
Wednesday, 1 October 2014

uktservices.com "Booking Cancellation" spam / 37.235.56.121

I just had a mass of these purporting to be from uktservices.com ("UK Travel Services"), but in fact it is a forgery and does not come from them at all: uktservices.com is not responsible for sending the spam and their systems have not been compromised.

From:     email@uktservices.com
Date:     1 October 2014 14:01
Subject:     Booking Cancellation

Hello.

Your booking at 13:15 on 1st Oct 2014 has been Cancelled.

Here is a link to your updated bookings view:

< href="[redacted] ">http://www.uktservices.com/system/drivers/jobs/51/66c3a53705f1ea2c5b8a11c94c29c6328599a0fc
All the emails are somewhat mangled, but the first link in each email (not the uktservices.com link) goes to what appears to be an exploit kit.

The links in the emails I have seen so far go to:

[donotclick]vinafruit.com/ongo.html
[donotclick]famdebaere.eu/ongo.html
[donotclick]ebook-55.ebook-55.com/ongo.html
[donotclick]farahenterprises.com/ongo.html


In all cases, those pages forward to a malicious page at:

[donotclick]37.235.56.121:8080/njslfxqqw9

The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation.
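For anyone who wants to check proxy logs for the redirect chain above (landing page, then the 37.235.56.121:8080 target), here is an added example of a small Python matcher. It is not from the original post; the indicator values are the ones listed above, while the log lines and the simplified Squid-style log format (timestamp, client IP, method, URL, status) are constructed for illustration.

```python
"""Match the indicators from this post against proxy log lines.

Added example, not part of the original post. The indicator values are the
ones listed in the post; the log format and the log lines are constructed.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Landing pages exactly as written in the post (defanged with [donotclick]).
DEFANGED_LANDING_PAGES = [
    "[donotclick]vinafruit.com/ongo.html",
    "[donotclick]famdebaere.eu/ongo.html",
    "[donotclick]ebook-55.ebook-55.com/ongo.html",
    "[donotclick]farahenterprises.com/ongo.html",
]

# Final redirect target from the post (host and non-default port).
REDIRECT_HOST = "37.235.56.121"
REDIRECT_PORT = 8080


def refang(indicator: str) -> str:
    """Strip the [donotclick] prefix so the indicator can be parsed as a URL."""
    return indicator.replace("[donotclick]", "")


def split_url(url: str) -> Tuple[str, int, str]:
    """Return (hostname, port, path) for a URL, assuming http when no scheme is given."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, port, parts.path


# Set of (host, path) pairs for the landing pages, built from the post's list.
LANDING_PAGES: Set[Tuple[str, str]] = {
    (split_url(refang(p))[0], split_url(refang(p))[2]) for p in DEFANGED_LANDING_PAGES
}
LANDING_HOSTS: Set[str] = {host for host, _ in LANDING_PAGES}


def classify_url(url: str) -> Optional[str]:
    """Classify a requested URL against the post's indicators.

    'exploit-kit'  : the 37.235.56.121:8080 redirect target
    'landing'      : one of the ongo.html landing pages
    'landing-host' : same host but a different path (lower confidence, since
                     the hosts look like compromised legitimate sites)
    None           : no match
    """
    host, port, path = split_url(url)
    if host == REDIRECT_HOST and port == REDIRECT_PORT:
        return "exploit-kit"
    if (host, path) in LANDING_PAGES:
        return "landing"
    if host in LANDING_HOSTS:
        return "landing-host"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, verdict) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


def clients_reaching_kit(hits: List[Tuple[str, str, str]]) -> Set[str]:
    """Clients that fetched a landing page and later reached the redirect target."""
    seen_landing: Set[str] = set()
    reached: Set[str] = set()
    for client, _url, verdict in hits:
        if verdict in ("landing", "landing-host"):
            seen_landing.add(client)
        elif verdict == "exploit-kit" and client in seen_landing:
            reached.add(client)
    return reached


# Constructed sample log: 10.0.0.15 follows the full chain, 10.0.0.31 only hits
# a landing page, 10.0.0.22 only visits unrelated or legitimate sites.
SAMPLE_LOG = """\
1412172071.123 10.0.0.15 GET http://vinafruit.com/ongo.html 200
1412172071.987 10.0.0.15 GET http://37.235.56.121:8080/njslfxqqw9 200
1412172080.001 10.0.0.22 GET http://www.example.com/index.html 200
1412172090.555 10.0.0.31 GET http://famdebaere.eu/ongo.html 200
1412172100.200 10.0.0.22 GET http://www.uktservices.com/ 200
"""

if __name__ == "__main__":
    matches = scan_log(SAMPLE_LOG)
    for client, url, verdict in matches:
        print(f"{client:<12} {verdict:<12} {url}")
    print("clients that reached the exploit kit:", sorted(clients_reaching_kit(matches)))
```

The uktservices.com request is deliberately not flagged: the sender address is forged, and the genuine site is not an indicator here. Matching on the host and port of the final hop is what catches the interesting part of the chain, since the landing-page hosts look like compromised legitimate sites and the /ongo.html path may change.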

I haven't been able to identify which exploit kit it is, as it has been hardened against analysis, but you can guarantee that this is malicious in some way or another.
