Sponsored by..

Friday 22 February 2013

"Data Processing" spam / dekolink.net

This fake "Data Processing" spam leads to malware on dekolink.net:


Date:      Fri, 22 Feb 2013 08:06:43 -0500
From:      "Data Processing Service" [customersupport@dataprocessingservice.com]
Subject:      ACH file ID '768.579

Files Processing Service

SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:

Item count: 79

Total debits: $28,544.53

Total credits: $28,544.53

For more info click here

The malicious payload is at [donotclick]dekolink.net/detects/when-weird-contrast.php (report here) hosted on the following servers:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

"End of Aug. Stat." spam / forummersedec.ru

This fake invoice email leads to malware on forummersedec.ru:

Date:      Fri, 22 Feb 2013 11:33:38 +0530
From:      AlissonNistler@[victimdomain]
Subject:      Re: FW: End of Aug. Stat.
Attachments:     Invoices-1207-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)

Regards


The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec.ru:8080/forum/links/column.php (report here) hosted on

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)

The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
familanar.ru
faneroomk.ru
filialkas.ru
finalions.ru
forummersedec.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

Thursday 21 February 2013

"Scan from a Xerox WorkCentre Pro" spam / familanar.ru

This familiar printer spam leads to malware on the familanar.ru domain:

Date:      Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Re:  Scan from a Xerox WorkCentre Pro #800304

A Document was sent to you using a XEROX WorkJet PRO 760820.

SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]familanar.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

Which are the same IPs found in this attack and several others. Block 'em if you can.

ACH transaction spam / payment receipt - 884993762994.zip

This fake ACH transaction spam comes with a malicous attachment:

Date:      Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From:      Payment notification system [homebodiesga38@gmail.com]
Subject:      Automatic transfer notification

ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.

*** This is an automatically generated email, please do not reply *** 
Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46. Automated analysis tools are inconclusive.

Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it..

"Efax Corporate" spam / fuigadosi.ru

This fake eFax spam leads to malware on fuigadosi.ru:

Date:      Thu, 21 Feb 2013 -05:24:35 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Efax Corporate
Attachments:     EFAX_Corporate.htm



Fax Message [Caller-ID: 705646877]

You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.

* The reference number for this fax is [eFAX-806896385].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]fuigadosi.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

The following domains and IPs are malicious and should be blocked:
84.23.66.74
122.160.168.219
210.71.250.131
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
faneroomk.ru
finalions.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

ADP Spam / faneroomk.ru

This fake ADP spam tries (and fails) to lead to malware on faneroomk.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification

ADP Immediate Notification
Reference #: 001737199

Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:
•    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
•    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 890911798


HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is meant to be [donotclick]faneroomk.ru:8080/forum/links/column.php but right at the moment it is not resolving.

We can perhaps do a little digging around to see what's going on here. The WHOIS details show the notorious Russian "Private Person".

whois -h whois.ripn.net faneroomk.ru ...
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        FANEROOMK.RU
nserver:       ns1.faneroomk.ru. 41.168.5.140
nserver:       ns2.faneroomk.ru. 110.164.58.250
nserver:       ns3.faneroomk.ru. 210.71.250.131
nserver:       ns4.faneroomk.ru. 203.171.234.53
nserver:       ns5.faneroomk.ru. 184.106.195.200
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2013.02.17
paid-till:     2014.02.17
free-date:     2014.03.20
source:        TCI

Last updated on 2013.02.21 17:16:40 MSK

Anyway. it's probably a good idea to block the domain and those NS IPs. The following IPs and domains are all related:


41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53
faneroomk.ru
fzukungda.ru
famagatra.ru
emmmhhh.ru
errriiiijjjj.ru
faneroomk.ru
ejjiipprr.ru
finalions.ru
fulinaohps.ru
eiiiioovvv.ru


Wednesday 20 February 2013

Verizon Wireless spam / participamoz.com

This fake Verizon Wireless spam leads to malware on participamoz.com:


Date:      Wed, 20 Feb 2013 23:24:49 +0400
From:      "AccountNotify@verizonwireless.com" [cupcakenc0@irs.gov]
Subject:      Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

> Review and Pay Your Bill

Thank you for choosing Verizon Wireless.

My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...

2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]participamoz.com/detects/holds_edge.php (report here) hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)

The following IPs and domains are connected should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile.com
aftandilosmacerati.com
pardontemabelos.com
participamoz.com

   

SendSecure Support spam / secure_message_02202013_01590106757637303.zip

This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:

Date:      Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From:      SendSecure Support [SendSecure.Support@bankofamerica.com]
Subject:      You have received a secure message from Bank Of America

You have received a secure message.

Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.bankofamerica.com/websafe/help?topic=Envelope
The zip file secure_message_02202013_01590106757637303.zip unzips into secure_message_02202013_01590106757637303.exe with a VirusTotal detection rate of 6/46. According to ThreatExpert, the malware installs a keylogger and also tries to phone home to:

blog.ritual.ca
dontgetcaught.ca

These sites are hosted on 74.208.148.35 which I posted about yesterday. Blocking access to this IP might mitigate against this particular threat somewhat.



"Wire transfer" spam / fulinaohps.ru

This fake wire transfer spam leads to malware on fulinaohps.ru:

Date:      Wed, 20 Feb 2013 04:28:14 +0600
From:      accounting@[victimdomain]
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is at [donotclick]fulinaohps.ru:8080/forum/links/column.php (report here) hosted om the following IPs:

84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)

These are the same IPs as used in this attack, you should block them if you can.

famagatra.ru injection attack in progress

There seems to be an injection attack in progress, leading visitors to hacked website to a malicious page on the server famagatra.ru.

The payload is at [donotclick]famagatra.ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here) which is basically a nasty dose of Blackhole.


84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Inernet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)

The following domains are IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131
efjjdopkam.ru
eiiiioovvv.ru
eipuonam.ru
ejiposhhgio.ru
ejjiipprr.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
emmmhhh.ru
enakinukia.ru
epilarikko.ru
epionkalom.ru
errriiiijjjj.ru
esigbsoahd.ru
estipaindo.ru
ewinhdutik.ru
exiansik.ru
exibonapa.ru
famagatra.ru
finalions.ru

Something evil on 62.212.130.115

Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.

Firstly, there are the evil subomains that have a format like 104648746540365e.familyholidayaccommodation.co.za - these are mostly hijacked .co.za and .cl domains.

The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in  red   have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP).

190.196.23.231 (clean)
sanjoselosandes.cl
liceomixto.cl
servicioseximia.cl
siitec.cl
sictral.cl
specialdetail.cl
sycabogados.cl

199.34.228.100 (clean)
delfinos.co.za

208.70.149.57 (clean)
cafehavana.co.za
destinationsunlimited.co.za
firearmlicence.co.za
dolceluce.co.za

firearmsafe.co.za
firearmlicense.co.za
familysuite.co.za
bolandparkhotel.co.za
gamesmodels.com
onthebeachjbay.com
disc-deals.com

The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report) and can be assumed to be malicious, and are hosted on 62.212.130.115:

google-statistic.in
libola.com
minizip.org
msdbug.com
msrst.com
nlsdl.org
ntdsapi.com
ntmsdba.com
pifmgr.org
piparse.com
spam-rep-service.in

This third group are almost definitely malicious and are on the same server:

garmonyoy.eu
harmonyoy.eu
kinyng.ru
ntimage.net
ntmsapi.net
ntmsmgr.net
pastaoyto.eu
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru

The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on)  62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too,

54fd8c9fa1abf2b5.firearmsafe.co.za
32464a746740345e.familysuite.co.za
fece86cc9b68c8761151711302121857a5da12fce1b0b.sanjoselosandes.cl
ba7562877f032c1d0160451302111347717339942fd25832980fc947bbaab6e.liceomixto.cl    104698f48570d66e01910213021108078ff41b00051a92fb8f.liceomixto.cl
897581b79c33cf2d016045130210212851378959885060ea5995f416222722b.liceomixto.cl
cd028570a864fb7a01402413021722022144552c318ce7cab9e09a0d2a6a8b5.cafehavana.co.za
23753bc716e345fd114110130218141121065128682695243c3a6e68eaa454c.destinationsunlimited.co.za
23753bc716e345fd119181130218123421084144fafd9a8a2ecee7c9e8a813d.destinationsunlimited.co.za
23753bc716e345fd.destinationsunlimited.co.za
fefd56cf7bfb28e501402413021916372140748bad59371eb615c227bcf6494.firearmlicence.co.za
fefd56cf7bfb28e50191851302191616816357255aa3a775d33e0e87031dabd.firearmlicence.co.za
efce974cba68e97601902413021819141134725bc512d95c3a3367364f60e7f.dolceluce.co.za
54fd8c9fa1abf2b50152021302192150218227543eacf3e65962cfa456e6742.firearmsafe.co.za
54fd8c9fa1abf2b50190551302192029115216056c76db44aa04bf200b3dd64.firearmsafe.co.za
54fd8c9fa1abf2b501511113021919479278009323500c592bf3b0a3e0e48b8.firearmsafe.co.za
54fd8c9fa1abf2b5115023130219202841813244c0634fe85c4f0d28b6001ac.firearmsafe.co.za
54fd8c9fa1abf2b511511113021920019153428450b973995f121f87d07597d.firearmsafe.co.za
54fd8c9fa1abf2b5019003130219205011588175e845eee9fba56981ef9762f.firearmsafe.co.za
54fd8c9fa1abf2b5019184130219200951610365d41a651918d996c2262265f.firearmsafe.co.za
1002a8108524d63a01411013021917377210805bc813254f0b52ddadc7a4fb6.firearmlicense.co.za
1002a8108524d63a0190861302191834518734754e1569db098dc04657268c7.firearmlicense.co.za
1002a8108524d63a015135130219171541448694b4a5ad611740bce908b41e9.firearmlicense.co.za
1002a8108524d63a01608613021918067148673452fc4f3b25e4a92991e388c.firearmlicense.co.za
32464a746740345e0140861302191352721746257b791a8cb29212692450169.familysuite.co.za
ab02b3809e94cd8a0141851302171831719273654b106add758c4d1ea448054.bolandparkhotel.co.za
fe3116d33bd768c9014185130217152321157054e238a5d15e6899e06b4a256.bolandparkhotel.co.za
ab02b3809e94cd8a014014130217181671594515d6908be7ac815a5c8aec9bd.bolandparkhotel.co.za
104648746540365e.familyholidayaccommodation.co.za
2375dba7f6b3a5ad01900313021810166108414bc5043b30fcbf6df10ac0d36.delfinos.co.za
2375dba7f6b3a5ad.delfinos.co.za
2375dba7f6b3a5ad1141101302181050617308286822211b6e41c16bae4a8ad.delfinos.co.za
104618a40570566e0190861302141716512521554e01e13647caa0d7585e0a2.servicioseximia.cl
104618a40570566e01608613021416261099221452fc4f3fddf44bf19ce67a3.servicioseximia.cl
cd46f5c4e810bb0e014029130214200431169736dd938489c7b1b51af4b6f74.servicioseximia.cl
cd46f5c4e810bb0e0142031302142008713472502551149f67b7bdb45a92f07.servicioseximia.cl
104618a40570566e019096130214190761242645133a051309afb24913257bb.servicioseximia.cl
104618a40570566e01900713021417086116022bad56157e487133b8039b0fb.servicioseximia.cl
104618a40570566e.servicioseximia.cl
dc8a5458498c1a92019024130215034191505755a15eef17404dfc7a914c407.siitec.cl
fe7596178bc3d8dd01515913021423367212073189eb0ffdcfd7bc050f5cc84.sictral.cl
fe7596178bc3d8dd01612913021501048032017adf505b4a51493df8d7e7e8b.sictral.cl
01ce199c04785766.specialdetail.cl
01ce199c047857661140151302151103607956789e2ef312e860b4529ed0fdc.specialdetail.cl
76fdbedfa36bf075014025130213175772228515fdfce25de6ebd91bd067892.sanjoselosandes.cl
23fdcb3fd68b859511416113021320291114120d5436e9454395fe51a4f8bd4.sanjoselosandes.cl
32fd2a6f37db64c501613813021307218103025988506029ed2c2b5c8df9915.sanjoselosandes.cl
5431bca3a167f27901604513021414306142650adf4cf112a9c89769565e055.sanjoselosandes.cl
45fdad0fb0abe3b5.sanjoselosandes.cl
54fdec0ff1cba2d5.sanjoselosandes.cl
23fdcb3fd68b859501612913021321298189883d812e2a7244210d47d2832e5.sanjoselosandes.cl
fece86cc9b68c876.sanjoselosandes.cl
dcceb41ca9a8fab6.sanjoselosandes.cl
98fd50bf4d1b1e05019086130212235552028805ddb0cd40d31dd927eda2037.sanjoselosandes.cl
76fdbedfa36bf07501916613021318165124581972ac37159baca15f93b3b48.sanjoselosandes.cl
23fdcb3fd68b859501916113021320155132506020b16ab30472c9a28008598.sanjoselosandes.cl
76fdbedfa36bf07501612913021318103106829d074104b45444a6bd90368bb.sanjoselosandes.cl
76fdbedfa36bf07501902413021317264126483b1287cb246f1c65418b6a03c.sanjoselosandes.cl
cd8a85e8984ccb5211409913021215378176886b2072dbee3d87f6b240713fd.sanjoselosandes.cl
ef46f7f4ea10b90e.sycabogados.cl
45b90ddb20ff73e1.disc-deals.com
89fd717f5c4b0f5511511113021922528294810b80d17e6193d54e6faa102d8.gamesmodels.com
89fd717f5c4b0f55014185130219223852203155b41df139190d76dfce35e2c.gamesmodels.com
89fd717f5c4b0f550151311302192250727293718c48e6c9eab856d51453cbe.gamesmodels.com
0102d920f434a72a.chinese.onthebeachjbay.com





USPS spam / USPS delivery failure report.zip

This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.

Date:      Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From:      USPS client manager Michael Brewer [reports@usps.com]
Subject:      USPS delivery failure report

USPS notification

Our company’s courier couldn’t make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.
The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.

The VirusTotal detections for this are patchy and fairly generic. Automated analysis tools are pretty inconclusive when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start.

Tuesday 19 February 2013

Cyberbunker fake pharma spam / 84.22.104.123

Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:

Date:      Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From:      Apple [noreply@bellona.wg.saar.de]
To:      [redacted]
Subject:      Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5

   
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
   
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.
The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets.ru hosted on 84.22.104.123 along with these following spammy sites:

medicalhealthcaretab.com
washealthcare.com
presenthiring.com
prescriptionfiscal.com
salelindahl.com
pillcarney.com
healthviagraobesity.com
sdewyuvze.net
lxie.ru
ongy.ru
drugstorepillstablets.ru

Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.

Something evil on 74.208.148.35

Spotted by the good folks at GFI Labs here, here and here are several Canadian domains on the same server, 74.208.148.35 (1&1, US):

justcateringfoodservices.com
dontgetcaught.ca
blog.ritual.ca
lumberlandnorth.com

Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns.

UPS Spam / emmmhhh.ru

The spammers sending this stuff out always confuse UPS with USPS, this one is not exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462

You can use UPS .COM to:
 Ship Online
 Schedule a Pickup
 Open a UPS .COM Account


   
Welcome to UPS Team
Hi, [redacted].

DEAR CUSTOMER , We were not able to delivery the post package

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With best regards , UPS Customer Services.    


    ________________________________________
Copyright 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the Your USPS Team brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the Your USPS Customer Services Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.    
There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh.ru:8080/forum/links/column.php hosted on:

50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)

The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208
efjjdopkam.ru
eipuonam.ru
ejiposhhgio.ru
ejjiipprr.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
emmmhhh.ru
enakinukia.ru
epilarikko.ru
epionkalom.ru
esigbsoahd.ru
estipaindo.ru
ewinhdutik.ru
exiansik.ru
exibonapa.ru


Something evil on 67.208.74.71

67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS servces. Some of these sites have recently moved from the server mentioned here.

Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain, the bulk of which are as follows:

assexyas.com
athersite.com
byinter.net
findhere.org
isgre.at
isthebe.st
kwik.to
lookin.at
lowestprices.at
myfw.us
myredirect.us
onmypc.info
onmypc.org
onthenetas.com
ontheweb.nu
passinggas.net
rr.nu

You can find a copy of the domains, IPs, WOT ratings and Google prognosis here [csv].

These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics:

govgrantstodays.assexyas.com
kqenc.assexyas.com
tesyf.assexyas.com
athersite.com
qezwdz.athersite.com
tdbnsc.athersite.com
www1.safeqwcleanerdm.athersite.com
www1.simple-ozfgsecurity.athersite.com
dnwswurowz.byinter.net
kcshhdvqzmte.byinter.net
mhlswzmqpe.byinter.net
oorkaibadtb.byinter.net
wonfhujmel.byinter.net
ztmgyzknjpf.byinter.net
cmvwixzxhl.findhere.org
dhyaugqmbgwm.findhere.org
gkqqujqsd.findhere.org
lvindkiys.findhere.org
lyfxhiyza.findhere.org
pvhetiozstg.findhere.org
tdtxohbjbvzx.findhere.org
thgdtujicjtq.findhere.org
ueuvjqhvao.findhere.org
wcnnrcjgb.findhere.org
free-ddddsex-ddddpasswords.isthebe.st
free-dsex-dpasswords.isthebe.st
index.isthebe.st
radiomangalia.isthebe.st
asfqphphk.kwik.to
gebofuoautl.kwik.to
lqlonqihgkco.kwik.to
mowkespvffn.kwik.to
nbnezaszei.kwik.to
qmgplmfyibh.kwik.to
ydsjveyfjr.kwik.to
rrmoymcqskq.lookin.at
htrxcytvfmhg.lowestprices.at
aadhvxiftw.myfw.us
abtqgybicghr.myfw.us
ameyznosvam.myfw.us
amvgvvyasde.myfw.us
aokeufvoci.myfw.us
azddoalylxsn.myfw.us
azojgzmnj.myfw.us
bkhrwvxblnm.myfw.us
caedvkkimck.myfw.us
cbqlthvefhv.myfw.us
ckvwoajjjg.myfw.us
crmnfeeooft.myfw.us
csllshncxdu.myfw.us
cudthmeyl.myfw.us
cwvmtudybwvr.myfw.us
dfredwpcun.myfw.us
dnbdjddrvwl.myfw.us
dsublegejzg.myfw.us
ebgilaznkcxa.myfw.us
ebhiacfkaddk.myfw.us
eepyofqzl.myfw.us
eivxprpbemv.myfw.us
ejyffxuookfi.myfw.us
eldttmawnvt.myfw.us
elfncrfubk.myfw.us
eprlccywb.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
esuifzeipsz.myfw.us
euhhmufug.myfw.us
ewvwzpiqw.myfw.us
eyefvnzwoyg.myfw.us
ezphudgyyjy.myfw.us
femtpvrvr.myfw.us
feutgqoyxc.myfw.us
fowgvslqqvgf.myfw.us
fugqgxxuiwe.myfw.us
gbptzyqhoc.myfw.us
gmnmwmuhf.myfw.us
gohvjgbrplkm.myfw.us
gvbxwmicjvq.myfw.us
gyuaowfnlrw.myfw.us
hcdazkdqlvci.myfw.us
hcwryplhc.myfw.us
hfkfeuqfvzf.myfw.us
hhifsoine.myfw.us
hhzlhizlbil.myfw.us
hqzgrwmorws.myfw.us
hvdkdcgae.myfw.us
hwmhlbscbs.myfw.us
hxlxxaqntaxb.myfw.us
idjgpnkmaj.myfw.us
isdrjerrd.myfw.us
itzpsmkbyabo.myfw.us
jebrglmzye.myfw.us
jeyqstlybz.myfw.us
jjfzmzfkoky.myfw.us
jjxhjygwcnln.myfw.us
jmmbspisw.myfw.us
jspyaaqfuj.myfw.us
jugfzxlitus.myfw.us
jumzijibbh.myfw.us
jybvhfvfhwu.myfw.us
kbahixlxpe.myfw.us
kqpaxhumj.myfw.us
ktxxlgwgze.myfw.us
kwjgjnmmcu.myfw.us
ljszveihhqb.myfw.us
lswgpbvvkukx.myfw.us
lsxswsgka.myfw.us
lwztritpzuvl.myfw.us
mibgbbbwioml.myfw.us
miptvfzufwal.myfw.us
mldtdbsoko.myfw.us
mqqpwxjlf.myfw.us
mrqmsbqrdkvk.myfw.us
mydvonyeagt.myfw.us
ngcfuanjtm.myfw.us
nsnybecste.myfw.us
nvkdyjhplpo.myfw.us
okctxkxny.myfw.us
ookzctlfazdl.myfw.us
oqlupounl.myfw.us
orownhbgn.myfw.us
oxegwgflld.myfw.us
pbvmirnwk.myfw.us
phibmvaqsap.myfw.us
phvcbflqrsbo.myfw.us
qeavazuugk.myfw.us
qhbkyfehpbzi.myfw.us
qivtnqqxjnp.myfw.us
qlhkccfosm.myfw.us
qyjkiuopo.myfw.us
rexewmyxgl.myfw.us
rjrzcrswqhl.myfw.us
rjytkixbfjxkk.myfw.us
rqjghacecazb.myfw.us
rwdpuifin.myfw.us
rynucqapeinv.myfw.us
sqazmgapz.myfw.us
sqqqrsnozlgj.myfw.us
srutebmduoh.myfw.us
sslqlwitv.myfw.us
tevrntjkrl.myfw.us
tsxwbywjwdm.myfw.us
tuobdghfp.myfw.us
tvodqreyyyh.myfw.us
ujzkfdpdf.myfw.us
ukwwwhkamh.myfw.us
wbynflhapl.myfw.us
weapwihjpu.myfw.us
whxszkeaot.myfw.us
wigfdfuvps.myfw.us
wpddnjknrn.myfw.us
wpvhiedhnzxs.myfw.us
wtgylzokmsyd.myfw.us
xiudvllnl.myfw.us
ybzwfyvadq.myfw.us
yowbgyyykemw.myfw.us
yrhamrfrzk.myfw.us
ywzjvqssv.myfw.us
yxbbvktub.myfw.us
yxkgtyqmz.myfw.us
yznafipqmd.myfw.us
zqruajfsgir.myfw.us
zwzfvpxksyx.myfw.us
zzjsujpstcsx.myfw.us
ryeyymburbyr.myredirect.us
twenbrmndfui.myredirect.us
zfhbsvcererr.myredirect.us
btwosfunny.onthenetas.com
xfinity-dddddddddddddddddddddddddddddddzimbra.onthenetas.com
xfinity-dddddddddddddddddddzimbra.onthenetas.com
forehmailywt.ontheweb.nu
hahasfunnyfb.ontheweb.nu
lhixjcdtgypr.ontheweb.nu
pornogratis.ontheweb.nu
pwvmochqwb.ontheweb.nu
qlphivcmm.ontheweb.nu
uhjqzvcjfmb.ontheweb.nu
ohchr.passas.us
mysignin-ddddddddddddddddddddddddddddddddddddddddddcomcast.passinggas.net
passinggas.net
andsto57cksstar.rr.nu
cha39nce.rr.nu
chelpo94landsa.rr.nu
dahfugwhsmzi.rr.nu
deunce68rtaint.rr.nu
its53new.rr.nu
jarujtltg.rr.nu
lasimp04risoned.rr.nu
nabwpjdola.rr.nu
nytndbssyrtkjuykiryu7.rr.nu
ssbo98omin.rr.nu
tenin58gaccel.rr.nu
tentsf05luxfig.rr.nu
jsngupdwxeoa.uglyas.com

These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious:

skidka-ddddd90.bestdeals.at
ensac.byinter.net
safe-defensehrm.byinter.net
combo-dddddddddddddddddddd04-ddddddddddddddddddddkarla.findhere.org
daphne-d52full.findhere.org
mabjdawzaqw.findhere.org
netnummers.findhere.org
nqonet.findhere.org
odiwmklhah.findhere.org
www2.first-ozsoft.findhere.org
xcnyyj7973.findhere.org
ycqtxsac62.findhere.org
215.isgre.at
power-dddfiarmy.isgre.at
ab-din.kwik.to
ag-in.kwik.to
confirm.content.files.internet.secure.access.go.kwik.to
confirm.content.files.internet.secure.access.goto.kwik.to
ksarefunny.kwik.to
media.secure.sites.acc.portal00.kwik.to
media.secure.sites.acc.portal0002.kwik.to
media.secure.sites.acc.portal001.kwik.to
media.secure.sites.acc.portal003.kwik.to
newess.kwik.to
portal00.kwik.to
www2.safeyg-sentinel.kwik.to
www2.strongsoftyc.kwik.to
ebzryeaba.lookin.at
game.lookin.at
gdz-dddddddatanasyan.lookin.at
ru-drabota.lookin.at
skidka-dvsem.lookin.at
teiinxdpe.lookin.at
wett-dddwendy.lookin.at
what.are-you.lookin.at
wyoqdaeru.lookin.at
iuntrbtyvstbn.lowestprices.at
mof-ddddddddddddddddddddddddddweb.lowestprices.at
mof-ddweb.lowestprices.at
aggwgeskrby.myfw.us
htawhcgamvq.myfw.us
jtzxmudxtno.myfw.us
mexico.activa.myfw.us
michelemontas.myfw.us
pjkcyvzcyz.myfw.us
savejtxv-sentinel.myfw.us
secure4.lac.enroll.mexico.myfw.us
umbbwtcler.myfw.us
www2.simplehircantivir.myfw.us
xglzbowlmuco.myfw.us
9999992099.rr.nu
asin54grepl.rr.nu
mila.kat.sexyphoto.athersite.comkede.rr.nu
ossnyfpkag.rr.nu
ourae.rr.nu
pcnews.rr.nu
personalhvrsecurity.rr.nu
pimping.gangsta-paradise.rr.nu
rrrrrrrrrr.rr.nu
save-antivirchecker.rr.nu
topsentinelet.rr.nu
vpnfx-d001.rr.nu
www1.mystemguard.rr.nu
www1.personal-antivirgwg.rr.nu
www3.netsurfingprotectionwe.rr.nu

These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present:

aotztod.almostmy.com
ueizqnm.changeip.name
jakrcr.changeip.org
fgzsnergle.compress.to
fmmrlp.ddns.name
gyomtcnzc.dhcp.biz
gifqravi.dnsrd.com
ydrehhvgjz.ezua.com
rawvgbygj.gr8name.biz
sspmrwli.jkub.com
slnpqel.lflinkup.org
ywtxkebtx.ns01.info
wjbluj.ns01.us
hurocozr.onedumb.com
rmvpfdg.onmypc.info
qhtqqtxqua.onmypc.org
cejkopsbv.port25.biz
efdghpug.sexxxy.biz
ttenmxqq.vizvaz.com
iselktnfo.xxxy.info

These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect.

uzdknpz.4dq.com
zzxvxyi.mydad.info
blur.rr.nu
org.rr.nu
axyaqb.xxuz.com

Friday 15 February 2013

Wire transfer spam / 202.72.245.146

This fake wire transfer spam leads to malware on 202.72.245.146:

Date:      Fri, 15 Feb 2013 07:24:40 -0500
From:      Tasha Rosenthal via LinkedIn [member@linkedin.com]
Subject:      RE: Wire transfer cancelled

Good day,

Wire Transfer was canceled by the other bank.



Canceled transaction:

FED NR: 94813904RE5666838

Transfer Report: View



The Federal Reserve Wire Network
The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.

Update: there is also a "Scan from a HP ScanJet  #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146:8080/forum/links/column.php

"Cum Avenue" IRS Spam / azsocseclawyer.net

This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer.net:

Date:      Fri, 15 Feb 2013 09:47:25 -0500
From:      Internal Revenue Service [ahabfya196@etax.irs.gov]
Subject:      pecuniary penalty for delay of tax return filling

Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.

Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.

You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.

Please visit official website for more information


Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is at [donotclick]azsocseclawyer.net/detects/necessary_documenting_broadcasts-sensitive.php (report here) hosted on:

77.241.192.47 (VPSNET, Lithunia)
175.121.229.209 (Hanaro Telecom, Korea)

The following domains are currently visible on those IPs are should be regarded as malicious:
albaperu.net
azsocseclawyer.net
derdondetes.com
dressaytam.net
estudienteyo.com
extuderbest.com
madcambodia.net
micropowerboating.net
mochentopen.com
theatreli.net
thedigidares.net


Malware sites to block 15/2/13

A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US) which may be a C&C server. Interested parties might want to poke at the server a bit..

As a bonus, these are the IPs that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more.

actuallywebdav.biz
adoptionarchive.org
adscard.net
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsspark.com
adstimes.net
adstown.net
akon342.info
apolonq3.info
arenthis.org
bigtimetcpip.org
booksdesk.org
bounceeleven.biz
carambala.com
casesswooshpretty.net
classifyipchains.biz
columnheavyhanded.org
competingopts.biz
conaninefficiently.biz
confickerclones.com
cuxystaf.ru
dlnabeta.org
efisamil.ru
enjoycapacious.org
exciifun.ru
extcg.org
eyefulconcern.com
fan.ysb3.net
fesdrtfgfddsadsa.homelinux.com
filesforretail.org
gazzuxiz.ru
greatville.org
huaxydpa.ru
hudsfjfdsueofakl.homelinux.com
ifdependable.org
ifkyxdys.ru
img.handyworksfl.com
img.sppta.org
iqkibbuz.ru
ivqojsaj.ru
kamisca.com
kejfhtee.cu.cc
kemalxun.ru
koldpsaofdkdlsa.homelinux.com
kopsakfdsasew.homelinux.com
languageinads.com
languageinads.net
lebowskiappcentric.org
libertynetsgums.info
limminglory.net
lisybsij.ru
live.28356365.com
lowerqualitydocstac.in
milioneer.com
missiledongle.biz
modesthalfempty.org
moneysfilegon.net
navaten.tk
netingsixform.net
nobuaudiophile.org
offensivesimple.biz
ohvelzym.ru
partyharddns.com
performingspinoffs.org
pipelivemotion.biz
pyncegok.ru
resendfold.biz
safelyplayback.biz
sedikivu.tk
startstracker.info
syllablesshrinkwrap.org
syrjikhe.ru
techntitus.com
touristdefinitions.biz
tracktighter.biz
upicampaign.com
usingthisxploreing.org
velvetnoret.com
vowakabo.tk
wontlogics.biz
wpw.bestgoodshop.info
www.aanoownsw.tld.cc
ybavwego.ru
ykmeffyw.ru
ylgoaxle.ru
yvxaghod.ru
zypvynas.ru

Thursday 14 February 2013

Intuit spam / epionkalom.ru

This fake Intuit spam leads to malware on epionkalom.ru:

Date:      Thu, 14 Feb 2013 09:05:48 -0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.

    Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
    amount to be seceded: 2246 USD
    Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]epionkalom.ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)