Sponsored by..

Wednesday 16 January 2013

American Express spam / dozakialko.ru

This fake AmEx spam leads to malware on dozakialko.ru:

Sent: 16 January 2013 02:22
Subject: American Express Alert: Your Transaction is Aborted

 Your Wed, 16 Jan 2013 01:22:07 -0100 Incoming Transfer is Terminated



Valued, $5203

Your American Express Card account retired ZUE36213 with amount of 5070 USD.
Transaction Time:Wed, 16 Jan 2013 01:22:07 -0100
Payment Due Date:Wed, 16 Jan 2013 01:22:07 -0100

One small way to help the environment - get paperless statements
Review billing
statement
Issue a payment
Change notifications
options


You currently reading the LIMITED DATA version of the Statement-Ready Information.
Switch to the DETAILED DATA version.

Thank you for your Cardmembership.


Sincerely,

American Express Information center
________________________________________
The malicious payload is at [donotclick]dozakialko.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

Plain list of IPs and related domains for copy-and-pasting:
89.111.176.125
91.224.135.20
212.112.207.15
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dozakialko.ru



1 comment:

unixfreaxjp said...

Hello Conrad, I made full analysis of the malware downloaded via this spam. It is indeed strong-related to the American Express as phishing scheme.

I posted it in #MalwareMustDie blog in here: http://malwaremustdie.blogspot.jp/2013/01/cridex-fareit-infection-analysis.html

I hope it is useful for the blocking purpose, since the Cridex was actually dropping Fareit Trojan which having different CnC and Phishing Admin Panel portal.

Rgds always!

#MalwareMustDie!