Sponsored by..

Showing posts with label Zerigo. Show all posts
Showing posts with label Zerigo. Show all posts

Friday 17 February 2012

"Your accountant CPA license termination" spam / biggestsetter.com and 199.30.89.0/24

I haven't seen this spam before, but the malicious payload it leads to is very familiar..

Date:      Fri, 16 Feb 2012 14:35:18 +0200
From:      "Mae Keller"
Subject:      Your accountant CPA license termination.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your alleged participation in tax return fraudulent activity� on behalf of one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant license can be cancelled in case of� the occurrence of filing of a misguided or fraudulent income tax return on the member's or a client's behalf.�

Please familiarize yourself with the notification below and respond to it within 7 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Although it claims to be from "The American Institute of Certified Public Accountants" (aicpa.org), the "from" address claims to be the BBB.

Click on the "complaint.pdf" link and you are redirected to biggestsetter.com/search.php?page=73a07bcb51f4be71  which attempts to download the Blackhole Exploit Kit. biggestsetter.com  is hosted on 199.30.89.187 (Zerigo / Central Host Inc). This netblock has been used several times in the past few days so my advice is to block access to 199.30.89.0/24.

Some more examples:

Date:      Fri, 16 Feb 2012 14:40:46 +0100
From:      "Susie Smallwood"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Dear AICPA member,

We have been notified of your recent assistance in income tax refund fraud on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the occurrence of submitting of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:25:24 +0100
From:      "Alvaro Best"
Subject:      Tax return fraud notification.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud allegations

Dear accountant officer,

We have been notified of your possible participation in income tax return fraudulent activity for one of your clients. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be cancelled in case of the act of submitting of a misguided or fraudulent income tax return for your client or employer.

Please find the complaint below below and respond to it within 14 days. The failure to provide the clarifications within this period will result in withdrawal of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:21:48 +0100
To:      
Subject:      Fraudulent tax return assistance accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your possible assistance in tax return fraudulent activity on behalf of one of your employers. According to AICPA Bylaw Section 500 your Certified Public Accountant license can be withdrawn in case of the fact of submitting of a incorrect or fraudulent tax return for your client or employer.

Please find the complaint below below and respond to it within 21 days. The failure to respond within this period will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Thursday 16 February 2012

NACHA Spam / billydimple.com and biggestblazer.com

Here we go again, another NACHA spam leading to a malicious payload..

From:  The Electronic Payments Association risk_manager@nacha.org
Date: 15 February 2012 13:52
Subject: Rejected ACH payment

The ACH transaction (ID: 44103676925895), recently initiated from your bank account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     44103676925895
Rejection Reason     See details in the report below
Transaction Report     report_44103676925895.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association
The malware is on biggestblazer.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 199.30.89.180 (Central Host Inc / Zerigo.. yet again). It attempts to download additional components from billydimple.com/forum/index.php?showtopic=656974  on 69.164.205.122 (Linode.. again).

I've now seen several malicious sites in the 199.30.89.0/24 range, it might be worth considering blocking the whole lot.

Monday 13 February 2012

NACHA Spam / cooldcloud.com and twistcosm.com

Yet more NACHA spam leading to a malicious payload, this time on cooldcloud.com.

Date:      Mon, 12 Feb 2012 08:16:16 -1100
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 1366285882700), recently initiated from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transaction
Transaction ID:     1366285882700
Rejection Reason     See details in the report below
Transaction Report     report_1366285882700.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Mon, 12 Feb 2012 19:06:12 +0000
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 9485030409966), recently sent from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     9485030409966
Rejection Reason     See details in the report below
Transaction Report     report_9485030409966.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is at cooldcloud.com/search.php?page=73a07bcb51f4be71 hosted on 74.91.117.227 (Nuclear Fallout Enterprises... again). Blocking the IP is best as that will protect against other malware, although you may want to block more widely given the problems with this host.

The malware tries to download additional content from twistcosm.com/forum/index.php?showtopic=656974 on 199.30.89.139 (Central Host / Zerigo Inc), another problem hosting company.

You can find a Wepawet report here.

NACHA Spam / beaverday.biz

More fake NACHA spam, this time with a malicious payload on the domain beaverday.biz.

From:  The Electronic Payments Association office@officecar.ro
Reply-To:  The Electronic Payments Association
To:  itd@sos.com.ph
Date:  13 February 2012 10:06
Subject:  ACH transfer error

Dear Chief Accounting Officer,

We are sorry to inform you, that Direct Deposit payment (ID801400587332) has not been credited to the receiver account, because of partially missing banking details.

Direct Deposit procedure incomplete
Transaction ID :     801400587332
Details:     Please use the transfer correction request below provide the correct banking information.
Transfer Status     report-801400587332.doc (Micro soft Word Document)

Home About Us Site Map Contact Us NACHA Inquiries NACHA Privacy Policy NACHA Code of Conduct Disclaimer
Membership Education ACH Network ACH Rules Risk & Compliance News & Resources NACHA eStore

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2012 NACHA - The Electronic Payments Association

The payload is a Blackhole exploit kit at beaverday.biz/search.php?page=977334ca118fcb8c (Wepawet report here) which is hosted on 199.30.89.139 (Central Host Inc / Zerigo.net), just a few IPs away from 199.30.89.135 as used in this spam run a few days ago. I have also seen malicious activity on 199.30.91.44 in the same /21.. perhaps Zerigo / Central Host have a problem? Block IPs as you feel is appropriate..

Wednesday 8 February 2012

NACHA Spam / bluemator.com, synergyledlighting.net and hakkage.com

There has been a ton of NACHA-themed spam today, here are some examples:

Date:      Wed, 7 Feb 2012 18:17:43 +0200
From:      alert@nacha.org
Subject:      ACH payment canceled

The ACH transaction (ID: 8321348803546), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transaction
Transaction ID:     8321348803546
Reason of rejection     See details in the report below
Transaction Report     report_8321348803546.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 17:13:42 +0100
From:      payment@nacha.org
Subject:      Rejected ACH transaction

The ACH transaction (ID: 5999727582818), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     5999727582818
Reason for rejection     See details in the report below
Transaction Report     report_5999727582818.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 15:14:00 +0100
From:      transfers@nacha.org
Subject:      Rejected ACH transaction

The ACH transfer (ID: 5896958322102), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transaction
Transaction ID:     5896958322102
Reason for rejection     See details in the report below
Transaction Report     report_5896958322102.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 15:58:54 +0200
From:      payments@nacha.org
Subject:      Your ACH transfer

The ACH transfer (ID: 118757985791), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Canceled transfer
Transaction ID:     118757985791
Reason for rejection     See details in the report below
Transaction Report     report_118757985791.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 13:15:17 +0200
From:      alert@nacha.org
Subject:      ACH payment canceled

The ACH transaction (ID: 926663997526), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transfer
Transaction ID:     926663997526
Reason for rejection     See details in the report below
Transaction Report     report_926663997526.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

 The bad guys are using very heaving obfuscated javascript to try to hide what they are doing, but there is a malicious payload at the following URLs:

bluemator.com/search.php?page=73a07bcb51f4be71  [199.30.89.135 - Zerigo, US]
bluemator.com/content/adp2.php?f=126
hakkage.com/forum/index.php?showtopic=656974 [173.255.210.86 - Linode, US]
synergyledlighting.net/main.php?page=30e3ec8cd29abd6b [173.236.78.113 - Singlehop, US and 173.212.222.36 - HostNOC, US[
synergyledlighting.net/content/adp2.php?f=50

You can see a sample Wepawet report here and here.

Blocking access to the IPs  199.30.89.135, 173.255.210.86, 173.236.78.113 and 173.212.222.36 is probably a good idea..

Monday 6 February 2012

"Your tax information needs verification" / hakkacraft.com and hakkayard.com

Another version of this spam leading to a malicious web page..

Date:      Mon, 5 Feb 2012 13:43:16 +0000
From:      "INTUIT INC." [tools@intuit.com]
Subject:      Your tax information needs verification.

Hello,

With intent to assure that correct data is being maintained on our systems, and to be able to grant you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is specified on your account is not in compliance with the information on file with the IRS.

In order to check and update your account, please click here.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

The link in the email bounces through a couple a hacked legitimate sites and then lands on http://hakkacraft.com/search.php?page=73a07bcb51f4be71 (Wepawet report is here). There is a subsequent download attempted from hakkayard.com/forum/index.php?showtopic=656974

hakkacraft.com is hosted on 173.248.190.192 (Zerigo Inc / wehostwebsites.com, US). hakkayard.com is on 66.228.54.47 (Linode, US). Blocking the IP addresses will block any other malicious sites on the same server.

Thursday 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com

Wednesday 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.