- She might not get paid as much as "Iron Man," but there's no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.

This year, Jolie topped Forbes' annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.

The link in the email goes to a legitimate hacked site and then to one or more of three scripts:

[donotclick]00002nd.rcomhost.com/immanent/surfeit.js
[donotclick]theplaidfox.com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs.com/afforestation/provosts.js

From there the victim is sent to a landing page at [donotclick]deltadazeresort.net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:

66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US)
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

Thursday 25 July 2013

CNN "77 dead after train derails" spam / evocarr.net

This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr.net:


Date:      Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From:      77 dead after train derails [BreakingNews@mail.cnn.com>]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN


77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS

    NEW: Train driver told police he entered the bend too fast, public broadcaster reports
    NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
    Witness: "The train was broken in half. ... It was quite shocking"
    77 people are dead, more bodies may be found, regional judicial official says

Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said.� Full Story >>>>

The link in the email goes to a legitimate hacked site which tries to load one or more of the following scripts:

[donotclick]church.main.jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage.com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch.de/referees/metacarpals.js

From there the victim is sent to a landing page at [donotclick]evocarr.net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following hijacked GoDaddy domains are on the same IP and can be considered suspect:
evocarr.net
serapius.com
leacomunica.net
mindordny.org
rdinteractiva.com
yanosetratasolodeti.org

Wednesday 24 July 2013

CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com

This fake CNN spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN

CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July 24, 2013 -- Updated 0151 GMT (0951 HKT)
Watch this video
Perfect gift for royal baby ... a tree?

STORY HIGHLIGHTS

    Gifts for William and Catherine's baby must honor special U.S.-UK relationship
    William got a gift from Reagans when he was born; brother Harry got nothing
    Truman sent telegram for Charles' birth; Coolidge did even less for queen's birth
    Protocol expert suggests American-made crafts -- but no silver spoons

Washington (CNN)�-- What will the Obamas get the royal wee one? Sources say it's a topic under discussion in the White House and at the State Department.

No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.

Kate and William bring home royal baby boy

The payload work in exactly the same way as this fake Facebook spam earlier today and consists of a hacked GoDaddy domain (nphscards.com) hosted on 162.216.18.169 by Linode.

CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com

This fake CNN alert leads to malware on fragrancewalla.com:


Date:      Wed, 24 Jul 2013 12:13:04 +0530 [02:43:04 EDT]
From:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'" [BreakingNews@mail.cnn.com]
Subject:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'"

CNN
Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'
By Emily Zemler, Special to CNN
July 21, 2013 -- Updated 1546 GMT (2346 HKT)
Actor Harrison Ford said he wasn't concerned about
Actor Harrison Ford said he wasn't concerned about "Ender's Game" author Orson Scott Card's views on gay marriage.


Editor's note: CNN.com is covering Comic-Con, the international gathering of geek and mainstream pop culture enthusiasts, through Sunday.

San Diego (CNN) -- For actor Harrison Ford, who is starring in a movie adaptation of Orson Scott Card's heralded and popular novel "Ender's Game," statements against same-sex marriage by the science-fiction author "are not an issue for me." FULL STORY

The link in the email goes through a legitimate hacked site, and then tries to run one or all of the following scripts:
[donotclick]ellensplace.lk/orientated/honecker.js
[donotclick]rodeiouniversitario.com.br/vicissitudes/furlong.js
[donotclick]funeralsintexas.com/gazillions/donkey.js

In turn, these scripts direct the victim to a malware landing page at [donotclick]fragrancewalla.com/topic/accidentally-results-stay.php (report here, appears to be 403ing but that could just be an anti-analysis response) hosted on 173.246.101.146 (Gandi, US).

The domain in question appears to be a hacked GoDaddy account, and the following GoDaddy registered domains are also on the same server and should be treated as suspicious:
happykidoh.com
fragrancewalla.com
fragrancessurplus.com

Wednesday 17 April 2013

CNN.com Boston Marathon spam / thesecondincomee.com

This Boston Marathon themed spam leads to malware on thesecondincomee.com:

Example 1:

Date:      Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From:      CNN Breaking News [BreakingNews@mail.cnn.com]
Subject:      Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com   
     
CNN.com    
Powered by    
* Please note, the sender's email address has not been verified.
            
You have received the following link from BreakingNews@mail.cnn.com:    
           
Click the following to access the sent link:
            
Boston Marathon Explosions - Obama Benefits? - CNN.com*
                 
SAVE THIS link     FORWARD THIS link
           
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
     
     
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

Example 2:

Date:      Wed, 17 Apr 2013 22:32:56 +0600
From:      behring401@mail.cnn.com
Subject:      Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
   
Powered by    
* Please note, the sender's email address has not been verified.
   
You have received the following link from BreakingNews@mail.cnn.com:    
   
Click the following to access the sent link:
   
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
       
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here


The malicious payload is at [donotclick]thesecondincomee.com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)

The recommended blocklist is the same as used in this earlier attack.
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60
airtrantran.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko.ru
conficinskiy.ru
confideracia.ru
coretec.pl
cormoviesutki.ru
dailypost.pl
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
elmara.ru
excuticoble.ru
fenvid.com
freedblacks.net
fxtv.pl
gardeningexplains.biz
gatoversignie.ru
hurienothing.ru
independinsy.net
janefgort.net
klosotro9.net
miniscule.pl
nulio.ru
programcam.ru
ricepad.net
seantit.ru
securitysmartsystem.com
techzoom.pl
thesecondincomee.com

Tuesday 19 March 2013

Malware spam: "Opinion: Cyprus banks shut extended to Monday - CNN.com" / salespeoplerelaunch.org

This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch.org:

Date:      Tue, 19 Mar 2013 10:40:22 -0600
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: Cyprus banks shut extended to Monday - CNN.com

   
Powered by    
* Please note, the sender's email address has not been verified.
   
   
You have received the following link from BreakingNews@mail.cnn.com:    
   
   
Click the following to access the sent link:
   
   
Cyprus banks shut extended to Monday - CNN.com*
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
The malicious payload is at [donotclick]salespeoplerelaunch.org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).

Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)

Recommended blocklist:
salespeoplerelaunch.org
dnslvlup.com
69.197.177.16
5.9.212.43
66.85.131.123



Monday 18 March 2013

Malware spam "New Pope Sued For Not Wearing Seat Belt In Popemobile" / webpageparking.net

This pope themed spam leads to malware on webpageparking.net:

Date:      Mon, 18 Mar 2013 20:20:54 +0200
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com


Powered by    
* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:    
       
Click the following to access the sent link:
       
New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com*
   
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The link goes through a legitimate hacked site and leads to a malicious payload at [donotclick]webpageparking.net/kill/borrowing_feeding_gather-interesting.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom KFT, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

BLOCKLIST:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
fenvid.com
gatovskiedelishki.ru
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
porftechasgorupd.ru
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com
teenlocal.net

UPDATE: another version of this is doing the rounds with a subject "Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases? - CNN.com"