
Thursday, 1 December 2011

Spammers are stupid

What's wrong with this spam?

Date: Thu, 1 Dec 2011 17:55:30 +0900
From: "LinkedIn" [linkedin@em.linkedin.com]
To: Victim
Subject: So now you're on LinkedIn: What's next?

The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transfer
Transaction ID: 730771521612
Reason of rejection: See details in the report below
Transaction Report: report_730771521612.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

Yup... the headers are from a LinkedIn-themed spam, but the body is a NACHA-themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.

The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.
