Showing posts with label Fake Pharma. Show all posts

Friday 27 April 2012

"Amazon.com Password Assistance" spam / healthcarewelbizness.com

The fake pill pushers are getting inventive. This spam leads to a fake pharma site on healthcarewelbizness.com:

Date:      Fri, 27 Apr 2012 04:47:10 +0000 (UTC)
From:      "Amazon.com" [account-update@amazone.com]
Subject:      Amazon.com Password Assistance

We received a request to reset the password associated with this e-mail address. Please follow the instructions below.

Click the link below to complete or cancel request using our secure server:

https://www.amazon.com/ap/forgotpassword?arb=cf4c17ba-4659-06c6-ff0f-58f6e8b50a66

If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window, or retype it there.

Amazon.com will never e-mail you and ask you to disclose or verify your Amazon.com password, credit card, or banking account number. Thanks for visiting Amazon.com!

healthcarewelbizness.com is hosted on 46.183.216.215 (Dataclub, Latvia) along with a whole load of other toxic websites that are best avoided.

Twitter spam / medsdose.com

This fake Twitter spam leads to a fake pharmacy at medsdose.com but it could easily be adapted for malware.

Date:      Thu, 26 Apr 2012 19:43:05 +0000
From:      Twitter [c-nfxzlxr=znvy-ba.hf-ae0dc@postmaster.twitler.com]
To:      xxxx@xxxx.com
Subject:      Unusual activity with your account!

Hi, xxxx@xxxx.com

Our system detected unusual activity associated with your account.

Your account may be temporarily suspended for violations of the Twitter Rules.

We suspend accounts for investigation if we suspect an account has been hacked or compromised.

You need to confirm your email address to regain access to your account.

Once you regain access, you will be able to request a new password for your Twitter account.

You can find information on following automations and permitted following behaviors on the help page:

https://support.twitter.com/

The Twitter Team

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.

medsdose.com is hosted on 95.168.193.182 in the Czech Republic. This IP is used for several fake pharma sites and can be safely blocked.

Thursday 26 April 2012

Facebook spam / bioldrugstore.com

This fake Facebook spam leads to a fake pharma site, but it could easily be adapted for malware.

Date:      Thu, 26 Apr 2012 09:33:46 -0700
From:      "Facebook" [notification+xxxxxxxxxxx@facebookemail.com]
Subject:      Welcome back to Facebook

Hello,

The Facebook account associated with xxxxxxxxxxx was recently reactivated.

If you were not the one who reactivated this account, please visit our Help Center to cancel the request.

http://www.facebook.com/help/?topic=security

Thanks,
The Facebook Team

The payload is a pharma site at bioldrugstore.com hosted on 61.132.200.24 and 111.123.180.9 in China (two IPs that are full of fake pharma stores) and 213.162.209.177 in Spain.

This type of spam run can easily be adapted for malware, so keep an eye out for unexpected Facebook notifications.

Tuesday 24 April 2012

Myspace spam / newprescriptionmedical.com

This spam leads to a fake pharmacy on newprescriptionmedical.com, but it could be easily adapted for malware.

Date:      Tue, 24 Apr 2012 20:13:58 -0700
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Account Cancellation

myspace

Your request to cancel your Myspace account has been received.

You must follow this link to complete or cancel your request.

You will receive an email shortly with instructions for confirming that you wish to cancel.
Thank you for using Myspace!

The Myspace Team
http://www.myspace.com

Have questions? Visit our help page. Myspace, 8391 Beverly Blvd, #349, Los Angeles, CA 90048.
© Myspace Inc. All Rights Reserved.


newprescriptionmedical.com is hosted on 95.168.193.182 (Supernetwork, Czech Republic) along with a bunch of other fake pharma sites and is worth blocking.

Monday 23 April 2012

Ning "Sign in Issue" spam / mycanadarx.com

This fake email from Ning (whatever that is) leads to a fake pharmacy site on mycanadarx.com, but it could easily be adapted for malware.

From: Ning Help Center [mailto:helpcenter@ning.com]
Sent: 23 April 2012 17:22
Subject: Sign In Issue

Hello!
Thanks for contacting us. We're writing to let you know we've received your message.
We strive to respond to tickets about issues as quickly as possible.
To provide us with additional details or updates, you can simply Login to Your Account.
Please be sure to leave the subject and body of this email in place. If you are able to resolve the issue, please let us know!
Many common issues are explained in http://help.ning.com/?faq=3800.
Thanks again!
The Ning Team
Summary:
ref:_00D80cCLt._50040JSbrh:ref

mycanadarx.com is hosted on 95.168.193.182 in the Czech Republic with a whole load of other fake pharma sites.

"Welcome to LiveJournal" spam / dietpharmacyeat.com

This "LiveJournal" spam actually leads to a fake pharma site, but it could be adapted easily to deliver malware:

Date:      Sun, 22 Apr 2012 04:21:28 +0000
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Welcome to LiveJournal

Congratulations! Thanks for creating a new journal at LiveJournal!

Please click here to complete validation and set your primary email*

(If you are unable to click on the link, copy and paste code into your browser window.)

Code: 33416121.5p9rmuuyqvzp7tw

All the best,

The LiveJournal Team

http://www.livejournal.com/

* About your primary email address: Your first validated email address (also known as primary email) is the only way to confirm that you own the journal, so please use only your most secure email address. If you chose a less secure address in the process of registration, we recommend that you change it and confirm your new address.

In this case, the fake pharma site is dietpharmacyeat.com. Always check the link carefully before clicking on this type of email, as it might not be what it seems.

"MediaWiki Mail" Spam / carewelhealth.com

A novel spam, in this case leading to a fake pharmacy on carewelhealth.com, but it could just as easily be malware.

Date:      Sun, 22 Apr 2012 16:09:12 +0000
From:      MediaWiki Mail [wiki@wikimedia.org]
Subject:      Account details on Wikipedia

Wikipedia

Someone (probably you, from IP address 105.191.258.285) requested a reminder of your account details for Wikipedia. The following user account is associated with this e-mail address: xxxxxxxxxxx

This reminder will expire in 7 days.
If you didn't initiate the request on Wikipedia, feel free to cancel this message and uncheck the "Reminder" checkbox in your account.

Thanks, and once again Welcome!
http://en.wikipedia.org

Of course, the IP address of 105.191.258.285 is invalid, but most people probably won't be looking too closely. Keep an eye out for this type of spam. It might well lead to something nastier than a fake Viagra merchant.
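The invalid address above, and the sender domains amazone.com and postmaster.twitler.com in the Amazon and Twitter samples on this page, are the kind of detail a mail filter can check mechanically. The following is an added example, not code from the original posts; the brand list, the distance threshold and the "last two labels" shortcut for the registered domain are assumptions.

```python
import re

# Brands imitated by the From headers quoted on this page (assumed watch list).
BRANDS = ("amazon.com", "twitter.com")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def lookalike_of(from_header, brands=BRANDS, max_dist=2):
    """Return the brand a sender domain imitates, or None if exact or unrelated."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        return None
    # Simplification: treat the last two labels as the registered domain.
    registered = ".".join(match.group(1).lower().strip(".").split(".")[-2:])
    for brand in brands:
        if registered != brand and edit_distance(registered, brand) <= max_dist:
            return brand
    return None

def invalid_ipv4s(text):
    """Dotted quads in text that cannot be IPv4 addresses (an octet above 255)."""
    quads = re.findall(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b", text)
    return [".".join(q) for q in quads if any(int(octet) > 255 for octet in q)]

if __name__ == "__main__":
    # Header and body fragments as quoted in the samples on this page.
    print(lookalike_of('"Amazon.com" [account-update@amazone.com]'))
    print(lookalike_of('Twitter [c-nfxzlxr=znvy-ba.hf-ae0dc@postmaster.twitler.com]'))
    print(invalid_ipv4s("probably you, from IP address 105.191.258.285) requested"))
```

Neither check catches a message that forges the exact brand domain in the From header, so they complement link inspection rather than replace it.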

Friday 20 April 2012

LinkedIn spam / mysalepharmacy.com

Here's a very convincing looking LinkedIn spam:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Email Confirmation
Sent: 20 April 2012 09:54
Subject: Please confirm your email address

LinkedIn
Click here to confirm your email address.
If the above link does not work, you can paste the following address into your browser:
https://www.linkedin.com/e/vAIspiNMa9UrLxwLy8OkxtE3ZZ5hfZkRMg0f2bmzDWANi
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using LinkedIn!
--The LinkedIn Team
http://www.linkedin.com/
© 2012, LinkedIn Corporation

There are three hyperlinks in the message: two of them are to LinkedIn and one of them is to a fake pharma site on mysalepharmacy.com on 178.19.108.195 in Poland.

Personally, I hate LinkedIn emails. Blocking everything that appears to be from linkedin.com will not have any adverse impact on your life.

Tuesday 17 April 2012

"Hello. Thank you for contacting us!" spam

Here's a slightly different spam from normal. In this case it doesn't lead to malware, but to a fake pharmacy site. However, the malware/pharma payloads are easily interchangeable. So, don't click that link, eh?

Date:      Tue, 17 Apr 2012 14:49:18 -0400
From:      Customer center [anfinnegan@pasadena.net]
Subject:      [#3143] Ticket

Hello. Thank you for contacting us!
Your information has been changed and we should be in touch with you soon.
Proceed to Site.
Ticket code: fi5FFkG
You should expect a personal reply within the day or even sooner - as we answer most email within a few hours.

Tuesday 22 December 2009

mailbox-email.com scam

Part of a long-running dating scam, mailbox-email.com looks like a free email service, but isn't. Hosted on 222.170.127.122 in China, the server also hosts various fake dating and prescription sites.

All of the following sites are some scam or another; avoid them:

Saturday 5 December 2009

"freeemailnow.net" scam

The domain freeemailnow.net looks like... well, it looks like a free e-mail provider. But it isn't. It's part of some sort of fraudulent scheme, most likely a dating scam.

The pitch arrives something like this:

Subject: your profile
From: "Pasquale Clay"
Date: Fri, December 4, 2009 11:55 pm

Hey!
I know you dont know me, but I d like to get to know you.
I stumbled upon your contact information, am looking for a chat friend and maybe more.
Write me back at: snowfall1@freeemailnow.net

i am anxious to talk with you

A look at the SOA records points to ns1.netherlandsdns.com and admin.affilnet.net - affilnet.net is familiar, indicating that this is a re-run of the warmfuzzylove.com scam but again annoyingly missing a picture of a pretty Russian girl.

The registration details for freeemailnow.net are anonymous, nameservers are ns1.netherlandsdns.com and ns2.netherlandsdns.com, both on 222.170.127.122 in China along with freeemailnow.net itself.

There's a bunch of fake pharma sites sharing the same server:

Anyway, this is the same old scam and it should be avoided along with the fake RX sites that go with it.