Sponsored by..

Friday 4 May 2012

USPS Spam / computerpills.net

This fake USPS spam leads to malware on computerpills.net:

Date:      Fri, 4 May 2012 08:50:52 -0500
From:      "Cathryn Small" [USPS_Shipping_Support@usps.com]
Subject:      Your USPS shipment postage labels receipt.

Acct #: 0443907

Dear client:

This is an email confirmation for your order of 3 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #1537194
Print Date/Time: 03/15/2012 02:30 PM CST
Postage Amount: $43.70
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 5153 9371 4727 8289 2238 (Sequence Number 1 of 1)


If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

The malicious payload is an exploit kit at computerpills.net/main.php?page=beb0bb4c8ebd96e5 hosted on (OVH, UK) which is the same server used in this attack, the payload looks to be the same as the one used in this other attack, with a very low detection rate at VirusTotal of just 3/42.


martijn said...


I linked to your blog from the @virusbtn account, as I have done in the past. Someone pointed out that you include literal malicious URLs in your posts and, although they are not clickable, someone could 'accidentally' copy/paste them (perhaps because they misunderstand your blog post) and then get infected. Would it be an idea to either hide part of the URL, or display it in such a way that it's very difficult to copy/paste it in a browser?

Thanks - Martijn

martijn said...
This comment has been removed by the author.
Kafeine said...

Thx. Here URL are really welcome !

I think to make everyone happy, you should add an iframe leading to a BH EK forcing Java update in silent mode ;)