Sponsored by..

Monday, 4 March 2013

dealerbid.co.uk spam

This spam uses an email address ONLY used to sign up for dealerbid.co.uk

From:     HM Revenue & Customs [enroll@hmrc.gov.uk]
Date:     4 March 2013 13:37
Subject:     HMRC Tax Refund ID: 3976244

Dear Taxpayer,

After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.

 A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.

 Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).

Kind regards,

 Paul McWeeney
 Head of Consumer Sales and Service

The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:

everybodyonline.co.uk
uk-car-discount.co.uk

The email address has been stolen from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run.

It looks like I am not the only person to notice this same problem..

UPDATE 1: dealerbid.co.uk are investigating this issue.
UPDATE 2: it happened again.
UPDATE 3: there's no evidence of malware on 78.136.27.79, everybodyonline.co.uk or uk-car-discount.co.uk as far as I can see. I guess it may have been an open relay. If you are blacklisting these for malware that I suggest you un-blacklist them. (2013-09-25)

No comments: