
Wednesday, 6 June 2012

Fake Craigslist emails / paranoiknepjet.ru

Here are two examples of fake Craigslist emails leading to malware on paranoiknepjet.ru. If you have any other samples, then please consider sharing them in the Comments.

From: craigslist - automated message, do not reply
Sent: 06 June 2012 14:32
Subject: POST/EDIT/DELETE : "Film maker & Actor/Actress" (crew)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:
•    PUBLISH YOUR AD
•    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
•    VERIFY YOUR EMAIL ADDRESS
•    DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

========================

From: craigslist - automated message, do not reply
Sent: Tue 05/06/2012 21:43
Subject: POST/EDIT/DELETE : "Real professional tattoo work" (cycle)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:
•    PUBLISH YOUR AD
•    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
•    VERIFY YOUR EMAIL ADDRESS
•    DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The link in the email leads to a malicious payload at [donotclick]http://paranoiknepjet.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on some IP addresses we have already seen.

50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106


I can identify the following domains on those IPs, all of which can be considered to be malicious:

Added: another one..
Date:      Wed, 6 Jun 2012 02:48:02 +0000
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      POST/EDIT/DELETE : "we have moving supplies "check us out"" (sublets / temporary)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!  
