Monday, 22 December 2014

"Tiket alert" spam. Tiket? Really?

Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

From:    FBR service [jon.wo@fbi.com]
Date:    22 December 2014 at 18:29
Subject:    Tiket alert

Look at the link file for more information.

http://mitsuba-kenya.com/ticket/fsb.html

Assistant Vice President, FBR service
Management Corporation

I have seen another version of this where the download location is negociomega.com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe.

This has a VirusTotal detection rate of 2/54. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:

http://202.153.35.133:42463/2212us12//0/51-SP3/0/
http://202.153.35.133:42463/2212us12//1/0/0/
http://moorfuse.com/images/unk12.pne
202.153.35.133 is Excell Media Pvt Ltd, India.

Recommended blocklist:
202.153.35.133
moorfuse.com
mitsuba-kenya.com
negociomega.com
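To show how the indicators above can be turned into a practical check, here is an added example (my own code, not part of the original post) that extracts the hostname from each phone-home URL, confirms every one is covered by the recommended blocklist, and then scans a few constructed proxy log lines for contact with the listed hosts. The log format (timestamp, client IP, method, URL) and the log entries themselves are assumptions made up for the example; the IP, domains and URLs are the ones given in the post. Matching is done on the parsed hostname rather than by substring so that a URL whose path merely contains a listed domain is not flagged.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post: phone-home URLs and the recommended blocklist.
PHONE_HOME_URLS = [
    "http://202.153.35.133:42463/2212us12//0/51-SP3/0/",
    "http://202.153.35.133:42463/2212us12//1/0/0/",
    "http://moorfuse.com/images/unk12.pne",
]
BLOCKLIST = {"202.153.35.133", "moorfuse.com", "mitsuba-kenya.com", "negociomega.com"}


def host_of(url):
    """Return the lowercase hostname of a URL (port stripped), or '' if absent."""
    return (urlparse(url).hostname or "").lower()


def blocked(host):
    """True if the host, or any parent domain of it, is on the blocklist."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def uncovered_indicators():
    """Phone-home URLs whose host the blocklist would NOT catch (should be empty)."""
    return [u for u in PHONE_HOME_URLS if not blocked(host_of(u))]


# Constructed sample proxy log (assumed format: timestamp client method url).
SAMPLE_LOG = """\
1419273000.123 10.0.0.5 GET http://mitsuba-kenya.com/ticket/fsb.html
1419273005.456 10.0.0.5 GET http://www.example.com/index.html
1419273010.789 10.0.0.5 GET http://202.153.35.133:42463/2212us12//0/51-SP3/0/
1419273015.012 10.0.0.7 GET http://moorfuse.com/images/unk12.pne
1419273020.345 10.0.0.9 GET http://example.org/notmoorfuse.com/x
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_log(text):
    """Return (client_ip, url, matched_host) for each log line touching a blocked host."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url = m.groups()
        host = host_of(url)
        if host and blocked(host):
            hits.append((client, url, host))
    return hits


# Narrow heuristic drawn from this sample: an .exe whose name pretends to be a PDF.
DISGUISED_EXE_RE = re.compile(r"_pdf\.exe$", re.IGNORECASE)


def disguised_executable(filename):
    """True for attachment names like ticket8724_pdf.exe."""
    return bool(DISGUISED_EXE_RE.search(filename))


if __name__ == "__main__":
    print("uncovered:", uncovered_indicators())
    for client, url, host in scan_log(SAMPLE_LOG):
        print(f"{client} contacted blocked host {host}: {url}")
    print("ticket8724_pdf.exe disguised:", disguised_executable("ticket8724_pdf.exe"))
```

The parent-domain walk in `blocked()` means that a subdomain of a listed domain is also caught, while the hostname parse keeps `example.org/notmoorfuse.com/x` out of the results.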

1 comment:

Mike said...

sadly, people still click it...