Sponsored by..

Showing posts with label Xeex. Show all posts
Showing posts with label Xeex. Show all posts

Wednesday 6 November 2013

"Voice Message from Unknown" spam / VoiceMail.zip

This fake voice mail spam comes with a malicious attachment:

Date:      Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From:      Administrator [voice9@victimdomain]
Subject:      Voice Message from Unknown (886-966-4698)

- - -Original Message- - -

From: 886-966-4698

Sent: Wed, 6 Nov 2013 22:22:28 +0800

To: recipients@victimdomain

Subject:  Private Message 
The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file.

This malware file has a detection rate of 3/47 at VirusTotal. Automated analysis tools [1] [2] show an attempted connection to twitterbacklinks.com  on 216.151.138.243 (Xeex, US) which is a web host that has been seen before in this type of attack.

Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28 which contains the following domains:
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com

Those domains are consistent with the ones compromised here and it it likely that they have all also been compromised.

Recommended blocklist:
69.26.171.176/28
216.151.138.240/28
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

Wednesday 30 October 2013

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.

Date:      Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

-----------------------

Date:      Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "877-579-4466" - 5 pages

Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement. 
Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file.

This has a very low detection rate at VirusTotal of just 1/46. Automated analysis tools [1] [2] [3] show an attempted connection to a domain bulkbacklinks.com on 69.26.171.187. This is part of the same compromised Xeex address range as seen here and here.

Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list.

Tuesday 29 October 2013

Suspect network: 69.26.171.176/28

69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network


There are three very recent Malwr reports involving sites in this range:

69.26.171.179 - bookmarkingbeast.com
69.26.171.181 - allisontravels.com
69.26.171.182 - robotvacuumhut.com

As a precaution, I would recommend temporarily blocking the whole range. These other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection:
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

"Division of Unemployment Assistance" spam / attached_forms.exe

This spam comes with a malicious attachment:

Date:      Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]
From:      "info@victimdomain" [info@victimdomain]
Subject:      [No Subject]

A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former employee. You are requested to:

Provide Wage and Separation information (Form 1062/1074)

And/or

Provide Separation Pay Information

If you do not provide this information, you may lose your right to appeal any
determination made on the claim.
To provide this information electronically, <b>please print attached claim (file) and
complete any outstanding forms.

This message may contain privileged and/or confidential information. Unless you are the
addressee (or authorized to receive for the addressee), you may not use, copy,
disseminate, distribute or disclose to anyone the message or any information contained in
the message.
Attached is a file with the rather long name of  case#976179103613297~9392736683167.zip which contains a malicious executable attached_forms.exe with an icon that makes it look like a PDF file. The VirusTotal detections stand at 8/46 and automated analysis [1] [2] shows an attempted connection to bookmarkingbeast.com on 69.26.171.179 (Xeex Communications, US). That's just two IP addresses away from this other Xeex server mentioned here. I strongly suspect that there is a problem with servers in the 69.26.171.176/28 range so you might want to block those temporarily. This range is suballocated from Xeex to:

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network



Wells Fargo "Check copy" spam / Copy_10292013.zip

These fake Wells Fargo spam messages have a malicious attachment:

Date:      Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From:      Wells Fargo [Emilio.Hendrix@wellsfargo.com]
Subject:      FW: Check copy

We had problems processing your latest check, attached is a image copy.

Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

--------------------

Date:      Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From:      Wells Fargo [Leroy.Dale@wellsfargo.com]
Subject:      FW: Check copy

We had problems processing your latest check, attached is a image copy.

Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you. 
Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary.

The VirusTotal detection rate is just 3/47. Automated analysis [1] [2] shows an attempted connection to allisontravels.com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these.

gg