Showing posts with label Spain. Show all posts

Tuesday, 26 February 2013

Intuit spam / forumligandaz.ru

This fake Intuit spam leads to malware on forumligandaz.ru:

Date:      Tue, 26 Feb 2013 01:27:09 +0330
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.

    Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
    amount to be seceded: 3373 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]forumligandaz.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:

Thursday, 13 December 2012

"Copies of Policies" spam / awoeionfpop.ru:

This spam leads to malware on awoeionfpop.ru:

Date:      Thu, 13 Dec 2012 09:08:32 -0400
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Fwd: Deshaun - Copies of Policies

Unfortunately, I cannot obtain electronic copies of the SPII policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Deshaun ZAMORA,
The malicious payload is at [donotclick]awoeionfpop.ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:


75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)

The following domains are also on these IPs:

Tuesday, 27 November 2012

FedEx spam / PostalReceipt.zip


A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip

Date:      Tue, 27 Nov 2012 13:04:37 -0400
From:      "Office Mail" [no_replyFRL@cleveland.com]
Subject:      ID (I)JI74 384 428 2295 7492

FedEx   
  
Order: AX-7608-99659670234   
Order Date: Sunday, 25 November 2012, 10:35 AM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

GET POSTAL RECEIPT


Best Regards, The FedEx Team.
  
© FedEx 1995-2012
In this case the download site was [donotclick]amsterdam.cathedralsoft.com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft.com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft.com have been compromised in this attack.

VirusTotal detection rates are very low. I don't currently have an analysis of the malicious payload.

Update: here is another variant, downloading from [donotclick]brandandreputation.net/NOHDPQWPJJ.html (195.249.40.193, TeamInternet Denmark).

Date:      Wed, 28 Nov 2012 A.D. 07:34:52 -0400
From:      "First-Class UPS logistics" [no.reply-FG@houston.com]
Subject:      Tracking Number (A)PSO79 089 360 1947 4933

FedEx    
   
Order: MN-8474-09876452234    
Order Date: Sunday, 24 November 2012, 11:36 AM

Dear Customer,

Your parcel has arrived at the post office at November 26.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Detection rates are pretty miserable for this one too. It looks like a Bredolab variant.

Update 2:  another variant of the malware, this time downloading via [donotclick]www.cantoncityutah.com/OXSJOVVYOE.html (this tries to open PostalReceipt.zip in a window). Again, VirusTotal detection is not good.


Date:      Thu, 29 Nov 2012 A.D. 14:29:38 +0200
From:      "Office Mail" [NoReply@baltimore.com]
Subject:      Tracking Number (K)IR46 545 922 5276 0059

FedEx    
   
Order: HD-5468-483254683    
Order Date: Monday, 25 November 2012, 03:41 PM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 3: yet another variant, though the payload wasn't working on this one.

Date:      Fri, 30 Nov 2012 A.D. 07:57:38 -0400
From:      "First-Class logistics" [NoReply.368@tucson.com]
Subject:      Number (N)GDE82 422 446 0527 6243



FedEx
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 4: this variant attempts to download [donotclick]catercut.ie/Postal-Receipt.zip (VirusTotal results here) via [donotclick]catercut.ie/KANHEPGVVM.html:

Date:      Fri, 30 Nov 2012 A.D. 14:33:35 -0400
From:      "UPS Mail" [NOreplyEAY@baltimore.com]
Subject:      ID (P)NRB90 564 295 9947 6165

FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 5: another spam run, same payload as last time (updated VirusTotal results here). Link leads to [donotclick]drillsaw.com.au/VYWFBRIUBU.html which leads to a payload at [donotclick]drillsaw.com.au/Postal-Receipt.zip

Date:      Fri, 30 Nov 2012 A.D. 22:47:44 -0700
From:      "logistics UPS" [no.reply-UAC@losangeles.com]
Subject:      Tracking Detail (L)OK73 487 973 8524 5206


FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 6: yet another variant, this time downloading from [donotclick]exodionline.com/job.php?php=receipt (VirusTotal results here).

Date:      Sun, 02 Dec 2012 A.D. 15:13:18 -0400
From:      "UPS Receipt" [NOreply.815@irvine.com]
Subject:      Tracking ID (T)SB58 793 555 5502 9056

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 7: this variant downloads from [donotclick]www.850spider.de/TYKXVHIFQH.html (report here):


Date:      Sat, 01 Dec 2012 A.D. 19:50:18 -0500
From:      "First-Class logistics" [NoReply-QEP@baltimore.com]
Subject:      Tracking Detail (K)HW33 625 799 6339 9731

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 8: this one attempts (and fails) to download the payload from [donotclick]aucs.de/job.php?php=receipt - I haven't seen the payload for this yet.

Date:      Tue, 04 Dec 2012 05:13:30 -0600
From:      "U.P.S.Service" [no_replyQQW@tampa.com]
Subject:      Tracking Number (X)SO21 772 224 4605 7903

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 9: another slightly different version, this one 404s:

Date:      Wed, 05 Dec 2012 A.D. 06:52:19 -0400
From:      "U.P.S.Service" [NOreplyPCP@birmingham.com]
Subject:      ID (I)PFP44 818 840 9369 1257

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 10: another version, this downloads from [donotclick]gaffashion.de/KUHZNRQXSG.php?php=receipt, VirusTotal results are patchy.

Date:      Wed, 05 Dec 2012 13:21:13 -0400
From:      "logistics UPS" [no.replyDD@cincinnati.com]
Subject:      Tracking Number (O)UBF96 497 677 7945 1347

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Update 11: even more of these today, the volumes seem to be ramping up. Detection rates are pretty miserable.

Subjects spotted:
Tracking Detail (S)AR71 347 275 0953 6096
Number (H)OY68 102 257 0143 6263
Tracking Number (A)WF09 061 710 9662 3209
Tracking Detail (Y)XEY08 661 121 7788 5937
ID (T)TU26 454 839 5856 0273
Number (651)36-651-651-7313-7313
Number (N)QGW24 822 128 6967 5066
Tracking Detail (J)RD66 396 145 5017 2968
Tracking ID (G)EQI40 177 581 4008 9333 

Download sites:


Update 12: another version with a tweaked malicious binary:

Date:      Fri, 07 Dec 2012 08:33:17 -0400
From:      "UPS Receipt" [NOreply.IDH@riverside.com]
Subject:      ID (D)RH64 621 035 9749 7042

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

In this case, the link goes to [donotclick]www.dol2day.com/QGYAMKOOBH.php?php=receipt which downloads Postal-Receipt.zip containing Postal-Receipt.exe. The VirusTotal results are not good. Another version uses the subject Number (A)CV88 683 994 7812 3447 

Update 13: another couple of variants; the payload has morphed again and VirusTotal results are predictably very poor.


Date:      Sun, 09 Dec 2012 A.D. 12:20:15 -0400
From:      "Priority Mail Postal Service" [GJX_308@neworleans.com]
Subject:      Tracking Detail (Y)VH30 307 516 2676 5647

FedEx    
Order: SGH-3818-3779326179    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

====================

Date:      Sat, 08 Dec 2012 14:11:29 -0700
From:      "UPS Receipt" [NOreply.094@shreveport.com]
Subject:      Number (X)UJ39 079 034 0694 8327

FedEx    
   
Order: SGH-0987-4616781861    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Some other subject lines:
Number (A)CFV63 149 496 9260 0620
Tracking Detail (S)ESQ89 729 953 7596 6283

Some download sites (don't visit these unless you know what you are doing)
www.musikschule-nvp.de/SNDDAAWTBR.php?php=receipt
www.mcfcdonegal.com/OPMUYUCCIV.php?php=receipt
www.beller-das.de/NWAPXATXVT.php?php=receipt
www.trude-hau-rein.de/UWQNZZWFXZ.php?php=receipt

Update 14: just in time for Christmas...

Date:      Tue, 25 Dec 2012 00:07:07 +0200
From:      "Office 852" [mu-852@orlando.com]
Subject:      Tracking Detail (193)92-193-193-9477-9477

FedEx    
   
Order: VGH-4658-1148074435    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
The binary has changed again and detection rates are patchy. Anubis reports that the malware calls home to 74.80.220.148:60000, which would make it a Zbot variant.

Update 15: this one loads via [donotclick]www.eurogleuf.nl/DERZRCUKKY.php?php=receipt, VirusTotal detection rates are just 7/46.

From:     Express Mail Service [user-989@louisville.com]
date:     26 December 2012 10:46
subject:     Tracking ID (580)53-580-580-3103-3103

FedEx    
   
Order: VGH-2024-9642451224    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.

Update 16: just in time for New Year's day, this one loads via [donotclick]www.subclix.com/QJXBJWUUEJ.php?php=receipt. VT detections are again patchy.

Date:      Sun, 06 Jan 2013 A.D. 05:11:30 -0500
From:      "Worldwide Express Mail Service" <support_489@coloradosprings.com>
To:      [redacted]
Subject:      Tracking Number (I)FG03 107 566 0859 2689

FedEx    
   
Order: HJF-8295-96674032    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

================


Date:      Sat, 05 Jan 2013 19:25:48 -0400
From:      "Worldwide Express Mail" <support.800@portland.com>
To:      [redacted]
Subject:      Number (M)EG25 627 586 0611 4432

FedEx   
   
Order: HJF-9667-27583280    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

================


Date:      Sat, 05 Jan 2013 A.D. 13:57:18 -0400
From:      "First-Class Mail Postal Service" <support.813@baltimore.com>
To:      [redacted]
Subject:      Number (V)TGS29 427 081 6880 9243

FedEx    
   
Order: HJF-3918-81582364    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

================


Date:      Sat, 05 Jan 2013 09:05:00 -0400
From:      "First-Class Mail Service" <DTU.160@baltimore.com>
To:      [redacted]
Subject:      Tracking Detail (S)JYD60 835 496 0448 5921

FedEx    
   
Order: HJF-8882-94725648    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Example download sites:
[donotclick]omahadisability.com/UWOJIEUBLS.php?php=receipt
[donotclick]p-g-maintenance.co.uk/YLFDRZWNJP.php?php=receipt
[donotclick]cctvsecuritysystemshouston.com/XUAJAIPISI.php?php=receipt
[donotclick]itiyam.com/WEQOHWFEAK.php?php=receipt

Note that these URLs seem to be hardened against analysis; if you can't access them, check your user agent and referrer strings.

Update 17: and more, this time with the following details:

Tracking Number (B)TXP55 992 494 4822 1645
Number (N)DD46 790 881 6344 2460

Order: HJF-4121-39707012
Order: HJF-2424-11089225

[donotclick]jcpub.com/SXYUXBKFQF.php?php=receipt
[donotclick]travelclinicsswansea.com/INJIETKYXV.php?php=receipt

Update 18: another spam run, detection rates are a bit better for this one:

Date:      Wed, 09 Jan 2013 06:35:16 +0200
From:      "Shipping Service" [IAL_792@chesapeake.com]
Subject:      Tracking Detail (V)QT48 601 848 0556 8882

FedEx    
   
Order: JN-3254-98757378    
Order Date: Thursday, 3 January 2013, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
© FedEx 1995-2012

Variants:
Tracking ID (R)EBE08 923 976 4800 2506
Tracking ID (Y)OKX60 559 414 2225 0045
Order: JN-8274-10502299
Order: JN-9593-93771591

Sample download sites:
[donotclick]fibam.be/CMNVTXINXV.php?php=receipt
[donotclick]sofa-session.ch/PRRVWKCUQJ.php?php=receipt

Update 19: another spam run with the following characteristics:

Subject: Tracking Number (E)KA09 359 952 5829 0864
Order: JN-9160-75660784
Download site: [donotclick]endlich-ein-dsl-anschluss.de/HUPAHPNHTC.php?receipt=ss00_323
VirusTotal report

Update 20: another one, this time downloading from [donotclick]businesscoaching24.com/BWMIZNPQAT.php?receipt=802_195210783

Date:      Sun, 27 Jan 2013 13:09:22 +0100
From:      "Priority Mail Postal Service" [clients-669@columbus.com]
Subject:      Number (L)BVT74 159 159 2182 2182

Fed Ex    
   
Order: HCD-7626-14749451    
Order Date: Thursday, 17 January 2013, 11:10 AM

Dear Customer,

Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
FedEx 1995-2012    
Detection rates are patchy according to VirusTotal. The ThreatExpert report is here.

Update 21: another sample, this time from [donotclick]mydrugstoreus.net/get_file.php?print_receipt=ss00_323, VirusTotal results are 16/46.

Date:      Tue, 05 Feb 2013 19:20:36 -0400
From:      "Manager David Riddle" [manager@tampa.us]
Subject:      Order Detail

FedEx    
   
Tracking ID: 4013-85911016    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    
Update 22: this one downloads from [donotclick]zdsw.net/get_file.php?receipt_print=ss00_323 with VirusTotal detections at 12/46.

Date:      Wed, 06 Feb 2013 18:29:28 -0400
From:      "Manager William Burt" [service@greensboro.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 5739-64600336    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013     
According to ThreatExpert, this version attempts to connect to the following IP addresses which may be worth blocking:


Update 23: this variant downloads from [donotclick]www.ocadaval.com/tmp/vsgnpg.php?receipt_print=ss00_323 with VirusTotal detections of 16/46:

From: Manager Jayden Dickson [support@santaana.us]
Date: 8 February 2013 03:33:48 CET
Subject: Tracking Info
FedEx    
   
7475-42208096     Monday, 4 January 2013, 08:24 AM

Your parcel has arrived at February 6.Courier was unable to deliver the parcel to you at 6 February 05:51 PM.
To receive your parcel, please, print this receipt and go to the nearest office.    
          Print Receipt

Best Regards, The FedEx Team.        
       
FedEx 1995-2013        
Update 24: downloading from [donotclick]www.olmuccio.com/tmp/0iuziv.php?receipt_print=ss00_323 and with VirusTotal detections of just 10/46.

Date:      Mon, 11 Feb 2013 A.D. 13:35:56 -0500
From:      "Manager Daniel Acevedo" [manager@lexington.us]
Subject:      Order Information

FedEx    
   
Tracking ID: 2803-20131928    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
Update 25: downloading from [donotclick]www.onzeklus.com/tmp/gnnvyg.php?receipt_print=ss00_323 with VirusTotal detections at just 7/44.

Date:      Wed, 13 Feb 2013 A.D. 16:28:00 -0400
From:      "Manager William Burt" [client@wichita.us]
Subject:      Shipping Service

FedEx    
   
Tracking ID: 2890-49318193    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
Update 26: downloading from [donotclick]www.assembleserver.net/clients/comp/mirror.php?receipt_print=ss00_323 with VirusTotal detections of just 5/46.

Date:      Fri, 15 Feb 2013 10:44:44 -0400
From:      "Manager Jayden Soto" [manager@norfolk.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 4374-23102840    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 14.Courier was unable to deliver the parcel to you at 14 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    
According to Anubis, the malware attempts to call home to the following IPs:
66.84.10.68
72.29.84.159
87.118.122.19
94.101.86.146
173.255.203.178

Update 27: downloading from [donotclick]phillipsflorist.co.uk/wp-content/plugins/akismet/mirror.php?receipt=ss00_323 with a detection rate of 4/45.

Date:      Wed, 20 Feb 2013 10:00:38 -0400
From:      "Manager Mason Marsh" [service@anaheim.us]
Subject:      Order Shipped

FedEx    
   
Tracking ID: 9702-66479247    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 18.Courier was unable to deliver the parcel to you at 18 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
According to Anubis, this malware tries to call home to:
50.115.116.201
81.93.248.152
87.118.122.19
94.23.193.229
190.111.176.13
213.229.106.32



Update 28: another version, with a download site of [donotclick]www.2handhome.com/components/.ebgv3m.php?receipt=838_129704313 and a VirusTotal score of just 6/45.

Date:      Wed, 13 Mar 2013 05:54:18 -0700
From:      "Manager Liam Ortega" [support@lincoln.us]
Subject:      Tracking Information

FedEx    
   
Tracking ID: 6673-95490112    
Date: Monday, 4 March 2013, 10:22 AM

Dear Client,

Your parcel has arrived at March 7.Courier was unable to deliver the parcel to you at 7 March 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

 Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
According to Anubis, the malware calls home to:
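
As an added example (not code from this blog), here is a small Python triage script that checks a raw email for the characteristics these FedEx "postal receipt" runs share: the tracking-style subject, the ten-uppercase-letter or receipt= download link, the "unable to deliver the parcel" wording, and a FedEx-branded body sent from an unrelated domain. The two sample messages and the hostnames in them are constructed placeholders, not the domains from the real runs.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the "postal receipt" runs above: a
# courier-branded display name on an unrelated sender domain, the
# tracking-style subject, the lure wording and a download link.
# The hostnames are placeholders, not the domains from the real runs.
SAMPLE_LURE = """\
From: "UPS Receipt" <NOreply.815@example.invalid>
To: victim@example.invalid
Subject: Tracking ID (T)SB58 793 555 5502 9056
Content-Type: text/html

<html><body>
FedEx<br>
Order: RM-8723-2307345234<br>
Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.<br>
<a href="http://spam-host.example.invalid/ABCDEFGHIJ.php?php=receipt">GET POSTAL RECEIPT</a>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Alice" <alice@example.invalid>
To: bob@example.invalid
Subject: Lunch on Friday?

Are we still on for lunch? The menu is at http://example.invalid/menu.html
"""

# Subject shapes seen across the runs, e.g. "Tracking Number (A)PSO79 089 360 1947 4933"
# and "Tracking Detail (193)92-193-193-9477-9477".
SUBJECT_RE = re.compile(
    r"^(?:Tracking (?:Number|Detail|ID)|Number|ID) "
    r"(?:\([A-Z]\)[A-Z]{2,3}\d{2} \d{3} \d{3} \d{4} \d{4}"
    r"|\(\d{3}\)\d{2}-\d{3}-\d{3}-\d{4}-\d{4})$"
)

# Download links: a ten-uppercase-letter page name (TFOIATVZVT.html,
# KUHZNRQXSG.php?php=receipt) or the later get_file.php / mirror.php
# style carrying a receipt parameter (receipt_print=ss00_323).
URL_RE = re.compile(
    r"https?://[^\s\"'<>]*?"
    r"(?:/[A-Z]{10}\.(?:html|php)(?:\?php=receipt)?"
    r"|\.php\?(?:print_)?receipt(?:_print)?=\w+)"
)

# Lure wording that stayed constant while senders and links rotated.
BODY_RE = re.compile(
    r"(?:Our (?:postrider|courier)|Courier)\s+was\s+unable\s+to\s+deliver\s+the\s+parcel",
    re.IGNORECASE,
)


def _body_text(msg):
    """Concatenate the decoded text parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw):
    """Return the individual indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # FedEx branding in the body or display name while the sender is not a fedex.com address.
    claims_fedex = "fedex" in (display + " " + body).lower()
    from_fedex = sender_domain == "fedex.com" or sender_domain.endswith(".fedex.com")
    return {
        "subject_pattern": bool(SUBJECT_RE.match(subject)),
        "lure_urls": [m.group(0) for m in URL_RE.finditer(body)],
        "lure_text": bool(BODY_RE.search(body)),
        "brand_mismatch": claims_fedex and not from_fedex,
    }


def is_receipt_lure(raw):
    """Flag a message when at least two independent indicators agree."""
    found = analyse(raw)
    hits = sum([found["subject_pattern"], bool(found["lure_urls"]),
                found["lure_text"], found["brand_mismatch"]])
    return hits >= 2


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, is_receipt_lure(raw), analyse(raw))
```

Requiring two agreeing indicators keeps a lone "Tracking Number" subject or a single odd link from flagging legitimate courier mail, while still catching runs where the subject format changed (Update 21 onwards) but the link style and lure wording did not.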


Friday, 1 June 2012

LinkedIn spam / immerialtv.ru

This fake LinkedIn spam leads to malware:

Date:      Fri, 1 Jun 2012 02:45:50 +0000
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      Please confirm your email address

LinkedIn

Click here to confirm your email address.

If the above link does not work, you can paste the following address into your browser:

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using LinkedIn!

--The LinkedIn Team

© 2012, LinkedIn Corporation

The payload is on [donotclick]immerialtv.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:


50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)
184.106.200.65 (Slicehost, US)
187.85.160.106 (Ksys Soluções Web, Brazil)

Plain list for copy-and-pasting:
50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106

Those IPs host the following domains which can also be assumed to be hostile:
immerialtv.ru
opimmerialtv.ru
piloramamoskow.ru

Thursday, 22 September 2011

Fake jobs: totaljob-us.com

Another fake job offer, part of this long-running series of spam/scam emails.

From: Spam Victim
Sent: 21 September 2011 20:18
To: Spam Victim
Subject: Current Vacancy

Urgent!

We are looking for trustworthy staff for long-term work in the finance section.
Students, housewives etc...
can also get a job at the company; the work does not take much time, but requires a lot of responsibility.

It is not marketing! Nor anything like it.
We work with more than 10 countries around the world to make our transfers.
The company is dedicated to making local and international money transfers.

Please send your personal details to the email address: Ana@totaljob-us.com

Leave your mobile phone number so that our operator can contact you.

Awaiting your CVs,  Ana Sykes

The email appears to come "from" the spam victim (here's why). The domain was registered just yesterday to an "Alexey Kernel" at a fake address in the Ukraine.

Some other "reply to" addresses are:

Subjects include "Current Vacancy", "Job Offer - Flexible Hours", "Get a New Job Today", "Current Open Position", "Administrative Assistant Vacancy" and "Employment Opportunity". Oddly, the subject is in English even though the body of the message is in Spanish.

The jobs offered will be money laundering and other illegal activities. If you have any samples that are different, please consider sharing them in the Comments. Thanks!

Tuesday, 13 September 2011

Fake banks on 88.191.36.45

88.191.36.45 [Proxad, France] is hosting a series of fake banking domains, one of which is detailed by F-Secure. The domains target Finnish and Spanish banks.

The following sites appear to be hosted on that IP:

bbva-es.com
nordea-vf.com
nordeasfi.com
nordea-if.com
nordea-fis.com
osuuspankki-fi.com


Some sites might use the following subdomains: kultaraha, solo1, solo2, www and xxx.

The (fake) registrant details are:
  Admin Name........... Arthur Williams
  Admin Address........ lake tarson 41
  Admin Address........
  Admin Address........ new york city
  Admin Address........ 90121
  Admin Address........ NY
  Admin Address........ UNITED STATES
  Admin Email.......... sir.arthur999@hotmail.com
  Admin Phone.......... +1.802716100

Blocking access to 88.191.36.45 would probably be a good idea if you have Spanish or Finnish users.

Friday, 29 July 2011

Fake jobs: chile-hh.com, cl-joblists.com, pt-joblist.com and spain-joblist.com

Four new fake job domains today, targeting victims in South America, Spain and Portugal.

chile-hh.com
cl-joblists.com
pt-joblist.com
spain-joblist.com

These domains were all registered in the past few days. The standard email approach seems to be "from" the victim, and they are often badly translated into Portuguese and Spanish.

The "jobs" on offer are not jobs at all, they usually involve money laundering and other criminal activities. They form part of this very long running scam that has been going on for years.

Three of the four domains have a new (fake) registrant that we haven't seen before:

Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

If you have an example email, please consider sharing it in the comments.

Thursday, 28 July 2011

Fake jobs: trabajo-lista.com

A single fake domain today: trabajo-lista.com uses the same approach as yesterday's domains, again targeting Spanish speakers with money laundering jobs and other illegal activities.

Emails will most likely appear to be "from" yourself. This particular scam has been going on now for several years.

If you have a sample, please consider sharing it in the Comments. Thanks!

Wednesday, 27 July 2011

Fake jobs: chile-hh.com, cv-trabalho.com, espana-hh.com and worldjoblists.com

These domains are being used to advertise fake jobs and appear to be targeting Spanish and Portuguese speakers. They form part of this long-running series of domains associated with fake job offers.

chile-hh.com
cv-trabalho.com
espana-hh.com
worldjoblists.com


The jobs being offered are typically money laundering (lavado de dinero / lavagem de dinheiro), which is highly illegal. It is possible that some other jobs offered may be "back office" functions, including translation into local languages.

The domains are very new, registered in the past two days to:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 

If you have any examples of mail using these domains, please consider sharing them in the Comments section. Thanks.