"You requested a new Facebook password!" spam / Recoverypassword.zip and Facebook-SecureMessage.exe

This fake Facebook message comes with a malicious attachment:

Date:      Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password!

facebook
Hello,

You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

Read your secure message by opening the attachment, Facebook-SecureMessage.zip.

Didn't request this change?
If you didn't request a new password, let us know immediately.

This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42. Automated analysis tools [1] [2] [3] shows attempted connections to developmentinn.com on 38.102.226.252 (Cogent, US) and spotopia.com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or note.

Facebook "You have new notifications" spam / directgrid.org

This fake Facebook spam leads to malware on directgrid.org:

Date:      Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From:      Facebook [notification+W85BNFWX@facebookmail.com]
Subject:      You have 21 friend suggestions, 11 friend requests and 14 photo tags

facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
3 messages

11 friend requests

21 friend suggestions

14 photo tags

View Notifications

Go to Facebook

This message was sent to [redacted]. If you don't want to receive these emails
from Facebook in the future, please unsubscribe.Facebook, Inc., Attention: Department
415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
[donotclick]3dbrandscapes.com/starker/manipulator.js
[donotclick]dtwassociates.com/marry/sullies.js
[donotclick]repairtouch.co.za/lollypops/aquariuses.js

This leads to a malware landing page hosted on a hijacked GoDaddy domain at [donotclick]directgrid.org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US) where there are a number of other hijacked domains (listed below in italics)

Recommended blocklist:
50.116.10.71
directgrid.biz
directgrid.com
directgrid.info
directgrid.net
directgrid.org
directgrid.us
gilkjones.com
integra-inspection.ca
taxipunjab.com
taxisamritsar.com
watttrack.com
3dbrandscapes.com
dtwassociates.com
repairtouch.co.za

Facebook spam / www.facebook.com.achrezervations.com

This fake Facebook spam leads to malware on www.facebook.com.achrezervations.com:

Date:      Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From:      Facebook [notification+puppies9@mail.facebookmail.net]
Reply-To:      noreply [noreply@postmaster.facebookmail.org]
Subject:      Cole Butler confirmed your Facebook friend request

facebook
   
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
    Daren Douglas
1 mutual friends
   
Add Friend
   
    Gertrude Souza
14 mutual friends
   
Add Friend
    Brice Kelly
3 mutual friends
   
Add Friend
   
    Beverly Howard
12 mutual friends
   
Add Friend
    Julia Metz
6 mutual friends
   
Add Friend
   
    Nora Belanger
6 mutual friends
   
Add Friend
View Timeline
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations.com/news/implement-circuit-false.php (report here) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)

The following IPs and domains are all malicious and belong to this gang, I recommend you block them:
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
achrezervations.com
actiry.com
appsmartsecurity.com
askfox.net
bnamecorni.com
boxbass.com
casualcare.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chernigovskievojninua55.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
crobnivmocanriendi56.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
ehtiebanishkeobprienrt25.net
email.pinterest.com.lacave-enlignes.com
ermitajniedelaincityof40.net
evarse.com
explic.net
facebook.com.achrezervations.com
facebook.com.n.find-friends.lindoliveryct.net
favar.net
ffupdate.pw
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gormovskieafrterskioepr30.net
grannyhair.ru
gromoviepechiniegierskie.net
herbergers.com.content.customer-service.laptopsinstalled.net
hotbitscan.com
hyatt.com.reservations.reservation.roccoscollar.net
invoices.ulsmart.net
istatsking.ru
lacave-enlignes.com
liliputttt9999.info
maxichip.com
micnetwork100.com
microsoftstore.com.store.msusa.en_us.displaydownloadhistorypage.kemingpri.com
mirrorsupply.com
molul.com
multiachprocessor.com
musicstudioseattle.net
nacha-ach-processor.com
nvufvwieg.com
oleannyinsurance.net
paypal.com.us.cmd.stjamesang.net
photographysmile.net
photos.walmart.com.orders.stjamesang.net
redsox.com.tickets-service.lindoliveryct.net
smartsecureconnect.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
weekings.com
wingdress.net
www.appsmartsecurity.com
www.facebook.com.achrezervations.com
www.hyatt.com.reservations.reservation.roccoscollar.net
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net

Facebook spam / kapcotool.com

This fake Facebook spam leads to malware on kapcotool.com:

From:     Facebook [no-reply@facebook.com]
Date:     5 September 2013 15:21
Subject:     Michele Murdock wants to be friends with you on Facebook.

facebook
   
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
         
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The link in the email uses an obscure URL shortening serving to go first to [donotclick]fenixa.com/97855 and then to [donotclick]magic-crystal.ch/normalized/index.html, and at this point it attempts to load the following three scripts:

[donotclick]00398d0.netsolhost.com/mcguire/forgiveness.js
[donotclick]202.212.131.8/ruses/nonsmokers.js
[donotclick]japanesevehicles.us/vector/internees.js

The final step is a malware landing page at [donotclick]kapcotool.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains listed in italics below.

Recommended blocklist:
74.207.227.154
jgburgerlounge.ca
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com
justcreature.com
justmonster.com
kalcodistributors.com
kapcotool.com00398d0.netsolhost.com
japanesevehicles.us
202.212.131.8

Facebook spam / watchfp.net

All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:

Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook

facebook

Blake Miranda added 5 photos of you.
See photos

Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Blake is pretty feminine looking for a bloke:

The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice porfolio. Anyway.. the link in the email uses a shortening service:

[donotclick]u.to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa.de/triassic/index.html which loads one of the following:
[donotclick]safbil.com/stashed/flout.js
[donotclick]ftp.spectrumnutrition.ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste.de/covetously/turk.js

The final step is that the victim ends up on a malware landing page at [donotclick]watchfp.net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
watchfp.net
safbil.com
ftp.spectrumnutrition.ca
schornsteinfeger-helmste.de

Facebook spam / london-leather.com

This fake Facebook spam leads to malware on london-leather.com:

Date:      Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      Victoria Carpenter commented on your status

facebook
Hello, Victoria Carpenter commented on your status. Victoria wrote: "so cute;)" Go to comments Reply to this email to comment on this status. See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe. Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem.cz/5xxb8 then [donotclick]93.93.189.108/exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj.com/mummifies/stabbed.js
[donotclick]mobileforprofit.net/affected/liberal.js
[donotclick]tuviking.com/trillionth/began.js

These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy and listed in italics below.

Recommended blocklist:
173.246.104.184
london-leather.com
kitchenwalla.com
kidswalla.com
jerseyluggage.com
jerseycitybags.com
kiddypals.com
kennethcolenyoutlet.com
codebluesecuritynj.com
mobileforprofit.net
tuviking.com

Facebook spam / thenatemiller.co

This fake Facebook spam leads to malware on thenatemiller.co:

Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Nothing good will come from clicking the link. First victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).

Recommended blocklist:
72.5.102.146
successchamp.com
dennissellsgateway.com
thenatemiller.co
thenatemiller.info
justinreid.us
waterwayrealtyteam.us
thenatemiller.biz
gemclinicstore.com
mathenyadvisorygroup.com
www.it-planet.gr

Facebook spam / dennissellsgateway.com

This fake Facebook spam leads to malware on dennissellsgateway.com:

Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
waterwayrealtyteam.us
www.it-planet.gr
italiangardensomaha.com
ftp.crimestoppersofpinellas.org

Update:
Another spam is circulating with a different pitch, but the same malicious payload:

Dear Customer,

The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report at https://account.authorize.net/login/protected/download/settlementreport/

To view details for a specific transaction, please log into the Merchant Interface.

1.Click "Reports" from the main menu
2.Select "Transaction Details by Settlement Date"
3.Select "Settled Transactions" from the Item Type drop-down box.
4.Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5.Click "Run Report"
6.In the results, click on any transaction ID to view specific details for that transaction.

If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.

Thank You,
Authorize.Net
*** You received this email because you chose to be a Credit Card Report
recipient. You may change your email options by logging into the Merchant
Interface. Click on Settings and Profile in the Main Menu, and select
Manage Contacts from the General section. To edit a contact, click the
Edit link next to the contact that you would like to edit. Under Email
Types, select or deselect the Email types you would like to receive. Click
Submit to save any changes. Please do not reply to this email.

"You requested a new Facebook password" spam / frankcremascocabinets.com

This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:

From:     Facebook [update+hiehdzge@facebookmail.com]
Date:     19 August 2013 17:38
Subject:     You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).

Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com
frankcremasco.com

Facebook spam / hubbywifewines.com

This fake Facebook spam leads to malware on hubbywifewines.com:

Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password


facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.

Recommended blocklist:
72.5.102.192
hubbywifewines.com
hubbywifefoods.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook
   
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell
   
Bao Aguliar
Bibi Akel
   
Eleanora Casella
Murray Carsten
   
Jordana Fiqueroa
Jona Fiorelli
   
Leisha Heape
Lacresha Hautala
   
Monnie Carrillo
Missy Carreiro
find more pages
         
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303

Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains (in italics below)

Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com

Facebook spam / hubby-wife.com and 72.249.76.197

This fake Facebook spam leads to malware on hubby-wife.com:

Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal
   
Hyo Auiles
Gigi Arvay
   
Hester Brush
Lesa Bueschel
   
Crawford Eredia
Casey Elting
   
Delfina Grode
Deandrea Grise
   
Tori Circle
Austin Chum
Find more pages
         
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Doug is quite a feminine looking bloke:

Clicking on the link in the email goes through a legitimate hacked site, and from there onto one of three scripts:
[donotclick]art.impactmt.com/ecology/christmases.js
[donotclick]palka-teleskopowa.pl/puppet/leafed.js
[donotclick]outoftheblueproductions.com/pipelines/tutsi.js

From here, the victim is sent to a malware payload at [donotclick]hubby-wife.com/topic/able_disturb_planning.php which (predictably) a hijacked GoDaddy domain hosted on 72.249.76.197 (Networld Internet Services) along with several other GoDaddy domains which are highlighted below.

Recommended blocklist:
72.249.76.197
art.impactmt.com
palka-teleskopowa.pl
outoftheblueproductions.com
hubby-wife.com
housewalla.com
hubbynwife.com
hubbynwifecakes.com

Facebook spam / deltaoutriggercafe.com

These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:

Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Issac Dyer wants to be friends with you on Facebook.

facebook
   
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

I don't know about you, but I think Isaac looks a bit like a girl.

Predicatably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run. However, in this case the target has now changed to [donotclick]deltaoutriggercafe.com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been hijacked from GoDaddy.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltaoutriggercafe.com
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

Facebook spam / happykido.com

This fake Facebook spam leads to malware on

Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From:      Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject:      Betsy Wells wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
�
Betsy Wells
Betsy Wells
   
Baldric Aguino
Astrid Aggas
   
Deloris Bransfield
Perdita Brantz
   
Danelle Erstad
Daphne Escamilla
   
Giovanna Hadesty
Georgeann Habel
   
Hugh Campisi
Jake Callas
Find more pages
    �    
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Apparently all these people look alike:

This is a "ThreeScripts" attack, clicking the link goes to a legitimate hacked site which then tries to run one of the following:

[donotclick]system-hostings.info/aphrodisiac/nought.js
[donotclick]gc.sceonline.org/worsens/patronizingly.js
[donotclick]www.kgsindia.org/retell/manson.js

from there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.

Recommended blocklist:
50.2.138.161
handbagwalla.com
giftwalla.com
happykiddoh.com
happykido.com
system-hostings.info
gc.sceonline.org
www.kgsindia.org

"You requested a new Facebook password" spam / nphscards.com

This fake Facebook spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes through a legitimate hacked site and then through one or both of these following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js

The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.

Facebook spam / chinadollars.net

This fake Facebook spam leads to malware on chinadollars.net:

Date:      Mon, 24 Jun 2013 09:18:12 -0500
From:      Facebook [notification+SCCRJ42M8P@facebookmail.com]
Subject:      You have 1 friend request

facebook
   
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.
    1 friend request
View Notifications
       
Go to Facebook
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes through a legitimate but hacked site and then leads to a malware landing page at [donotclick]chinadollars.net/news/inputted-ties.php (report here) hosted on:
119.147.137.31 (China Telecom, China)
202.147.169.211 (LINKdotNET, Pakistan)
203.80.17.155 (MYREN Cloud Infrastructrure, Malaysia)
210.42.103.141 (Wuhan Urban Construction Institute, China)

Recommended blocklist:
119.147.137.31
202.147.169.211
203.80.17.155
210.42.103.141
abacs.pl
addressadatal.net
afabind.com
anygus.com
appasnappingf.com
avastsurveyor.com
cardpalooza.su
chinadollars.net
condalnuas34637.ru
condalnuashyochetto.ru
doggedlegitim.net
dollsinterfer.net
dulethcentury.net
ehnihjrkenpj.ru
ejoingrespubldpl.ru
enway.pl
estimateddeta.com
genown.ru
greli.net
gstoryofmygame.ru
gurieojgndieoj.ru
headbuttingfo.net
historuronded.com
huang.pl
ingrestrained.com
inutesnetworks.su
invisibilitym.net
jetaqua.com
joinproportio.com
libulionstreet.su
lmbcakes.com
ludena.ru
mantrapura.net
meticulousmus.net
multipliedfor.com
nipiel.com
oydahrenlitutskazata.ru
pc-liquidations.net
photosuitechos.su
planete-meuble-pikin.com
pleak.pl
profurnituree.com
relectsdispla.net
reportingglan.com
reveck.com
rmacstolp.net
rustin.pl
sendkick.com
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
stilos.pl
streetgreenlj.com
theislandremembered.com
twintrade.net
unabox.pl
voippromotion.su
winne2000.net
zoneagainstre.com

rxlogs.net: spam or Joe Job?

I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job?

Date:      Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From:      Admin [whisis101@gmail.com]
Reply-To:      ec2-abuse@amazon.com

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team

The link in the emails goes to multiple pages on rxlogs.net which as far I as can tell is not malware, but is a blog about online pharmacies. But is is spam? Well, let's dig a little deeper..

Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous addition headers..

The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been faked in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs.net is hosted on 107.20.147.122 which is an Amazon IP, so this is beginning to look like a Joe Job.

Received: from lsh410.van.ca.siteprotect.com (204.174.223.206)
  by [redacted] with SMTP; 6 Jun 2013 07:37:53 -0000
Date: Thu, 6 Jun 2013 00:37:53 -0700
To: [redacted]
From: Admin [whisis101 -at- gmail.com]
Return-Path: [bantstreetpottery -at- sctelco.net.au]
Reply-To: ec2-abuse -at- amazon.com
Subject: Reminder: Reset your password
Message-Id: [2cc3f11ac2ce3aa7d59d8682eee6df05@notify.amazon.com]
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit

So what do we know about the domain rxlogs.net? Well, the WHOIS details appear to be genuine and not hidden, I've redacted the most of the personal information but some of the key details are:

domain:       rxlogs.net
owner:        Stephen K. Walker
email:        whisis101 -at- gmail.com
address:      [redacted]
city:         [redacted]
postal-code:  [redacted]
country:      US
phone:        +7.[redacted]

The "From" address in the email matches the registration address in the WHOIS. Does that make it a genuine email? No, because no spammer is stupid enough to use their real email address in a spam run like this. Again, this smells like a Joe Job.

Another key indicator that this is a Joe Job is that all the dozens of emails have been sent to a spamcop.net email address, and there are far more emails that you would normally see for this type of spam run. This behaviour is typical for a Joe Job attack, the spammer pick the people who are most likely to complain and then hit them repeatedly to get try to get them to file a complaint with the victim's web host.

If you use Gmail, the email links back to a spare but apparently genuine Google+ profile, which links back to rxlogs.net. Which really leads to the next question.. what is rxlogs.net about?

rxlogs.net appears to be a genuine attempt to look at and rate online pharmacies using secondary sources to judge reliability and trustworthiness. The sites carries some paid advertising, but doesn't appear to deal with prescription medications directly, it looks like an affiliate site.

I'm not an expert in the US online pharmacy market, but I do know that you can check the legitimacy of online pharmacies with LegitScript but this is not without criticism.

My guess is that what has happened here is that Mr Walker has posted something on rxlogs.net which exposes a bogus pharma operation run by the same spammers sending out these emails. In other words, I believe this is a Joe Job and not a "genuine" spam run, and rxlogs.net is simply another victim of the bad guys.

Facebook spam / otophone.net

This fake Facebook spam leads to malware on otophone.net:

Date:      Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From:      Facebook [notification+LTFS15RDTR@facebookmail.com]
Subject:      Jonathan Rogers wants to be friends on Facebook

facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook.
   
Jonathan Rogers
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request
   
See All Requests
This message was sent to dynamoo@spamcop.net. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303

The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone.net/news/appreciate_trick_hanging.php (report here) hosted on the following IPs:

36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)


The WHOIS details are characteristic of the "Amerika" series of malware spams.
    MURNANE, LARRY  samyidea@yahoo.com
    690 West B
    SAN DIEGO, CA 92101
    US
    +1.8588695411

Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
peertag.com
pinformer.net
priorityclub.pl
smartsecurity-app.com
zonebar.net

ICANN: thanks for the malware spam / mailedspokesperson.biz

This is a pretty straightforward LinkedIn themed spam that leads to malware on mailedspokesperson.biz:

From:     Leonide Saad - LinkedIn [dreamland@beutelschneiderhamburg.de]
Date:     10 April 2013 15:19
Subject:     Join my network on LinkedIn

LinkedIn
REMINDERS

Invitation reminders:
 From Leonide Saad (Developer at Perot Systems)



PENDING MESSAGES

 There are a total of 8 messages awaiting your response. Go to InBox now.


This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.

The catch with this is that the email address being used is one used only to file WHOIS Compliance Reports with ICANN. If you file reports of inaccurate WHOIS data, then you need to be aware that by default ICANN will forward your contact details to the bad guys.. you can request that this be suppressed, but using an alias is (ironically) probably the best bet. So in this case, the bad guys have presumably just added the email in the complaint to their spam list..

Anyway, this has a link to a legitimate hacked site and thence on to [donotclick]mailedspokesperson.biz/closest/f2ihoiwegjowiejf230hfaj.php (report here) hosted on 46.4.150.117 (Siteko Ltd / Hetzner Online, Germany). The WHOIS details are characteristic of the Amerika gang:


Registrant ID:            INTEUMYC18TPLDWG
Registrant Name:          Hunter Afkham
Registrant Address1:      181 Sullivan St #4
Registrant City:          New York
Registrant Postal Code:   10012
Registrant Country:       United States
Registrant Country Code:  US
Registrant Phone Number:  +1.7914260046
Registrant Email:         hunter_afkham8428@aristotle.org

There are a couple of other bad looking sites on the same server, so this is my recommended blocklist:
46.4.150.117
1thyntyny.itemdb.com
diesulead.biz
mailedspokesperson.biz

Facebook "Reminder: Reset your password" spam / accooma.org

Another very aggressive spam run promoting accooma.org which is a fake pharma site..

Date:      Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
From:      Facebook
Subject:      Reminder: Reset your password

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team

The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post about another spam run for the same domain.