Sponsored by..

Monday, 28 October 2013

American Express "Fraud Alert" spam / steelhorsecomputers.net

This fake Amex spam leads to malware on steelhorsecomputers.net:

       
From:     American Express [fraud@aexp.com]
Date:     28 October 2013 14:14
Subject:     Fraud Alert : Irregular Card Activity


Irregular Card Activity
                   
               
Dear Customer,

We detected irregular card activity on your American Express

Check Card on 28th October, 2013.

As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.

To review your account as soon as possible please.

Please click on the link below to verify your information with us:

https://www.americanexpress.com/

If you account information is not updated within 24 hours then your ability
to access your account will be restricted.

We appreciate your prompt attention to this important matter.


© 2013 American Express Company. All rights reserved.        

AMEX Fraud Department


The link in the email goes through a legitimate but hacked site and then runs of of the following three scripts:
[donotclick]kaindustries.comcastbiz.net/imaginable/emulsion.js
[donotclick]naturesfinest.eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse.com/handmade/analects.js

From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers.net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too, listed below in italics.

Recommended blocklist:
96.126.102.8
8353333.com
chrisfrillman.com
steelhorsecomputers.net
steelhorsecomputers.com

kaindustries.comcastbiz.net
naturesfinest.eu
winklersmagicwarehouse.com

           
                   
       

No comments: