Sponsored by..

Wednesday 10 April 2013

ICANN: thanks for the malware spam / mailedspokesperson.biz

This is a pretty straightforward LinkedIn themed spam that leads to malware on mailedspokesperson.biz:

From:     Leonide Saad - LinkedIn [dreamland@beutelschneiderhamburg.de]
Date:     10 April 2013 15:19
Subject:     Join my network on LinkedIn


Invitation reminders:
 From Leonide Saad (Developer at Perot Systems)


 There are a total of 8 messages awaiting your response. Go to InBox now.

This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.
The catch with this is that the email address being used is one used only to file WHOIS Compliance Reports with ICANN. If you file reports of inaccurate WHOIS data, then you need to be aware that by default ICANN will forward your contact details to the bad guys.. you can request that this be suppressed, but using an alias is (ironically) probably the best bet. So in this case, the bad guys have presumably just added the email in the complaint to their spam list..

Anyway, this has a link to a legitimate hacked site and thence on to [donotclick]mailedspokesperson.biz/closest/f2ihoiwegjowiejf230hfaj.php (report here) hosted on (Siteko Ltd / Hetzner Online, Germany). The WHOIS details are characteristic of the Amerika gang:

Registrant ID:            INTEUMYC18TPLDWG
Registrant Name:          Hunter Afkham
Registrant Address1:      181 Sullivan St #4
Registrant City:          New York
Registrant Postal Code:   10012
Registrant Country:       United States
Registrant Country Code:  US
Registrant Phone Number:  +1.7914260046
Registrant Email:         hunter_afkham8428@aristotle.org

There are a couple of other bad looking sites on the same server, so this is my recommended blocklist:

No comments: