
Thursday 25 July 2013

"INCOMING FAX REPORT" spam / 2013vistakonpresidentsclub.com

This fake fax report spam (apparently from the Administrator at the victim's domain) leads to malware on 2013vistakonpresidentsclub.com:

Date: Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From: Administrator [administrator@victimdomain]
Subject: INCOMING FAX REPORT : Remote ID: 1150758119


Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
Description: June Payroll

Click here to view the file online

The link in the spam leads to a legitimate hacked site and then on to one or more of these three intermediary scripts:


From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php which was hosted on earlier today (like this spam) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on which is a Jolly Works Hosting IP, which has been implicated in malware before. I would personally block to be on the safe side.

1 comment:

Ken H said...

This spam made it through the Gmail spam filters. I am reluctant to report it as spam because it seems to come from my domain. I just deleted it. Is there anything else that can be done to stop this?