
Wednesday 12 June 2013

Fedex spam / oxfordxtg.net

This fake FedEx spam leads to malware on oxfordxtg.net:

Date:      Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
From:      FedEx [wringsn052@emc.fedex.com]
Subject:      Your Fedex invoice is ready to be paid now.

FedEx(R)     FedEx Billing Online - Ready for Payment

        fedex.com        
       
Hello [redacted]
You have a new outstanding invoice(s) from FedEx that is ready for payment.

The following ivoice(s) are to be paid now :

Invoice Number
 5135-13792

To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo

Thank you,
Revenue Services
FedEx


    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

The link in the email goes through a legitimate site that has been hacked and ends up on a malware payload page at [donotclick]oxfordxtg.net/news/absence_modern-doe_byte.php (report here) hosted on:

124.42.68.12 (Langfang University, China)
190.93.23.10 (Greendot, Trinidad and Tobago)

The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites.

