ADP spam / hubbywifeburgers.com

This fake ADP spam leads to malware on hubbywifeburgers.com:

Date:      Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From:      "ADPClientServices@adp.com" [service@citibank.com]
Subject:      ADP Security Management Update

ADP Security Management Update

Reference ID: 39866

Dear ADP Client August 2013

This message is to inform you of the upcoming �Phase 2� enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users� access to ADP�s Internet services, and includes the self-service registration process.

Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.

Please review the following information:

� Click here to view more details of the enhancements in Phase 2

� Complete the What�s New in Security Management Service here (Expected to take about 15 minutes)

� View the Supported Browsers and Operating Systems, listed here. These are updated to reflect more current versions to ensure proper presentation of the updated user interface. It is important to note that the new ADP Security Management is best accessed using Microsoft Internet Explorer Version 8 or Mozilla Firefox Version 3.6, at minimum.

This email was sent to active users in your company that access ADP Netsecure with a security role of �security master� or �security admin�. You may have other users that also access ADP Netsecure with other security roles. Please inform those users of these enhancements, noting that the above resources will have some functionality that does not apply to their role.

As always, thank you for choosing ADP as your business partner! If you have any questions, please contact your ADP Technical Support organization.

Ref: 0725 MSAMALONIS1@TWNSHP

[This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.]


Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in the message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate hacked site that tried to load one of the following three scripts:

[donotclick]e-equus.kei.pl/perusing/cassie.js
[donotclick]cncnc.biz/pothooks/addict.js
[donotclick]khalidkala.com/immigration/unkind.js

From there, the victim is sent to a malware site that uses a hijacked GoDaddy domain at [donotclick]hubbywifeburgers.com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here). This IP probably contains other hijacked domains from the same owner.

Recommended blocklist:
199.195.116.51
hubbywifeburgers.com
e-equus.kei.pl
cncnc.biz
khalidkala.com

Bank of American spam / Instructions Secured E-mail.zip

This fake Bank of American spam has a malicious attachment:

Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.

Thanks,

Amado.Underwood
Bank of America
Principal Business Relationship Manager
Direct - 915-045-4237 office
Cell - 915-070-4128 cell
Amado.Underwood@bankofamerica.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. 

Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.

The detection rate for this initial malware is just 9/45 at VirusTotal.

This is a pony/gate downloader [1] which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack, and it also utilises a hijacked GoDaddy domain.

The download then attempts to download a second stage from the from the following locations [2] (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs.com/D5F7G.exe
[donotclick]betterbacksystems.com/kvq.exe
[donotclick]www.printdirectadvertising.com/vfMJH.exe
[donotclick]S381195155.onlinehome.us/vmkCQg8N.exe

The second stage has an even lower detection rate of just 3/45. The analyses by Comodo CAMAS and Malwr do give some detail as to how this part infects the target system.

Recommended blocklist:
192.81.135.132
guterprotectionperfection.com
Missionsearchjobs.com
betterbacksystems.com
www.printdirectadvertising.com
S381195155.onlinehome.us

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook
   
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell
   
Bao Aguliar
Bibi Akel
   
Eleanora Casella
Murray Carsten
   
Jordana Fiqueroa
Jona Fiorelli
   
Leisha Heape
Lacresha Hautala
   
Monnie Carrillo
Missy Carreiro
find more pages
         
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303

Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains (in italics below)

Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:

Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:39 AM EDT, Fri August 9, 2013
Canadian teenager Rehtaeh Parsons, who was allegedly gang-raped and bullied, has died, her family said. Parsons, 17, was hospitalized after she tried to hang herself on Thursday, April 4. The high school student from Halifax, Nova Scotia, was taken off life support three days later.

Canadian teenager Rehtaeh Parsons

Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening.  Full story >>

The link in the email goes through a legitimate but hacked site and ends up running one of three scripts:
[donotclick]1494ccc706155932.lolipop.jp/canard/lockup.js
[donotclick]ftp.adaware.net/earwax/philosophic.js
[donotclick]hargobindtravels.com/coloratura/nesting.js

The victim is then sent to a malware payload site at [donotclick]hubbynwifewines.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 72.249.76.197.

Recommended blocklist:
72.249.76.197
1494ccc706155932.lolipop.jp
ftp.adaware.net
hargobindtravels.com
housewalla.com
hubby-wife.com
hubbynwife.com
hubbynwifecakes.com
hubbynwifewines.com
hubbynwifedesigns.com

Facebook spam / hubby-wife.com and 72.249.76.197

This fake Facebook spam leads to malware on hubby-wife.com:

Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal
   
Hyo Auiles
Gigi Arvay
   
Hester Brush
Lesa Bueschel
   
Crawford Eredia
Casey Elting
   
Delfina Grode
Deandrea Grise
   
Tori Circle
Austin Chum
Find more pages
         
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Doug is quite a feminine looking bloke:

Clicking on the link in the email goes through a legitimate hacked site, and from there onto one of three scripts:
[donotclick]art.impactmt.com/ecology/christmases.js
[donotclick]palka-teleskopowa.pl/puppet/leafed.js
[donotclick]outoftheblueproductions.com/pipelines/tutsi.js

From here, the victim is sent to a malware payload at [donotclick]hubby-wife.com/topic/able_disturb_planning.php which (predictably) a hijacked GoDaddy domain hosted on 72.249.76.197 (Networld Internet Services) along with several other GoDaddy domains which are highlighted below.

Recommended blocklist:
72.249.76.197
art.impactmt.com
palka-teleskopowa.pl
outoftheblueproductions.com
hubby-wife.com
housewalla.com
hubbynwife.com
hubbynwifecakes.com

MoneyGram "Payment notification email" spam / drstephenlwolman.com

This fake MoneyGram spam leads to malware on drstephenlwolman.com:

Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From:      "Moneygram Inc." [infusionnbb3@gmail.com]
Subject:      Payment notification email

Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.


Transaction details

Transaction sum: 110 USD
Transaction date: 2013/08/02

View the details of this transaction online

Thank you for using MoneyGram services!

MoneyGram ® 2013

Payload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html  and some intermediate scripts.

More analysis later..

Part II

OK, I have a little more time to look at this. Here is the screenshot:

Clicking the link takes you to a "ThreeScripts" page, but subtly different from previous ones, leading to scripts at:
[donotclick]nutnet.ir/dl/nnnew.txt
[donotclick]www.emotiontag.net/cp/nnnew.txt
[donotclick]aurummulier.pl/nnnew.txt

These scripts use a ".txt" extenstion, presumably to fool AV scanners.

The next step is a kind of weird Javascript leading to a malware page at [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on 74.91.118.212 (Nuclear Fallout Enterprises, US).

The domain in question is a hijacked GoDaddy domain.The payload is hardened against analysis. There will almost definitely be other hijacked domains hosted on this server, blocking access to it might be a good idea.

"Your most recent payment has been processed" spam / capitalagreements.com

This fake Discover Card spam leads to malware on capitalagreements.com:

Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From:      Discover Card [dontrply@service.discovercard.com]
Reply-To:      dontrply@service.discovercard.com


    Discover
     Access My Account
   
    ACCOUNT CONFIRMATION     Statements | Payments | Rewards    
    Your most recent payment has been processed.
   
Dear Customer,

This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.

To view more details please click here.

Log In to review your account details or to make additional changes.


Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up

Facebook     Twitter     I Love Cashback Bonus Blog     Mobile

Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.


    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2013 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1

   
The link in the email goes to a legitimate hacked site and then one to three scripts as follows:
[donotclick]ekaterini.mainsys.gr/overspreading/hermaphrodite.js
[donotclick]sisgroup.co.uk/despairs/marveled.js
[donotclick]psik.aplus.pl/christian/pickford.js

After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.

The attack is fundamentally the same as this American Express themed malspam run described here.

Recommended blocklist:
66.228.60.243
northernforestcanoetrail.com
northforestcanoetrail.org
yourcaribbeanconnection.com
capitalagreements.com
buyfranklinrealty.com
franklinrealtyofcc.com
frccc.com
sellcitruscountyrealestate.com

Facebook spam / deltaoutriggercafe.com

These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:

Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Issac Dyer wants to be friends with you on Facebook.

facebook
   
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

I don't know about you, but I think Isaac looks a bit like a girl.

Predicatably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run. However, in this case the target has now changed to [donotclick]deltaoutriggercafe.com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been hijacked from GoDaddy.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltaoutriggercafe.com
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

eBay "ready to get started? Here’s how." spam / deltamarineinspections.net

There is currently an eBay-themed  "ready to get started? Here’s how" spam run active, effectively almost the same as this one, except this time there is a new set of intermediate scripts and payload page. The three scripts involved are:

[donotclick]03778d6.namesecurehost.com/meaningful/unsnapping.js
[donotclick]icontractor.org/followings/trolloped.js
[donotclick]tvassist.co.uk/plead/grueled.js

..leading to a payload page at  [donotclick]deltamarineinspections.net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are hijacked from a GoDaddy account and belong to the same poor sod that last control of the ones here.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

This fake CNN spam leads to malware on deltadazeresort.net:

Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie,
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie, "World War Z."


(EW.com) -- She might not get paid as much as "Iron Man," but there's no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.

This year, Jolie topped Forbes' annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.

The link in the email goes to a legitimate hacked site and then to one or more of three scripts:

[donotclick]00002nd.rcomhost.com/immanent/surfeit.js
[donotclick]theplaidfox.com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs.com/afforestation/provosts.js

From there the victim is sent to a landing page at [donotclick]deltadazeresort.net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:

66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US)
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

Facebook spam / happykido.com

This fake Facebook spam leads to malware on

Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From:      Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject:      Betsy Wells wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
�
Betsy Wells
Betsy Wells
   
Baldric Aguino
Astrid Aggas
   
Deloris Bransfield
Perdita Brantz
   
Danelle Erstad
Daphne Escamilla
   
Giovanna Hadesty
Georgeann Habel
   
Hugh Campisi
Jake Callas
Find more pages
    �    
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Apparently all these people look alike:

This is a "ThreeScripts" attack, clicking the link goes to a legitimate hacked site which then tries to run one of the following:

[donotclick]system-hostings.info/aphrodisiac/nought.js
[donotclick]gc.sceonline.org/worsens/patronizingly.js
[donotclick]www.kgsindia.org/retell/manson.js

from there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.

Recommended blocklist:
50.2.138.161
handbagwalla.com
giftwalla.com
happykiddoh.com
happykido.com
system-hostings.info
gc.sceonline.org
www.kgsindia.org

CNN "77 dead after train derails" spam / evocarr.net

This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr.net:

Date:      Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From:      77 dead after train derails [BreakingNews@mail.cnn.com>]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN


77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS

    NEW: Train driver told police he entered the bend too fast, public broadcaster reports
    NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
    Witness: "The train was broken in half. ... It was quite shocking"
    77 people are dead, more bodies may be found, regional judicial official says

Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said.� Full Story >>>>

The link in the email goes to a legitimate hacked site which tries to load one or more of the following scripts:

[donotclick]church.main.jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage.com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch.de/referees/metacarpals.js

From there the victim is sent to a landing page at [donotclick]evocarr.net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following hijacked GoDaddy domains are on the same IP and can be considered suspect:
evocarr.net
serapius.com
leacomunica.net
mindordny.org
rdinteractiva.com
yanosetratasolodeti.org

CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com

This fake CNN spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN

CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July 24, 2013 -- Updated 0151 GMT (0951 HKT)
Watch this video
Perfect gift for royal baby ... a tree?

STORY HIGHLIGHTS

    Gifts for William and Catherine's baby must honor special U.S.-UK relationship
    William got a gift from Reagans when he was born; brother Harry got nothing
    Truman sent telegram for Charles' birth; Coolidge did even less for queen's birth
    Protocol expert suggests American-made crafts -- but no silver spoons

Washington (CNN)�-- What will the Obamas get the royal wee one? Sources say it's a topic under discussion in the White House and at the State Department.

No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.

Kate and William bring home royal baby boy

The payload work in exactly the same way as this fake Facebook spam earlier today and consists of a hacked GoDaddy domain (nphscards.com) hosted on 162.216.18.169 by Linode.

"You requested a new Facebook password" spam / nphscards.com

This fake Facebook spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes through a legitimate hacked site and then through one or both of these following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js

The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.

CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com

This fake CNN alert leads to malware on fragrancewalla.com:

Date:      Wed, 24 Jul 2013 12:13:04 +0530 [02:43:04 EDT]
From:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'" [BreakingNews@mail.cnn.com]
Subject:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'"

CNN
Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'
By Emily Zemler, Special to CNN
July 21, 2013 -- Updated 1546 GMT (2346 HKT)
Actor Harrison Ford said he wasn't concerned about
Actor Harrison Ford said he wasn't concerned about "Ender's Game" author Orson Scott Card's views on gay marriage.


Editor's note: CNN.com is covering Comic-Con, the international gathering of geek and mainstream pop culture enthusiasts, through Sunday.

San Diego (CNN) -- For actor Harrison Ford, who is starring in a movie adaptation of Orson Scott Card's heralded and popular novel "Ender's Game," statements against same-sex marriage by the science-fiction author "are not an issue for me." FULL STORY

The link in the email goes through a legitimate hacked site, and then tries to run one or all of the following scripts:
[donotclick]ellensplace.lk/orientated/honecker.js
[donotclick]rodeiouniversitario.com.br/vicissitudes/furlong.js
[donotclick]funeralsintexas.com/gazillions/donkey.js

In turn, these scripts direct the victim to a malware landing page at [donotclick]fragrancewalla.com/topic/accidentally-results-stay.php (report here, appears to be 403ing but that could just be an anti-analysis response) hosted on 173.246.101.146 (Gandi, US).

The domain in question appears to be a hacked GoDaddy account, and the following GoDaddy registered domains are also on the same server and should be treated as suspicious:
happykidoh.com
fragrancewalla.com
fragrancessurplus.com

Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:

Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the file). VirusTotal detections are 26/47 and identify it as a generic downloader, Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com which appears to be a hijacked GoDaddy domain.

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.

gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com

The ThreatTrack report reveals more details [pdf] including the subsequent download locations as does the ThreatExpert report.

[donotclick]lacasadelmovilusado.com/bts1.exe
[donotclick]common.karsak.com.tr/FzPfH6.exe
[donotclick]ftp.vickibettger.com/oEoASW64.exe
[donotclick]qualitydoorblog.com/qbSTq.exe

This second file has a much lower detection rate at VirusTotal of just 3/47 (and they are all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. They all appear to be dynamic ADSL addresses and probably not worth trying to block.

64.136.115.72
66.63.204.26
68.7.103.29
76.226.114.217
77.30.83.91
78.131.54.252
84.59.131.0
85.107.90.53
87.18.47.40
90.189.37.85
94.240.240.106
95.246.170.150
107.217.117.139
108.234.133.110
180.247.156.110
181.67.52.88
190.202.83.105
200.91.49.183
201.209.58.176
212.71.16.46
217.132.249.173
221.215.31.50

Recommended blocklist:
gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com
bobkahnvideo.com
lacasadelmovilusado.com
common.karsak.com.tr
ftp.vickibettger.com
qualitydoorblog.com
64.94.100.116
198.173.93.218
212.58.2.22

Something evil on 205.234.139.169

205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:

[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/applet.jnlp
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/contact.php
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/jfygZbFu

URLquery and VirusTotal are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.

The following domains appear to be hosted on the server. You should assume that they are all malicious, ones already flagged by Google are marked in  red .

blog2.4glenview.com
blog2.bigciti.com
blog2.bonitajoe.com
blog2.dnbmedia.com
blog2.dynamomedia.com
blog2.equityblueprintmn.com
blog2.floridawaterfrontpro.com
blog2.flsearchmls.com
blog2.fmbcribs.com
blog2.fmbjoe.tv
blog2.fortmyersbeachrealestatejoe.com
blog2.joe22.com
blog2.joemoves.com
blog2.joeorlandini.com
blog2.joesrealtygroup.com
blog2.joey1.com
blog2.joeyou.com
blog2.kitejunkys.com
blog2.loan2have.com
blog2.mailjoe.com
blog2.mlsfloridasearch.com
blog2.mysportnovelties.ca
blog2.mysportnovelties.com
blog2.naplezjoe.com
blog2.orlandinifamily.com
blog2.parkshorejoe.com
blog2.portroyaljoe.com
blog2.stefura.com
blog2.stefura-associates.com
blog2.stefuraassociatesinc.com
blog3.augustacampoli.com
blog3.bhs.com.pk
blog3.buckinghamsports.ca
blog3.itcspakistan.com
blog3.sindclub.org
blog3.sindclub.org.pk

(And yes, apparently you can get .pk domains through GoDaddy!)

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set

The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
hohohomaza.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
humaniopa.ru
humarikanec.ru

getyourbet.org injection attack

There seems to be an injection attack doing the rounds, the injected domain is getyourbet.org hosted on 31.184.192.237. The domain registration details are:

Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains@yahoo.com

The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).

This is a two stage attack, if  getyourbet.org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.

pin.panacheswimwear.co.uk
physical.oneandonlykanuhura.com
pig.onmailorder.com
picture.onlyplussizes.com
person.nypersonaltrainers.com
pipe.payday-loanstoday.com

I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.

Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks.

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.

Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.

These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net