
Wednesday 11 July 2012

UPS Spam / peace-computer.com

This fake UPS spam leads to malware on peace-computer.com:

Date:      Wed, 11 Jul 2012 09:51:41 -0500
From:      "Margret Bellamy" [USPS_Shipping_Services@usps.com]
Subject:      Download your UPS invoices.

This is an automatically generated email Please do not reply to this email address.

Dear UPS Customer,

New invoice(invoices) are available for viewing in UPS billing center. Please note that your UPS invoices should be paid within 14 days to avoid any additional charges.

Please visit the UPS Billing Center to view and pay your invoice.

Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official journal

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The malicious payload is at [donotclick]peace-computer.com/main.php?page=22b33afad06e9ba5
on (ISPsystem, Russia). The following domains and IPs are all connected to this attack:


1 comment:

Carl Hester said...

We found 94 URLs associated with this attack and 5 unique email subjects.

I've posted the URLs here: http://pastebin.com/hHpkCudf

and the Subject lines were:
Download your UPS invoices.
You have outstanding UPS invoices.
Please download and pay your UPS delivery charges.
Your UPS invoices are ready for download.
You have new UPS invoices.

In our case, each of the URLs redirected to a Blackhole exploit kit on