This fake UPS (or is it USPS?) spam leads to malware on himalayaori.ru. The malicious link is in an attachment called ATT17235668.htm. For some reason the only sample of the spam that I have is horribly mangled:
From: HamzaRowson@hotmail.com [mailto:HamzaRowson@hotmail.com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657
Your USPS TEAM for big savings! Can't see images? CLICK HERE. UPS UPS SUPPORT 56 Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping. Learn More >> UPS - Your UPS Team Good day, [redacted].
Dear User , Delivery Confirmation: Failed
Track your Shipment now!
With best regards , Your UPS Customer Services. Shipping Tracking Calculate Time & Cost Open an Account @ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved. This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy. Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325 Attn: Customer Communications Department
Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori.ru:8080/forum/links/column.php (report here), in this case via a legitimate hacked site at [donotclick]www.unisgolf.ch/report.htm, but that is less important.
himalayaori.ru is hosted on a couple of IPs that look familiar:
50.22.0.2 (SoftLayer, US)
188.165.202.204 (OVH, France)
Recommended blocklist:
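
One way to check proxy logs for hosts that should be blocked, as an added example that is not part of the original post. It uses only the landing domain and the two hosting IPs named in the text; the log format (timestamp, client, URL), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The landing domain and the two hosting IPs named in the post.
INDICATORS = {"himalayaori.ru", "50.22.0.2", "188.165.202.204"}

def refang(text):
    """Turn the post's defanged '[donotclick]host/path' form into a URL."""
    url = re.sub(r"\[donot\w*\]", "", text.strip())
    return url if "://" in url else "http://" + url

def host_of(url):
    """Lower-cased host without port or trailing dot; '' if unparseable."""
    try:
        host = urlsplit(refang(url)).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def is_blocked(url, indicators=INDICATORS):
    """Exact match for IPs; exact or subdomain match for domain names."""
    host = host_of(url)
    if not host:
        return False
    if host in indicators:
        return True
    # Match only on a label boundary, and never treat an IP as a suffix.
    domains = [i for i in indicators if not re.fullmatch(r"[\d.]+", i)]
    return any(host.endswith("." + d) for d in domains)

def scan(log_lines):
    """Return (client, url) for requests whose host matches an indicator."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and is_blocked(fields[2]):
            hits.append((fields[1], fields[2]))
    return hits

# Constructed proxy log lines (timestamp, client, URL); not real traffic.
SAMPLE_LOG = [
    "2013-03-20T09:14:02 10.0.0.21 http://himalayaori.ru:8080/forum/links/column.php",
    "2013-03-20T09:14:05 10.0.0.34 http://www.example.com/index.html",
    "2013-03-20T09:15:40 10.0.0.57 http://50.22.0.2:8080/",
    "2013-03-20T09:16:11 10.0.0.57 http://himalayaori.ru.example.com/",
]

if __name__ == "__main__":
    for client, url in scan(SAMPLE_LOG):
        print(f"{client} requested blocked host: {url}")
```

Matching on the parsed host rather than on a substring of the URL is what keeps the port (`:8080`) from hiding a hit and keeps look-alike hosts from producing false positives.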
