Sponsored by..

Wednesday, 2 October 2013

Fake Staples spam leads to malware on tootle.us

This fake Staples spam leads to malware on a site called tootle.us:

Date:      Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From:      support@orders.staples.com
Subject:      Staples order #: 1353083565
           

Thank you for shopping Staples.
Here's what happens next:
Order No.:1353083565
   
Customer No.:1278823232     Method of Payment:Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135    
           
    Item1     Qty.     Subtotal
    DELL 1320 BLACK TONER
Item No.:744319Price:$60.38/each
Expected delivery:10/4/2013byUPS     2     $125.26
    Item2     Qty.     Subtotal
    DELL RY854 CYAN TONER
Item No.:717860Price:$61.87/each
Expected delivery:10/4/2013byUPS     2     $124.03
       
Subtotal::     $243.59    
Delivery:     FREE    
Tax:     $17.66    
Total:     $250.35    

    Your order is subject to review and the expected delivery date(s) noted above are pending credit or check approval.
    Won't be there to sign for your order from 9 am to 5 pm, Monday - Friday. Print ourDriver Release. Some residential orders may be delivered by UPS as late as 7 pm.
    Questions about your order? Call us at 1-800-3STAPLE (1-800-378-2753) or email us atsupport@orders.staples.com. You can also fax us at 1-800-333-3199.
    See our return policy.
    Our prices vary from store prices. Not responsible for typographical errors. Not all items are available. We reserve the right to limit quantities, including the right to prohibit sales to resellers.
    Thanks for shopping Staples.

[snip]
The link in the email goes to a legimate (but hacked site) and then attempt to load one of the following three scripts:
[donotclick]algmediation.org/inventory/symphony.js
[donotclick]apptechgroups.net/katharine/bluejacket.js
[donotclick]ctwebdesignshop.com/marquetry/bucket.js


From there the victim is redirected to a malware landing page at [donotclick]tootle.us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another hijacked GoDaddy domain (there are some more on this server, listed below in italics).


Recommended blocklist:
23.92.22.75
tootle.us
tungstenrents.com
tweetbyte.com

algmediation.org
apptechgroups.net
ctwebdesignshop.com

No comments: