Sponsored by..

Tuesday 9 October 2012

Sprint spam / 1.starkresidential.net

This fake Sprint spam leads to malware on 1.starkresidential.net:

Date:      Tue, 09 Oct 2012 22:30:56 +0300
From:      "Sprint" [87A816934@uacvt.org.au]
Subject:      Your Sprint bill online



Please do not reply to this email.     Not seeing the images? View online or go mobile.
                       
   
Bill Period: September 10 - October 9, 2012

Total Due by October 9     $5207

Note: All online payments are made in a secure environment.
   
   
SPRINT NEWS AND NOTICES
This section contains important updates about your Sprint Services, Including Service or Rate Changes, Promotions and Offers.

NEXTEL PRODUCTS: IMPORTANT MESSAGE
Due to the Nextel National Network shutdown on 6/30/13, any Nextel devices sold after 6/1/12 are intended to support existing customers' migration efforts and no minimum Order Terms will apply.

              
© 2012 Sprint. All rights reserved.

The malicious payload is at [donotclick]1.starkresidential.net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US).

The following malicious sites are also on the same server:
25.allservicemovingandstorage.com
1.browncastro.com
1.browncastro.net

In all cases, these appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem.

No comments: