Monday, 17 June 2013

NewEgg.com spam / profurnituree.com

This fake NewEgg.com spam leads to malware on profurnituree.com:

Date: Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]
From: Newegg Auto-Notification [indeedskahu02@services.neweg.com]
Subject: Newegg.com - Payment Charged


[Newegg logo]
My Account | Customer Services

Twitter | You Tube | Facebook
click to browse e-Blast | click to browse Shell Shocker | click to browse Daily Deals
Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Outdoors     Outlet     Marketplace     More
Spend 10-30% LESS next time you shop at Newegg—subscribe to our weekly e-Blast Newsletter!

Customer ID: [redacted]

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 425181429) has been successfully charged to your Credit or Debit Card and order verification is now complete.

If you have any questions, please visit our Contact Us Page.

Once You Know, You Newegg

Your Newegg.com Customer Service Team


ONCE YOU KNOW, YOU NEWEGG. ®
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.

The link goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]profurnituree.com/news/posts_applied_deem.php (report here). The payload currently appears to be 404ing, although I wouldn't trust that to stay the case. The domain is hosted on the following IPs:

124.232.165.112 (China Telecom, China)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)

The domain registration details are fake and indicate the Amerika gang:

   Administrative Contact:
   LOPEZ, ISSAC                ukcastlee@mail.com
   2683
   CULVER CITY, CA 92407
   US
   5149238099

Below is a partial blocklist which I recommend you use in conjunction with this list.

124.232.165.112
186.215.126.52
190.93.23.10
202.147.169.211
balckanweb.com
buyparrots.net
condalinneuwu5.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
eheranskietpj.ru
ejoingrespubldpl.ru
federal-credit-union.com
giwmmasnieuhe.ru
gnunirotniviepj.ru
gstoryofmygame.ru
gurieojgndieoj.ru
jetaqua.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
profurnituree.com
smartsecurityapp2013.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
zurcherarchitectz.com
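As an added example, not part of the original post: a small Python matcher that loads the blocklist above (IPv4 addresses and domain names mixed in one list, exactly as published) and checks hostnames and URLs against it. Subdomains of a listed domain are matched label by label, so ww2.condalinneuwu5.ru is caught via condalinneuwu5.ru, while a lookalike such as notprofurnituree.com (a constructed test value) is not flagged by a naive string-suffix match. The sender domain from the From: header, services.neweg.com, is included only to show what the blocklist does not cover.

```python
import ipaddress
from urllib.parse import urlsplit

# The partial blocklist as published in the post (IPs and domains, one per line).
BLOCKLIST_TEXT = """
124.232.165.112
186.215.126.52
190.93.23.10
202.147.169.211
balckanweb.com
buyparrots.net
condalinneuwu5.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
eheranskietpj.ru
ejoingrespubldpl.ru
federal-credit-union.com
giwmmasnieuhe.ru
gnunirotniviepj.ru
gstoryofmygame.ru
gurieojgndieoj.ru
jetaqua.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
profurnituree.com
smartsecurityapp2013.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
zurcherarchitectz.com
"""


def parse_blocklist(text):
    """Split a mixed blocklist into a set of IP addresses and a set of domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        entry = line.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            domains.add(entry)
    return ips, domains


def host_is_blocked(host, ips, domains):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        host = host[1:-1]
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal; treat as a domain name
    # Walk up the label chain (a.b.example.com -> b.example.com -> example.com),
    # stopping before the bare TLD. Comparing whole labels, not string suffixes,
    # keeps "notprofurnituree.com" from matching "profurnituree.com".
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def url_is_blocked(url, ips, domains):
    """Extract the host from a URL (scheme optional, port allowed) and check it."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return bool(host) and host_is_blocked(host, ips, domains)


if __name__ == "__main__":
    ips, domains = parse_blocklist(BLOCKLIST_TEXT)
    # Landing page from the post (the [donotclick] marker removed), plus
    # constructed lookalike and sender-domain checks for comparison.
    for candidate in (
        "http://profurnituree.com/news/posts_applied_deem.php",
        "http://190.93.23.10:8080/",
        "cdn.balckanweb.com",
        "notprofurnituree.com",
        "services.neweg.com",
    ):
        print(f"{candidate:55} blocked={url_is_blocked(candidate, ips, domains)}")
```

The sender domain is deliberately not added to the blocklist here: the post lists only the hosting IPs and the redirect/landing domains, and a matcher should reflect what the list actually asserts.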