Date: Sat, 22 Dec 2012 16:55:38 +0300
From: "Secure.Message" [FAA55EEEE@valencianadeparketts.es]
Subject: New message received
Click here to view the online version.
Hello [redacted],
You have 5 new messages.
Read now
© Copyright 2012 SecurePrivateMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
Unlike most recent campaigns, where the first link in the email points to a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering.asia/link.php?login.aspx=[emailaddress]&id=[redacted]. The recipient's email address is embedded in the URL, presumably to confirm that the address is live. The next step is a redirector at [donotclick]undering.asia/?affid=00110&promo_type=5&promo_opt=1, which loads a fake anti-virus page and then attempts to download a Java exploit from [donotclick]siteswillsrockf.com/?a=YWZmaWQ9MDAxMTA=
undering.asia is hosted on 46.249.42.161, and siteswillsrockf.com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
inetnum: 46.249.42.0 - 46.249.42.255
netname: CUST339-170918-147
descr: Customer ip range
remarks: Please send email to "cust339@serverius.eu" for complaints
remarks: regarding portscans, DoS attacks and spam.
country: NL
admin-c: CUST339
tech-c: CUST339
status: ASSIGNED PA
mnt-by: serverius-mnt
source: RIPE # Filtered
person: Customer No339
remarks: This IP space is used by a Serverius datacenter customer.
address: www.serverius.com
phone: +31 (0)88 73 78 374
nic-hdl: CUST339
mnt-by: SERVERIUS-mnt
source: RIPE # Filtered
route: 46.249.32.0/19
descr: Serverius Route Object
origin: AS50673
mnt-by: SERVERIUS-MNT
source: RIPE # Filtered
The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.
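As an added example (not from the original post), here is a small Python checker that applies the observations above to a URL from a proxy or mail log: is the host inside the 46.249.42.0/24 range recommended for blocking, is an email address embedded in the query (the live-address beacon), and do any query values decode as base64 text (the blob in the siteswillsrockf.com URL decodes to affid=00110, the same affiliate id the redirector carries in the clear). The hostname-to-IP table is a constructed stand-in for DNS so the script runs offline, and the victim address and id in the sample chain are placeholders.

```python
import base64, binascii, ipaddress, re
from urllib.parse import parse_qsl, urlsplit

# Range the post recommends blocking (both malware hosts sit inside it).
BLOCKED = [ipaddress.ip_network("46.249.42.0/24")]

# Constructed stand-in for DNS (offline); the host/IP pairs are from the post.
RESOLVED = {"undering.asia": "46.249.42.161", "siteswillsrockf.com": "46.249.42.168"}

EMAIL_RE = re.compile(r"[^@\s=&/]+@[^@\s=&/]+\.[a-z]{2,}", re.I)

def in_blocklist(ip):
    """True if the address falls in any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)

def decode_b64_params(query):
    """Return {param: text} for query values that are valid base64 of printable ASCII."""
    out = {}
    for key, val in parse_qsl(query, keep_blank_values=True):
        try:
            text = base64.b64decode(val, validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            continue  # not base64, or not text: leave it alone
        if text.isprintable():
            out[key] = text
    return out

def inspect_url(url):
    """Apply the three checks to one URL and return human-readable findings."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    ip = RESOLVED.get(host)
    if ip and in_blocklist(ip):
        findings.append(f"host {host} -> {ip} in blocked netblock")
    if EMAIL_RE.search(parts.query):
        findings.append("email address embedded in URL (live-address beacon)")
    for key, text in decode_b64_params(parts.query).items():
        findings.append(f"base64 param {key!r} decodes to {text!r}")
    return findings

# The redirect chain from the post, with a placeholder victim address and id.
CHAIN = [
    "http://undering.asia/link.php?login.aspx=victim@example.org&id=REDACTED_ID",
    "http://undering.asia/?affid=00110&promo_type=5&promo_opt=1",
    "http://siteswillsrockf.com/?a=YWZmaWQ9MDAxMTA=",
]

if __name__ == "__main__":
    for url in CHAIN:
        print(url, *("  - " + f for f in inspect_url(url)), sep="\n")
```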
There are lots of other suspect domains on these two IPs as well: