Sponsored by..

Showing posts with label Linode. Show all posts
Showing posts with label Linode. Show all posts

Monday 9 September 2013

Malware sites to block 9/9/13

These domains and IPs are associated with this gang, this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)
24.173.170.230 (Time Warner Cable, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
74.63.233.79 (Limestone Networks Inc / 123Systems Solutions, US)
74.207.231.42 (Linode, US)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
95.242.252.26 (Telecom Italia, Italy)103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
111.93.115.216 (Tata Teleservices, India)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
130.63.110.159 (York University, Canada)
140.116.72.75 (TANET, Taiwan)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
148.204.64.107 (Instituto Politecnico Nacional, Mexico)
173.254.250.218 (OC3 Networks, US)
184.23.8.7 (Sonic.net, US)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
190.145.25.126 (Telmex Colombia, Colombia)
190.152.149.85 (Consejo De Participacion Ciudadana Y Control Soci, Ecuador)
192.241.199.191 (Digital Ocean, US)
194.42.83.60 (Interoute Communications, UK)
194.158.4.42 (Interoute Communications, France)
198.224.81.54 (AT&T, US)
199.115.228.213 (VolumeDrive, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.69.42.50 (Bay Area Video Coalition, US)
208.180.134.20 (Suddenlink Communications, US)
212.169.49.234 (Claranet, UK)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
222.35.102.133 (China TieTong Telecommunications Corporation, China)
223.30.27.251 (Sify Limited, India)

1.209.108.29
24.173.170.230
37.153.192.72
42.121.84.12
58.68.228.148
58.246.240.122
61.36.178.236
66.230.163.86
66.230.190.249
74.63.233.79
74.207.231.42
95.87.1.19
95.111.32.249
95.242.252.26
103.20.166.67
111.93.115.216
115.78.233.220
115.160.146.142
130.63.110.159
140.116.72.75
141.20.102.73
148.204.64.107
173.254.250.218
184.23.8.7
186.251.180.205
187.60.172.18
190.145.25.126
190.152.149.85
192.241.199.191
194.42.83.60
194.158.4.42
198.224.81.54
199.115.228.213
208.52.185.178
208.69.42.50
208.180.134.20
212.169.49.234
213.156.91.110
222.35.102.133
223.30.27.251
achrezervations.com
agence-moret.net
altertraveldream.com
amimeseason.net
bnamecorni.com
boardsxmeta.com
brasilmatics.net
bundle.su
casualcare.net
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chairsantique.net
checklistsseesmics.su
chernigovskievojninua55.net
controlsalthoug.com
credit-find.net
crovliivseoslniepodmore83.net
deepsealinks.com
dotier.net
dvdramrautosel.su
ehnihujasebenahujchtoza27.net
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
email.pinterest.com.lacave-enlignes.com
ergopets.com
ermitajniedelaincityof40.net
explic.net
facebook.com.achrezervations.com
favar.net
fender.su
ffupdate.pw
fulty.net
gaphotoid.net
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gonulpalace.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
gormovskieafrterskioepr30.net
grannyhair.ru
higherpricedan.com
hobox.net
hotbitscan.com
icentis-finance.net
insectiore.net
invoices.ulsmart.net
istatsking.ru
jessesautobody.net.rcom-dns.eu
kpsart.net
lacave-enlignes.com
lights-awake.net
liliputttt9999.info
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mobile-unlocked.net
molul.com
multiachprocessor.com
myaxioms.com
mywebsitetips.net
nacha-ach-processor.com
namastelearning.net
ns1.namastelearning.net
ns2.namastelearning.net
nvufvwieg.com
oadims.net
ordersdeluxe.com
oversearadios.net
paypal.com.us.cmd.stjamesang.net
perkindomname.com
photos.walmart.com.orders.stjamesang.net
porschetr-ml.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
redsox.com.tickets-service.lindoliveryct.net
relectsdispla.net
rentipod.ru
saucancafe.net
scoutmoor.net
secureprotection5.com
soberimages.com
stjamesang.net
stonewallspwt.net
strutterradio.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
trans-staronline.net
treesmustdownload.su
u-janusa.net
ulsmart.net
uprisingquicks.net
video-withtext.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
weekings.com
wildgames-orb.net
wow-included.com
www.facebook.com.achrezervations.com
www.linkedin.com.achrezervations.com
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net
zinvolarstikel.com

Thursday 5 September 2013

Facebook spam / kapcotool.com

This fake Facebook spam leads to malware on kapcotool.com:

From:     Facebook [no-reply@facebook.com]
Date:     5 September 2013 15:21
Subject:     Michele Murdock wants to be friends with you on Facebook.

facebook
   
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
         
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The link in the email uses an obscure URL shortening serving to go first to [donotclick]fenixa.com/97855 and then to [donotclick]magic-crystal.ch/normalized/index.html, and at this point it attempts to load the following three scripts:

[donotclick]00398d0.netsolhost.com/mcguire/forgiveness.js
[donotclick]202.212.131.8/ruses/nonsmokers.js
[donotclick]japanesevehicles.us/vector/internees.js

The final step is a malware landing page at [donotclick]kapcotool.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains listed in italics below.

Recommended blocklist:
74.207.227.154
jgburgerlounge.ca
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com
justcreature.com
justmonster.com
kalcodistributors.com
kapcotool.com
00398d0.netsolhost.com
japanesevehicles.us
202.212.131.8

Wednesday 4 September 2013

PayPal spam / dshapovalov.info

This fake (and badly formatted) fake PayPal spam email leads to malware on dshapovalov.info:

Date:      Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      History of transactions #PP-011-538-446-067

ID

Transaction: { figure } {SYMBOL }

On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now

Sincerely, Services for protection

Department

PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.

To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT } The history of monetary transactions 

The link in the email goes through a URL shortening service at [donotclick]url7.org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23/observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169/garrotting/rumples.js
[donotclick]northeastestateagency.co.uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro,com/peps/dortmund.js

From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack. There are other hijacked GoDaddy domains on the same domain (listed below in italics).

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
journeyacrossthesky.com
dshapovalov.info
watchfp.net
dshapovalov.info

mineralmizer.webpublishpro.com
northeastestateagency.co.uk
81.143.33.169

Facebook spam / watchfp.net

All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:

Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook

facebook

Blake Miranda added 5 photos of you.
See photos

Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Blake is pretty feminine looking for a bloke:

The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice porfolio. Anyway.. the link in the email uses a shortening service:

[donotclick]u.to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa.de/triassic/index.html which loads one of the following:
[donotclick]safbil.com/stashed/flout.js
[donotclick]ftp.spectrumnutrition.ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste.de/covetously/turk.js


The final step is that the victim ends up on a malware landing page at [donotclick]watchfp.net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
watchfp.net

safbil.com
ftp.spectrumnutrition.ca
schornsteinfeger-helmste.de

Monday 26 August 2013

UPS Spam / UPS Invoice 74458652.zip

This fake UPS invoice has a malicious attachment:

From:      "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]
Subject:      Your UPS Invoice is Ready


New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.
Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe  which presumably isn't meant to be named like that..

The VirusTotal detection rate is a so-so 18/46. The Malwr analysis is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint.org/forum/viewtopic.php
[donotclick]mierukaproject.jp/PjSE.exe
[donotclick]programcommunications.com/WZP3mMPV.exe
[donotclick]fclww.com/QdytJso0.exe
[donotclick]www.lajen.cz/tPT8oZTB.exe

The VirusTotal detection rate for the downloaded file is not great at just 9/46.

The domain gordonpoint.org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other hijacked domains which are listed below in italics.

Recommended blocklist:
74.207.229.45
gordonpoint.org
hitechcreature.com
industryseeds.ca
infocreature.com
itanimal.com
itanimals.com
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com

mierukaproject.jp
programcommunications.com
fclww.com
www.lajen.cz

Thursday 22 August 2013

Discover card "Your account login information updated" spam / abemuggs.com

This fake Discover card spam leads to malware on abemuggs.com:

Date:      Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From:      Discover Card [no-reply@facebook.com]
Subject:      Your account login information updated

Discover
Access My Account
   
ACCOUNT CONFIRMATION    Statements | Payments | Rewards   
Your account login information has been updated.

Dear Customer,

This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.

Log In to review your account details or to make additional changes.

Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up
   
Facebook    Twitter    I Love Cashback Bonus Blog    Mobile

   
Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.

    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2012 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1


The link in the email uses the Twitter redirection service to go to [donotclick]t.co/9PsnfeL8hh then [donotclick]x.co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198.netsolhost.com/frostbite/hyde.js
[donotclick]96.9.28.44/dacca/quintilian.js
[donotclick]cordcamera.dakisftp.com/toothsome/catch.js

From this point the victim ends up at the malicious payload at [donotclick]abemuggs.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).

At the moment, I can only see abemuggs.com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs.com
abesmugs.com
abemugs.com
andagency.com
mytotaltitle.com

I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs.com
02aa198.netsolhost.com
cordcamera.dakisftp.com

Tuesday 13 August 2013

Bank of American spam / Instructions Secured E-mail.zip

This fake Bank of American spam has a malicious attachment:

Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.

Thanks,

Amado.Underwood
Bank of America
Principal Business Relationship Manager
Direct - 915-045-4237 office
Cell - 915-070-4128 cell
Amado.Underwood@bankofamerica.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. 
Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.

The detection rate for this initial malware is just 9/45 at VirusTotal.

This is a pony/gate downloader [1] which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack, and it also utilises a hijacked GoDaddy domain.

The download then attempts to download a second stage from the from the following locations [2] (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs.com/D5F7G.exe
[donotclick]betterbacksystems.com/kvq.exe
[donotclick]www.printdirectadvertising.com/vfMJH.exe
[donotclick]S381195155.onlinehome.us/vmkCQg8N.exe

The second stage has an even lower detection rate of just 3/45. The analyses by Comodo CAMAS and Malwr do give some detail as to how this part infects the target system.

Recommended blocklist:
192.81.135.132
guterprotectionperfection.com
Missionsearchjobs.com
betterbacksystems.com
www.printdirectadvertising.com
S381195155.onlinehome.us

Malware sites to block 13/8/13

These IPs and domains belong to this gang and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)
5.231.57.253 (GHOSTnet, Germany)
15.185.121.30 (HP Cloud Services, US)
24.173.170.230 (Time Warner Cable, US)
37.99.18.145 (2day Telecom, Kazakhstan)
42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)
50.2.109.148 (Eonix Corporation, US)
50.56.172.149 (Rackspace, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (LG DACOM, Korea)
65.190.51.124 (Time Warner Cable, US)
66.230.163.86 (Goykhman And Sons LLC, US)
68.174.239.70 (Time Warner Cable, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communcations, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork SRO, Czech Republic)
89.163.170.134 (Unitedcolo, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
95.138.165.133 (Rackspace, UK)
109.107.128.13 (The Blue Zone East, Jordan)
114.112.172.34 (Worldcom Teda Networks Technology, China)
123.202.15.170 (Hong Kong Broadband Network, Hong Kong)
140.113.87.153 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.224.211.216 (Psychz Networks, US)
177.53.80.39 (Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithunia)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
190.95.222.196 (Homenet CIA. Ltda / Telconet, Ecuador)
198.211.115.228 (Digital Ocean Inc, US)
199.231.188.226 (Interserver Inc, US)
202.197.127.42 (CERNET, China)
204.124.182.30 (Volumedrive, US)
209.222.67.251 (Razor Inc, US)
212.68.34.88 (Mars Global Datacenter Services, Turkey)
216.158.67.42 (Webnx Inc, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:
5.39.14.148
5.231.57.253
15.185.121.30
24.173.170.230
37.99.18.145
42.121.84.12
50.2.109.148
50.56.172.149
59.77.36.225
59.124.33.215
61.36.178.236
65.190.51.124
66.230.163.86
68.174.239.70
74.207.251.67
75.147.133.49
78.47.248.101
88.86.100.2
89.163.170.134
95.87.1.19
95.111.32.249
95.188.76.14
95.138.165.133
109.107.128.13
114.112.172.34
123.202.15.170
140.113.87.153
140.116.72.75
173.224.211.216
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
190.95.222.196
198.211.115.228
199.231.188.226
202.197.127.42
204.124.182.30
209.222.67.251
212.68.34.88
216.158.67.42
217.64.107.108
50plus-login.com
abundanceguys.net
acautotentsale.net
allgstat.ru
amnsreiuojy.ru
amods.net
antidoctorpj.com
askfox.net
astarts.ru
autocompletiondel.net
avini.ru
badstylecorps.com
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
blindsay-law.net
bnamecorni.com
boardsxmeta.com
boats-sale.net
breakingtextediti.com
briltox.com
businessdocu.net
buycushion.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
centow.ru
condalinneuwu37.net
condrskajaumaksa66.net
controlsalthoug.com
creativerods.net
credit-find.net
crossplatformcons.com
culturalasia.net
cyberflorists.su
datapadsinthi.net
devicesta.ru
dulethcentury.net
ehnihjrkenpj.ru
endom.net
evishop.net
exhilaratingwiki.net
exnihujatreetrichmand77.net
exowaps.com
fitstimekeepe.net
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
frontsidecash.net
frutpass.ru
gatumi.com
gondorskiedelaahuetebanj88.net
gonulpalace.net
gormoshkeniation68.net
gotoraininthecharefare88.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
info-for-health.net
inningmedicare.pl
intcheck.com
jonkrut.ru
kneeslapperz.net
legalizacionez.com
lhobbyrelated.com
liliputttt9999.info
lucams.net
made-bali.net
magiklovsterd.net
medusascream.net
micnetwork100.com
microsoftnotification.net
mifiesta.ru
mirris.ru
mobile-unlocked.net
moonopenomy.com
motobrio.net
musicstudioseattle.net
namastelearning.net
neplohsec.com
nightclubdisab.su
nvufvwieg.com
onsayoga.net
onsespotlight.net
ordersdeluxe.com
organizerrescui.pl
pacifista.ru
palmer-ford.net
partyspecialty.su
pinterest.com.onsayoga.net
prysmm.net
pure-botanical.net
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
ringosfulmobile.com
saberig.net
sai-uka-sai.com
scourswarriors.su
sensetegej100.com
sensing-thefuture.com
seoworkblog.net
suburban.su
tagcentriccent.net
tagcentriccent.pl
taltondark.net
templateswell.net
thegalaxyatwork.com
thesecuritylistfx.net
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
viperlair.net
vip-proxy-to-tor.com
wildgames-orb.net
workeschaersecure.net
x-pertwindscreens.net
zestrecommend.com
zukkoholsresv.pl

Monday 12 August 2013

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook
   
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell
   
Bao Aguliar
Bibi Akel
   
Eleanora Casella
Murray Carsten
   
Jordana Fiqueroa
Jona Fiorelli
   
Leisha Heape
Lacresha Hautala
   
Monnie Carrillo
Missy Carreiro
find more pages
         
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303
Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains (in italics below)

Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com






Friday 2 August 2013

"Your most recent payment has been processed" spam / capitalagreements.com

This fake Discover Card spam leads to malware on capitalagreements.com:


Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From:      Discover Card [dontrply@service.discovercard.com]
Reply-To:      dontrply@service.discovercard.com


    Discover
     Access My Account
   
    ACCOUNT CONFIRMATION     Statements | Payments | Rewards    
    Your most recent payment has been processed.
   
Dear Customer,

This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.

To view more details please click here.

Log In to review your account details or to make additional changes.


Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up

Facebook     Twitter     I Love Cashback Bonus Blog     Mobile

Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.


    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2013 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1
   
The link in the email goes to a legitimate hacked site and then one to three scripts as follows:
[donotclick]ekaterini.mainsys.gr/overspreading/hermaphrodite.js
[donotclick]sisgroup.co.uk/despairs/marveled.js
[donotclick]psik.aplus.pl/christian/pickford.js

After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.

The attack is fundamentally the same as this American Express themed malspam run described here.

Recommended blocklist:
66.228.60.243
northernforestcanoetrail.com
northforestcanoetrail.org
yourcaribbeanconnection.com
capitalagreements.com
buyfranklinrealty.com
franklinrealtyofcc.com
frccc.com
sellcitruscountyrealestate.com

Tuesday 30 July 2013

Facebook spam / deltaoutriggercafe.com

These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:

Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Issac Dyer wants to be friends with you on Facebook.

facebook
   
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
I don't know about you, but I think Isaac looks a bit like a girl.


Predicatably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run. However, in this case the target has now changed to [donotclick]deltaoutriggercafe.com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been hijacked from GoDaddy.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltaoutriggercafe.com
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

eBay "ready to get started? Here’s how." spam / deltamarineinspections.net

There is currently an eBay-themed  "ready to get started? Here’s how" spam run active, effectively almost the same as this one, except this time there is a new set of intermediate scripts and payload page. The three scripts involved are:

[donotclick]03778d6.namesecurehost.com/meaningful/unsnapping.js
[donotclick]icontractor.org/followings/trolloped.js
[donotclick]tvassist.co.uk/plead/grueled.js

..leading to a payload page at  [donotclick]deltamarineinspections.net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are hijacked from a GoDaddy account and belong to the same poor sod that last control of the ones here.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net


CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

This fake CNN spam leads to malware on deltadazeresort.net:

Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie,
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie, "World War Z."


(EW.com) -- She might not get paid as much as "Iron Man," but there's no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.

This year, Jolie topped Forbes' annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.

The link in the email goes to a legitimate hacked site and then to one or more of three scripts:

[donotclick]00002nd.rcomhost.com/immanent/surfeit.js
[donotclick]theplaidfox.com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs.com/afforestation/provosts.js

From there the victim is sent to a landing page at [donotclick]deltadazeresort.net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:

66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US)
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

Wednesday 24 July 2013

CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com

This fake CNN spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN

CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July 24, 2013 -- Updated 0151 GMT (0951 HKT)
Watch this video
Perfect gift for royal baby ... a tree?

STORY HIGHLIGHTS

    Gifts for William and Catherine's baby must honor special U.S.-UK relationship
    William got a gift from Reagans when he was born; brother Harry got nothing
    Truman sent telegram for Charles' birth; Coolidge did even less for queen's birth
    Protocol expert suggests American-made crafts -- but no silver spoons

Washington (CNN)�-- What will the Obamas get the royal wee one? Sources say it's a topic under discussion in the White House and at the State Department.

No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.

Kate and William bring home royal baby boy

The payload work in exactly the same way as this fake Facebook spam earlier today and consists of a hacked GoDaddy domain (nphscards.com) hosted on 162.216.18.169 by Linode.

"You requested a new Facebook password" spam / nphscards.com

This fake Facebook spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate hacked site and then through one or both of these following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js

The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.

Tuesday 11 June 2013

Amazon.com spam / goldcoinvault.com

This fake Amazon.com spam leads to malware on goldcoinvault.com:

Date:      Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From:      "Amazon.com Customer Care Service" [payments-update@amazon.com]
Subject:      Payment for Your Amazon Order # 104-884-8180383

Regarding Your Amazon.com Order

Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86

Sony VAIO E Series SVE11135CXW 11.6-Inch Laptop (White)

Sony KDL50EX645 50-Inch 1080p 120HZ Internet Slim LED HDTV (Black)

Sony DSC-H200 Digital Camera with 3-Inch LCD (Black)



Payment Problem
We're writing to let you know that we are having difficulty processing your payment for the above 
transaction.  To protect your security and privacy, your issuing bank cannot provide us with 
information regarding why your credit card was declined. 

However, we suggest that you double-check the billing address, expiration date and cardholder name 
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no 
need to place a new order as we  will automatically  try your credit card again.

There are a few steps you can take to make the process faster:  

1. Verify the payment information for this order is correct (expiration date, billing address, etc). 
You can update your account and billing information at : 

https://www.amazon.com/gp/css/summary/edit.html?ie=UTF8&orderID=104-884-8180383 
 
2. Contact your issuing bank using the number on the back of your card to learn more about their 
policies. Some issuers put restrictions on using credit cards for electronic or internet 
purchases.  Please have the exact dollar amount and details of this purchase when you call the 
bank.  If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash 
from authorized resellers at a store near you. Visit www.amazon.com/cashgcresellers to learn 
more.  

Thank you for shopping at Amazon.com.  Sincerely, Amazon.com Customer Service 
http://www.amazon.com  

Please note: This e-mail was sent from a notification-only address that cannot accept incoming
 e-mail. Please do not reply to this message..
To view more details click Order Summary.
Please note: This is not a VAT invoice.

Conditions of Use | Privacy Notice 1996-2013, Amazon.com, Inc. or its affiliates

The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js
[donotclick]nteshop.es/tsingtao/flanneling.js

..from there it hits the main malware payload site at [donotclick]goldcoinvault.com/news/pictures_hints_causes.php (report here) hosted on goldcoinvault.com which is a hacked GoDaddy domain hijacked to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here and here, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good.

These following domains appear to be pointing to that server:
ccrtl.com
chrisandannwedding.com
chriscarlson.com
eaglebay5.com
eaglebay-eb5.com
freepokermoney.com
goldcoinvault.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
page10development.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org





Something evil on 173.255.213.171

As a follow-up to this post, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of hijacked GoDaddy-registered domains that are serving an exploit kit [1] [2]. If you are unable to block 173.255.213.171 then I would recommend the following blocklist:

ccrtl.com
eaglebay5.com
eaglebay-eb5.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org

Friday 7 June 2013

"PAYVE - Remit file" spam / CD0607213.389710762910.zip

This fake American Express Payment Network spam has a malicious attachment.

Date:      Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From:      "PAYVESUPPORT@AEXP.COM" [PAYVESUPPORT@AEXP.COM]
Subject:      PAYVE - Remit file

A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (CD06072013.389710762910.zip).

   -   The remittance file contains invoice information passed by your buyer. Please
contact your buyer
       for additional information not available in the file.

   -   The funds associated with this payment will be deposited into your bank account
according to the
       terms of your American Express merchant agreement and may be combined with other
American Express deposits.
       For additional information about Deposits, Fees, or your American Express merchant
agreement:
       Contact American Express Merchant Services at 1-800-528-0265 Monday to Friday,
8:00 AM to 8:00 PM ET.    -  You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
      If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount
      or call us at 1-866-220-3581, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
      For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
      and DDA (account number) on hand.

This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.

Copyright 2013 American Express Company. All rights reserved Contact Customer Service:
https://www.americanexpress.com/messagecenter

******************************************************************************
"This message and any attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended recipient, any
disclosure, copying, use, or distribution of the information included in this message and
any attachments is prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this message and any
attachments. Thank you."
******************************************************************************
Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46 anti-virus scanners detect it.

The Comodo CAMAS report gives some details about the malware, including the following checksums:

MD5fd18576bd4cf1baa8178ff4a2bef0849
SHA18b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875

The malware attempts to download further components from storeyourbox.com on 97.107.137.239 (Linode, US) which looks like a legitimate server that has been badly compromised. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:

drjoycethomasderm.com
goodvaluemove.com
jacksonmoving.com
jacksonmoving.net
napervillie-movers.com
reebie.net
storageandmoving.net
storeyourbox.com
storeyourbox.net
storeyourthings.net

Update: the ThreatExpert report took a long time to process, but is quit interesting. It shows DNS queries for:
storeyourbox.com
storeyourbox.net
storeyourthings.net
drjoycethomasderm.com
www.archeting.it
www.errezeta.biz
190.147.81.28
207.204.5.170

The following URLs are accessed:
[donotclick]www.archeting.it/86zP.exe
[donotclick]www.errezeta.biz/ToSN79T.exe
[donotclick]190.147.81.28/yqRSQ.exe
[donotclick]207.204.5.170/PXVYGJx.exe

archeting.it and errezeta.biz are hosted on IPs belonging to Aruba S.p.A. in Italy (62.149.132.57 and 62.149.131.162 respectively). I've long suspected that there's a serious problem with Aruba due to a very high incidence of malware sites. Those are shared hosting IPs and as far as I can tell the rest of the sites on those servers are clean.

190.147.81.28 and 207.204.5.170 (Telmex, Colombia and Register.com US) have been seen before and don't seem to be shared hosts. I would strongly recommend blocking them.



Sunday 19 May 2013

Something evil on 50.116.28.24

50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here and here plus some other suspect sites. I would advise that you assume that all domains hosted on this IP are malicious, ones that are already marked as malware by Google are highlighted in  red .

6699x.in
7e.xpsp.in
allotusual.in
approvaldesignteam.com
asodistrict.org
australiantestnew2333s.info
bbclsht4.knaqu.eu
bene-ficus.com
berstaska.com
bigbrothershome.org
bizforum.us
boostdeeming.org
c8.uk3.in
cagxjuhgvacsmjvdeo.com
capucchinopayments.com
cascotqhij.com
caytmlnlrou.com
checkincheckoutdoodling.in
ckgryagcibbcf.com
cross-bordertrade.eu
d3aya.net
desepil.com
docsforum.info
ds32v7k3.knaqu.eu
duomyvwabkuappgqxhp.com
englishmaninny.in
exactsixservice.com
fogorieort.com
galaint.statonlinekit.in
galokusemus.eu
ganycyhywek.eu
genecevaletoday.ws
getgluedeluxe.com
gidrim.com
giliminfobluster.com
godgivenwisdom.com
gokbwlivwvgqlretxd.com
googlebarcorp.com
gw.desepil.com
gysqreclw.com
havanaprom.com
hcvuririvnuq.com
hgydiduewiltga.com
hxpgffdwbevww.com
itismybestsite555.in
itismybestsite666.in
itismybestsite777.in
ivaserg.us
jbeqyjlvjqbmq.com
jexgpprgph.com
jngorreo.com
jpuityvakjgg.com
karambajobs.us
kaspyrsky.net
kckkjyqtokjlwfem.com
knaqu.eu
kudrizaial.in
kxkdyatouls.tv
labush.in
lekerdeka.com
liveonflyhelp.com
lotosmusicfm.net
lpkporti.com
mail.desepil.com
mambarada.com
michellesogood.in
monsboys.biz
mqjvmmcckkbwgihlbwm.com
mukevipvxvrq.com
musicmixb.co
myloanandcredit.net
n0r1.org
n-0-r-1.org
nanomirs.com
nbvusher.com
nogold.in
nogold.me
nr.kaspyrsky.net
ns1.musicmixb.co
ns1.searchhereonline.net
ns2.searchhereonline.net
ns4.searchhereonline.net
ofexplained.com
oodsydayvbmwj.com
podaitjnvfauh.com
prcgijpwvrl.com
pvpipkio.com
qobiragevuryt.com
realfirmvare.in
rumbaduna.com
sdvrcplyavjif.com
searchhereonline.net
secdfbpyopjhyhuw.com
securitytable.org
simplynamedgritty.in
sliokrvnkjenhwgpjl.com
sqhmkesvsraquihx.com
statonlinekit.in
storedlay.com
suhashvill.com
symbisecure.com
tentiklus.com
tetebebe.knaqu.eu
u.kaspyrsky.net
uk3.in
uxlyihgvfnqcrfcf.com
vdstestservice.info
vncs.knaqu.eu
voohnyqdinl.com
vosmefnuxkkmhbmuac.com
vwaeloyyutodtr.com
wbmpvebw.com
wgkyyalemnvhdrai.com
window-shopper.info
wir.knaqu.eu
wkabaspswbf.com
wwrgnyoqwcodyhg.com
www.desepil.com
x.n-0-r-1.org
x6690x.in
x6699x.in
xd11.in
xdgeivuswhon.com
xjpakmdcfuqe.in
xksax.biz
xphdllpguj.com
xpsp.in
yfsxwvqbsnghyln.com
ylamixambistarimbasicolasta.com