
Thursday 10 January 2013

ADP spam / tetraboro.net and advertizing*.com

This fake ADP spam leads to malware on tetraboro.net. It contains some errors, one of which is that the subject line just says "adp_subj" rather than having been filled out properly. The most amusing one is the reference to "business butty", which presumably is some sort of sandwich.

Date:      Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      adp_subj


ADP Urgent Note

Note No.: 33469

Respected ADP Consumer January, 9 2013

Your Processed Payroll Record(s) have been uploaded to the web site:

Click here to Sign In

Please take a look at the following details:

•   Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).

•   Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.

This notification was sent to current clients in your company that approach ADP Netsecure.

As general, thank you for choosing ADP as your business butty!

Ref: 33469

The malicious payload is on [donotclick]tetraboro.net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1.com through to advertizing9.com. All of these should be blocked.

5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
91.227.220.121 (VooServers, UK)
94.102.55.23 (Ecatel, Netherlands)
119.78.243.16 (China Science & Technology Network, China)
198.144.191.50 (New Wave Netconnect, US)
199.233.233.232 (Quickpacket, US)
203.1.6.211 (China Telecom, China)
222.238.109.66 (Hanaro Telecom, Korea)
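
One way to check web proxy logs for hits on the domains and IPs named above, as an added example that is not part of the original post. The log layout, the client addresses and the sample lines are constructed assumptions; the indicators are the ones given in the text.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post: domains named in the text, IPs from the annotated list.
BAD_DOMAINS = {"tetraboro.net"}
BAD_FAMILY = re.compile(r"^advertizing[1-9]\.com$")  # advertizing1.com .. advertizing9.com
BAD_IPS = {"5.135.90.19", "91.227.220.121", "94.102.55.23", "119.78.243.16",
           "198.144.191.50", "199.233.233.232", "203.1.6.211", "222.238.109.66"}

def refang(url):
    """Undo common defanging so a URL copied from a report parses normally."""
    url = url.replace("[donotclick]", "").replace("[.]", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url if "://" in url else "http://" + url

def match_indicator(url):
    """Return the matched indicator, or None if the URL's host is not listed."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".").lower()
    if host in BAD_IPS:
        return host
    labels = host.split(".")
    # Test the host and each parent domain, so cdn.advertizing7.com matches
    # while look-alikes such as nottetraboro.net or advertizing10.com do not.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS or BAD_FAMILY.match(candidate):
            return candidate
    return None

def scan(log_lines):
    """Return (client, url, indicator) for every log line that hits the list."""
    hits = []
    for line in log_lines:
        parts = line.split()  # assumed layout: timestamp client method url
        if len(parts) >= 4:
            indicator = match_indicator(parts[3])
            if indicator:
                hits.append((parts[1], parts[3], indicator))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "2013-01-10T15:50:02Z 10.0.0.21 GET http://tetraboro.net/detects/coming_lost-source.php",
    "2013-01-10T15:50:04Z 10.0.0.21 GET http://cdn.advertizing7.com/a.js",
    "2013-01-10T15:51:10Z 10.0.0.34 CONNECT advertizing3.com:443",
    "2013-01-10T15:52:30Z 10.0.0.40 GET http://222.238.109.66/index.html",
    "2013-01-10T15:53:00Z 10.0.0.40 GET http://advertizing10.com/",
    "2013-01-10T15:53:05Z 10.0.0.52 GET http://nottetraboro.net/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```
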

