Malware spam: "Opinion: Cyprus banks shut extended to Monday - CNN.com" / salespeoplerelaunch.org

This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch.org:

Date:      Tue, 19 Mar 2013 10:40:22 -0600
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: Cyprus banks shut extended to Monday - CNN.com

   
Powered by    
* Please note, the sender's email address has not been verified.
   
   
You have received the following link from BreakingNews@mail.cnn.com:    
   
   
Click the following to access the sent link:
   
   
Cyprus banks shut extended to Monday - CNN.com*
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The malicious payload is at [donotclick]salespeoplerelaunch.org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).

Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)

Recommended blocklist:
salespeoplerelaunch.org
dnslvlup.com
69.197.177.16
5.9.212.43
66.85.131.123

Malware spam "New Pope Sued For Not Wearing Seat Belt In Popemobile" / webpageparking.net

This pope themed spam leads to malware on webpageparking.net:

Date:      Mon, 18 Mar 2013 20:20:54 +0200
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com


Powered by    
* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:    
       
Click the following to access the sent link:
       
New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com*
   
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The link goes through a legitimate hacked site and leads to a malicious payload at [donotclick]webpageparking.net/kill/borrowing_feeding_gather-interesting.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom KFT, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

BLOCKLIST:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
fenvid.com
gatovskiedelishki.ru
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
porftechasgorupd.ru
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com
teenlocal.net

UPDATE: another version of this is doing the rounds with a subject "Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases? - CNN.com"

LinkedIn spam / applockrapidfire.biz

This fake LinkedIn spam leads to malware on applockrapidfire.biz:

From: David O'Connor - LinkedIn [mailto:kissp@gartenplandesign.de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High

LinkedIn
REMINDERS
Invitation reminders:
 From David O\'Connor (animator at ea)

PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.

The link in the message goes through a legitimate hacked site to a malware landing page on  [donotclick]applockrapidfire.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php  (report here) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire.biz was registered just today to a presumably fake address:

Bernardine McGowan
1639 Heather Sees Way
MUSKOGEE
74401
United States
US
+1.2717159555
bernardine_mcgowan73@gmail.com

URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)

The nameservers are NS1.QUANTUMISPS.COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS.COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US).  quantumisps.com was registered to an anonymous person on 2013-03-15.

Minimum blocklist:
78.46.222.237
quantumisps.com
applockrapidfire.biz

Recommended blocklist:
5.9.212.43
50.22.196.70
66.85.130.234
66.85.131.123
78.46.222.237
194.165.17.3
quantumisps.com
applockrapidfire.biz

ADP Package Delivery Confirmation spam / picturesofdeath.net

 This fake ADP spam leads to malware on the jollily-named picturesofdeath.net:

From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply@adp.com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High

This message is to notify you that your package has been processed and is on schedule for delivery from ADP.

Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498

Details: Click here to overview and/or modify order

We will notify you via email if the status of your delivery changes.

--------------------------------------------------------------------------------

Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions

Thank You,
ADP Client Services
support.ADP.com

--------------------------------------------------------------------------------

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.

The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:

advarcheskiedela.ru

arhangelpetrov.ru

fenvid.com

gatovskiedelishki.ru

iberiti.com

metalcrew.net

notsk.com

picturesofdeath.net

porftechasgorupd.ru

roadix.net

sawlexmicroupdates.ru

secureaction120.com

secureaction150.com

LinkedIn spam / teenlocal.net

This fake LinkedIn spam leads to malware on teenlocal.net:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!

Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
   
    Program Management
    Strategic Planning

Continue



You are receiving Endorsements emails. Unsubscribe.

This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA

The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
buyersusaremote.net
cyberage-poker.net
hotels-guru.net
teenlocal.net
bbb-complaint.org
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
bbb-accredited.net
metalcrew.net
roadix.net
gatovskiedelishki.ru

RU:8080 and Amerika spam runs

For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.

The most obvious characteristic of one of the spam runs in the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.

But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.

I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American as apple pie sharlotka. The Amerika spam run is a little harder to identify, so there may be some errors in it.

I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!

BBB Spam / alteshotel.net and bbb-accredited.net

This fake BBB spam leads to malware onalteshotel.net and bbb-accredited.net:

Date:      Thu, 7 Mar 2013 06:23:12 -0700
From:      "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject:      BBB details regarding your claim No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.

We graciously ask you to overview the TERMINATION REPORT to meet on this claim

We awaits to your prompt rebound.

If you think you got this email by mistake - please forward this message to your principal or accountant

Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

=========================


Date:      Thu, 7 Mar 2013 21:19:18 +0800
From:      "Better Business Bureau Warnings" [prettifyingde7@transfers.americanpayroll.org]
Subject:      BBB details about your pretense No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.

We graciously ask you to visit the ABUSE REPORT to answer on this appeal

We awaits to your prompt answer.

If you think you got this email by mistake - please forward this message to your principal or accountant

Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:

69.43.161.176 (Parked at Castle Access Inc, US)

The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:

64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)

These other domains can be seen on those IPs:
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru

Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
alteshotel.net
bbb-accredited.net

Delta Airlines spam / inanimateweaknesses.net and complainpaywall.net

This fake Delta Airlines spam leads to malware on inanimateweaknesses.net and complainpaywall.net:

From: DELTA CONFIRMATION [mailto:cggQozvOc@sutaffu.co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary

Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries

Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com/itineraries.

Take control and make changes to your itineraries at delta.com/itineraries.

Speed through the airport. Check-in online for your flight.

Check-in

Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ---------------- ------ ------ -------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH

Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH

Check your flight information online at delta.com/itineraries

The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report  here) or [donotclick]complainpaywall.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.


Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page.

"Follow this link" spam / sidesgenealogist.org

This rather terse spam appears to leads to an exploit kit on sidesgenealogist.org:

From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link

I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226

Sincerely yours,
Sara Walton

The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here that indicates an exploit kit.

The malware is hosted on 188.93.210.226 (Logol.ru, Russia). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:

reinstalltwomonthold.org
nephewremovalonly.org
scriptselse.org
everflowinggopayment.net

US Airways spam / berrybots.net

This very details but fake US Airways spam leads to malware on berrybots.net:

Date:      Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From:      bursarp1@email-usairways.com
Subject:      Your US Airways trip

Confirmation code:   B339AO Date issued:   Tuesday, February 26, 2013 [redacted] Scan at any US Airways kiosk to check in Passenger summary Passenger name Frequent flyer # (Airline) Ticket number Special needs Angel Morris 40614552582 (US)   22401837506661     Robert White   12938253579871      Fly details Download to Outlook Depart:    Philadelphia, PA  (PHL) Chicago, IL (O'Hare)  (ORD) Date: Thursday, February 28, 2013 Flight #/ Carrier Depart Arrive Travel time Meal Aircraft Cabin Seats 8766    09:38 AM   PHL 10:56 AM   ORD 2h 18m A320 Coach 236E 236A Return:    Chicago, IL (O'Hare)  (ORD) Philadelphia, PA   (PHL) Date: Wednesday, March 06, 2013 Flight #/ Carrier Depart Arrive Travel time Meal Aircraft Cabin Seats 4394    11:55 AM   ORD 02:49 PM  PHL 1h 54m A320 Coach 10A 10B   US Airways Total travel cost (2 passengers) 2 Adults   $667.35 USD  Taxes and fees  $95.25 USD  Fare total $754.61 USD    Total   $751.62 USD Charged to ************XXX7 (Credit or Debit Card) Helpful links Manage your reservation Join Dividend Miles Airport information Baggage policies TSA regulations Inflight internet Seated in an exit row? Read about checking in. Bags Pay for your checked bags when you check in online or at the airport! Read more about bags. Carry ons* Carry-on bag Personal item All flights Checked bags (each way/per person)* 1st bag 2nd bag U.S. / Canada / Latin America / Caribbean / Bermuda / South America (except Brazil) Transatlantic Transpacific / Brazil (except Hawaii) *Carry-ons can be up to 40 lbs and up to 45 inches and a personal item is a handbag, briefcase or laptop bag. **1st & 2nd checked bags can be up to 50 lbs and 62 inches except Brazil where you're allowed up to 70 lbs. Europe fees apply for travel to/from Asia through Europe. Baggage fees are non-refundable. 1st, 2nd and 3rd checked bag fees waived Gold, Platinum and Chairman's Preferred members Star Alliance Gold status members 1st and 2nd checked bag fees waived (Overweight / oversize fees still apply) Confirmed First Class and Envoy passengers Active U.S. military with ID on personal travel Active U.S. military with ID and dependents traveling with them on orders Unaccompanied minors (with US Airways unaccompanied minor paid assistance) 1st checked bag fees waived (Overweight / oversize fees still apply) Silver Preferred members Star Alliance Silver status members Other guidelines: Overweight/oversize fees and fees for 3 or more bags apply. Read all baggage policies. If you're traveling with an infant, the child is allowed 1 fully collapsible stroller or 1 child restraint device or car seat (no charge). If you're traveling internationally with an infant in lap, your child is also allowed 1 checked bag (checked bag fees apply - max 62 in/157 cm and 50 lbs/23 kg). If one or more of your flights is on a partner airline, please check with the other airline for information on optional fees. Terms & conditions Ticket is non-transferable. You must contact US Airways on or before your scheduled departure to cancel any or all of your flights. If you don't, your entire itinerary will be cancelled and there may be no remaining value to use toward another ticket. Any change to this reservation, including flights, dates, or cities, is subject to a fee per passenger (according to the rules of the original fare). The new itinerary will be priced at the lowest available published fare at the time of change, which may result in a fare increase. Ticket expires one year from original date of issue. Unflown value expires one year from original date of issue. Read more about all US Airways taxes and fees. You have 24 hours to cancel your reservation for a full refund. Please view this link. Checked baggage fees may apply. Air transportation on US Airways is subject to the US Airways Contract of Carriage. View this document in PDF format. Security regulations may require us to disclose to government agencies the data you provide to us in connection with this reservation. Changes to the country of origin are not permitted, except for changes between the United States and U.S. territories. Send US your compliments and/or complaints.

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com. Please do not reply to this email, it is not monitored. If you'd like to contact us, please visit our website.

Picture version (click to enlarge):

The malicious payload is at [donotclick]berrybots.net/detects/circulation-comparatively.php (report here) hosted on:118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)

Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78
greatfallsma.com
lazaro-sosa.com
yoga-thegame.net
dekolink.net
saberdelvino.net
berrybots.net

Facebook spam / lazaro-sosa.com

This fake Facebook spam leads to malware on lazaro-sosa.com:

Date:      Tue, 26 Feb 2013 14:26:20 +0200
From:      "Facebook" [twiddlingv29@informer.facebook.com]
Subject:      Brian Parker commented your photo.

facebook
   
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307

The malicious payload is at [donotclick]lazaro-sosa.com/detects/queue-breaks-many_suffering.php (report here) hosted on:

118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)

Blocking these IPs is probably prudent.

LinkedIn spam / greatfallsma.com and yoga-thegame.net

This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma.com:

From: LinkedIn [mailto:papersv@informer.linkedin.com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending

See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
 
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
 
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063

Another example:

Date:      Fri, 22 Feb 2013 18:21:25 +0200
From:      "LinkedIn" [noblest00@info.linkedin.com]
Subject:      Reminder about link requests pending

�����

[redacted]
See who requested link with you on LinkedIn

Now it's easy to connect with people you email
Continue
   
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
� 2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043

The malicious payload is at [donotclick]greatfallsma.com/detects/impossible_appearing_timing.php (report here) hosted on:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

These are the same two servers used in this attack, blocking them would probably be a good idea.

UPDATE: the malicious domain yoga-thegame.net is also on the same servers (report here)

"Data Processing" spam / dekolink.net

This fake "Data Processing" spam leads to malware on dekolink.net:

Date:      Fri, 22 Feb 2013 08:06:43 -0500
From:      "Data Processing Service" [customersupport@dataprocessingservice.com]
Subject:      ACH file ID '768.579

Files Processing Service

SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:

Item count: 79

Total debits: $28,544.53

Total credits: $28,544.53

For more info click here

The malicious payload is at [donotclick]dekolink.net/detects/when-weird-contrast.php (report here) hosted on the following servers:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

Verizon Wireless spam / participamoz.com

This fake Verizon Wireless spam leads to malware on participamoz.com:

Date:      Wed, 20 Feb 2013 23:24:49 +0400
From:      "AccountNotify@verizonwireless.com" [cupcakenc0@irs.gov]
Subject:      Verizon wireless online bill.

Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

> Review and Pay Your Bill

Thank you for choosing Verizon Wireless.

My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...

2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.

The malicious payload is at [donotclick]participamoz.com/detects/holds_edge.php (report here) hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)

The following IPs and domains are connected should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile.com
aftandilosmacerati.com
pardontemabelos.com
participamoz.com

   

"Cum Avenue" IRS Spam / azsocseclawyer.net

This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer.net:

Date:      Fri, 15 Feb 2013 09:47:25 -0500
From:      Internal Revenue Service [ahabfya196@etax.irs.gov]
Subject:      pecuniary penalty for delay of tax return filling

Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.

Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.

You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.

Please visit official website for more information


Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.

The malicious payload is at [donotclick]azsocseclawyer.net/detects/necessary_documenting_broadcasts-sensitive.php (report here) hosted on:

77.241.192.47 (VPSNET, Lithunia)
175.121.229.209 (Hanaro Telecom, Korea)

The following domains are currently visible on those IPs are should be regarded as malicious:
albaperu.net
azsocseclawyer.net
derdondetes.com
dressaytam.net
estudienteyo.com
extuderbest.com
madcambodia.net
micropowerboating.net
mochentopen.com
theatreli.net
thedigidares.net

NACHA spam / thedigidares.net

This fake NACHA spam leads to malware on thedigidares.net:

Date:      Wed, 13 Feb 2013 12:10:27 +0000
From:      " NACHA" [limbon@direct.nacha.org]
Subject:      Aborted transfer

Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.

Transaction ID:     648919687408
Cancellation Reason     Review additional info in the statement below
Transaction Detailed Report     Report_648919687408.xls (Microsoft/Open Office Word Document)


13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200

� 2013 NACHA - The Electronic Payments Association

The malicious payload is at [donotclick]thedigidares.net/detects/irritating-crashed-registers.php (report here) hosted on:

134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)



The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu.net
capeinn.net
thedigidares.net
madcambodia.net
micropowerboating.net
dressaytam.net
acctnmrxm.net
albaperu.net
live-satellite-view.net
dressaytam.net

BBB Spam / madcambodia.net

This fake BBB spam leads to malware on madcambodia.net:

Date:      Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From:      Better Business Bureau [notify@bbb.org]
Subject:      BBB  details about your  cliente's pretense ID 43C796S77

Better Business Bureau ©
Start With Trust ©

Thu, 7 Feb 2013

RE: Issue No. 43C796S77

[redacted]

The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.

We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.

We awaits to your prompt response.

Best regards
Luis Davis
Dispute Advisor
Better Business Bureau

Better Business Bureau
3073  Wilson Blvd, Suite 600  Arlington, VA 23501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is at [donotclick]madcambodia.net/detects/review_complain.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following domains appear to be active on these IPs:
madcambodia.net
acctnmrxm.net
capeinn.net
starsoftgroup.net
live-satellite-view.net
morepowetradersta.com

FFIEC spam / live-satellite-view.net

This spam attempts to load malware from live-satellite-view.net, but fails because at the moment the domain isn't registered. However, you can expect them to try again.. so watch out for emails like this.

From: FFIEC [mailto:complaints@ffiec.gov]
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715


This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.   
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
   Occasion Number: 77715             
Observed by
 Federal Financial Institution Examination Council
   Emily Gray

The attempted download is from [donotclick]live-satellite-view.net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page.net and ns2.http-page.net, and up investigate it turns out that all the following IPs and domains are related and should be treated as malicious:
7.129.51.158
31.170.106.17
74.4.6.128
98.144.191.50
175.121.229.209
198.144.191.50
208.117.43.145
222.238.109.66
able-stock.net
capeinn.net
duriginal.net
euronotedetector.net
gonita.net
gutprofzumbns.com
http-page.net
live-satellite-view.net
morepowetradersta.com
ocean-movie.net
starsoftgroup.net
vespaboise.net

"Most recent events on Facebook" spam / gonita.net

This fake Facebook spam leads to malware on gonita.net:

Date:      Mon, 28 Jan 2013 17:30:50 +0100
From:      "Facebook" [addlingabn2@bmatter.com]
Subject:      Most recent events on Facebook

facebook   
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
   
Log in to Facebook and start connecting
Sign in

Please use the link below to resume your account :
http://www.facebook.com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301

The malicious payload is at [donotclick]gonita.net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea).

The following malicious domains are active on the same IP:
morepowetradersta.com
kendallvile.com
alphabeticalwin.com
ehadnedrlop.com
postofficenewsas.com
prepadav.com
masterseoprodnew.com
vespaboise.net
duriginal.net
shininghill.net
euronotedetector.net
fx-points.net
africanbeat.net
ensconcedattractively.biz
gonita.net