This fake Craiglist spam leads to malware on fionadix.ru:Date: Tue, 30 Oct 2012 06:26:07 +0600
From: Tai Seals [AntonyHaugland@fibermail.hu]
Subject: POST/EDIT/DELETE : "tattoos tattoos tattoos" (talent)
IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
PUBLISH YOUR AD
EDIT (OR CONFIRM AN EDIT TO) YOUR AD
VERIFY YOUR EMAIL ADDRESS
DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL - you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
==========
Date: Tue, 30 Oct 2012 06:23:41 -0500
From: LinkedIn Connections [connections@linkedin.com]
Subject: POST/EDIT/DELETE : "Appliance repair" (financial)
IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
PUBLISH YOUR AD
EDIT (OR CONFIRM AN EDIT TO) YOUR AD
VERIFY YOUR EMAIL ADDRESS
DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL - you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
The malicious payload is at [donotclick]fionadix.ru:8080/forum/links/column.php (report here) hosted on some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)
Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)
Plain list for copy-and-pasting:
50.22.102.132
62.76.186.190
68.67.42.41
84.22.100.108
203.80.16.81
209.51.221.247
213.251.171.30
manekenppa.ru
kiladopje.ru
lemonadiom.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
windowonu.ru
panalkinew.ru
fionadix.ru
No comments:
Post a Comment