Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From: Lewis Muller [Lewis.Muller@intuit.com]
Subject: FW: Invoice 3056472

Your invoice is attached.

Sincerely,
Lewis Muller

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer.

The attachment is Invoice_3056472.zip, which in turn contains a malicious file Invoice_092513.exe with a pretty low VirusTotal detection rate of just 4/48.

Automated analysis [1] [2] [3] [4] shows the usual sort of badness, including a call home to gidleybuilders.com on 78.157.201.219 (UK Dedicated Servers Ltd, UK), which we also saw being used in an attack last week. Two compromised domains in a week seems a bit more than a coincidence. For information only, the following legitimate domains are also on that same server:
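The attachment pattern above (a zip that wraps an .exe with an invoice-themed name) is easy to flag at the mail gateway before any antivirus verdict is needed. The following is an added example, not code from the original post: it parses a raw message, opens each zip attachment in memory and reports any executable members. The sample message it builds is constructed here to mirror the email's shape; the "executable" is inert placeholder bytes, not the real payload.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content when found inside a zip attachment.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def executables_in_zip_attachments(raw_message: bytes) -> list:
    """Return [(attachment filename, [executable member names])] for every zip
    attachment holding an executable; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        # Check the bytes, not the claimed filename, so a renamed zip is still caught.
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            bad = [m for m in zf.namelist() if m.lower().endswith(EXECUTABLE_SUFFIXES)]
        if bad:
            findings.append((name, bad))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mirroring the email in the post (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_092513.exe", b"MZ placeholder, not a real PE file")
    msg = EmailMessage()
    msg["From"] = "Lewis Muller <Lewis.Muller@intuit.com>"
    msg["Subject"] = "FW: Invoice 3056472"
    msg.set_content("Your invoice is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_3056472.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(executables_in_zip_attachments(build_sample_message()))
```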