Sponsored by..

Thursday, 21 February 2013

ADP Spam / faneroomk.ru

This fake ADP spam tries (and fails) to lead to malware on faneroomk.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification

ADP Immediate Notification
Reference #: 001737199

Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:
•    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
•    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 890911798


HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is meant to be [donotclick]faneroomk.ru:8080/forum/links/column.php but right at the moment it is not resolving.

We can perhaps do a little digging around to see what's going on here. The WHOIS details show the notorious Russian "Private Person".

whois -h whois.ripn.net faneroomk.ru ...
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        FANEROOMK.RU
nserver:       ns1.faneroomk.ru. 41.168.5.140
nserver:       ns2.faneroomk.ru. 110.164.58.250
nserver:       ns3.faneroomk.ru. 210.71.250.131
nserver:       ns4.faneroomk.ru. 203.171.234.53
nserver:       ns5.faneroomk.ru. 184.106.195.200
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2013.02.17
paid-till:     2014.02.17
free-date:     2014.03.20
source:        TCI

Last updated on 2013.02.21 17:16:40 MSK
Anyway. it's probably a good idea to block the domain and those NS IPs. The following IPs and domains are all related:


41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53
faneroomk.ru
fzukungda.ru
famagatra.ru
emmmhhh.ru
errriiiijjjj.ru
faneroomk.ru
ejjiipprr.ru
finalions.ru
fulinaohps.ru
eiiiioovvv.ru


Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)