Sponsored by..

Thursday 21 March 2013

"Scan from a Hewlett-Packard ScanJet" spam / hillaryklinton.ru

This fake printer spam leads to malware on the amusingly-named hillaryklinton.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644

Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.

Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton.ru:8080/forum/links/column.php (report here) hosted on:

50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)

Blocklist:
50.22.0.2
62.75.157.196
109.230.229.156
foruminanki.ru
forumla.ru
forumny.ru
gulivaerinf.ru
gxnaika.ru
hanofk.ru
heelicotper.ru
hifnsiiip.ru
hillaryklinton.ru
himalayaori.ru
humalinaoo.ru



No comments: