
Wednesday, 17 April 2013

CNN.com Boston Marathon spam / thesecondincomee.com

This Boston Marathon-themed spam leads to malware on thesecondincomee.com:

Example 1:

Date:      Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From:      CNN Breaking News [BreakingNews@mail.cnn.com]
Subject:      Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com   
     
CNN.com    
Powered by    
* Please note, the sender's email address has not been verified.
            
You have received the following link from BreakingNews@mail.cnn.com:    
           
Click the following to access the sent link:
            
Boston Marathon Explosions - Obama Benefits? - CNN.com*
                 
SAVE THIS link     FORWARD THIS link
           
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
     
     
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

Example 2:

Date:      Wed, 17 Apr 2013 22:32:56 +0600
From:      behring401@mail.cnn.com
Subject:      Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
   
Powered by    
* Please note, the sender's email address has not been verified.
   
You have received the following link from BreakingNews@mail.cnn.com:    
   
Click the following to access the sent link:
   
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
       
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here


The malicious payload is at [donotclick]thesecondincomee.com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)

The recommended blocklist is the same as used in this earlier attack.
