
Thursday 20 December 2012

"New message" spam, fake dating sites and libertymonings.info

This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012.asia and libertymonings.info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:
Date:      Thu, 20 Dec 2012 20:50:17 -0200
From:      "SecureMessage System" [2F5DEE622@hungter.com]
Subject:      New message

Click here to view the online version.

New private message from Terra Fisher received.

Total unread messages: 5

[ Read now ]
© Copyright 2012 SecureMessage System. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.

-------------------------

Date:      Thu, 20 Dec 2012 20:36:14 -0200
From:      "Secure Message" [82E8ACBD@lipidpanel.com]
Subject:      New message

Click here to view the online version.

New private message from Josefina Albert received.

Total unread messages: 3

[ Read now ]
© Copyright 2012 SecureMessage System. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.

In these cases, the target URLs are [donotclick]site-dating2012.asia/link.php and [donotclick]site-dating2012.asia/link.php, both hosted on 46.249.42.161 (Serverius Holding, Netherlands), and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211 (also at Serverius Holding).

These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive: they lead to a fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010.info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page.

The site also contains an apparent Java exploit that loads in from libertymonings.info on 84.200.77.218 (Misterhost, Germany), which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings.info/index/zzz/?a=YWZmaWQ9MDAxMTA=, which attempts to download a Java exploit from [donotclick]libertymonings.info/analizator_data/ztsvgnvlmhe-a.qsypes.jar, which is pretty thinly detected according to VirusTotal.
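One thing worth noticing is that the a= parameter on the exploit page is base64 for affid=00110, the same affiliate ID that appears in clear text in the fake dating redirect, so the two halves of the chain can be tied together in proxy logs. The following script is an added example (not code from the original post); the log lines it runs over are constructed, reusing only the domains and paths quoted above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not from the original post): the URLs reuse the
# domains and paths the post reports; client IPs and timestamps are made up.
SAMPLE_LOG = """\
2012-12-20T21:02:11 10.0.0.14 GET http://site-dating2012.asia/link.php
2012-12-20T21:02:12 10.0.0.14 GET http://best-dating2010.info/?affid=00110&promo_type=5&promo_opt=1
2012-12-20T21:02:14 10.0.0.14 GET http://libertymonings.info/index/zzz/?a=YWZmaWQ9MDAxMTA=
2012-12-20T21:02:15 10.0.0.14 GET http://libertymonings.info/analizator_data/ztsvgnvlmhe-a.qsypes.jar
2012-12-20T21:05:40 10.0.0.27 GET http://example.com/index.html?a=bm90aGluZw==
"""

AFFID_RE = re.compile(r"^affid=(\d+)$")

def decode_affid_param(url):
    """Affiliate id hidden in a base64 'a=' parameter, or None. The exploit URL in
    the post carries ?a=YWZmaWQ9MDAxMTA=, which is base64 for 'affid=00110'."""
    for value in parse_qs(urlsplit(url).query).get("a", []):
        value = value.replace(" ", "+")  # parse_qs turns a base64 '+' into a space
        try:
            decoded = base64.b64decode(value, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, so not the pattern we are looking for
        m = AFFID_RE.match(decoded)
        if m:
            return m.group(1)
    return None

def plain_affid(url):
    """Clear-text affid= parameter, as in the fake affiliate-style redirect."""
    values = parse_qs(urlsplit(url).query).get("affid", [])
    return values[0] if values and values[0].isdigit() else None

def correlate_campaign(log_text):
    """Map each affiliate id to the URLs carrying it, in clear text or base64,
    so the dating redirect and the exploit landing page are tied together."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip it
        url = parts[3]
        affid = plain_affid(url) or decode_affid_param(url)
        if affid is not None:
            hits.setdefault(affid, []).append(url)
    return hits
```

Running correlate_campaign(SAMPLE_LOG) groups the redirect and the exploit page under affid 00110 while ignoring the unrelated base64 on example.com.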

The following IPs and domains are all related and should be blocked if you can:
