
Tuesday, 31 January 2012

NACHA Spam / sulusate.com

More NACHA spam leading to a malicious payload:

Date: 31 January 2012 22:55
Subject: ACH transaction fault

The ACH transaction ID: 415864020375, that had been effectuated from your banking account lately, was rejected by the the bank of the recipient.

ACH transfer declined
Transaction ID:     415864020375
Details:     please see the report below for details
Transaction Report     report_415864020375.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

This leads to a malicious payload at sulusate.com/search.php?page=977334ca118fcb8c, hosted on 209.59.220.98 (Endurance International Group, US). A Wepawet report for the malicious page is here.

Blocking the IP will prevent other malicious sites on the same server from doing their stuff. Endurance International has hosted several such malicious sites recently.

Friday, 23 March 2012

"USPS postage labels invoice" spam / indigocellular.com and jadecellular.com

This fake USPS message leads to malware on indigocellular.com:

From:     Elmer Cross USPS_Shipping_Info@usps.com
Date:     23 March 2012 13:42
Subject:     USPS postage labels invoice.

Acct #: 5047483

Dear client:

This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #1412337
Print Date/Time: 03/11/2012 02:30 AM CST
Postage Amount: $35.74
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 0583  1282  5071  3122  8696  (Sequence Number 1 of 1)

   

If you need further assistance, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 7 days after the print date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is an automatically generated message. Please do not respond 

The malicious payload is on indigocellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.218.102 (Endurance International, US). Blocking the IP will prevent other malware on the IP from being a threat.

Update: another current version of this spam redirects to jadecellular.com/showthread.php?t=73a07bcb51f4be71 on 72.249.104.75 (Networld Internet, US)

Thursday, 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com

Wednesday, 27 March 2013

"British Airways E-ticket receipts" spam / illuminataf.ru

This fake airline ticket spam leads to malware on illuminataf.ru:


Date:      Wed, 27 Mar 2013 03:23:05 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Ticket-Receipt.htm

e-ticket receipt
Booking reference: JQ15191488
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 51298446. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The attachment E-Ticket-Receipt.htm (which has a poor detection rate) leads to a malicious payload at [donotclick]illuminataf.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)

Blocklist:

Tuesday, 19 February 2013

UPS Spam / emmmhhh.ru

The spammers sending this stuff out always confuse UPS with USPS, this one is no exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462

You can use UPS .COM to:
 Ship Online
 Schedule a Pickup
 Open a UPS .COM Account


   
Welcome to UPS Team
Hi, [redacted].

DEAR CUSTOMER , We were not able to delivery the post package

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With best regards , UPS Customer Services.    


    ________________________________________
Copyright 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the Your USPS Team brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the Your USPS Customer Services Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.    
There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh.ru:8080/forum/links/column.php hosted on:

50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)

The following IPs and domains are all malicious and should be blocked:


Monday, 25 March 2013

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:


Friday, 10 January 2014

Marketing1.net spam

These spammers sent their sales pitch to a random info@ email address on an unused domain I use. And what are they selling? Email marketing lists.. well, if they used their own mailing list for this then it is obviously crap.

From:     Audrey Martin [info@globalcrm-eu.net]
Reply-To:     info@globalcrm-eu.net
Date:     10 January 2014 07:32
Subject:     Happy New Year! - Followup to our last offer

Dear Madam, Dear Sir

Everyone in our team would like you wish you a happy and successful new year 2014! To help make this year even better for you, we have decided to give 20'000 free business contacts to the first 200 people visiting our website this morning! You don't have to buy anything. You can just visit our website and download the free business contacts!

Over the last year, we have helped hundreds of businesses like yours find new customers and achieve growth by using our highly targeted business database on CD. Our database, available for download from our website, is the only one on the market which includes targeted info on over 5 million Businesses in the UK.

Last December, we decided to take our Business Database CD off the market after a last sale because the cost to update the database regularly had become too high and we want to concentrate on the development of new products.

A lot of businesses since then, requested us to renew our last sale after its discontinuation. Not only have we decided to renew our last offer for a period of 8 hours (until 4PM this afternoon) before finally taking the database off the market, but we have decided to give to the first 200 people visiting our website this morning 20'000 free business contacts.

Here is a quick reminder of what is offered in our Business Database CD:

- 5 million Businesses in the UK selectable by Industry/Location/Company Size/Premises type/Job title
- Over 300,000 Businesses with email addresses
- 4 million named Decision Makers available by job function
- Unlimited export to .CSV or Excel
- Updated in October

We have decided to give you a last opportunity to get your hands on the database, as we are convinced it can dramatically help your business. We are offering to the first 100 customers placing their order today before 4PM, an unrestricted version of the database with unlimited export capabilities (as opposed to the standard version which has a limit of 50'000 exports) - and this, for a substantially reduced price of £199 instead of £498!  This will end at 4PM today, so don't miss it because some your competitors won't!


20'000 Free Business Contacts

We are so confident that the extensive data can help your business that we are giving away a free sample with 20'000 Business contacts to the first 200 people visiting our website this morning. This allows you to evaluate the quality of the data before completing your purchase. Visit our website to download the free sample and jumpstart your business!

To download the free sample, to get more infos or place your order, click here to visit our website

To your success in 2014 and beyond,

Audrey Martin
Marketing Solutions

Unsubscribe: Click here if you do not want to receive any further emails from us

This is a service from Marketing Solutions

Powered by Hairyspire

The link in the email goes to a domain globalcrm-eu.net on 217.147.82.106 (Iomart, UK) which is also the server sending the spam. The domain is registered with incomplete WHOIS details to mask the sender's identity. From there the victim is sent to m1databases-uk.net on a shared server at 66.96.161.162 (Endurance International Group, US) also with incomplete WHOIS records until they end up on the main site at marketing1.net hosted at 89.187.86.69 (Coreix, UK). The WHOIS details for this last one are inconclusive:

Domain Name: MARKETING1.NET
Registry Domain ID: 91418733_DOMAIN_NET-VRSN
Creation Date: 2002-10-21 18:13:12Z
Registrar Registration Expiration Date: 2014-10-21 18:13:12Z
Registrar: ENOM, INC.
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: MARKETING SOLUTIONS
Registrant Organization: -
Registrant Street: 152 CITY ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: EC1V 2NX
Registrant Country: GB

Registrant Phone: +1.20814497
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: MAIL@MARKETING1.NET
Registry Admin ID: 
Admin Name: MARKETING SOLUTIONS
Admin Organization: -
Admin Street: 152 CITY ROAD
Admin City: LONDON
Admin State/Province: LONDON
Admin Postal Code: EC1V 2NX
Admin Country: GB
Admin Phone: +1.2081449762
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext:
Admin Email: MAIL@MARKETING1.NET
Registry Tech ID: 
Tech Name: MARKETING SOLUTIONS
Tech Organization: -
Tech Street: 152 CITY ROAD
Tech City: LONDON
Tech State/Province: LONDON
Tech Postal Code: EC1V 2NX
Tech Country: GB
Tech Phone: +1.2081449762
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: MAIL@MARKETING1.NET
Name Server: NS10.DNSMADEEASY.COM
Name Server: NS11.DNSMADEEASY.COM
Name Server: NS12.DNSMADEEASY.COM
Name Server: NS13.DNSMADEEASY.COM
DNSSEC: unSigned
Last update of WHOIS database: 2013-10-22 09:22:28Z

This address is an accommodation address that serves hundreds of different companies. I cannot find a trace of a company called Marketing1 or Marketing Solutions registered to this address at Companies House.

The marketing1.net website looks slick enough..

But again it gives no real indication as to who owns or runs the company anywhere. The only contact details are as follows:

Marketing1
152 City Road
UK - London EC1V 2NX

Tel: +44 208 144 9762
email: contact@marketing1.net
The 89.187.86.69 server also contains a number of other related domains with fake or incomplete WHOIS details:

You should never buy anything promoted through spam, and it is especially important not to buy email lists in this way. You (as the sender) will end up with the legal liability for anything that you do, but Marketing1 masks whoever is the true owner.. so good luck with ever finding that out (I suspect they are not based in the UK at all). Avoid.

UPDATE 2014-05-09: these grubby spammers are at it again, using the domain m1-datacrmeu.net to mask their true domain. I took a look at these "20'000" free records, and the ones I checked were laughably out-of-date. No wonder the database is so cheap!

Thursday, 5 April 2012

US Airways Spam / 209.59.218.94

Another US Airways spam, malformed this time, pointing to malware on 209.59.218.94.

Date:      Thu, 5 Apr 2012 14:10:48 +0000
From:      "US Airways - Reservations" [usair@myusairways.com]
Subject:      Confirm your US airways online reservation.


you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.

confirmation code: {digit}

check-in online: online reservation details
  
flight

{digit}   
departure city and time

washington, dc (dca) 10:00pm

depart date: 4/5/2012   


we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.

us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.


The malicious payload is at 209.59.218.94/showthread.php?t=73a07bcb51f4be71 (report here). This is hosted by Endurance International in the US.

Friday, 15 March 2013

RU:8080 Malware sites to block 15/3/13

These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos.ru seems to be very active this morning. Block 'em if you can:


For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy)

Monday, 11 March 2013

Wire Transfer spam / gimikalno.ru

This fake wire transfer spam leads to malware on gimikalno.ru:

Date:      Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From:      Xanga [noreply@xanga.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)

Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

Blocklist:

Thursday, 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated JavaScript, in turn this points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany) - the Wepawet report is here, there is also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:

Tuesday, 24 January 2012

BBB Spam / chillebucks.com, sulusize.com and sulusity.com

More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate hacked server, but blocking traffic to that IP is probably a wise idea if you can do it.

Some sample emails (the usual fake BBB approach):

Date:      Tue, 23 Jan 2012 11:51:58 +0100
From:      "BBB" [info@bbb.org]
Subject:      Better Business Bureau service
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==============

Date:      Tue, 23 Jan 2012 12:16:00 +0100
From:      "Better Business Bureau" [risk.manager@bbb.org]
Subject:      Re: your customer's complaint ID 83031311
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.

We hope to hear from you very soon.

Regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau

The malware tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US).. another one to block. A Wepawet analysis is here.

Update #1:  another version is doing the rounds with the initial malware hosted on chillebucks.com (69.163.37.22, Bula Networks California).

Update #2: The Wepawet analysis indicates that this might do something with the user's Facebook account as well as the usual malware payload.

Friday, 17 May 2013

Newegg.com spam / balckanweb.com

This fake Newegg.com spam leads to malware:

Date:      Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From:      Newegg [info@newegg.com]
Subject:      Newegg.com - Payment Charged
Priority:      High Priority 1


Newegg logo    
My Account     My Account |     Customer Services     Customer Services

Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More

Customer ID: [redacted]
Account Number: 23711731
Dear Customer,

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.

If you have any questions, please use our LiveChat function or visit our Contact Us Page.

Once You Know, You Newegg.

Your Newegg.com Customer Service Team


ONCE YOU KNOW, YOU NEWEGG. ®
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb.com/news/unpleasant-near_finally-events.php (report here) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)

The domains and IPs indicate that this is part of the "Amerika" spam run.

Blocklist (including nameservers):

Thursday, 22 March 2012

LinkedIn Spam / cyancellular.com and browncellular.com

Another load of LinkedIn Spam is doing the rounds, this time the payload is at cyancellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.217.78 (Endurance International, US) and also browncellular.com/showthread.php?t=d7ad916d1c0396ff hosted on 174.140.168.207 (Directspace, US)


Be on the lookout for other domains of a similar pattern, if you know of more then please consider adding a comment.. thanks!

Update: indigocellular.com is also part of this same pattern.

Monday, 11 March 2013

Wire Transfer spam / giminanvok.ru

Another wire transfer spam, this time leading to malware on giminanvok.ru:

Date:      Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Fwd: Wire Transfer (5600LJ65)

Dear Bank Account Operator,


WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]giminanvok.ru:8080/forum/links/column.php (report pending) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

 I strongly recommend that you block access to these IPs if you can.


Wednesday, 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.

Wednesday, 6 November 2013

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

This fake invoice email leads to a malicious Word document:

From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :

Your invoice is attached to the link below:
[donotclick]http://www.vantageone.co.uk/invoice17731.doc
Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Victoria Commercial Ltd
The email originates from bosmailout13.eigbox.net [66.96.186.13] which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.

Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.

A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.com
feeds.nsupdatedns.com

It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:

Wednesday, 22 February 2012

AICPA Spam / favoriteburger.net

Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload, favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP who seem to have a problem with this type of malicious site.

Date:      Tue, 20 Feb 2012 22:31:55 -0300
From:      "Gilbert Ayers"
Subject:      Termination of your accountant license.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Cancellation of CPA license due to tax return fraud allegations

Valued accountant officer,

We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Wednesday, 21 March 2012

"LinkedIn Invitation from your colleague" spam / closteage.com

A fake LinkedIn spam leading to malware hosted at closteage.com:

Date:      Wed, 21 Mar 2012 16:24:04 +0200
From:      "Stacy Goss"
Subject:      LinkedIn Invitation from your colleague


LinkedIn
REMINDERS

Invitation notifications:
? From Kadeem Ruiz (Your Colleague)


PENDING MESSAGES

? There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.
The payload is at closteage.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 209.59.217.101 (Endurance International, US). Blocking that IP will block any other malicious sites on the same server.

Monday, 5 March 2012

Intuit spam / cogisunet.com

It's Monday.. so it's malware. This new spam run is supposed to be from Intuit.com, but it actually leads to malware hosted on cogisunet.com.

Date:      Mon, 5 Mar 2012 12:30:31 +0100
From:      "INTUIT INC."
Subject:      Please confirm your Intuit.com invoice.

Dear Sir/Madam:

Thank you for buying your accounting software from Intuit Market. We have received it and will send you an e-mail when your order is processed. If you ordered several items, we may deliver them in more than one shipment (at no extra cost to you) to provide faster processing time.

If you have questions about your order, please call 1-800-955-8890.


ORDER INFORMATION

Please download your full invoice
id #221137087563 information at Intuit small business website.

NEED HELP?

    Email us at mktplace_customerservice@intuit.com.
    Call us at 1-800-955-8890.
    Reorder Intuit Checks Quickly and Easily starting with
    the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.

©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malware is hosted on cogisunet.com/banner.php?aid=73a07bcb51f4be7 on 209.59.213.95 (Endurance International, US). The block 209.59.192.0/19 has a significant problem with malware at the moment, you may want to consider blocking IPs more widely.
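An added example (not code from the original blog) that acts on the range-blocking advice above: it checks which of the Endurance-hosted IPs quoted in these posts fall inside 209.59.192.0/19, then flags proxy-log requests that either go to that range or match the landing-page URL shapes the posts describe. The log format, the sample log lines and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Range the post above suggests blocking more widely.
SUSPECT_NET = ipaddress.ip_network("209.59.192.0/19")

# Endurance-hosted IPs quoted in the posts on this page.
REPORTED_IPS = [
    "209.59.220.98", "209.59.218.102", "209.59.218.94", "209.59.217.78",
    "209.59.217.101", "209.59.212.14", "209.59.213.95", "209.59.221.158",
    "209.59.220.65", "209.59.222.145", "209.59.223.119",
    "66.249.23.64", "66.96.161.162",
]

# Landing-page shapes seen in the posts: script path -> query parameter
# that carries a 15-16 character lowercase hex token.
HEX_PAGES = {"/showthread.php": "t", "/search.php": "page", "/banner.php": "aid"}
HEX_TOKEN = re.compile(r"[0-9a-f]{15,16}")

# Constructed sample proxy log (assumed format):
#   timestamp client_ip dest_ip method url
SAMPLE_LOG = """
2012-03-23T13:50:01Z 10.0.0.15 209.59.218.102 GET http://indigocellular.com/showthread.php?t=73a07bcb51f4be71
2013-03-11T09:02:44Z 10.0.0.22 5.9.40.136 GET http://gimikalno.ru:8080/forum/links/column.php
2013-03-11T09:03:10Z 10.0.0.31 192.0.2.10 GET http://forum.example.org/showthread.php?t=48213
2012-03-05T12:41:00Z 10.0.0.40 209.59.213.95 GET http://unknown-host.example.net/index.html
"""


def split_by_range(ips, net=SUSPECT_NET):
    """Return (inside, outside): which reported IPs a block on `net` covers."""
    inside = [ip for ip in ips if ipaddress.ip_address(ip) in net]
    outside = [ip for ip in ips if ipaddress.ip_address(ip) not in net]
    return inside, outside


def url_reason(url):
    """Return a short reason if the URL matches a shape from the posts."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port in the logged URL
        port = None
    if port == 8080 and parts.path == "/forum/links/column.php":
        return "RU:8080 column.php URL"
    param = HEX_PAGES.get(parts.path)
    if param:
        values = parse_qs(parts.query).get(param, [])
        if any(HEX_TOKEN.fullmatch(v) for v in values):
            return "hex-token landing URL"
    return None


def scan(lines):
    """Return [(url, [reasons])] for log lines worth an analyst's attention."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or not in the assumed format
        _ts, _client, dest, _method, url = fields
        reasons = []
        try:
            if ipaddress.ip_address(dest) in SUSPECT_NET:
                reasons.append(f"dest in {SUSPECT_NET}")
        except ValueError:
            pass  # destination field is not an IP address
        reason = url_reason(url)
        if reason:
            reasons.append(reason)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    inside, outside = split_by_range(REPORTED_IPS)
    print(f"{len(inside)} reported IPs inside {SUSPECT_NET}; outside: {outside}")
    for url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(url, "->", "; ".join(reasons))
```

The range block catches the request to a host not yet on any list, while the URL shapes catch the :8080 landing page served from an IP outside the range; the ordinary forum thread with a numeric ID is not flagged.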