Sponsored by..

Thursday, 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated javascript, in turn this points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany) - the Wepawet report is here, there also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173

BBB Spam / freecities.com and 78.129.132.82

A couple of BBB spams, both leading to malware on different domains on the same IP of 78.129.132.82 (Rapidswitch / Iomart Hosting, UK).

Example 1:

Date:      Thu, 18 Jan 2012 10:24:33 +0000
From:      "Better Business Bureau"
Subject:      Urgent information from BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 38423165) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.

Regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Example 2:

Date:      Thu, 18 Jan 2012 11:27:55 +0100
From:      "Better Business Bureau"
Subject:      BBB complaint report
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 52266668) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this issue and let us know of your point of view as soon as possible.

We hope to hear from you very soon.

Sincerely,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

In these two examples, the malicious payload is on wihdshop.net/main.php?page=c61c8ae4358e765e and ionsclinics.net/main.php?page=4875f07aa6fe472a (Wepawet report is here) , reached through a page on a freecities.com web site (apparently part of 0catch.com). You could consider blocking access to the entire freecities.com domain, but you should certainly block 78.129.132.82 if you can.

These other domains are hosted on 78.129.132.82 and are probably malicious:

0riginalcheck.net
ambasadorka.com
centerjobdepart.com
comparmory.org
digitalarmory.net
gitadocs.com
gitafiles.com
ionsclinics.net
lifesdigi.org
marketjob.net
nextddefence.com
originalsyst.org
ourdefence.net
stafffire.net
stub-search.net
systemdwall.com
theyardesale.com
wihdshop.net
yourdefse.com


Update:  angelcities.com is also being used as an intermediate infection step, also part of 0catch.com. It looks like the intermediate sites might be freshly created, there is no indication that 0catch.com sites have been breached.

Wednesday, 18 January 2012

Something evil on 95.211.115.228 and 46.249.37.22.

A set of malicious sites, linked to the Redret gang, hosted on 95.211.115.228 (Leaseweb, Netherlands). Blocking the IP rather than the individual domains will also protect against other malicious sites on the same server.

child-re-ninth-ebusiness.com
childregardingninthebusiness.com
childreninthebusiness.com
childsubjectninthcompany.com
childsubjectninthebiz.com
childsubjectninthebusiness.com
custom-t-shirtsfromhansen.com
extentthahansen.com
freeholidaynew.com
hirtsfromhansen.com
holidaygreat.com
holidaynewsite.com
myholidaynew.com
range-the-hansen.com


Another server in this same network is 46.249.37.22 (Serverius Holding, Netherlands)

1o345.info
1op45.info
2012-my-happy.com
2012myownhappy.com
543oh.info
54mo1.info
54po1.info
akvitea.com
alurbrilance.com
arowipes.com
avangeit.com
bitcast.in
bitcube.in
bitechnica.in
bitfire.in
bitware.in
bitwire.in
businessnfamily.com
companynfamily.com
companynpeople.com
customtshirtsfromhansen.com
domtrixsov.com
drinki.in
familycommercial.com
freeautomag.info
funnytshirtsfromhansen.com
glad-year.com
globaltracking02234.info
great-happy.com
happy-period.com
happy-term.com
happychock.biz
happytwelvemonths.com
ho345.info
iflos.com
ivairiu.com
joyful-year.com
jsijdewhg.com
kalalog-testov.com
latest-happy.com
makdacs00.com
makiajdleavseh.com
merry-year.com
modern-happy.com
muravied222.com
odnonoshnicy.com
plsk3mme.com
q234.info
s00n.in
safe-t-shirtsfromhansen.com
safetshirtsfromhansen.com
serdjuchka.biz
stop-prysham.com
timetracking02234.info
uskoriteliinterneta.biz
xxxtubedirty.com


The third server in the group is 203.170.193.102, which has already been identified here.

doofyonmycolg.ru / coolwebzuzuzu.ru now on 203.170.193.102

The malicious domains doofyonmycolg.ru and coolwebzuzuzu.ru have now shifted IPs since yesterday. The new address is 203.170.193.102 (IDC Cyberworld, Thailand). This server also hosts two "Redret" domains, also as identified yesterday, so these malicious emails are presumably from the same crew.

The following domains appear to be hosted on 203.170.193.102, all of which appear to be malicious in some way:

1god.in
aerostrips.com
arrayhansen.com
available78.de.ms
backozifice.net
betbits.com
boeingmiles.com
ccredret.ru
chronvofu.dlinkddns.com
ckredret.ru
collection-hansen.com
companyandfamily.com
ease.breastedchestedboobiestits.com
familyownedcompany.com
family-ownedcompany.com
filkso.in
freemmsservice.com
freetracking02234.info
greatglad.com
krasivayfigura.com
latestglad.com
libraryhansen.com
lkskjje43d.com
mc-3.in
metropannolike.in
mobiletracking02234.info
myskyinfo.in
oeit.in
olanuc.dlinkddns.com
onlinetelephonika.info
orfasde.dlinkddns.com
p38-adsrv.nl.ai
p66-adservices.nl.ai
pedastera.cu.cc
portfoliohansen.com
rifalogs.com
saldo7.us
schenledi.dlinkddns.com
seifancold.dlinkddns.com
sgsk43tgsdlflfbcbg.uni.me
skyinfo.in
tanildirtystories.com
tshirtsfromhansen.com
usaloaosns.com
zadpol.cu.cc
zareqah.cu.cc
zverovod.in

Scam sites to block on 209.25.137.196

Here's a site of very professional looking scam sites, incuding fake investment firms and escrow companies. Most of these have been registered over the past few weeks with anonymous details.

atlasconsultancyltd.com
bfsauthority.org
bltradinggrp.com
chicagobgllc.com
crawfordcapitalpartners.com
fidelitycorporategroup.com
grenfellassociates.com
johnsonsterlingconsultancy.com
knowltonadvisors.com
mediatransfersltd.com
millerconsultancyservices.com
morganpremiergrp.com
notanordinarysite.com
peregrineintlgroup.com
scmrcom.org
sftcommission.org
tatecarverconsultancy.com
toddwhitefinancial.com
warrenfisherassociates.com
wellsconsultancy.com
winchesterconsultancygrp.com


also hosted on the same server:
mentemptation.com
webhostingbreaker.com

Some of the trading names used by these scammers (some may be similar to legitimate companies):
  • Atlas Consultancy
  • Brussels Financial Supervisory Authority
  • BL Trading Group
  • Chicago Business Group LLC
  • Crawford Capital Partners
  • Fidelity Corporate Group
  • Grenfell and Blackrock Associates
  • Johnson Sterling Consultancy
  • Knowlton Group
  • Media Transfers Limited
  • Miller Counsulting Group
  • Morgan Premier Group
  • Peregrine International Group
  • Swiss Commodity Market Regulatory Commission
  • Swiss Financial Trading Commission
  • Tate and Carver Consultancy Group
  • Todd and White Financial Marketing Services
  • Warren Fisher and Associates
  • Wells Capital Management
  • Winchester Consultancy Group
Do not be fooled by how good the sites look.. they are very, very convincing. Here is are some examples:



The sites are all hosted on 209.25.137.196 which looks like a rented server from LiquidNet, Florida. Also hosted on the same server is webhostingbreaker.com (possibly based in the Philippines) which might be the black hat reseller involved.

Part of this network was fingered a few weeks ago here, and it still appears to be active. Avoid at all costs.

How to access Wikipedia during the blackout

Wikipedia is blacked out because of a protest about SOPA. But what happens if you really, really need Wikipedia?

The good news is that you can still access it on your smartphone, or by accessing the mobile site directly. You can also temporarily by disabling Javascript in your browser when visiting the site (specifically blocking scripts from bits.wikimedia.org). Using Firefox + NoScript is an easy way to do this.

The Wikimedia foundation have a technical description of how the blackout is implemented here.

Added: the stylesheet itself appears to be at http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=site&only=styles&skin=vector&*  so blocking that temporarily might help.

If you are managing a large number of users who need access, you can block access to bits.wikimedia.org/en.wikipedia.org/ which will allow access to content but screws up the layout.

Tuesday, 17 January 2012

Scan from a Xerox W. Pro spam / coolwebzuzuzu.ru

Another malicious spam, this time leading to an exploit page on coolwebzuzuzu.ru/main.php.

Date:      Tue, 16 Jan 2012 02:50:00 +0000
From:      officejet@victimdomain.com
Subject:      Fwd: Fwd: Scan from a Xerox W. Pro #9522304

A Document was sent to you using a XEROX OFFICE N220337423.

SENT BY: LAURA
IMAGES : 6
FORMAT (.JPG) DOWNLOAD

DEVICE: PD55695SK7AO559107L

coolwebzuzuzu.ru is hosted on 66.225.237.222, HostForWeb in Chicago. There is another malware site on an adjacent IP. You might want to block both IPs or even the whole /24 to be on the safe side.

UPS Spam / doofyonmycolg.ru

This UPS (or is it USPS?) spam is attempting to direct visitors to a malicious web page at doofyonmycolg.ru/main.php. This looks like a variant of the Redret campaign we have seen recently.

Date:      Tue, 16 Jan 2012 02:16:45 -0300
From:      "UPS TEAM 121" [support.350@ups.com]
Subject:      UPS Tracking Number H4825887305

Your USPS .US for big savings!     Can't see images? CLICK HERE.   
UPS UPS TEAM 477   
UPS - UPS MANAGER 559 >>
  
Not Ready to Open an Account?   
      
    The UPS Store® can help with full service packing and shipping.  
    Learn More >>  
  
UPS - Your UPS Customer Services

DEAR, victim@victimdomain.com.

DEAR CLIENT , Delivery Confirmation: Failed

Track your Shipment now!

With best regards , Your UPS Services.
  
                      
Shipping         Tracking         Calculate Time & Cost         Open an Account
                      
@ 2011 United Parcel Service of America, Inc. USPS CUSTOMER SERVICES, the UPS brandmark, and the color brown are

trademarks of United Parcel Service of America, Inc. All rights reserved.


This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to

Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

Your USPS .US, 1 Glenlake Parkway, NE - Atlanta, GA 30331

Attn: Customer Communications Department 

doofyonmycolg.ru is hosted on 66.225.237.223. There is another malicious site on 66.225.237.222, there may be others. This IP is allocated to HostForWeb Inc, Chicago. Blocking the IP rather than the domain may help protect against other malicious sites on the same server.

Redret domains to block 17/1/12

The Redret domains have shifted around a little since last week, indicating perhaps more malicious activity to come.

Of note, cvredret.ru and cxredret.ru are both multihomed on several IP addresses (both domains are on the same set of addresses). Those domains can be found on 91.208.181.205, 93.189.88.198, 213.193.231.210, 78.47.135.105, 78.129.233.8, 85.214.204.32, and 87.106.201.119.

Changes since last time are highlighted.

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru
clredret.ru

78.47.135.105 (Hetzner Online, Germany)
cvredret.ru
cxredret.ru

78.129.233.8 (Rapidswitch, UK)
cvredret.ru
cxredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

85.214.204.32 (Strato AG, Germany)
cvredret.ru
cxredret.ru

87.106.201.119 (1&1, Spain)
cvredret.ru
cxredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
aredirect.ru
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.208.181.205 (Oxalide, France)
cvredret.ru
cxredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
aaredret.ru
abredret.ru
acredret.ru
adredret.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

93.189.88.198 (Silicontower, Spain)
cvredret.ru
cxredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

203.170.193.102 (IDC Cyberworld, Thailand)
cbredret.ru
ccredret.ru

213.193.213.210 (Trueserver, Netherlands)
cvredret.ru
cxredret.ru

No IP at present
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cwredret.ru
cyredret.ru

Friday, 13 January 2012

"Your order for helicopter for the weekend" / ccredret.ru

Another Redret spam leading to a malicious payload..


Date:      Fri, 12 Jan 2012 04:53:25 +0100
From:      "Keila Farley" [HannaMarcelino@ameritrade.com]
Subject:      Your order for helicopter for the weekend

Your order for our air carriage services has been received and processed. The chopper will be at your disposal from 3.30 a.m. sunday to 16.00 wednesday. Once again, the rates are as follows:
1 hour in the air: 794$
Takeoff / Landing: 163$
1 hour idle time on the ground: 166$
Longest flight is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost accordingly grows by 114$ per hour.


Invoice.doc 581kb
With Best Regards
Keila Farley
The malicious payload is delivered via a legitimate hacked site which redirects to ccredret.ru/main.php, hosted on 67.215.3.153 (GloboTech, California). That same IP was seen recently with another Redret domain, and you should block access to it if you can.

fff

Thursday, 12 January 2012

"John Dillinger" / "Apple Store - Important information about your Apple ID"

This email was actually sent by Apple, apparently to a famous bank robber, John Dillinger.

Date: Thu, 12 Jan 2012 01:37:23 +0000 (GMT)
From: Apple [appleid@id.apple.com]
Subject: Apple Store - Important information about your Apple ID

    Apple Online Store   
Order Status     Account     Help    
   
   
Dear John Dillinger
Welcome to the Apple Online Store. We wanted to share some information with you about your Apple ID, which allows you to personalize your Apple Online Store experience and helps you access other Apple resources.
Your Apple ID is your current email address.  You can use the password you created when you set up your account online. If you forget or need to reset your password, go to My Apple ID.
By using your Apple ID on the Apple Online Store, you have access to your account information online.  You can save carts until you're ready to place an order, check the status of or change your order, track your shipments, view your order history, maintain your account information, check Apple Gift Card balances, and much more.
Additionally, your Apple ID gives you access to other Apple resources, including:
• Buying music, movies, TV shows, and more at the iTunes Store
• Buying or downloading applications for your iPod touch or iPhone using the App Store
• Ordering photos and photobooks through iPhoto
• Registering your Apple products
• Accessing support for your products from AppleCare
• Getting One to One personal training and other services at an Apple Retail Store
Sign in to Your Account, to take advantages of the benefits of your Apple ID on the Apple Online Store. To learn more about your Apple ID, visit the Your Account section of online Help.
We also want you to know that the security of your personal information is important to us.  For more information on how Apple protects your personal information, please refer to the Apple Customer Privacy Policy.
Thank you for choosing Apple,
The Apple Store Team
http://store.apple.com
1-800-MY-APPLE


Indeed, an Apple account has been created for this email address. But not by me. Upon inspection, the Apple account has no information in it apart from the "John Dillinger" name, and it's a simple matter to reset the password to thwart whatever it going on here.

The email is quite genuine, coming from an Apple IP (17.254.6.195) and with all the links pointing to Apple and not another site. And it seems that I am not alone in receiving this email.

If you have had the same email, please consider letting me know in the comments!

Tuesday, 10 January 2012

"Our chances to win an action are higher than ever" spam / clredret.ru

A weird spam, leading to a malicious download at clredret.ru/main.php via a random hacked site.
Date:      Tue, 9 Jan 2012 08:39:05 +0300
From:      victimname@gmail.com
Subject:      Re: Our chances to win an action are higher than ever.

We discussed it with the administration representatives, and if we confess our non-essential faults to improve their statistics, the key cause will be closed due to the lack of the government interest to the action We have prepared your declaratory text for the court. Please read it carefully and if anything in it dissatisfies you, inform us.

Speech.doc 489kb


With Respect To You
Jeramiah Cohen

As mentioned earlier, clredret.ru is on 46.249.37.22 (Serverius Holdings, Netherlands) and that IP is well worth blocking.

Redret domains to block 10/1/12

After a quite couple of weeks, the Redret spam has started again using the domains and IPs listed below. Some are familiar, some are new. In some cases blocking whole IP ranges is the best idea.

46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
aredirect.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

No IP at present
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
cbredret.ru
ccredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

Airline ticket spam / ckredret.ru

Despite a whole pile of Redret malware spam at the end of the year, the past couple of weeks have been very quiet. However, a new campaign has started up directing visitors via a hacked legitimate site to ckredret.ru/main.php which is hosted on 203.170.193.102 (IDC Cyberworld, Thailand).

Date:      Tue, 9 Jan 2012 08:33:24 +0700
From:      sales1@victimdomain.com
Subject:      Re: Your Flight N US966-282315527

Dear Customer,



FLIGHT NUMBER 5821-5704164

DATE/TIME : JANUARY 23, 2011, 16:12 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 552.06 USD



Download your ticket here:

VIEW



KAYCEE Ramirez,

American Airlines

Right at the moment the site is failing to resolve, but that could simply be a loading issue. Blocking the 203.170.193.102 IP address would be a good idea as it will stop any other malicious sites on the same server.

Friday, 6 January 2012

"Elavon 2012 Update" phish

Elavon deals with payment processing. This email is not from Evalon.

From: "Elavon, Inc." [sobolan@myvirtualmerchan-02.com]
Date:Fri, 06 Jan 2012 16:09:48 +0100
Subject: Urgent-Notification

--Elavon 2012 Update--
Dear Customer,

We regret to inform you that your retail merchant account is locked.
To re-activate it please download the file attached to this e-mail and update your login information.

2012 Elavon Inc,
-Please note only RETAIL account are locked-
-Example : Market Segmet : Retail-

Attached is a file called myvirtualmerchant_login.html which is the phish itself, displaying the following screen.

The form itself sends the details to mail.xinsanjing.com on 220.189.213.181. (HangZhou XinSanJing Food Co. Ltd. China) which is possibly a hacked server. In this case the email originated from 209.91.252.206 in Puerto Rico.

If you use Elavon's services, watch out for this phish.

Thursday, 29 December 2011

"Your Changelog UPDATED" / cjredret.ru

Another spam, another "redret" domain. This time the spam is a "changelog" one, the malicious payload is on cjredret.ru/main.php.

Date:      Thu, 29 Dec 2011 07:59:51 +0200
From:      accounting@victimdomain.com
Subject:      Re: Fwd: Your Changelog UPDATED

Hello,

as promised chnglog updated -: View Changelog

Carey CATHERINE

The site is hosted on 91.222.137.170 (Delta-X, Ukraine), the same IP address as yesterday. If you don't have any reason to send traffic to the Ukraine, blocking access to 91.222.136.0/22 might be prudent.

Wednesday, 28 December 2011

"HP Officejet" spam / chredret.ru

More spam pointing to a malicious web page at chredret.ru/main.php (after redirecting through a legitimate but hacked site), but this time using the old "HP Officejet" approach.


Date:      Wed, 28 Dec 2011 05:32:16 +0700
From:      VG2EBrady@gmail.com
Subject:      Re: Fwd: Re: Scan from a HP Officejet #8056528

A document was scanned and sent to you using a Hewlett-Packard JET SK868691M



Sent to you by: SHEA
Pages : 3
Filetype: Image (.jpeg) View

Location: GDOSO.1.3TH
Device: OP685S9OD6236672

The domain chredret.ru  was used in this spam run yesterday, but now the server has moved from 46.249.37.22 to 91.222.137.170 (Delta-X, Ukraine). I don't know Delta-X at all, but the SiteVet and Google reports are not good, so you might want to consider blocking the entire range 91.222.136.0/22.

Tuesday, 27 December 2011

Contract spam / chredret.ru

Another fake "contract" spam leading to malware, hosted on chredret.ru .

Date:      Tue, 27 Dec 2011 06:06:18 +0700
From:      "Destinee Mills"
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb


With best wishes
Destinee Mills
Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 46.249.37.0/24 might be prudent.

Thursday, 22 December 2011

NACHA Spam / cgredret.ru

More NACHA spam, this time pointing to cgredret.ru (which we've seen before) which delivers a malicious payload.

Date:      Thu, 22 Dec 2011 03:37:35 +0530
From:      "NACHA"
Subject:      ACH Transfer rejected

ACH transaction, initiated from your checking account, was canceled.



Canceled transaction:



Transfer ID: B2793447923US

Transfer Report: View



GALINA Gunter

NACHA - The Electronic Payment Association

cgredret.ru has moved since yesterday and is now on 79.137.237.68. Unsurprisingly, it is now on Digital Network JSC in Russia (aka DINETHOSTING). Block access to 79.137.224.0/20 if you can.

Wednesday, 21 December 2011

"Hello! Look, I've received an unfamiliar bill.." / cgredret.ru

The spam tsunami continues, this one is a reworking of one seen last month, but with a new payload site.

Date:      Wed, 21 Dec 2011 06:43:07 +0700
From:      "MERLYN Spicer" [sales1@victimdomain.com]
To:     
Subject:      Need your help!

Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Looking forward to your answer



Fingerprint: 2ccc03a5-e19549f7

The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn't have an IP address then). The IP is now 206.72.207.156 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.

*redirect.ru sites to block

These are another part of the "redret" series of malware sites being promoted by spam, and are worth blocking proactively.

109.70.26.36 (Parked)
iredirect.ru

89.208.34.116 (Digital Network JSC aka DINETHOSTING Russia, block 89.208.32.0/19)
aredirect.ru

91.220.35.38 (Zamanhost Ukraine, block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

No IP allocated
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

BBB Spam / curvechirp.com

Yet more BBB spam, this time with a different malicious domain - curvechirp.com, hosted on 184.171.248.47 at TMZHosting LLC, Florida. This range is suballocated from Hostdime and has been seen a few days ago with another attack, so blocking all access to 184.171.248.32/27 is probably prudent.

Payload page is at curvechirp.com/main.php?page=111d937ec38dd17e, at the moment the page is not responding (possibly due to being overloaded as it looks like a cheap VPS).

Here are some samples:


Date:      Wed, 21 Dec 2011 13:37:00 +0100
From:      "Better Business Bureau" [manager@bbb.org]
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau informs you that we have been filed a complaint (ID 54838460) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to view the details on this question and suggest us about your opinion as soon as possible.

We are looking forward to your prompt reply.

Regards,

Gerard Johnson

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

========

Date:      Wed, 21 Dec 2011 14:41:50 +0200
From:      "Better Business Bureau" [info@bbb.org]
Subject:      Urgent notice from BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 67732970) from a customer of yours with respect to their dealership with you.

Please open the COMPLAINT REPORT below to view the details on this case and inform us about your point of view as soon as possible.

We hope to hear from you shortly.

Sincerely,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

BBB Spam / curcandle.net

Yet more BBB themed malware spam this morning, bouncing through a couple of hacked servers to a malicious payload on curcandle.net (174.136.1.223, Colo4Dallas). Blocking access to the IP will also block any other evil domains on the same server.

The payload is on curcandle.net/main.php?page=111d937ec38dd17e although right at the moment it is 404ing. However, the spam run is just 30 minutes old so perhaps it is still under construction.

Some samples:


Date:      Wed, 21 Dec 2011 09:55:02 +0100
From:      "Better Business Bureau" [manager@bbb.org]
Subject:      BBB information regarding your customer’s complaint
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 54715375) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your opinion as soon as possible.

We are looking forward to your prompt reply.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

============

Date:      Wed, 21 Dec 2011 09:54:50 +0100
From:      "BBB" [alerts@bbb.org]
Subject:      Your customer complained to BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 44513446) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your opinion as soon as possible.

We are looking forward to hearing from you.

Regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

============

Date:      Wed, 21 Dec 2011 08:54:38 +0000
From:      "BBB" [service@bbb.org]
Subject:      Better Business Bureau complaint
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 10822005) from one of your customers related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your position as soon as possible.

We are looking forward to your prompt reply.

Kind regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

============

Date:      Wed, 21 Dec 2011 09:33:03 +0000
From:      "BBB" [manager@bbb.org]
Subject:      BBB complaint report
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 10942308) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this question and let us know of your position as soon as possible.

We hope to hear from you very soon.

Faithfully,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

a*redret.ru domains to block

More malware domains to block, being promoted through malicious spam emails:

89.208.34.116  (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru

91.220.35.38 (Zamanhost, Ukraine. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru

No IP allocated
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru

b*redret.ru domains to block (updated)

Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.

89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru

91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru

94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru

No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru

Tuesday, 20 December 2011

c*redret.ru sites to block (updated)

These "Redret" domains serve up malware and are promoted by spam, some of them have moved around since last week so consider this an updated list.

46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru

79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru

79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru

91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]


206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru

Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru

BBB Spam / financestuff.serveblog.net

Here's another BBB Spam leading to malware..

Date:      Tue, 20 Dec 2011 11:45:50 +0100
From:      "BBB" [support@bbb.org]
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 24673594) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this issue and let us know of your point of view as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Katherine Schulte

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Malware payload in on financestuff.serveblog.net/main.php?page=69dbd5a1e3ed6ae9 on 207.210.65.12 (Global Net Access LLC). Block the IP address if you can.

"Scan from a Xerox WorkCentre Pro" / cfredret.ru

This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.

Date:      Tue, 20 Dec 2011 05:42:20 +0300
From:      victimname@gmail.com
Subject:      Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272

A Document was sent to you using a Xerox WKC1296130.



Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download

Device: UM85256LL6P68270479



bfe116b5-7dcccccc

cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.

BBB Spam / blumtam.com

More BBB spam, this time attempting to deliver users to a malicious payload on blumtam.com. A couple of samples:

Date:      Tue, 20 Dec 2011 00:34:38 -0800
From:      "BBB" [alerts@bbb.org]
Subject:      Re: your customer�s complaint ID 82235322
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been sent a complaint (ID 82235322) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this case and let us know of your position as soon as possible.

We hope to hear from you shortly.

Kind regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
and
Date:      Tue, 20 Dec 2011 11:09:23 +0200
From:      "BBB" [alerts@bbb.org]
Subject:      BBB case ID 59988329
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have been filed a complaint (ID 59988329) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this matter and let us know of your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.

Monday, 19 December 2011

DHL malware spam / secure.dhldispatches.com

This DHL themed spam leads to malware:

From: DHL Express
Sent: 19 December 2011 10:03
Subject: DHL Express Dispatch Confirmation

Order number: 9672834463

Your order has now been dispatched and your DHL Express air waybill number is 9672834463.

To follow the progress of your shipment and print invoice for your records, please go to :
http://secure.dhldispatches.com/tracking/

IMPORTANT INFORMATION:
 
DHL Express will deliver your order between 9am-5pm GMT, Monday to Friday. If you are unavailable, DHL Express will leave a card so you can contact them to reschedule.

All orders must be signed for upon delivery.

Please note, we are unable to change the shipping address on your order now it has been dispatched. Your purchase should arrive in perfect condition. If you are unhappy with the quality, please let us know immediately.

Yours sincerely,

Customer Care
www.dhl.com

For assistance email customercare@dhl.com or call 0800 099 27671 from the UK, +44 (0)20 2781 62512 from the rest of the world, 24 hours a day, seven days a week


CONFIDENTIALITY NOTICE
The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, you must not read, use or disseminate the information. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of DHL Express Deliveries.

secure.dhldispatches.com (hosted on 116.240.194.69, Primus Australia) looks like a DHL page, but it carries a malicious payload which is loads from 118.88.25.36 (Dedicated Servers Australia). Blocking access to both those IPs may be prudent. The Wepawet report for this one is here.

FDIC spam / splatstack.net

More FDIC spam leading to malware, this time at splatstack.net.

Date:      Mon, 19 Dec 2011 05:32:49 -0600
From:      "Greta Bullock"
Subject:      Blockage of your transactions

Attn: Financial Department


By this message we would like to inform you about the latest amendments in the Federal Deposit Insurance Corporation coverage rules. During the period from December 31, 2010 to December 31, 2012 all funds in a "noninterest-bearing transaction account" are provided with a full insurance coverage by the Federal Deposit Insurance Corporation. Please note, that this arrangement is temporary and separate from the Federal Deposit Insurance Corporation's basic insurance rules.

The term "noninterest-bearing transaction account" implies a usual checking account or demand deposit account on which the insured depository institution pays no interest. For more information about this temporary FDIC unlimited coverage, please refer to: http://iimtstudies.com/e3f4e0/index.html

Yours faithfully,
Greta Bullock
Federal Deposit Insurance Corporation


The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.

Scam: "CareerQuick Staffing" / careermanagement.com.ua

This is another take on RockSmith Management scam, linked to these dodgy work-at-home sites, apparently with an Australian connection.

Date:      Mon, 26 Sep 2011 05:48:19 +0530
From:      "Terence Mooney" [terence.mooney@voicecom.co.za]
Subject:      Reminder: Employment Opportunity Followup

Hello

Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application, but can not do so until you complete our
internal application.

The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://careermanagement.com.ua/

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire
application process.


Best Regards,

Rock Smith Management


careermanagement.com.ua is a Ukrainian domain, it is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.

Friday, 16 December 2011

NACHA Spam/ ragsnip.com

Yet another round of fake NACHA spam leading to malware is doing the rounds, this time the payload is on ragsnip.com/main.php?page=111d937ec38dd17e hosted on 207.210.96.226 (Global Net Access LLC, Atlanta). Blocking access to the IP is preferable to the domain as there may be other malicious domains on the same server.

An example spam email from this run (it seems no different to all the other ones):

Date:      Fri, 16 Dec 2011 16:43:21 +0100
From:      "transactions@nacha.org" [transactions@nacha.org]
Subject:      Information on your pending transaction

Attention: Accounting Department

This message contains a report about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    007457776956967
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Faithfully yours,
Kathy Quirk
Accounting Department

NACHA Spam / ragsnub.com

More NACHA spam is doing the rounds, this time redirecting through a legitimate hacked site to ragsnub.com/main.php?page=69dbd5a1e3ed6ae9 on 184.171.248.35 (Hostdime, Florida).

There may be other bad domains on that server, so blocking access to the IP is the safest approach.

Thursday, 15 December 2011

NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com

More NACHA themed spam this morning that redirects victims through a hacked legitimate site to a malware laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.

These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.

It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.

A couple of example emails:

Date:      Thu, 15 Dec 2011 07:42:51 +0000
From:      "risk.manager@nacha.org" [risk.manager@nacha.org]
Subject:      Your ACH transaction details

Attention: Accounting Department

This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID:    079788807282357
Transaction status:    pending

In order to resolve this matter, please use the link below to review the transaction details as soon as possible.

Yours faithfully,
Anthony Cooley
Chief Accountant

and

Date:      Thu, 15 Dec 2011 07:30:43 +0000
From:      "alert@nacha.org" [alert@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Sir or Madam,

Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #:    638798200851317
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours truly,
Kevin Hunt
Chief Accountant

Fake Facebook spam / caredret.ru

More toxic spam.

Date:      Thu, 15 Dec 2011 11:52:56 +0700
From:      Facebook [notification+VGNDUO7NQM4R@facebookmail.com]
Subject:      LUCY Snow wants to be friends on Facebook.

facebook
LUCY Snow wants to be friends with you on Facebook.
   
LUCY Snow

Confirm Friend Request
   
See All Requests
This message was sent to victim@victimdomain.com. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303 

In this case, the link goes via a hacked legitimate site and gets redirected to a malicious page on caredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). Block access to 79.137.224.0/20 if you can, there is nothing legitimate hosted here.

FDIC spam / sownload.zapto.org and 63.223.78.19

The spam tsunami continues today with a set of new malware URLs to block. This one allegedly comes from the FDIC in the US.

Date:      Fri, 16 Dec 2011 04:12:15 +0400
From:      "Freeman Ballard" [Freeman.Ballard@campioni.info]
Subject:      URGENT! Security system updates

Dear Sirs,

In order to prevent new cases of wire fraud, we have introduced a new security system. In this connection all the account transactions of our customers have been suspended unless the special security requirements are met.. In order to rehabilitate your account, you need to

Install a special security software. Please use the link below to read the instructions for the installation of the latest security version.

We apologize for the inconveniences caused to you by this measure.
Please do not hesitate to contact us if you have any questions.

Sincerely yours,

FDIC Call Center 1-877-275-3342 (1-877-ASKFDIC)
or Email Address: consumer-service@fdic.gov
8:00 am - 8:00 pm ET; Monday-Friday
9:00 am - 5:00 pm ET; Saturday-Sunday
For the Hearing Impaired Toll Free 1-800-925-4618 / Local (VA) 703-562-2289

The link goes through a legitimate hacked site and tries to direct the user to a malicious page at sownload.zapto.org/main.php?page=db3408bf080473cf hosted on 63.223.78.199 (InfraVPS Network Solutions, Philippines). Blocking the IP address is preferable because there may more other malicious domains on that server.

Wednesday, 14 December 2011

Spam: "Cuban car sale rise after law change" / csredret.ru

A weird spam, leading to a malicious payload on csredret.ru

Date:      Wed, 14 Dec 2011 03:50:19 +0900
Subject:      Fwd: VIDEO: Cuban car sale rise after law change

Hi, look in.

VIDEO: Cuban car sale rise after law change

csredret.ru is hosted on 79.137.237.67 at Digital Network JSC in Russia (aka DINETHOSTING). Blocking access to 79.137.224.0/20 is essential if you can do it.

NACHA Spam / financeportal.sytes.net

More NACHA spam this morning, this time the payload is at financeportal.sytes.net/main.php?page=111d937ec38dd17e on 174.140.165.90. Blocking the IP address rather than the domain is probably best as there may be other malicious sites on that server.

174.140.165.90 is on Directspace LLC in Oregon who seem to have a significant problem with malware at the moment, I have seen malicious sites on:

147.140.163.116
147.140.163.118
147.140.165.90
147.140.165.195

You might want to consider blocking Directspace LLC more widely if you are worried.

Tuesday, 13 December 2011

"PAYROLL LOGS" Spam

This spam is obviously trying to do something evil, but I'm not quite sure what.


Date:      Tue, 13 Dec 2011 15:23:00 -0600
From:      "Helen Oconnell" [terminationsm@migtel.ru]

Subject:      11122011 PAYROLL INDICES

http://jazzon.nl/YK4VUSWQ.html Please access the URL below to reveal PAYROLL LOGS. It was submitted to you using a Xerox WorkCentre. Pro

==================================================================================================================

Confidential E-Mail: This e-Mail is proposed only for the username to that it is addressed and may be composed data that is intimate or otherwise preserved from exposal.If you have take this email in confusion, please notify the support by respond the present e-Mail and erase the original e-Mail and each copy..

The email is a piece of social engineering that relies on you wanting to know how much your colleagues are earning. Click the link and you get redirected to cms-wideopendns.com (a DSL subscriber in Span) then trackorder.commercialday-net.com (in China). It doesn't seem to work properly, but then it might just be resisting the tools I am throwing at it.

In any case.. avoid this one.

NACHA Spam / badthen.com

More NACHA spam, this time leading to a malicious payload on badthen.com. Stupidly (again) the NACHA email appears to come from linkedin.com.

Date:      Wed, 14 Dec 2011 05:36:48 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
Subject:      ACH transfer suspended

The ACH transaction (ID: 137297301664), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Rejected transfer
Transaction ID:     137297301664
Rejection Reason     See details in the report below
Transaction Report     report_137297301664.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malware is on badthen.com/main.php?page=977334ca118fcb8c  hosted on 173.230.130.158 (Linode, US). Blocking the IP address will block any other malware domains on the same server.

Spam: "I found your pictures on my camera yesterday, remember me?" / csredret.ru

Another spam run leading to a malicious payload on csredret.ru (as here)

Date:      Tue, 13 Dec 2011 10:19:58 +0200
From:      "Tomi Mcrae"
Subject:      Hi! This is Tomi

Finally I found your e-mail, I?m not sure whether you remember me, we?ve got terribly drunk, I found your pictures on my camera yesterday, remember me? Party14.jpg 487kb 

The "pictures" link loads the malicious script, hosted at black hat hosts Digital Network JSC aka DINETHOSTING in Russia. Avoid.