
Showing posts with label ThreeScripts.

Wednesday, 14 August 2013

ADP spam / hubbywifeburgers.com

This fake ADP spam leads to malware on hubbywifeburgers.com:

Date:      Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From:      "ADPClientServices@adp.com" [service@citibank.com]
Subject:      ADP Security Management Update

ADP Security Management Update

Reference ID: 39866

Dear ADP Client August 2013

This message is to inform you of the upcoming "Phase 2" enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users' access to ADP's Internet services, and includes the self-service registration process.

Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.

Please review the following information:

• Click here to view more details of the enhancements in Phase 2

• Complete the What's New in Security Management Service here (Expected to take about 15 minutes)

• View the Supported Browsers and Operating Systems, listed here. These are updated to reflect more current versions to ensure proper presentation of the updated user interface. It is important to note that the new ADP Security Management is best accessed using Microsoft Internet Explorer Version 8 or Mozilla Firefox Version 3.6, at minimum.

This email was sent to active users in your company that access ADP Netsecure with a security role of "security master" or "security admin". You may have other users that also access ADP Netsecure with other security roles. Please inform those users of these enhancements, noting that the above resources will have some functionality that does not apply to their role.

As always, thank you for choosing ADP as your business partner! If you have any questions, please contact your ADP Technical Support organization.

Ref: 0725 MSAMALONIS1@TWNSHP

[This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.]


Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in the message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.


Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate hacked site that tries to load one of the following three scripts:

[donotclick]e-equus.kei.pl/perusing/cassie.js
[donotclick]cncnc.biz/pothooks/addict.js
[donotclick]khalidkala.com/immigration/unkind.js

From there, the victim is sent to a malware site that uses a hijacked GoDaddy domain at [donotclick]hubbywifeburgers.com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here). This IP probably contains other hijacked domains from the same owner.

Recommended blocklist:
199.195.116.51
hubbywifeburgers.com
e-equus.kei.pl
cncnc.biz
khalidkala.com

Monday, 12 August 2013

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook
   
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell
   
Bao Aguliar
Bibi Akel
   
Eleanora Casella
Murray Carsten
   
Jordana Fiqueroa
Jona Fiorelli
   
Leisha Heape
Lacresha Hautala
   
Monnie Carrillo
Missy Carreiro
find more pages
         
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303
Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US), along with a number of other hijacked domains (included in the blocklist below).

Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com

Saturday, 10 August 2013

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:

Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:39 AM EDT, Fri August 9, 2013
Canadian teenager Rehtaeh Parsons, who was allegedly gang-raped and bullied, has died, her family said. Parsons, 17, was hospitalized after she tried to hang herself on Thursday, April 4. The high school student from Halifax, Nova Scotia, was taken off life support three days later.

Canadian teenager Rehtaeh Parsons

Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening.  Full story >>

The link in the email goes through a legitimate but hacked site and ends up running one of three scripts:
[donotclick]1494ccc706155932.lolipop.jp/canard/lockup.js
[donotclick]ftp.adaware.net/earwax/philosophic.js
[donotclick]hargobindtravels.com/coloratura/nesting.js

The victim is then sent to a malware payload site at [donotclick]hubbynwifewines.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 72.249.76.197.

Recommended blocklist:
72.249.76.197
1494ccc706155932.lolipop.jp
ftp.adaware.net
hargobindtravels.com
housewalla.com
hubby-wife.com
hubbynwife.com
hubbynwifecakes.com
hubbynwifewines.com
hubbynwifedesigns.com

Thursday, 8 August 2013

Facebook spam / hubby-wife.com and 72.249.76.197

This fake Facebook spam leads to malware on hubby-wife.com:

Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal
   
Hyo Auiles
Gigi Arvay
   
Hester Brush
Lesa Bueschel
   
Crawford Eredia
Casey Elting
   
Delfina Grode
Deandrea Grise
   
Tori Circle
Austin Chum
Find more pages
         
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Doug is quite a feminine-looking bloke:


Clicking on the link in the email goes through a legitimate hacked site, and from there onto one of three scripts:
[donotclick]art.impactmt.com/ecology/christmases.js
[donotclick]palka-teleskopowa.pl/puppet/leafed.js
[donotclick]outoftheblueproductions.com/pipelines/tutsi.js

From here, the victim is sent to a malware payload at [donotclick]hubby-wife.com/topic/able_disturb_planning.php which is (predictably) a hijacked GoDaddy domain hosted on 72.249.76.197 (Networld Internet Services), along with several other GoDaddy domains which are listed below.

Recommended blocklist:
72.249.76.197
art.impactmt.com
palka-teleskopowa.pl
outoftheblueproductions.com
hubby-wife.com
housewalla.com
hubbynwife.com
hubbynwifecakes.com

eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:

Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .

Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.

Thank you for using jConnect!
Home|Contact|Login
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the jConnect Customer Agreement.
The link in the email goes through a legitimate hacked site and then on to three scripts as follows:
[donotclick]v3dev.eu/conciseness/bragging.js
[donotclick]masperblog.it/manacle/barnaul.js
[donotclick]shop.zhengtugps.com/submissions/snipped.js

From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on 173.246.105.15 (Gandi, US). There are probably other malicious domains that I cannot see on the same server.

Recommended blocklist:
173.246.105.15
v3dev.eu
masperblog.it
shop.zhengtugps.com
eliehabib.com


Friday, 2 August 2013

MoneyGram "Payment notification email" spam / drstephenlwolman.com

This fake MoneyGram spam leads to malware on drstephenlwolman.com:

Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From:      "Moneygram Inc." [infusionnbb3@gmail.com]
Subject:      Payment notification email
Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.


Transaction details

Transaction sum: 110 USD
Transaction date: 2013/08/02

View the details of this transaction online

Thank you for using MoneyGram services!

MoneyGram ® 2013
Payload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html and some intermediate scripts.

More analysis later..

Part II

OK, I have a little more time to look at this. Here is the screenshot:

Clicking the link takes you to a "ThreeScripts" page, but subtly different from previous ones, leading to scripts at:
[donotclick]nutnet.ir/dl/nnnew.txt
[donotclick]www.emotiontag.net/cp/nnnew.txt
[donotclick]aurummulier.pl/nnnew.txt

These scripts use a ".txt" extension, presumably to fool AV scanners.

The next step is some rather odd JavaScript leading to a malware page at [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on 74.91.118.212 (Nuclear Fallout Enterprises, US).


The domain in question is a hijacked GoDaddy domain. The payload is hardened against analysis. There will almost certainly be other hijacked domains hosted on this server, so blocking access to it might be a good idea.
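Every post on this page describes the same two-hop chain: a hacked site loads one of three short-path `.js` intermediaries (or, in the MoneyGram run above, `nnnew.txt`), which sends the browser to a `/topic/<words>.php` landing page on a hijacked domain. As an added example that is not part of the blog, the following correlates those two path shapes per client in web proxy logs; the log excerpt is constructed, with `hacked-site.invalid` and the client addresses as placeholders and the host and path names taken from the posts.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Path shapes seen across the posts on this page:
#  - intermediary: "/<word>/<word>.js" on a hacked host, or the later
#    "nnnew.txt" variant that swaps the extension (/dl/nnnew.txt, /nnnew.txt)
#  - landing page: "/topic/<word>[-_]<word>...php", or "/news/..." in the May run
INTERMEDIARY_PATH = re.compile(r"^/[a-z]+/[a-z]+\.js$|^/(?:[a-z]+/)*nnnew\.txt$")
LANDING_PATH = re.compile(r"^/(?:topic|news)/[a-z]+(?:[-_][a-z]+){1,3}\.php$")

# Constructed proxy log excerpt (not real traffic): "<epoch> <client> <method> <url> <status>".
# Hosts come from the posts above; the hacked first-hop site is a placeholder.
SAMPLE_LOG = """\
1376497123 10.0.0.7 GET http://hacked-site.invalid/newsletter/track.php 200
1376497124 10.0.0.7 GET http://cncnc.biz/pothooks/addict.js 200
1376497126 10.0.0.7 GET http://hubbywifeburgers.com/topic/nearby-promptly.php 200
1376497200 10.0.0.9 GET http://www.example.com/static/app.js 200
1376497300 10.0.0.9 GET http://nutnet.ir/dl/nnnew.txt 200
1376497302 10.0.0.9 GET http://drstephenlwolman.com/topic/sessions-folk-binds.php 403
1376497400 10.0.0.12 GET http://www.example.com/topic/index.php 200
""".splitlines()


def classify(url: str) -> Optional[str]:
    """Tag a URL as a ThreeScripts 'intermediary', a 'landing' page, or None.

    The two-word .js shape on its own is deliberately loose (it also matches
    /static/app.js); the correlation in find_chains() is what makes it usable."""
    path = urlsplit(url).path.lower()
    if LANDING_PATH.match(path):
        return "landing"
    if INTERMEDIARY_PATH.match(path):
        return "intermediary"
    return None


def parse_line(line: str) -> Tuple[int, str, str, int]:
    ts, client, _method, url, status = line.split()
    return int(ts), client, url, int(status)


def find_chains(lines: List[str], window: int = 60) -> List[Tuple[str, str, str]]:
    """Return (client, intermediary_url, landing_url) for every client that
    requested a landing page within `window` seconds of an intermediary.

    The HTTP status is ignored on purpose: the posts note that the landing
    pages often answer 403 to analysts, so a "failed" fetch is still a hit."""
    last_intermediary = {}  # client -> (timestamp, url) of the most recent script
    chains = []
    for line in lines:
        ts, client, url, _status = parse_line(line)
        kind = classify(url)
        if kind == "intermediary":
            last_intermediary[client] = (ts, url)
        elif kind == "landing":
            seen = last_intermediary.get(client)
            if seen is not None and 0 <= ts - seen[0] <= window:
                chains.append((client, seen[1], url))
                del last_intermediary[client]
    return chains


if __name__ == "__main__":
    for client, script, landing in find_chains(SAMPLE_LOG):
        print(f"{client}: {script} -> {landing}")
```

In the sample, 10.0.0.9's fetch of `/static/app.js` matches the intermediary shape but is never paired because no landing page follows it within the window; the `nnnew.txt` fetch 100 seconds later is.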

"Your most recent payment has been processed" spam / capitalagreements.com

This fake Discover Card spam leads to malware on capitalagreements.com:


Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From:      Discover Card [dontrply@service.discovercard.com]
Reply-To:      dontrply@service.discovercard.com


    Discover
     Access My Account
   
    ACCOUNT CONFIRMATION     Statements | Payments | Rewards    
    Your most recent payment has been processed.
   
Dear Customer,

This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.

To view more details please click here.

Log In to review your account details or to make additional changes.


Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up

Facebook     Twitter     I Love Cashback Bonus Blog     Mobile

Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.


    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2013 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1
   
The link in the email goes to a legitimate hacked site and then on to three scripts as follows:
[donotclick]ekaterini.mainsys.gr/overspreading/hermaphrodite.js
[donotclick]sisgroup.co.uk/despairs/marveled.js
[donotclick]psik.aplus.pl/christian/pickford.js

After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.

The attack is fundamentally the same as this American Express themed malspam run described here.

Recommended blocklist:
66.228.60.243
northernforestcanoetrail.com
northforestcanoetrail.org
yourcaribbeanconnection.com
capitalagreements.com
buyfranklinrealty.com
franklinrealtyofcc.com
frccc.com
sellcitruscountyrealestate.com

Tuesday, 30 July 2013

Facebook spam / deltaoutriggercafe.com

These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:

Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Issac Dyer wants to be friends with you on Facebook.

facebook
   
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
I don't know about you, but I think Isaac looks a bit like a girl.


Predictably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run. However, in this case the target has now changed to [donotclick]deltaoutriggercafe.com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been hijacked from GoDaddy.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltaoutriggercafe.com
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

eBay "ready to get started? Here’s how." spam / deltamarineinspections.net

There is currently an eBay-themed "ready to get started? Here's how" spam run active, effectively almost the same as this one, except this time there is a new set of intermediate scripts and payload page. The three scripts involved are:

[donotclick]03778d6.namesecurehost.com/meaningful/unsnapping.js
[donotclick]icontractor.org/followings/trolloped.js
[donotclick]tvassist.co.uk/plead/grueled.js

...leading to a payload page at [donotclick]deltamarineinspections.net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are hijacked from a GoDaddy account and belong to the same poor sod that lost control of the ones here.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net


CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

This fake CNN spam leads to malware on deltadazeresort.net:

Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie,
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie, "World War Z."


(EW.com) -- She might not get paid as much as "Iron Man," but there's no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.

This year, Jolie topped Forbes' annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.

The link in the email goes to a legitimate hacked site and then to one or more of three scripts:

[donotclick]00002nd.rcomhost.com/immanent/surfeit.js
[donotclick]theplaidfox.com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs.com/afforestation/provosts.js

From there the victim is sent to a landing page at [donotclick]deltadazeresort.net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:

66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US)
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

Monday, 29 July 2013

Facebook spam / happykido.com

This fake Facebook spam leads to malware on happykido.com:

Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From:      Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject:      Betsy Wells wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Betsy Wells
Betsy Wells
   
Baldric Aguino
Astrid Aggas
   
Deloris Bransfield
Perdita Brantz
   
Danelle Erstad
Daphne Escamilla
   
Giovanna Hadesty
Georgeann Habel
   
Hugh Campisi
Jake Callas
Find more pages
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Apparently all these people look alike:

This is a "ThreeScripts" attack: clicking the link goes to a legitimate hacked site which then tries to run one of the following:

[donotclick]system-hostings.info/aphrodisiac/nought.js
[donotclick]gc.sceonline.org/worsens/patronizingly.js
[donotclick]www.kgsindia.org/retell/manson.js

From there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered malicious.

Recommended blocklist:
50.2.138.161
handbagwalla.com
giftwalla.com
happykiddoh.com
happykido.com
system-hostings.info
gc.sceonline.org
www.kgsindia.org


Friday, 26 July 2013

Intellicast.com spam / artimagefrance.com

This fake weather spam leads to malware on artimagefrance.com:

Date:      Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]
From:      "Intellicast.com" [weather@intellicast.com]
Subject:      Intellicast.com [weather@intellicast.com]


Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit Intellicast.com:
http://www.intellicast.com/Local/Weather.aspx?location=USNH0164
=================================================

5-Day Forecast for Newfields, New Hampshire

Today:   Mostly Cloudy,  High: 72 F,  Low: 60 F

Tomorrow:  Showers,  High: 70 F,  Low: 60 F

Saturday:  Partly Cloudy,  High: 84 F,  Low: 64 F

Sunday:  Scattered Thunderstorms,  High: 82 F,  Low: 65 F

Monday:  Showers,  High: 82 F,  Low: 61 F

=================================================
Forecast Details

The payload and infection technique is exactly the same as the one used here.

"welcome to the eBay community!" spam / artimagefrance.com

This fake eBay email leads to malware on artimagefrance.com:

Date:      Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From:      eBay [eBay@reply1.ebay.com]
Subject:      [redacted] welcome to the eBay community!

Items selected just for you.
View this message in your browser     eBay Buyer Protection
ebay™     Fashion     Electionics     Collectibles     Daily Deals     Sell To Buy
    Welcome to eBay. The simpler and safer way to shop and save.
You've got options when it comes to paying.
       
   
Learn more to protect yourself from spoof (fake) e-mails

eBay Inc. sent this e-mail to you at [redacted] because your Notification Preferences indicate that you want to receive general email promotions.

If you do not wish to receive further communications like this, please click here to unsubscribe. Alternatively, you can change your Notification Preferences in My eBay by Privacy Policy and User Agreement if you have any questions.

Copyright © 2013 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc.
eBay Inc. is located at 2145 Hamilton Avenue, San Jose, CA 95125.

The link in the email goes to a legitimate hacked site and then runs one or more scripts from the following list of three:
[donotclick]75.126.43.229/deputy/clodhoppers.js
[donotclick]andywinnie.com/guessable/meteor.js
[donotclick]hansesquash.de/wimples/dunning.js

The victim is then sent to a malware landing page at [donotclick]artimagefrance.com/topic/accidentally-results-stay.php hosted on 184.95.37.110 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 184.95.37.96/28 in this case.

The domain is a hijacked GoDaddy domain, and the following hijacked domains appear to be in the neighbourhood. Some of them are already flagged by Google as malware, although all should be considered malicious.

184.95.37.100
fiberopticcableguy.com
fiberopticguy.com

guysanford.com
guyscards.com
hi-defhooters.com
y2k-usa.com

184.95.37.109
apparelacademy.com
apparelacademy.net
dragoncigars.net
heavenlycigars.net
libertychristianstore.com
michaelscigarbar.com
michaelscigarbar.net
michaelscigars.net
montverdestore.com
montverdestore.net
montverdestore.org
showmysupport.org


184.95.37.110
2013vistakonpresidentsclub.com
amicale-calvel.com
amicale-calvel.eu
artimagefrance.com
atmiaaustraliaconference.com


Thursday, 25 July 2013

"INCOMING FAX REPORT" spam / 2013vistakonpresidentsclub.com

This fake fax report spam (apparently from the Administrator at the Victim's domain) leads to malware on 2013vistakonpresidentsclub.com:

Date:      Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From:      Administrator [administrator@victimdomain]
Subject:      INCOMING FAX REPORT : Remote ID: 1150758119

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
DTMF/DID:
Description: June Payroll

Click here to view the file online

********************************************************* 
The link in the spam leads to a legitimate hacked site and then on to one or more of these three intermediary scripts:

[donotclick]1954f7e942e67bc1.lolipop.jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio.de/djakarta/opel.js
[donotclick]www.pep7.at/hampton/riposts.js

From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier today (like this spam) and was presumably a hijacked GoDaddy domain. I can't tell for certain whether this site is clean now or not, but it seems to be on 184.95.37.110, a Jolly Works Hosting IP which has been implicated in malware before. I would personally block 184.95.37.96/28 to be on the safe side.
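The 184.95.37.96/28 recommended here and in the artimagefrance.com post above can be derived rather than eyeballed: it is the smallest prefix covering the three neighbouring hosting IPs (.100, .109, .110) listed there. As an added example that is not part of the blog, the following pulls defanged indicators out of post text written in the blog's own `[donotclick]` notation, computes one covering CIDR per /24 so unrelated hosts are never merged, and renders a Squid ACL; `POST_TEXT` is a constructed excerpt built from hosts and IPs quoted in those two posts.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the blog's notation (not a real post). The hostnames
# and addresses are the ones quoted in the two posts above.
POST_TEXT = """\
[donotclick]75.126.43.229/deputy/clodhoppers.js
[donotclick]andywinnie.com/guessable/meteor.js
[donotclick]hansesquash.de/wimples/dunning.js
landing page at [donotclick]artimagefrance.com/topic/accidentally-results-stay.php
hosted on 184.95.37.110, neighbours on 184.95.37.100 and 184.95.37.109
"""

DEFANGED_HOST = re.compile(r"\[donotclick\]([A-Za-z0-9.-]+)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_indicators(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (domains, ips): defanged hosts that are not IP literals, plus
    every IPv4 address mentioned anywhere in the text (hosting IPs included)."""
    ips = set(IPV4.findall(text))
    domains = {h for h in DEFANGED_HOST.findall(text) if not IPV4.fullmatch(h)}
    return domains, ips


def covering_prefix(ips) -> str:
    """Smallest CIDR block that contains every address in `ips`."""
    addrs = [ipaddress.IPv4Address(ip) for ip in ips]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network((int(addrs[0]), prefix), strict=False)
        if all(a in net for a in addrs):
            return str(net)
    raise ValueError("no covering prefix")  # unreachable for IPv4


def suggest_blocks(ips, max_span: int = 24) -> List[str]:
    """Group addresses by /max_span and return one covering CIDR per group.

    Without the grouping, a single script host on another network (such as
    75.126.43.229 here) would drag the covering prefix out to something like a /7."""
    groups: Dict[ipaddress.IPv4Network, List[str]] = {}
    for ip in ips:
        key = ipaddress.ip_network(f"{ip}/{max_span}", strict=False)
        groups.setdefault(key, []).append(ip)
    return [covering_prefix(members) for _net, members in sorted(groups.items())]


def squid_acl(name: str, domains: Set[str], cidrs: List[str]) -> str:
    """Render a Squid ACL pair (dstdomain for names, dst for networks) and the
    deny rules that use them. A leading dot makes dstdomain cover subdomains too."""
    lines = [
        f"acl {name}_dom dstdomain {' '.join('.' + d for d in sorted(domains))}",
        f"acl {name}_ip dst {' '.join(cidrs)}",
        f"http_access deny {name}_dom",
        f"http_access deny {name}_ip",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    found_domains, found_ips = extract_indicators(POST_TEXT)
    print(squid_acl("threescripts", found_domains, suggest_blocks(found_ips)))
```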

CNN "77 dead after train derails" spam / evocarr.net

This spam mixes up two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr.net:


Date:      Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From:      77 dead after train derails [BreakingNews@mail.cnn.com>]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN


77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS

    NEW: Train driver told police he entered the bend too fast, public broadcaster reports
    NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
    Witness: "The train was broken in half. ... It was quite shocking"
    77 people are dead, more bodies may be found, regional judicial official says

Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story >>>>

The link in the email goes to a legitimate hacked site which tries to load one or more of the following scripts:

[donotclick]church.main.jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage.com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch.de/referees/metacarpals.js

From there the victim is sent to a landing page at [donotclick]evocarr.net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following hijacked GoDaddy domains are on the same IP and can be considered suspect:
evocarr.net
serapius.com
leacomunica.net
mindordny.org
rdinteractiva.com
yanosetratasolodeti.org

Wednesday, 24 July 2013

CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com

This fake CNN spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN

CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July 24, 2013 -- Updated 0151 GMT (0951 HKT)
Watch this video
Perfect gift for royal baby ... a tree?

STORY HIGHLIGHTS

    Gifts for William and Catherine's baby must honor special U.S.-UK relationship
    William got a gift from Reagans when he was born; brother Harry got nothing
    Truman sent telegram for Charles' birth; Coolidge did even less for queen's birth
    Protocol expert suggests American-made crafts -- but no silver spoons

Washington (CNN) -- What will the Obamas get the royal wee one? Sources say it's a topic under discussion in the White House and at the State Department.

No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.

Kate and William bring home royal baby boy

The payload works in exactly the same way as this fake Facebook spam earlier today and consists of a hacked GoDaddy domain (nphscards.com) hosted on 162.216.18.169 by Linode.

"You requested a new Facebook password" spam / nphscards.com

This fake Facebook spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate hacked site and then through one or both of the following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js

The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.

CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com

This fake CNN alert leads to malware on fragrancewalla.com:


Date:      Wed, 24 Jul 2013 12:13:04 +0530 [02:43:04 EDT]
From:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'" [BreakingNews@mail.cnn.com]
Subject:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'"

CNN
Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'
By Emily Zemler, Special to CNN
July 21, 2013 -- Updated 1546 GMT (2346 HKT)
Actor Harrison Ford said he wasn't concerned about
Actor Harrison Ford said he wasn't concerned about "Ender's Game" author Orson Scott Card's views on gay marriage.


Editor's note: CNN.com is covering Comic-Con, the international gathering of geek and mainstream pop culture enthusiasts, through Sunday.

San Diego (CNN) -- For actor Harrison Ford, who is starring in a movie adaptation of Orson Scott Card's heralded and popular novel "Ender's Game," statements against same-sex marriage by the science-fiction author "are not an issue for me." FULL STORY

The link in the email goes through a legitimate hacked site, and then tries to run one or all of the following scripts:
[donotclick]ellensplace.lk/orientated/honecker.js
[donotclick]rodeiouniversitario.com.br/vicissitudes/furlong.js
[donotclick]funeralsintexas.com/gazillions/donkey.js

In turn, these scripts direct the victim to a malware landing page at [donotclick]fragrancewalla.com/topic/accidentally-results-stay.php (report here, appears to be 403ing but that could just be an anti-analysis response) hosted on 173.246.101.146 (Gandi, US).

The domain in question appears to be a hacked GoDaddy account, and the following GoDaddy registered domains are also on the same server and should be treated as suspicious:
happykidoh.com
fragrancewalla.com
fragrancessurplus.com

Thursday, 30 May 2013

ADP spam / 4rentconnecticut.com and 174.140.171.233

These fake ADP spams lead to malware on 4rentconnecticut.com:

Date:      Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

====================

Date:      Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
From:      ADP Inc [ADP_FSA_Services@ADP.com]
Subject:      ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management.

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by May 31, 2013

$26062.29

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply. 

The link in the email goes to a legitimate hacked site and then tries to load three different scripts, currently:

[donotclick]kalimat.egyta.com/swearer/titan.js
[donotclick]www.asitecsrl.com/servicemen/ethic.js
[donotclick]www.mbbd.it/dzerzhinsky/bewilders.js

From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut.com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server and VirusTotal also reports several malicious URLs.
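The same three-stage chain appears in this post and in the CNN post above: a link to a legitimate hacked site, one of three obscurely named .js scripts, then the landing page (which answered 403 to analysts). The script below is an added example, not part of the original posts, that scans Squid-format proxy logs for the hosts, paths and IPs listed in these two posts; the log lines are constructed, and the log format is an assumption.

```python
import re
from collections import defaultdict

# Indicators taken from the two posts above (CNN and ADP spam runs).
LANDING_IPS = {"162.216.18.169", "173.246.101.146", "174.140.171.233"}
LANDING_PATHS = {"/topic/accidentally-results-stay.php",
                 "/news/cross_destroy-sets-separate.php"}
STAGE1_SCRIPTS = {
    "ellensplace.lk/orientated/honecker.js", "rodeiouniversitario.com.br/vicissitudes/furlong.js",
    "funeralsintexas.com/gazillions/donkey.js", "kalimat.egyta.com/swearer/titan.js",
    "www.asitecsrl.com/servicemen/ethic.js", "www.mbbd.it/dzerzhinsky/bewilders.js",
}

# Assumed Squid native access.log: time elapsed client code/status bytes method URL user peerstatus/peerhost type
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+\S+\s+"
                    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?]+)(?::\d+)?(?P<path>/[^?#]*)?")

def classify(url, peer="-"):
    """Label a request as a stage-1 script load or a landing-page hit, else None.
    HTTP status is ignored on purpose: the landing pages returned 403 to analysts, and a refused response still shows the client was sent there."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group("host").lower(), m.group("path") or "/"
    if host + path in STAGE1_SCRIPTS:
        return "stage1-script"
    if host in LANDING_IPS or peer in LANDING_IPS or path in LANDING_PATHS:
        return "landing-page"
    return None

def scan(lines):
    """Group matching requests by client so the whole chain per host is visible."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group("url"), m.group("peer"))
        if label:
            hits[m.group("client")].append((m.group("ts"), label, m.group("url")))
    return dict(hits)

# Constructed sample log (not real traffic): one client walks the chain, another is clean.
SAMPLE_LOG = """\
1369936000.123 45 10.0.0.5 TCP_MISS/200 512 GET http://hacked-site.invalid/index.html - DIRECT/203.0.113.10 text/html
1369936001.456 30 10.0.0.5 TCP_MISS/200 2048 GET http://kalimat.egyta.com/swearer/titan.js - DIRECT/203.0.113.11 application/javascript
1369936002.789 60 10.0.0.5 TCP_MISS/403 300 GET http://4rentconnecticut.com/news/cross_destroy-sets-separate.php - DIRECT/174.140.171.233 text/html
1369936003.000 20 10.0.0.9 TCP_HIT/200 1000 GET http://www.example.com/ - NONE/- text/html
"""
```

Matching on the peer IP as well as the hostname catches the other hijacked domains on the same server without listing each one.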

It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate this problem, but the following domains should all be assumed to be legitimate ones that have been hijacked:
