Sponsored by..

Showing posts with label Amerika. Show all posts
Showing posts with label Amerika. Show all posts

Monday, 22 July 2013

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:

From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www.aa.com.

left corners         left corners

 

This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) .

Record Locator: LEBBGM             Purchase

 

left corners         left corners

Passengers

   Isabella  Green
NOTE: This is not a ticket or electronic receipt
Carrier Flight
Number
Departing Arriving Cabin

Booking Code
Seats Meals
City Date & Time City Date & Time

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES
2879 SPS Wichita Falls July 24, 2013 10:50 AM DFW Dallas/ Fort Worth July 24, 2013 11:43 AM Economy

M
32A  Food For Purchase 

AMERICAN AIRLINES
1795 DFW Dallas/ Fort Worth July 24, 2013 12:35 PM IAH Houston July 24, 2013 01:43 PM Economy

M
23A 

AMERICAN AIRLINES
1690 IAH Houston July 26, 2013 02:20 PM DFW Dallas/ Fort Worth July 26, 2013 03:35 PM Economy

M
20C 

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES
3294 DFW Dallas/ Fort Worth July 26, 2013 04:20 PM SPS Wichita Falls July 26, 2013 05:10 PM Economy

M
27B  Food For Purchase 
spacer
  Fare Summary help
Average Fare per Person - 444.00 USD
Passenger Type Used in Pricing Fare per Person Additional Taxes and Fees per Person Total Price
1  Adult 442.90 USD 34.25 USD 490.95 USD
Total Price 495.49 USD
spacer
  Merchandising Summary help
Flight Number Seat Number Seat Price Taxes Total Price
2879 0.00 USD 0.00 USD 0.00 USD
1795 14.00 USD 1.05 USD 15.05 USD
1690 14.00 USD 1.05 USD 15.05 USD
3294 0.00 USD 0.00 USD 0.00 USD
Total Price 30.10 USD
  Purchase
Please note the following:
 • View Fare rules.
 • Fares are only guaranteed up to 24 hours.
 • Additional foreign taxes may apply.
 • Additional fees may also apply for tickets not purchased through AA.com.


This is not the itinerary receipt that is required for identification purposes at the airport check-in. That receipt will be furnished upon purchase of this reservation.

In order to proceed to your gate you must present a government issued photo I.D. and either your boarding pass or a priority verification card at the screening security checkpoint.

If you are not a resident of the U.S., U.K., Canada or select countries in Latin America and the Caribbean, tickets must be purchased at an American Airlines ticketing location/airport, or by calling an American Airlines International Reservations office. Flights booked on carriers other than American Airlines, American Eagle® or AmericanConnection® are on a request basis only.

You've got payment options at AA.com! Make your dream vacation come true with the Fly Now Payment Plan, speed through checkout with PayPal, or use electronic checks to pay directly from your checking account. You can also pay in cash at participating Western Union locations or use a credit/debit card. Available payment options may vary by country.

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php (report here) hosted on the following IPs:


50.97.253.162 (Softlayer, US)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)

The WHOIS details for that domain are the characteristically fake ones associated with this gang:
        Michael Fenwick freehotjob@yahoo.com
        21 Fredricksburg Court
        State College
        PA
        16803
        US
        Phone: +1.8144411445




Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
allgstat.ru
autorize.net.models-and-kits.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
firefoxupd.pw
firerice.com
fulty.net
gamnnbienwndd70.net
gebelikokulu.net
generationpasswaua40.net
gnanosnugivnehu.ru
gondamtvibnejnepl.net
greenleaf-investment.net
housesales.pl
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mifiesta.ru
motobrio.net
mycanoweb.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
privat-tor-service.com
prysmm.net
quipbox.com
rentipod.ru
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
sendkick.com
shanghaiherald.net
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net

Saturday, 20 July 2013

Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports.com

This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports.com:

Date:      Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From:      Verizon Wireless [VZWMail@e-marketing.verizonwireless-mail.net]
Subject:      Data Usage Overage Alert

Important Information About Your Account.      View Online
verizon wireless    Explore    Shop    My Verizon    Support   
                                       
Important Information About Your Data Usage

Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.

Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.

Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
Thank you for choosing Verizon Wireless.
   
Details as of:
[redacted]

07/19/2013 02:15 AM EDT
   
                                       
We respect your privacy. Please review our privacy policy for more information
about click activity with Verizon Wireless and links included in this email.

This email was sent to [redacted];

ID: [redacted]

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports.com/news/verizon-bill.php (report here) hosted on:

172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
188.134.26.172 (Perspectiva Ltd, Russia)

The domain verizonwirelessreports.com is fake and was recently registered to an anonymous person. However, given the IPs and associated domains then this is clearly the work of this gang
.
Blocklist:
172.255.106.126
188.134.26.172
verizonwirelessreports.com
firerice.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
epackage.ups.com.shanghaiherald.net
vitans.net
www.klwines.com.order.complete.prysmm.net
prysmm.net
shanghaiherald.net



Thursday, 18 July 2013

K&L Wine Merchants (KLWines.com) spam / prysmm.net

This fake K&L Wine Merchantsm spam email leads to malware on www.klwines.com.order.complete.prysmm.net:


Date:      Thu, 18 Jul 2013 05:57:28 -0800
From:      drowsedl04@inbound.ups.net
CC:     
Subject:      Your K&L order #56920789 is complete

Hello from K&L Wine Merchants -- www.KLWines.com

Just wanted to let you know that your order (#56920789) is complete.

Additional comments for this order: Ship Fri. 7/19

The following items are included in this order:

------------------------------------------------------------------
 Item                               Price Shipped    Subtotal
------------------------------------------------------------------

 2009 Whitehall Lane Napa          $32.99     1        $32.99
     Valley Cabernet Sauvignon

 2007 Friggiali Brunello di        $28.99     2        $57.98
     Montalcino

 2010 Columbia Crest "H3"          $10.99     2        $21.98
     Horse Heaven Hills Washington
     Cabernet Sauvignon

 2010 Seven Hills Columbia         $19.99     1        $19.99
     Valley Cabernet Sauvignon

 2010 Bonaccorsi "Fiddlestix       $44.99     1        $44.99
     Vineyard" Sta. Rita Hills
     Pinot Noir

 2010 Melville "Estate" Santa      $25.99     1        $25.99
     Rita Hills Pinot Noir

 2007 La Fortuna Brunello di       $38.99     1        $38.99
     Montalcino

------------------------------------------------------------------
                Item Subtotal:    $247.91
                          Tax:      $0.00
          Shipping & Handling:     $67.18
                        Total:    $315.09

The shipping method for this order is UPS 2-Day, being sent to:

        Matthew Wright
        4025 sunset city plaza
        garden city, DC 13375 USA
      

The tracking number for this shipment is 1Z474482A140261050.
Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below. You may have to copy the link and paste it into your browser.
http://wwwapps.ups.com/etracking/tracking.cgi?TypeOfInquiryNumber=T&InquiryNumber1=1Z474482A140261050

To see the latest information about your order, visit "My Account" at http://www.klwines.com/account.asp. "My Account" lets you manage your orders online by giving you the ability to do the following:

* See your order status
* Change your e-mail address or password
* Update your billing and shipping information for future orders

You can also reach "My Account" by clicking on the link on the top of any page on our Web site.

If you need to get in touch with us about your orders, contact us via Contacts page.

Thank you for shopping at klwines.com -- we appreciate your business.

---------------------------------------------------------------------
K&L Wine Merchants
"Internet's Best Wine Site"  -- Money Magazine
questions@klwines.com             http://www.klwines.com/
---------------------------------------------------------------------

The link in the email goes through a legitimate hacked site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm.net/news/order-information.php (report here) hosted on:


50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The fake WHOIS details mark this out as belonging to the Amerika gang.

   Matamoros, Grace  freehotjob@yahoo.com
   6805 Laredo
   Houston, TX 77020
   US
   8322897755

Recommended blocklist:
50.97.253.162
59.126.142.186
203.236.232.42
209.222.67.251
autorize.net.models-and-kits.net
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
ehnihenransivuennd.net
epackage.ups.com.shanghaiherald.net
erawppa.com
ermitirationifyouwau30.net
estateandpropertty.com
firerice.com
fulty.net
gebelikokulu.net
generationpasswaua40.net
gondamtvibnejnepl.net
greenleaf-investment.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
m.krasalco.com
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
motobrio.net
mycanoweb.com
pass-hc.com
prysmm.net
quipbox.com
sendkick.com
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
viperlair.net
vitans.net

Wednesday, 17 July 2013

"Houston Marriott Westchase Reservation Confirmation" spam / marriott.com.reservation.lookup.viperlair.net

This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair.net:


Date:      Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
From:      Marriott Hotels & Resorts Reservation [reservations@clients.marriottmail.org]
Reply-To:      reservations@clients.marriottmail.org
Subject:      Houston Marriott Westchase Reservation Confirmation #86903601

Marriott Hotels & Resorts Houston Marriott Westchase 2900 Briarpark Dr.,
Houston, Texas 77042 USA Phone: 1-713-978-7400 Fax: 1-713-735-2726
   
Reservation for [redacted]

    Confirmation Number: 86903601
    Check-in: Sunday, July 21, 2013 (03:00 PM)
    Check-out: Wednesday, July 24, 2013 (12:00 PM)

    Modify or Cancel reservation    

View View hotel website
Maps Maps & Transportation

Reservation Confirmation
Dear Client,

We are pleased to confirm your reservation with Marriott. Below is a summary of your booking and room information. We look forward to making your stay gratifying and memorable. When you're traveling away from home you can always count on Marriott.

Houston Marriott Westchase

Planning Your Trip

    See what's happening in Houston during your stay
    Check out some of Houston's top attractions

    Book with Hertz: Save up to 35% and Earn 500 Rewards Points
    Book Cars, Tours & More - get great rates on local tours and attractions


Reservation Details

    Confirmation Number: 86903601
    Your hotel: Houston Marriott Westchase
    Check-in: Sunday, July 21, 2013 (03:00 PM)
    Check-out: Wednesday, July 24, 2013 (12:00 PM)
    Room type: Guest room, 1 King or 2 Queen
    Number of rooms: 1
    Guests per room: 1
    Guest name: Jesus Bell
    Reservation confirmed: Wednesday, July 16, 2013 (21:55:00 GMT)
    Guarantee method: Credit card guarantee, VISA

Special request(s):

    •2 Queen Beds, Guaranteed
    •High Floor Room, Request Noted
    •I.D. Required, Request Noted


Summary of Room Charges     Cost per night per room (USD)
Sunday, July 21, 2013 - Wednesday, July 24, 2013 ( 3 nights=20 )     109.43
Govt/military rate, federal government ID required    
Estimated government taxes and fees     18.53
Total for stay (for all rooms)     469.89

    Complimentary on-site parking
    Valet parking, fee: 14 USD daily
    Changes in taxes or fees implemented after booking will affect the total room price.

You may modify or cancel your reservation online (see details below), or call our worldwide telephone numbers.

Contact us if you have questions about your reservation.
Canceling Your Reservation

    You may cancel your reservation for no charge until Friday, July 19, 2013 (1 day[s] before arrival).

    Please note that we will assess a fee of 127.53 USD if you must cancel after this deadline.

    If you have made a prepayment, we will retain all or part of your prepayment. If not, we will charge your credit card.

Modifying Your Reservation

    Please note that a change in the length or dates of your reservation may result in a rate change.
    Please be prepared to show proof of eligibility for your rate (such as a membership card, corporate or government identification card, or proof of your age).

Rewards Account Information
http://www.marriott.com/Images/email/rewards/logos/Silver_28x142.gif
Your Rewards level: Silver
Your Rewards number: 642268841

As a Silver Elite member, you can enjoy the following benefits during your stay (may vary by hotel):
20% Bonus on your Marriott Rewards base points
Priority Late Checkout
Guaranteed Room Type

Sign in to view account

    Sign up for eFolio to receive your hotel bill by email after each stay in the USA and Canada.
    Plan events, earn rewards with Rewarding Events.

50,000 Bonus Points    
50,000 Bonus Points

Earn 50,000 Bonus Points and an Annual Free Night with No Annual Fee the First Year. More Rewards, Faster with the Marriott Rewards Premier Credit Card.

Learn More and Apply

Travel Alerts

    Download the Marriott Mobile App. The Perfect Travel CompanionTM
    Please Note: All Marriott hotels in the USA and Canada, are committed to a smoke-free policy.
    Learn more
    The Responsible Tourist and Traveler
    A practical guide to help you make your trip an enriching experience

Look No Further
You've received the best possible rate - guaranteed.

Privacy, Authenticity and Opting Out

Your privacy is important to us. Please visit our Privacy Statement for full details.

This email confirmation is an auto-generated message. Replies to automated messages are not monitored. Our Internet Customer Care team is available to assist you 24 hours per day, 7 days per week. Contact Internet Customer Care.

Promotional email unsubscribe

If you provided us with your email address for the first time, we will send you a follow-up email to welcome you. We will also send you periodic emails with information about your account balance, member status, special offers and promotions. An opt-out link will be included in each of these emails so that you can change your mind at any time.
If you would prefer to opt out of such emails from Marriott International, Marriott Rewards or The Ritz-Carlton Rewards, you may do so here. In addition, you may unsubscribe from The Ritz-Carlton email community here

Please note: Should you unsubscribe from promotional email, we will continue to send messages for transactions such as reservation confirmation, point redemption, etc.

Confirmation Authenticity

We're sending you this confirmation notice electronically for your convenience. Marriott keeps an official record of all electronic reservations. We honor our official record only and will disregard any alterations to this confirmation that may have been made after we sent it to you.

If you have received this email in error, please let us know.
Terms of Use::Internet Privacy Statement

©1996-2013 Marriott International, Inc. All rights reserved. Marriott proprietary information.


The link in the email goes through a legitimate hacked site and lands on [donotclick]marriott.com.reservation.lookup.viperlair.net/news/marriott-ebill-order-confirmation.php (report here) hosted on  the following IPs:

viperlair.net is registered with fake WHOIS details that mark it out as belonging to the Amerika gang:

      miguel villegas
      15003 Elkhorn Dr
      FONTANA, CA 92336-5517
      US
      Phone: +1.9098998422
      Email: shanghaiherald32@yahoo.com


50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
50.97.253.162
59.126.142.186
209.222.67.251
autorize.net.models-and-kits.net
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
ehnihenransivuennd.net
erawppa.com
ermitirationifyouwau30.net
estateandpropertty.com
firerice.com
fulty.net
gebelikokulu.net
generationpasswaua40.net
gondamtvibnejnepl.net
greenleaf-investment.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mycanoweb.com
pass-hc.com
quipbox.com
sendkick.com
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
viperlair.net
vitans.net

Tuesday, 16 July 2013

"Invoice 48920" spam / doc201307161139482.doc

This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.

From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920

Thanks !!

Greg

Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50@travidia.com
Note that the date is included into the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47.  In theory, if your copy of Microsoft Word is up-to-date you should be immune to this. VT gives the following checksums:

MD5   935e5cacde136d006ea1bb1201a3e6ef
SHA1   bc876d53ad002f1d6fd994d6717372f374d5e6dc
SHA256   8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c


The Malwr analysis shows some of the things going on, including network connections to:
mycanoweb.com
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
188.40.92.12 (Hetzner, US)
209.222.67.251 (Razor Inc, US)

classified.byethost11.com
209.190.24.9 (Enet / XLHost, US)

myhomes.netau.net
31.170.160.129 (Main Hosting, US)

UPDATE: The ThreatTrack report [pdf] shows similar characterstics, including an attempted download from [donotclick]mycanoweb.com/report/doc.exe which is a Zbot variant with a low detection rate. (Also see the Anubis, ThreatExpert and Malwr reports for that).

Most of the IPs for mycanoweb.com overlap with these belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later it there's a problem.

Recommended blocklist:
mycanoweb.com
classified.byethost11.com
myhomes.netau.net
46.45.182.27
50.97.253.162
59.126.142.186
188.40.92.12
209.222.67.251
209.190.24.9
31.170.160.129

Additional IPs for Zbot component:
182.237.17.180
194.44.219.226
210.56.23.100

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
46.246.41.68 (Portlane Networks, Sweden)
46.38.51.162 (TCTEL, Russia)
50.97.253.162 (Softlayer, US)
58.196.7.174 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA, India)
61.220.221.92 (HINET / Chungwa Telecom, Taiwan)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.93.56.83 (Comcast Business Communications, US)
77.240.118.69 (Acens Technlogies, Spain)
80.52.135.172 (TPNET, Poland)
81.17.140.138 (Velton.telecom, Ukraine)
82.165.41.13 (1&1, Philippines)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UNIWEB, Belgium)
87.236.211.159 (Azar Online, Iran)
88.86.100.2 (Supernetwork, Czech Republic)
89.161.255.30 (Home.pl, Poland)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel / Megalan, Bulgaria)
98.192.168.80 (Comcast Communications, US)
103.9.23.34 (TPL Trakker, Pakistan)
108.179.8.103 (Tyco / Cablevision, US)
111.121.193.198 (China Telecom, China)
111.121.193.199 (China Telecom, China)
111.121.193.200 (China Telecom, China)
114.32.97.58 (HINET / Chungwa Telecom, Taiwan)
119.1.109.40 (QianXiNan County, China)
119.1.109.48 (QianXiNan County, China)
119.92.209.120 (Philippine Long Distance Telephone Company, Philippines)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.115.43.187 (TANET, Taiwan)
143.239.87.38 (University College Cork, Ireland)
150.244.233.146 (Universidad Autonoma De Madrid , Spain)
151.155.25.109 (Novell, US)
151.155.25.111 (Novell, US)
172.255.106.17 (Nobis Technology Group, US)
173.167.54.139 (Iceweb Storage Corp / Comcast, US)
176.31.46.7 (OVH, France)
180.166.172.122 (China Telecom, China)
184.105.135.29 (Hurricane Electric, US)
188.132.213.115 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.241.205.26 (Digital Ocean, US)
193.95.91.78 (Agence Tunisienne Internet, Tunisia)
195.225.58.122 (C&A Connect SRL, Romania)
198.56.238.36 (Enzu Inc, US)
201.163.145.125 (Alestra, S. de R.L. de C.V., Mexico)
202.28.69.195 (UniNet, Thailand)
202.63.210.182 (CubeXS Private Lmited, Pakistan)
203.122.26.124 (Citycom Networks Pvt Ltd, India)
203.235.181.181 (Sejong Telecom, Korea)
203.236.232.42 (KINX, Korea)
207.254.1.17 (Virtacore Systems Inc, US)
208.115.114.68 (Wowrack, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services Inc., Taiwan)
212.143.233.159 (013 Netvision Network, Israel)
222.20.90.25 (CERNET, China)

Blocklist:
24.173.170.230
31.145.19.17
38.96.42.60
41.196.17.252
46.45.182.27
46.246.41.68
46.38.51.162
50.97.253.162
58.196.7.174
59.124.33.215
59.126.142.186
59.160.69.74
61.220.221.92
64.49.246.226
69.162.76.10
74.93.56.83
77.240.118.69
80.52.135.172
81.17.140.138
82.165.41.13
85.17.224.131
85.119.187.145
87.236.211.159
88.86.100.2
89.161.255.30
89.248.161.146
95.111.32.249
98.192.168.80
103.9.23.34
108.179.8.103
111.121.193.198
111.121.193.199
111.121.193.200
114.32.97.58
119.1.109.40
119.1.109.48
119.92.209.120
128.252.158.57
138.80.14.27
140.115.43.187
143.239.87.38
148.81.111.91
148.81.111.92
150.244.233.146
151.155.25.109
151.155.25.111
172.255.106.17
173.167.54.139
176.31.46.7
180.166.172.122
184.105.135.29
188.132.213.115
190.85.249.159
192.241.205.26
193.95.91.78
195.225.58.122
198.56.238.36
201.163.145.125
202.28.69.195
202.63.210.182
203.122.26.124
203.235.181.181
203.236.232.42
207.254.1.17
208.115.114.68
209.222.67.251
210.200.0.95
212.143.233.159
222.20.90.25
abundanceguys.net
allgstat.ru
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
americimblog.com
amimeseason.net
androv.pl
aniolyfarmacij.com
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
augel.pl
autocompletiondel.net
autorize.net.models-and-kits.net
autotradeguide.net
avenues.pl
basedbreakpark.su
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
bestofallforallas.pl
blacklistsvignet.pl
blindsay-law.net
bnamecorni.com
boats-sale.net
brandeddepend.com
brasilmatics.net
businessdocu.net
buty24-cool.com
buycushion.net
cabby.pl
centow.ru
chairsantique.net
charismasalonme.net
childrensuck.net
cirormdnivneinted40.ru
clik-kids.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
cotime.pl
cpa.state.tx.us.tax-returns.mattwaltererie.net
cryoroyal.net
dasay.pl
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
editionscode.com
e-eleves.net
effectivenesspre.com
eftps.gov.charismasalonme.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
eliroots.ru
enchantingfluid.com
ensutringscal.net
enuhhdijsnenbude40.ru
ergopets.com
estateandpropertty.com
exterms.pl
faststream.pl
feminineperceiv.pl
filmstripstyl.com
fincal.pl
first4supplies.net
foremostorgand.su
freakable.net
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
genie-enterprises.com
gentonoesleep.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
gotip.pl
grivnichesvkisejj50.ru
guardianforyou.pl
gumfart.ru
hdmltextvoice.net
heidipinks.com
hemorelief.net
highsecure155.com
hingpressplay.net
hospitalinstitutee.com
hotautoflot.com
hotkoyou.net
hotpubblici.com
how-about-we.net
huang.pl
independinsy.net
info-for-health.net
initiationtune.su
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kirki.pl
krasalco.com
ledfordlawoffice.net
letsgofit.net
libulionstreet.su
linefisher.com
linkedin.com-update-report.taltondark.net
m.krasalco.com
made-bali.net
magiklovsterd.net
mantuma.pl
mattwaltererie.net
maxapps.pl
microsoftnotification.net
missdigitalworld.net
models-and-kits.net
modshows.net
morphed.ru
mosher.pl
nailapp.pl
namastelearning.net
ns3.thebodyfatsolutioncb.pl
nvufvwieg.com
offeringshowt.com
ompute.pl
oneday-movie.net
organizerrescui.pl
oupwareplanets.su
oydahrenlitu346357.ru
pinterest.com.reports0701.net
polymerplanet.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.net
questphoneservice.net
quipbox.com
ratenames.net
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
rustin.pl
safebrowse.pw
scourswarriors.su
secrettapess.com
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
sitemax.pl
sklephoreca.pl
soberimages.com
spros.pl
stilos.pl
streetgreenlj.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
telecomerra.com
thebodyfatsolutioncb.pl
thebodyfatsolutionoi.pl
thegalaxyatwork.com
theguardian-newspaper.pl
therichboysmail.net
thetimesforyou.pl
thosetemperat.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
trymaximumslimbaba.pl
trymaximumslimbia.pl
trymaximumslimboa.pl
trymaximumslimbua.pl
trymaximumslimbuta.pl
trymaximumslimdel.pl
trymaximumslimeta.pl
trymaximumslimfea.pl
trymaximumslimfoa.pl
trymaximumslimfol.pl
trymaximumslimhoa.pl
trymaximumslimhol.pl
trymaximumslimhowa.pl
trymaximumsliminl.pl
trymaximumslimlacl.pl
trymaximumslimlal.pl
trymaximumslimlea.pl
trymaximumslimleta.pl
trymaximumslimlitta.pl
trymaximumslimmaa.pl
trymaximumslimmal.pl
trymaximumslimmea.pl
trymaximumslimmia.pl
trymaximumslimnel.pl
trymaximumslimnota.pl
trymaximumslimota.pl
trymaximumslimpaa.pl
trymaximumslimpal.pl
trymaximumslimpara.pl
trymaximumslimrata.pl
trymaximumslimroba.pl
trymaximumslimroll.pl
trymaximumslimroma.pl
trymaximumslimsaa.pl
trymaximumslimsal.pl
trymaximumslimsanda.pl
trymaximumslimsil.pl
trymaximumslimsina.pl
trymaximumslimsofa.pl
trymaximumslimsofl.pl
trymaximumslimsparl.pl
trymaximumslimteda.pl
trymaximumslimulda.pl
trymaximumslimundl.pl
tstatbox.ru
tvblips.net
u-janusa.net
ukbash.ru
unabox.pl
usenet4ever.net
usergateproxy.net
vahvahchicas.ru
vip-proxy-to-tor.com
vivendacalangute.net
wickedpl.com
wic-office.com
wordstudio.pl
wow-included.com
yourbodyfatsolutionaningm.pl
yourbodyfatsolutionharm.pl
yourbodyfatsolutionhom.pl
yourbodyfatsolutionlgf.pl
yourbodyfatsolutionlittm.pl
yourbodyfatsolutionlpa.pl
yourbodyfatsolutionlub.pl
yourbodyfatsolutionlui.pl
yourbodyfatsolutionmem.pl
yourbodyfatsolutionnak.pl
yourbodyfatsolutionncb.pl
yourbodyfatsolutionnff.pl
yourbodyfatsolutionnzk.pl
yourbodyfatsolutionronm.pl
yourbodyfatsolutionsam.pl
yourbodyfatsolutionsim.pl
yourbodyfatsolutionterm.pl
yourbodyfatsolutiontinm.pl
yourbodyfatsolutionuca.pl
yourbodyfatsolutionucb.pl
yourbodyfatsolutionuee.pl
yourbodyfatsolutionufd.pl
yourbodyfatsolutionuff.pl
yourbodyfatsolutionufg.pl
yourbodyfatsolutionugd.pl
yourbodyfatsolutionugf.pl
yourbodyfatsolutionuhh.pl
yourbodyfatsolutionukk.pl
yourbodyfatsolutionunb.pl
yourbodyfatsolutionunc.pl
yourbodyfatsolutionuoi.pl
yourbodyfatsolutionupa.pl
yourbodyfatsolutionusd.pl
yourbodyfatsolutionuub.pl
yourbodyfatsolutionuui.pl
yourbodyfatsolutionuvb.pl
yourbodyfatsolutionuvc.pl
yourbodyfatsolutionuzk.pl
yourbodyfatsolutionwam.pl
zestrecommend.com

Monday, 15 July 2013

UPS spam / tvblips.net

This fake UPS spam leads to malware on tvblips.net:


Date:      Mon, 15 Jul 2013 10:20:13 -0500
From:     
Subject:      Your UPS Invoice is Ready

   
This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.

Please visit the UPS Billing Center to view and pay your invoice.



Questions about your charges? To get a better understanding of surcharges on your invoice, click here.


Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

� 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The link in the email goes to a legitimate hacked site that has some highly obfuscated javascript that leads to a malware landing page on [donotclick]tvblips.net/news/ups-information.php (report here) hosted on:


46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
46.45.182.27
209.222.67.251
allgstat.ru
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
ehnihenransivuennd.net
eliroots.ru
ensutringscal.net
estateandpropertty.com
filmstripstyl.com
fulty.net
gcoordinatind.com
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
linkedin.com-update-report.taltondark.net
magiklovsterd.net
mattwaltererie.net
microsoftnotification.net
nvufvwieg.com
offeringshowt.com
oupwareplanets.su
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
tax-returns.gov.cpa.state.us.gebelikokulu.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
tvblips.net
vip-proxy-to-tor.com
zestrecommend.com


Friday, 12 July 2013

"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:

--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=035549412645

For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.


--- Version 2 --------------------


Date:      Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From:      tax.help@STATE.TX.GOV.US
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.

A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=488702484517

For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.
Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate hacked site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php?[snip] (example 1, example 2) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).

cpa.state.tx.us.tax-returns.mattwaltererie.net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The domain mattwaltererie.net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from).

      Marilyn Clark
      13578 Calderon Rd
      SAN DIEGO, CA 92129
      US
      Phone: +1.7143435399
      Email: tekassis@usa.com


Below is a partial blocklist that I would recommened you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
delines.ru
ehnihenransivuennd.net
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
linkedin.com-update-report.taltondark.net
m.krasalco.com
magiklovsterd.net
mattwaltererie.net
nvufvwieg.com
offeringshowt.com
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
taltondark.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com




Wednesday, 10 July 2013

Visa spam / estateandpropertty.com and clik-kids.com

This fake Visa spam attempts to lead to malware on estateandpropertty.com:

Date:      Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From:      Visa [policemank3@newsletters.visabusinessnewsmail.org]
Reply-To:      flintierv34@complains.visabusinessnewsmail.org
Subject:      Update Your Business Visa Card Information


Your Visa Business card has been limited. Please update your information to reactivate your account.

Please proceed the link: http://visabusiness.com/fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
Your Case ID is: NW61826321176497

Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.

This added security is to prevent any additional fraudulent charges from taking place on your account.


Notice: This Visa communication is furnished to you solely in your capacity as a customer of Visa Inc. (or its authorized agent) or a participant in the Visa payments system. By accepting this Visa communication, you acknowledge that the information contained herein (the "Information") is confidential and subject to the confidentiality restrictions contained in Visa's operating regulations, which limit your use of the Information. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a customer of Visa Inc. or a participant in the Visa payments system. The Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system.

Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.

This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe. 
The link in the email goes through a legitimate hacked site and then attemped t to go to a malware page at [donotclick]estateandpropertty.com/news/visa-report.php (report here) but it appears the registrar has nuked the domain, so the spammers have switched the link to [donotclick]clik-kids.com/news/visa-report.php (report here) instead. IPs involved are:

46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
77.240.118.69 (Acens Technlogies, Spain)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
46.45.182.27
77.240.118.69
150.244.233.146
203.236.232.42
209.222.67.251
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
chinadollars.net
clik-kids.com
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
datapadsinthi.net
delines.ru
eftps.gov.charismasalonme.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gentonoesleep.com
getstatsp.ru
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
m.krasalco.com
magiklovsterd.net
meynerlandislaw.net
nvufvwieg.com
offeringshowt.com
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
reports0701.net
reveck.com
salesplaytime.net
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
streetgreenlj.com
tor-connect-secure.com
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com

Tuesday, 9 July 2013

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

This spam leads to malware on autorize.net.models-and-kits.net:

Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS

Contact Us: EFTPS Batch Provider Customer Service
at this link
A sender's email address of batchprovider@email.eftpsmail.gov is seen in another sample. The link goes through a legitimate hacked site and ends up an a malware laden page at [donotclick]autorize.net.models-and-kits.net/news/shortest-caused-race.php (report here) hosted on:

77.240.118.69 (Acens Technlogies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)

All these IPs and more can be found in this recommended blocklist. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..

77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
autorize.net.models-and-kits.net
charismasalonme.net
chinadollars.net
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
eftps.gov.charismasalonme.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
fulty.net
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
m.krasalco.com
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
quipbox.com
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Update: a different spam is also circulating with the same payload:


Date:      Tue, 9 Jul 2013 06:56:26 -0800
From:      "Authorize . Net" [emailreceipts@news.authorizemail.net]
Subject:      Successful Credit Card Settlement Report.

Your Authorize.Net ID is: 1263577
Dear [redacted],

The following is your Credit Card settlement report for Sunday, July 09, 2013.

Transaction Volume Statistics for Settlement Batch dated 9-Jul-2013 11:0:55 PDT:
Batch ID: 668271114
Business Day: 09-Jul-2013
Net Batch Total: 9,917.74 (USD)
Number of Charge Transactions: 99
Amount of Charge Transactions: 9,917.74
Number of Refund Transactions: 7
Amount of Refund Transactions: 105.64

Warning! Your Batch limits for July exceeded!
To view details, please click here to log into the Merchant Interface.

If you have any questions regarding this settlement report, please contact your bank or you can contact Customer Support at this link.

Thank You,
Authorize.Net

*** You received this email because you chose to be a Credit Card Report recipient. You may change your email options by logging into the Merchant Interface. Click on Settings and Profile in the Main Menu, and select Manage Contacts from the General section. To edit a contact, click the Edit link next to the contact that you would like to edit. Under Email Types, select or deselect the Email types you would like to receive. Click Submit to save any changes. Please do not reply to this email.



Malware sites to block 9/7/13

These are the current IPs and domains that appear to be in use by this gang. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting:
5.135.198.41 (OVH, France)
14.63.198.119 (Korea Telecom, Korea)
24.173.170.230 (Time Warner Cable, US)
46.14.182.109 (Swisscom, Switzerland)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
54.232.86.91 (Amazon AWS, Brazil)
59.124.33.215 (Chungwa Telecom, Taiwan)
62.165.254.220 (Tvnetwork, Hungary)
62.169.58.22 (Phoenix Informatica, Italy)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.63.195.131 (Limestone Networks, US)
74.93.56.83 (Comcast Communications, US)
77.240.118.69 (Acens Technlogies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
80.52.135.172 (Telekomunikacja Polska, Poland)
80.218.115.92 (Cablecom, Switzerland)
82.79.4.33 (RCS & RDS Business, Romania)
82.165.41.13 (1&1 Internet, Philippines)
89.45.83.92 (Nlink SRL, Romania)
89.93.219.156 (Bouygues Telecom, France)
89.96.141.43 (IPS SRL, Italy)
89.248.161.137 (Ecatel, Netherlands)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel, Bulgaria)
95.173.187.8 (Netinternet Bilgisayar Telekominukasyo, Turkey)
97.79.214.75 (Time Warner Cable, US)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
109.169.86.196 (iomart / ThrustVPS, UK)
109.234.84.213 (Servicleop, Spain)
113.161.207.101 (VNPT, Vietnam)
115.28.45.30 (HiChina Web Solutions / Alibaba, China)
115.146.93.25 (Nectar Research Cloud, Australia)
116.251.213.12 (OneAsiaHost, Singapore)
117.102.102.170 (Servo Buana Resources, Indonesia)
117.239.224.145 (ZAD Institute, India)
123.30.50.245 (VNPT, Vietnam)
129.64.95.45 (Brandeis University, US)
134.159.143.12 (Telstra-Telewhite, Hong Kong)
138.80.14.27 (Charles Darwin University, Australia)
143.239.87.38 (University College Cork, Ireland)
151.155.25.111 (Novell Inc, US)
172.246.122.111 (Enzu Inc, US)
173.167.54.139 (Iceweb Storage Corp, US)
173.245.7.158 (Leland Private Systems, US)
177.87.104.21 (Alberto Torres Barreto, Brazil)
181.54.174.204 (Telmex Colombia, Colombia)
184.22.36.4 (HostNOC, US)
184.105.135.29 (Hurricane Electric, US)
186.227.53.43 (Via Cabo Provedor de Internet e Informática Ltda, Brazil)
189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (TDP ERX, Peru)
192.210.205.208 (New Wave Netconnect / Colocrossing, US)
193.242.126.78 (Lemminkainen Oyj, Finland)
195.241.208.160 (Telfort / Tiscali / KPN, Netherlands)
198.46.131.100 (New Wave Netconnect / Colocrossing, US)
198.50.136.166 (OVH, Brazil)
198.175.124.17 (DNSSLAVE.COM, US)
198.199.70.149 (Digital Ocean, US)
199.233.234.83 (Nodedeploy, US)
202.28.69.195 (UniNet, Thailand)
202.56.170.28 (Ningnet, Indonesia)
203.235.181.181 (GNGAS Enterprise Networks, Korea)
207.254.1.17 (Virtacore Systems, US)
210.200.0.95 (Asia Pacific On-line Services Inc, Taiwan)
213.56.125.97 (OBS, France)
222.20.90.25 (HuaZhong University of Science and Technology, China)

5.135.198.41
14.63.198.119
24.173.170.230
46.14.182.109
46.45.182.27
54.232.86.91
59.124.33.215
62.165.254.220
62.169.58.22
64.49.246.226
69.162.76.10
74.63.195.131
74.93.56.83
77.240.118.69
78.108.86.169
80.52.135.172
80.218.115.92
82.79.4.33
82.165.41.13
89.45.83.92
89.93.219.156
89.96.141.43
89.248.161.137
89.248.161.146
95.111.32.249
95.173.187.8
97.79.214.75
103.9.23.34
109.169.86.196
109.234.84.213
113.161.207.101
115.28.45.30
115.146.93.25
116.251.213.12
117.102.102.170
117.239.224.145
123.30.50.245
129.64.95.45
134.159.143.12
138.80.14.27
143.239.87.38
151.155.25.111
172.246.122.111
173.167.54.139
173.245.7.158
177.87.104.21
181.54.174.204
184.22.36.4
184.105.135.29
186.227.53.43
189.84.25.188
190.85.249.159
190.238.107.240
192.210.205.208
193.242.126.78
195.241.208.160
198.46.131.100
198.50.136.166
198.175.124.17
198.199.70.149
199.233.234.83
202.28.69.195
202.56.170.28
203.235.181.181
207.254.1.17
210.200.0.95
213.56.125.97
222.20.90.25
101ndstreetymha.com
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
andertiua200.com
androv.pl
aniolyfarmacij.com
astarts.ru
auditbodies.net
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
blacklistsvignet.pl
bnamecorni.com
boats-sale.net
brandeddepend.com
buycushion.net
cardpalooza.su
centow.ru
centsvisualcaf.net
chairsantique.net
chrismortonlaw.net
ciriengrozniyivdd.ru
cirienkoidrugied50.ru
cirormdnivneinted40.ru
cocainism.net
collegialwar.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
datapadsinthi.net
delines.ru
dirvers.net
doorandstoned.com
driversupdate.pw
editionscode.com
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
enchantingfluid.com
enuhhdijsnenbude40.ru
ergopets.com
feminineperceiv.pl
filmstripstyl.com
fincal.pl
firefoxupd.pw
first4supplies.net
freakable.net
fulty.net
gamnnbienwndd70.net
gatorovnskeinbueed60.ru
genie-enterprises.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanisienviwjunlp.ru
gnanosnugivnehu.ru
grivnichesvkisejj50.ru
hdmltextvoice.net
heidipinks.com
hexactos.com
hingpressplay.net
hospitalinstitutee.com
hotkoyou.net
independinsy.net
infostarter.net
initiationtune.su
insectiore.net
joinproportio.com
jonkrut.ru
letsgofit.net
lexus-lfa.net
libulionstreet.su
lifeline-tv.net
lifestylelbinfo.com
linefisher.com
liocolostrum.net
magiklovsterd.net
mail1.infostarter.net
modshows.net
mychildrenss.com
ns1.infostarter.net
nvufvwieg.com
organizerrescui.pl
oydahrenlitu346357.ru
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.com
quipbox.com
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
reveck.com
salesplaytime.net
sartorilaw.net
secrettapess.com
securednshooki.com
sendkick.com
smartsecurity-app.com
soberimages.com
spros.pl
streetgreenlj.com
susubaby.net
syncbinderanalog.net
tagcentriccent.net
tagcentriccent.pl
telecomerra.com
tor-connect-secure.com
transplantee.net
tstatbox.ru
ukbash.ru
usenet4ever.net
utraining.us
vahvahchicas.ru
ventstandart.net
vip-proxy-to-tor.com
voippromotion.su
webhelphighestp.net
wic-office.com
widnows.net
winodwsupd.pw
wow-included.com
zestrecommend.com

Monday, 8 July 2013

Amex spam / americanexpress.com.krasalco.com

This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

    
From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received


Check your account balance online at any time


   

    Hello, [redacted]
            



________________________________________    View Account

Make a Payment

   
Manage Alerts Preferences





Payment Received   

________________________________________    Check Balance



   
   
       
We received a payment for your Card account.

     Date Received:
         Mon, Jul 08, 2013
     Payment Amount:
         $2,511.92

Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.

Thank you for your Cardmembership.

American Express Customer Care

Was this e-mail helpful? Please click here to give us your feedback.

If you'd like to stop receiving this alert, simply click here.
   
   




Like Us on Facebook


Follow Us on Twitter


Subscribe to our channel


Share with Foursquare friends

   
       
    Contact Us
|    Privacy Statement
|    Add us to your address book


Your Cardmember information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.

© 2013 American Express. All rights reserved.

AU0S0RF76947278       


The link in the email goes through a legitimate hacked site to end up on a malicious landing page at [donoclick]americanexpress.com.krasalco.com/news/slightly_some_movie.php (report here) hosted on the following IPs:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)

Blocklist:
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
americanexpress.com.krasalco.com
aniolyfarmacij.com
chinadollars.net
condalinneuwu5.ru
condalnua745746.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
grivnichesvkisejj50.ru
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru