This fake fax spam appears to come from the Administrator at the victim's domain:
Date: Wed, 18 Sep 2013 15:01:42 -0500 [16:01:42 EDT]
From: Administrator [administrator@victimdomain]
Subject: INCOMING FAX REPORT : Remote ID: 8775654573
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 09/18/2013 05:11:15 EST
Speed: 39287 bps
Connection time: 02:07
Pages: 2
Resolution: Normal
Remote ID: 8775654573
Line number: 1
DTMF/DID:
Description: August Payroll
Click here to view the file online
*********************************************************
The link in the email goes to a legitimate but hacked site, which then tries to load one of the following three scripts:
[donotclick]0068421.netsolhost.com/partisanship/poached.js
[donotclick]ade-data.com/exuded/midyear.js
[donotclick]fangstudios.com/macedonian/piles.js
In turn, these try to direct the visitor to a malware landing page at [donotclick]lesperancerenovations.com/topic/seconds-exist-foot.php, which is a hijacked GoDaddy domain hosted on 174.140.169.145 (DirectSpace, US), along with several other hijacked GoDaddy domains listed below in italics.
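To see how far along this chain each client got, the following added example (not part of the original post) triages web proxy logs: it separates clients that only fetched one of the three scripts from those that went on to reach the landing page. The log format, the 60-second window, the client addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Indicators from the post, kept in its "[donotclick]" defanged form.
SCRIPT_URLS = [
    "[donotclick]0068421.netsolhost.com/partisanship/poached.js",
    "[donotclick]ade-data.com/exuded/midyear.js",
    "[donotclick]fangstudios.com/macedonian/piles.js",
]
LANDING_URL = "[donotclick]lesperancerenovations.com/topic/seconds-exist-foot.php"
LANDING_IP = "174.140.169.145"

def host_of(defanged):
    """Strip the defang marker and any scheme, return the lowercase hostname."""
    url = re.sub(r"^(\[donotclick\])?([a-z]+://)?", "", defanged, flags=re.I)
    return url.split("/", 1)[0].lower()

SCRIPT_HOSTS = {host_of(u) for u in SCRIPT_URLS}
LANDING_HOSTS = {host_of(LANDING_URL), LANDING_IP}

def matches(host, blocked):
    """Exact match or true subdomain of a blocked host, never a bare suffix."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)

def triage(log_lines, window=timedelta(seconds=60)):
    """Assumed log format: '<ISO time> <client> <host> <path>' (hypothetical)."""
    last_script, verdict = {}, {}
    for line in log_lines:
        ts, client, host, _path = line.split(None, 3)
        when = datetime.fromisoformat(ts)
        if matches(host, SCRIPT_HOSTS):
            last_script[client] = when
            verdict.setdefault(client, "script-only")
        elif matches(host, LANDING_HOSTS):
            seen = last_script.get(client)
            chained = seen is not None and when - seen <= window
            verdict[client] = "reached-landing" if chained else "landing-only"
    return verdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-09-18T16:05:01 10.0.0.5 fangstudios.com /macedonian/piles.js",
    "2013-09-18T16:05:02 10.0.0.5 lesperancerenovations.com /topic/seconds-exist-foot.php",
    "2013-09-18T16:07:10 10.0.0.9 www.ade-data.com /exuded/midyear.js",
    "2013-09-18T16:08:00 10.0.0.7 notfangstudios.com /index.html",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Clients reported as `reached-landing` or `landing-only` are the ones to prioritise for endpoint checks; `script-only` clients loaded the redirector but show no request to the landing page in the log.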
Recommended blocklist:
2 comments:
Thanks for that. I almost opened it, but I thought I should google it just in case.
Happened again, and now I got emails in German and English.