Sponsored by..

Friday 4 May 2012

USPS Spam / computerpills.net

This fake USPS spam leads to malware on computerpills.net:

Date:      Fri, 4 May 2012 08:50:52 -0500
From:      "Cathryn Small" [USPS_Shipping_Support@usps.com]
Subject:      Your USPS shipment postage labels receipt.


Acct #: 0443907

Dear client:

This is an email confirmation for your order of 3 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #1537194
Print Date/Time: 03/15/2012 02:30 PM CST
Postage Amount: $43.70
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 5153 9371 4727 8289 2238 (Sequence Number 1 of 1)

   

If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

The malicious payload is an exploit kit at computerpills.net/main.php?page=beb0bb4c8ebd96e5 hosted on 37.59.68.23 (OVH, UK) which is the same server used in this attack, the payload looks to be the same as the one used in this other attack, with a very low detection rate at VirusTotal of just 3/42.

3 comments:

martijn said...

Hi,

I linked to your blog from the @virusbtn account, as I have done in the past. Someone pointed out that you include literal malicious URLs in your posts and, although they are not clickable, someone could 'accidentally' copy/paste them (perhaps because they misunderstand your blog post) and then get infected. Would it be an idea to either hide part of the URL, or display it in such a way that it's very difficult to copy/paste it in a browser?

Thanks - Martijn

martijn said...
This comment has been removed by the author.
Kafeine said...

Thx. Here URL are really welcome !

I think to make everyone happy, you should add an iframe leading to a BH EK forcing Java update in silent mode ;)