Sponsored by..

Showing posts with label Amazon. Show all posts
Showing posts with label Amazon. Show all posts

Thursday 6 December 2012

Amazon spam / evokeunreasoning.pro

A few different variants of this today, all pretending to be from Amazon and leading to malware on evokeunreasoning.pro:


Date:      Thu, 6 Dec 2012 17:32:38 +0200
From:      "Amazon . com" [digital-notifier@amazon.com]
Subject:      Your Amazon.com order receipt.

    Click here if the e-mail below is not displayed correctly.
   
Follow us:                    
   
   
Your Amazon.com                         Today's Deals                 See All Departments    


Dear Amazon.com Member,    
       

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Overview:

E-mail Address: [redacted]
Billing Address:
1113 4th Street
Fort North NC 71557-2319,,FL 67151}
United States
Phone: 1-491-337-0438

Order Grand Total: $ 50.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     C47-8578330-3362713
Subtotal of items:     $ 50.99
    ------
Total before tax:     $ 50.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 0.99
    ------
Total for this Order:     $ 50.99
       
       
   
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.

� 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824

Please note that this message was sent to the following e-mail address: [redacted]


The malicious payload is at [donotclick]evokeunreasoning.pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving.

Wednesday 17 October 2012

Amazon.com spam / sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info

This fake Amazon.com spam leads to malware on sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info:

From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High


Gift Cards
|     Your Orders
|     Amazon.com


Shipping Confirmation
Order #272-3140048-4213404


Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Tuesday, October 9, 2012


Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.

Shipment Details

Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com)     $109.95

Item Subtotal:     $109.95
Shipping & Handling:     $0.00
Total Before Tax:     $109.95
Shipment Total:     $109.95
Paid by Visa:     $109.95

Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
The malicious payload is at [donotclick]sdqhfckuri.ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh.ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).

Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although it they do not resolve at present.

Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either.

Some other subjects seen:
Your Amazon.com order of "Citizen Men's BL2774-05L Eco-Drive Perpetual Calendar Chronograph Watch" has shipped!
Your Amazon.com order of "Casio Men's PAG165-0CR Pathfinder Triple Sensor Multi-Function Sport Watch" has shipped!
Your Amazon.com order of "G-Shock GA-386-1A8 Big Combi Military Series Watch" has shipped!
our Amazon.com order of "Fossil Men's FS2362 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!
Your Amazon.com order of "Timex Ironman Men's Road Trainer Heart Rate Monitor Watch, Black/Orange, Full Size" has shipped!

Thursday 27 September 2012

Amazon.com spam / uenwxgvrymch.net

This Amazon.com spam leads to malware on uenwxgvrymch.net:

From: Gabriel Roach [mailto:plectrumsiy0@independentreporters.com]
Sent: 27 September 2012 13:19
To: UK HPEA 2
Subject: Your Amazon.com order of "Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!

Hello,

Shipping Confirmation
Order # 675-5092359-2844093

Your estimated delivery date is:
Friday, August 3 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com
===

The malicious payload is at [donotclick]uenwxgvrymch.net/links/claims_separate-learns_buy.php?ioufk=353302063538093336083737030a0a040309020703383305030a060906350a0a&pgaxszhs=39&meus=0a340b37043808020237&wzirxo=0a000300040002 (report here) which is hosted on the same IP address as this attack.

Amazon.com spam / ciafgnepbs.ddns.ms

This fake Amazon.com spam leads to malware on ciafgnepbs.ddns.ms:

From: Viola Chatman [mailto:parchesei642@foxvalley.net]
Sent: 27 September 2012 12:10
Subject: Your Amazon.com order of "Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch" has shipped!

Hello,

Shipping Confirmation
Order # 749-1221929-9346291

Your estimated delivery date is:
Friday, August 3 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch $139.95
Item Subtotal: $139.95
Shipping & Handling: $0.00
Total Before Tax: $139.95
Shipment Total: $139.95
Paid by Visa: $139.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com


The malicious payload is at [donotclick]ciafgnepbs.ddns.ms/links/claims_separate-learns_buy.php hosted on 62.109.23.82 (TheFirst-RU, Russia), the suspect domain ynrteqhsobjv.dnset.com  is also on the same server, blocking that IP address would protect against other malicious sites on the same server.

You might also want to consider blocking all ddns.ms and dnset.com domains, although this type of Dynamic DNS domain does have its uses, I personally believe that the dangers of mis-use outweigh the benefits.

Monday 24 September 2012

Amazon.com spam / pallada-cruise.net

This fake Amazon spam leads to malware on pallada-cruise.net:

From:     Belinda Gallagher vigilancejy586@williamsguitarcompany.com
To:     [redacted]
Date:     24 September 2012 18:44
Subject:     Your Order Shipped Now

Amazon    
Your Orders &nbsp| Your Account | Amazon.com
Order Confirmation
Order #002-3989927-06014360

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that our shop shipped your item, and that this completes your order.. If you need to return an good from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:

Friday, September 21, 2012

Why tracking information may not be available?
    Your order was shipped to:

[redacted]
006 S Academy St, App. 1D
S Paolo, DC
United States

This shipment have no an associated delivery tracking No..

Shipment Details
   

LG 42LW5302, SV 46-Inch 720p 120 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Four Pairs of 3D Glasses
Sold by onner
Condition: not-used before
    $612.35
Item Subtotal:     $612.35
Shipping & Handling:     $20.43
Total Before Tax:     $612.35
Shipment Total:     $612.35
Paid by MC:     $612.35

Returns are easy. Visit our ON-line Return Center.
If you need further assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and item provider information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

The malicious payload (probably a Blackhole 2 exploit kit) is at [donotclick]pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php hosted on 203.91.113.6 (G Mobile, Mongolia), an IP address that has been very active in spreading badness and which you should block if you can.

Thursday 20 September 2012

Amazon.com spam / webgrafismo.net and 203.91.113.6


This fake Amazon.com spam leads to malware on webgrafismo.net:


Date:      Fri, 21 Sep 2012 03:44:47 +0800
From:      "Adolfo Bruno" [debitst54@uky.edu]
Subject:      Your HD TV Delivered Yesterday

  
Your Orders | Your Account | Amazon.com
Shipping Confirmation
Order #002-9587043-55406590

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment delivery date is:

Friday, September 21, 2012

Why tracking information may be unavailable?
    Your order was sent to:

[redacted]
572 9th Ave, App. 2D
S Paolo, TX
United States

This shipment does not have an associated delivery tracking No..

Conveyance Data
  

Sharp XVT3D32, SV 46-Inch 1080p 1000 Hz Cinema 3D LED-LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by secondipity
Condition: used - acceptable
    $740.43
Item Subtotal:     $740.43
Shipping & Handling:     $22.40
Total Before Tax:     $740.43
Shipment Total:     $740.43
Paid by Maestro:     $740.43

Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

==========

Date:      Thu, 20 Sep 2012 20:51:04 +0100
From:      "Ned@mc2school.org" [Ned@ataonline.com.tr]
Subject:      Re: HDTV Shipped Yesterday

Your Orders | Your Account | Amazon.com                                          
Order Processing Confirmation                                          
Order #002-1662198-01565354                                                                      
Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated  shipment date is:

Friday, September 21, 2012

Why tracking information may  be not available?
        Your order  was delivered to:

[redacted]
148 S Academy Dr, App. 1D
Albuquerque, KY
United States

This shipment does not have an associated delivery  tracking number.                          

Order                                   

Sony  XVT3D15, SV 42-Inch 1080p 600 Hz Cinema 3D  LCD HDTV  with 3D Blu-ray Player and  Two Pairs of 3D Glasses
Sold by  onner
Condition:  used-new
        $594.65
Item Subtotal: $594.65
Shipping & Handling:   $22.34
Total Before Tax:      $594.65
Shipment Total:        $594.65                                            
Paid by  Discover:     $594.65                                                          
Returns are easy. Visit our ON-line Return Center.
If you need  urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and shop information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.                     
                                                                                         
The malicious payload is at [donotclick]webgrafismo.net/detects/rates-event_convinced-sent.php hosted on a known bad IP address of 203.91.113.6 (G Mobile, Mongolia). The exploit kit is probably Blackhole 2 given it's characteristics.



If you can block this IP address then I strong advise it. Other malicious sites on the same IP include.

penel-opessong.com
sncahmn.com
xlzones.com
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
sowendo.net
thebummwrap.net
allmn-leicncester.net
bode-sales.net
webgrafismo.net