Thursday 25 July 2013

"INCOMING FAX REPORT" spam / 2013vistakonpresidentsclub.com

This fake fax report spam (apparently from the Administrator at the victim's own domain) leads to malware on 2013vistakonpresidentsclub.com:

Date:      Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From:      Administrator [administrator@victimdomain]
Subject:      INCOMING FAX REPORT : Remote ID: 1150758119

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
DTMF/DID:
Description: June Payroll

Click here to view the file online

********************************************************* 
The link in the spam leads to a legitimate hacked site and then on to one or more of these three intermediary scripts:

[donotclick]1954f7e942e67bc1.lolipop.jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio.de/djakarta/opel.js
[donotclick]www.pep7.at/hampton/riposts.js

From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier today (like this spam) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on 184.95.37.110 which is a Jolly Works Hosting IP, which has been implicated in malware before. I would personally block 184.95.37.96/28 to be on the safe side.
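As an added defensive example (not from the original post), here is a small Python checker that flags mail matching the lure described above: the "INCOMING FAX REPORT : Remote ID" subject template, a sender domain equal to the recipient's own domain, links to the intermediary and landing hosts named in the post, plus an IP test against the 184.95.37.96/28 range suggested for blocking. The sample message, example.com and hacked-site.invalid are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts named in the post above, kept as plain strings for matching only.
SUSPECT_HOSTS = {
    "1954f7e942e67bc1.lolipop.jp",
    "internationales-netzwerk-portfolio.de",
    "www.pep7.at",
    "2013vistakonpresidentsclub.com",
}
BLOCK_RANGE = ipaddress.ip_network("184.95.37.96/28")  # range the post suggests blocking
SUBJECT_RE = re.compile(r"^\s*INCOMING FAX REPORT\s*:\s*Remote ID:\s*\d+\s*$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_spoofs_recipient(msg):
    """True when the From domain equals the To domain (the 'Administrator at your own domain' trick)."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    return bool(from_dom) and from_dom == to_dom


def host_is_suspect(host):
    return host.lower() in SUSPECT_HOSTS


def ip_in_block(ip):
    """True when an address falls inside the /28 the post recommends blocking."""
    return ipaddress.ip_address(ip) in BLOCK_RANGE


def classify(raw_message):
    """Return the reasons a message looks like this lure; an empty list means nothing matched."""
    msg = message_from_string(raw_message)
    reasons = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        reasons.append("subject matches fax-report template")
    if sender_spoofs_recipient(msg):
        reasons.append("sender domain equals recipient domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    for url in URL_RE.findall(body):
        if host_is_suspect(urlparse(url).hostname or ""):
            reasons.append("link to known intermediary/landing host: " + url)
    return reasons


# Constructed sample modelled on the headers quoted above (example.com = victim domain,
# hacked-site.invalid = the unnamed compromised site the link first points at).
SAMPLE = """From: Administrator <administrator@example.com>
To: payroll@example.com
Subject: INCOMING FAX REPORT : Remote ID: 1150758119

INCOMING FAX REPORT
Description: June Payroll
Click here to view the file online: http://hacked-site.invalid/view.html
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The hacked-site link itself is not on any list, so in practice the host check is most useful on the redirect chain (proxy or DNS logs) rather than on the raw mail.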

1 comment:

Ken H said...

This spam made it through the gmail spam filters. I am reluctant to report it as spam - because it seems to come from my domain. I just deleted it. Is there anything else that can be done to stop this?